5 \___|\___/|_| \_\_____|
9 Version 7.68.0 (8 Jan 2020)
11 Daniel Stenberg (8 Jan 2020)
12 - RELEASE-NOTES: 7.68.0
14 - THANKS: updated with names from the 7.68.0 release
16 - RELEASE-PROCEDURE: add four future release dates
18 and remove four past release dates
22 Marcel Raad (6 Jan 2020)
23 - TrackMemory tests: always remove CR before LF
25 It was removed for output containing ' =' via `s/ =.*//`. With classic
26 MinGW, this made lines with `free()` end with CRLF, but lines with e.g.
27 `malloc()` end with only LF. The tests expect LF only.
29 Closes https://github.com/curl/curl/pull/4788
31 Daniel Stenberg (6 Jan 2020)
32 - multi.h: move INITIAL_MAX_CONCURRENT_STREAMS from public header
34 ... to the private multihhandle.h. It is not for public use and it
35 wasn't prefixed correctly anyway!
39 - file: fix copyright year range
41 Follow-up to 1b71bc532bd
43 - curl -w: handle a blank input file correctly
45 Previously it would end up with an uninitialized memory buffer that
46 would lead to a crash or junk getting output.
48 Added test 1271 to verify.
50 Reported-by: Brian Carpenter
53 - file: on Windows, refuse paths that start with \\
55 ... as that might cause an unexpected SMB connection to a given host
58 Reported-by: Fernando Muñoz
60 Bug: https://curl.haxx.se/docs/CVE-2019-15601.html
62 Jay Satiro (6 Jan 2020)
63 - CURLOPT_READFUNCTION.3: fix fopen params in example
65 - CURLOPT_READFUNCTION.3: fix variable name in example
67 Reported-by: Paul Joyce
69 Fixes https://github.com/curl/curl/issues/4787
71 Daniel Stenberg (5 Jan 2020)
72 - curl:getparameter return error for --http3 if libcurl doesn't support
76 - docs: mention CURL_MAX_INPUT_LENGTH restrictions
78 ... for curl_easy_setopt() and curl_url_set().
84 - curl: properly free mimepost data
86 ... as it could otherwise leak memory when a transfer failed.
88 Added test 1293 to verify.
90 Reported-by: Brian Carpenter
94 - curl: cleanup multi handle on failure
96 ... to fix memory leak in error path.
100 Reported-by: Brian Carpenter
102 Marcel Raad (3 Jan 2020)
103 - lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`
105 Closes https://github.com/curl/curl/pull/4775
107 Daniel Stenberg (3 Jan 2020)
108 - COPYING: it's 2020!
112 Jay Satiro (3 Jan 2020)
113 - [Marc Aldorasi brought this change]
115 tests: Fix bounce requests with truncated writes
117 Prior to this change the swsbounce check in service_connection could
118 fail because prevtestno and prevpartno were not set, which would cause
119 the wrong response data to be sent to some tests and cause them to fail.
121 Ref: https://github.com/curl/curl/pull/4717#issuecomment-570240785
123 Marcel Raad (31 Dec 2019)
124 - tool: make a few char pointers point to const char instead
128 Closes https://github.com/curl/curl/pull/4771
130 Jay Satiro (31 Dec 2019)
131 - tests: Change NTLM tests to require SSL
133 Prior to this change tests that required NTLM feature did not require
136 There are pending changes to cmake builds that will allow enabling NTLM
137 in non-SSL builds in Windows. In that case the NTLM auth strings created
138 are different from what is expected by the NTLM tests and they fail:
140 "The issue with NTLM is that previous non-SSL builds would not enable
141 NTLM and so the NTLM tests would be skipped."
143 Assisted-by: marc-groundctl@users.noreply.github.com
145 Ref: https://github.com/curl/curl/pull/4717#issuecomment-566218729
147 Closes https://github.com/curl/curl/pull/4768
149 - [Michael Forney brought this change]
151 bearssl: Improve I/O handling
153 Factor out common I/O loop as bearssl_run_until, which reads/writes TLS
154 records until the desired engine state is reached. This is now used for
155 the handshake, read, write, and close.
157 Match OpenSSL SSL_write behavior, and don't return the number of bytes
158 written until the corresponding records have been completely flushed
159 across the socket. This involves keeping track of the length of data
160 buffered into the TLS engine, and assumes that when CURLE_AGAIN is
161 returned, the write function will be called again with the same data
162 and length arguments. This is the same requirement of SSL_write.
164 Handle TLS close notify as EOF when reading by returning 0.
166 Closes https://github.com/curl/curl/pull/4748
168 - travis: Fix error detection
170 - Stop using inline shell scripts for before_script and script sections.
172 Prior to this change Travis could ignore errors from commands in inline
173 scripts. I don't understand how or why it happens. This is a workaround.
175 Assisted-by: Simon Warta
177 Ref: https://github.com/travis-ci/travis-ci/issues/1066
179 Fixes https://github.com/curl/curl/issues/3730
180 Closes https://github.com/curl/curl/pull/3755
182 - tool_operate: fix mem leak when failed config parse
184 Found by fuzzing the config file.
186 Reported-by: Geeknik Labs
188 Fixes https://github.com/curl/curl/issues/4767
190 - [Xiang Xiao brought this change]
192 lib: remove erroneous +x file permission on some c files
194 Modified by commit eb9a604 accidentally.
196 Closes https://github.com/curl/curl/pull/4756
198 - [Xiang Xiao brought this change]
200 lib: fix warnings found when porting to NuttX
202 - Undefine DEBUGASSERT in curl_setup_once.h in case it was already
203 defined as a system macro.
205 - Don't compile write32_le in curl_endian unless
206 CURL_SIZEOF_CURL_OFF_T > 4, since it's only used by Curl_write64_le.
208 - Include <arpa/inet.h> in socketpair.c.
210 Closes https://github.com/curl/curl/pull/4756
212 - os400: Add missing CURLE error constants
214 Bug: https://github.com/curl/curl/pull/4754#issuecomment-569126922
215 Reported-by: Emil Engler
217 - CURLOPT_HEADERFUNCTION.3: Document that size is always 1
219 For compatibility with `fwrite`, the `CURLOPT_HEADERFUNCTION` callback
220 is passed two `size_t` parameters which, when multiplied, designate the
221 number of bytes of data passed in. In practice, CURL always sets the
222 first parameter (`size`) to 1.
224 This practice is also enshrined in documentation and cannot be changed
225 in future. The documentation states that the default callback is
226 `fwrite`, which means `fwrite` must be a suitable function for this
227 purpose. However, the documentation also states that the callback must
228 return the number of *bytes* it successfully handled, whereas ISO C
229 `fwrite` returns the number of items (each of size `size`) which it
230 wrote. The only way these numbers can be equal is if `size` is 1.
232 Since `size` is 1 and can never be changed in future anyway, document
233 that fact explicitly and let users rely on it.
235 Reported-by: Frank Gevaerts
236 Commit-message-by: Christopher Head
238 Ref: https://github.com/curl/curl/pull/2787
240 Fixes https://github.com/curl/curl/issues/4758
242 - examples/postinmemory.c: Call curl_global_cleanup always
244 Prior to this change curl_global_cleanup was not called if
245 curl_easy_init failed.
247 Reported-by: kouzhudong@users.noreply.github.com
249 Fixes https://github.com/curl/curl/issues/4751
251 Daniel Stenberg (21 Dec 2019)
252 - url2file.c: fix copyright year
254 Follow-up to 525787269599b5
256 - [Rickard Hallerbäck brought this change]
258 examples/url2file.c: corrected a comment
260 The comment was confusing and suggested that setting CURLOPT_NOPROGRESS
261 to 0L would both enable and disable debug output at the same time, like
262 a Schrödinger's cat of CURLOPTs.
266 - HISTORY: OSS-Fuzz started fuzzing libcurl in 2017
268 - RELEASE-NOTES: synced
270 Jay Satiro (20 Dec 2019)
271 - ngtcp2: Support the latest update key callback type
273 - Remove our cb_update_key in favor of ngtcp2's new
274 ngtcp2_crypto_update_key_cb which does the same thing.
276 Several days ago the ngtcp2_update_key callback function prototype was
277 changed in ngtcp2/ngtcp2@42ce09c. Though it would be possible to
278 fix up our cb_update_key for that change they also added
279 ngtcp2_crypto_update_key_cb which does the same thing so we'll use that
282 Ref: https://github.com/ngtcp2/ngtcp2/commit/42ce09c
284 Closes https://github.com/curl/curl/pull/4735
286 Daniel Stenberg (19 Dec 2019)
287 - sws: search for "Testno:" header uncondtionally if no testno
289 Even if the initial request line wasn't found. With the fix to 1455, the
290 test number is now detected correctly.
292 (Problem found when running tests in random order.)
296 - tests: set LC_ALL in more tests
298 Follow-up to 23208e330ac0c21
302 - test165: set LC_ALL=en_US.UTF-8 too
304 On my current Debian Unstable with libidn2 2.2.0, I get an error if
305 LC_ALL is set to blank. Then curl errors out with:
307 curl: (3) Failed to convert www.åäö.se to ACE; could not convert string to UTF-8
311 - curl.h: add two defines for the "pre ISO C" case
313 Without this fix, this caused a compilation failure on AIX with IBM xlc
316 Reported-by: Ram Krushna Mishra
320 - create_conn: prefer multiplexing to using new connections
322 ... as it would previously prefer new connections rather than
323 multiplexing in most conditions! The (now removed) code was a leftover
324 from the Pipelining code that was translated wrongly into a
325 multiplex-only world.
327 Reported-by: Kunal Ekawde
328 Bug: https://curl.haxx.se/mail/lib-2019-12/0060.html
331 - test1456: remove the use of a fixed local port
333 Fixup the test to instead not compare the port number. It sometimes
334 caused problems like this:
336 "curl: (45) bind failed with errno 98: Address already in use"
340 Jay Satiro (18 Dec 2019)
341 - CURLOPT_QUOTE.3: fix typos
343 Prior to this change the EXAMPLE in the QUOTE/PREQUOTE/POSTQUOTE man
344 pages would not compile because a variable name was incorrect.
346 Reported-by: Bylon2@users.noreply.github.com
348 Fixes https://github.com/curl/curl/issues/4736
350 - [Gisle Vanem brought this change]
352 strerror: Fix compiler warning "empty expression"
354 - Remove the final semi-colon in the SEC2TXT() macro definition.
356 Before: #define SEC2TXT(sec) case sec: txt = #sec; break;
358 After: #define SEC2TXT(sec) case sec: txt = #sec; break
360 Prior to this change SEC2TXT(foo); would generate break;; which caused
361 the empty expression warning.
363 Ref: https://github.com/curl/curl/commit/5b22e1a#r36458547
365 Daniel Stenberg (18 Dec 2019)
366 - curl/parseconfig: use curl_free() to free memory allocated by libcurl
368 Reported-by: bxac on github
372 - curl/parseconfig: fix mem-leak
374 When looping, first trying '.curlrc' and then '_curlrc', the function
375 would not free the first string.
379 - CURLOPT_URL.3: "curl supports SMB version 1 (only)"
383 - test1270: a basic -w redirect_url test
387 - HISTORY: the SMB(S) support landed in 2014
389 - define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
391 It is covered by USE_OPENSSL_ENGINE now.
393 Reported-by: Gisle Vanem
394 Bug: https://github.com/curl/curl/commit/87b9337c8f76c21c57b204e88b68c6ecf3bd1ac0#commitcomment-36447951
398 - lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
402 Reviewed-by: Daniel Gustafsson
403 Reviewed-by: Jay Satiro
404 Reported-by: Jay Satiro
408 - tests: make sure checksrc runs on header files too
410 - Revert "checksrc: fix regexp for ASSIGNWITHINCONDITION"
412 This reverts commit ba82673dac3e8d00a76aa5e3779a0cb80e7442af.
416 - KNOWN_BUGS: TLS session cache doesn't work with TFO
421 - KNOWN_BUGS: Connection information when using TCP Fast Open
423 Also point to #4296 for more details
426 - KNOWN_BUGS: LDAP on Windows doesn't work
430 - docs: TLS SRP doesn't work with TLS 1.3
432 Reported-by: sayrer on github
436 Dan Fandrich (16 Dec 2019)
437 - cirrus: Switch to the FreeBSD 12.1 point release & enable more tests.
439 A few tests are now passing on FreeBSD, so no longer skip them.
442 Daniel Stenberg (16 Dec 2019)
443 - azure: the macos cmake doesn't need to install cmake
445 Error: cmake 3.15.5 is already installed
446 To upgrade to 3.16.1, run `brew upgrade cmake`.
450 Jay Satiro (15 Dec 2019)
451 - winbuild: Document CURL_STATICLIB requirement for static libcurl
453 A static libcurl (ie winbuild mode=static) requires that the user define
454 CURL_STATICLIB when using it in their application. This is already
455 covered in the FAQ and INSTALL.md, but is a pretty important point so
456 now it's noted in the BUILD.WINDOWS.txt as well.
458 Assisted-by: Michael Vittiglio
460 Closes https://github.com/curl/curl/pull/4721
462 Daniel Stenberg (15 Dec 2019)
463 - [Santino Keupp brought this change]
465 libssh2: add support for ECDSA and ed25519 knownhost keys
467 ... if a new enough libssh2 version is present.
469 Source: https://curl.haxx.se/mail/archive-2019-12/0023.html
470 Co-Authored-by: Daniel Stenberg
473 - lib1591: free memory properly on OOM, in the trailers callback
475 Detected by torture tests.
479 - runtests: --repeat=[num] to repeat tests
483 - RELEASE-NOTES: synced
485 - azure: add a torture test on mac
487 Uses --shallow=25 to keep it small enough to get through in time.
491 - multi: free sockhash on OOM
493 This would otherwise leak memory in the error path.
495 Detected by torture test 1540.
499 Marcel Raad (13 Dec 2019)
500 - tests: use DoH feature for DoH tests
502 Previously, http/2 was used instead.
504 Assisted-by: Jay Satiro
505 Closes https://github.com/curl/curl/pull/4692
507 - hostip: suppress compiler warning
509 With `--disable-doh --disable-threaded-resolver`, the `dns` parameter
512 Closes https://github.com/curl/curl/pull/4692
514 - tests: fix build with `CURL_DISABLE_DOH`
516 Closes https://github.com/curl/curl/pull/4692
518 Daniel Stenberg (13 Dec 2019)
519 - azure: add a torture test
521 Skipping all FTP tests for speed reasons.
525 - azure: make the default build use --enable-debug --enable-werror
527 - ntlm_wb: fix double-free in OOM
529 Detected by torture testing test 1310
533 Dan Fandrich (13 Dec 2019)
534 - cirrus: Drop the FreeBSD 10.4 build
536 Upstream support for 10.4 ended a year ago, and it looks like the image
540 Daniel Stenberg (13 Dec 2019)
541 - unit1620: fix bad free in OOM
545 - unit1609: fix mem-leak in OOM
549 - unit1607: fix mem-leak in OOM
553 - lib1559: fix mem-leak in OOM
557 - lib1557: fix mem-leak in OOM
561 - altsvc: make the save function ignore NULL filenames
563 It might happen in OOM situations. Detected bv torture tests.
567 - curl: fix memory leak in OOM in etags logic
569 Detected by torture tests
573 - doh: make it behave when built without proxy support
575 Reported-by: Marcel Raad
576 Bug: https://github.com/curl/curl/pull/4692#issuecomment-564115734
580 - curl: improved cleanup in upload error path
582 Memory leak found by torture test 58
586 - mailmap: fix Andrew Ishchuk
588 - travis: make torture use --shallow=40
590 As a first step to enable it to run over a more diverse set of tests in
593 - runtests: introduce --shallow to reduce huge torture tests
595 When set, shallow mode limits runtests -t to make no more than NUM fails
596 per test case. If more are found, it will randomly discard entries until
597 the number is right. The random seed can also be set.
599 This is particularly useful when running MANY tests as then most torture
600 failures will already fail the same functions over and over and make the
601 total operation painfully tedious.
605 - conncache: CONNECT_ONLY connections assumed always in-use
607 This makes them never to be considered "the oldest" to be discarded when
608 reaching the connection cache limit. The reasoning here is that
609 CONNECT_ONLY is primarily used in combination with using the
610 connection's socket post connect and since that is used outside of
611 curl's knowledge we must assume that it is in use until explicitly
614 Reported-by: Pavel Pavlov
615 Reported-by: Pavel Löbl
620 - [Gisle Vanem brought this change]
622 vtls: make BearSSL possible to set with CURL_SSL_BACKEND
624 Ref: https://github.com/curl/curl/commit/9b879160df01e7ddbb4770904391d3b74114302b#commitcomment-36355622
628 - RELEASE-NOTES: synced
630 - travis: remove "coverage", make it "torture"
632 The coveralls service and test coverage numbers are just too unreliable.
633 Removed badge from README.md as well.
638 - azure: add libssh2 and cmake macos builds
640 Removed the macos libssh2 build from travis
644 - curl: use errorf() better
646 Change series of error outputs to use errorf().
648 Only errors that are due to mistakes in command line option usage should
649 use helpf(), other types of errors in the tool should rather use
654 Jay Satiro (9 Dec 2019)
655 - [Marc Hoersken brought this change]
657 tests: make it possible to set executable extensions
659 This enables the use of Windows Subsystem for Linux (WSL) to run the
660 testsuite against Windows binaries while using Linux servers.
662 This commit introduces the following environment variables:
663 - CURL_TEST_EXE_EXT: set the executable extension for all components
664 - CURL_TEST_EXE_EXT_TOOL: set it for the curl tool only
665 - CURL_TEST_EXE_EXT_SSH: set it for the SSH tools only
667 Later testcurl.pl could be adjusted to make use of those variables.
668 - CURL_TEST_EXE_EXT_SRV: set it for the test servers only
670 (This is one of several commits to support use of WSL for the tests.)
672 Closes https://github.com/curl/curl/pull/3899
674 - [Marc Hoersken brought this change]
676 tests: fix permissions of ssh keys in WSL
678 Keys created on Windows Subsystem for Linux (WSL) require it for some
681 (This is one of several commits to support use of WSL for the tests.)
683 Ref: https://github.com/curl/curl/pull/3899
685 - [Marc Hoersken brought this change]
687 tests: use \r\n for log messages in WSL
689 Bash in Windows Subsystem for Linux (WSL) requires it for some reason.
691 (This is one of several commits to support use of WSL for the tests.)
693 Ref: https://github.com/curl/curl/pull/3899
695 - [Andrew Ishchuk brought this change]
697 winbuild: Define CARES_STATICLIB when WITH_CARES=static
699 When libcurl is built with MODE=static, c-ares is forced into static
700 linkage too. That doesn't happen when MODE=dll so linker would break
701 over undefined symbols.
703 closes https://github.com/curl/curl/pull/4688
705 Daniel Stenberg (9 Dec 2019)
706 - conn: always set bits.close with connclose()
710 - cirrus: enable clang sanitizers on freebsd 13
712 - conncache: fix multi-thread use of shared connection cache
714 It could accidentally let the connection get used by more than one
715 thread, leading to double-free and more.
717 Reported-by: Christopher Reid
721 - azure: add a vanilla macos build
725 - curl: make the etag load logic work without fseek
727 The fseek()s were unnecessary and caused Coverity warning CID 1456554
731 - mailmap: Mohammad Hasbini
733 - [Mohammad Hasbini brought this change]
739 - RELEASE-NOTES: synced
741 Jay Satiro (5 Dec 2019)
742 - lib: fix some loose ends for recently added CURLSSLOPT_NO_PARTIALCHAIN
744 Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS
745 and OS400 package spec.
747 Also I added the option to the NameValue list in the tool even though it
748 isn't exposed as a command-line option (...yet?). (NameValue stringizes
749 the option name for the curl cmd -> libcurl source generator)
751 Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN.
753 Ref: https://github.com/curl/curl/pull/4655
755 - setopt: Fix ALPN / NPN user option when built without HTTP2
757 - Stop treating lack of HTTP2 as an unknown option error result for
758 CURLOPT_SSL_ENABLE_ALPN and CURLOPT_SSL_ENABLE_NPN.
760 Prior to this change it was impossible to disable ALPN / NPN if libcurl
761 was built without HTTP2. Setting either option would result in
762 CURLE_UNKNOWN_OPTION and the respective internal option would not be
763 set. That was incorrect since ALPN and NPN are used independent of
766 Reported-by: Shailesh Kapse
768 Fixes https://github.com/curl/curl/issues/4668
769 Closes https://github.com/curl/curl/pull/4672
771 Daniel Stenberg (5 Dec 2019)
772 - etag: allow both --etag-compare and --etag-save in same cmdline
777 Marcel Raad (5 Dec 2019)
778 - curl_setup: fix `CURLRES_IPV6` condition
780 Move the definition of `CURLRES_IPV6` to before undefining
781 `HAVE_GETADDRINFO`. Regression from commit 67a08dca27a which caused
782 some tests to fail and others to be skipped with c-ares.
784 Fixes https://github.com/curl/curl/issues/4673
785 Closes https://github.com/curl/curl/pull/4677
787 Daniel Stenberg (5 Dec 2019)
788 - test342: make it return a 304 as the tag matches
790 Peter Wu (4 Dec 2019)
791 - CMake: add support for building with the NSS vtls backend
793 Options are cross-checked with configure.ac and acinclude.m4.
794 Tested on Arch Linux, untested on other platforms like Windows or macOS.
797 Reviewed-by: Kamil Dudka
799 Daniel Stenberg (4 Dec 2019)
800 - azure: add more builds
802 ... removed two from travis (that now runs on azure instead)
806 - CURLOPT_VERBOSE.3: see also ERRORBUFFER
808 - hostip4.c: bump copyright year range
810 Marcel Raad (3 Dec 2019)
811 - configure: enable IPv6 support without `getaddrinfo`
813 This makes it possible to recognize and connect to literal IPv6
814 addresses when `getaddrinfo` is not available, which is already the
815 case for the CMake build. This affects e.g. classic MinGW because it
816 still targets Windows 2000 by default, where `getaddrinfo` is not
817 available, but general IPv6 support is.
819 Instead of checking for `getaddrinfo`, check for `sockaddr_in6` as the
822 Closes https://github.com/curl/curl/pull/4662
824 - curl_setup: disable IPv6 resolver without `getaddrinfo`
826 Also, use `CURLRES_IPV6` only for actual DNS resolution, not for IPv6
827 address support. This makes it possible to connect to IPv6 literals by
828 setting `ENABLE_IPV6` even without `getaddrinfo` support. It also fixes
829 the CMake build when using the synchronous resolver without
830 `getaddrinfo` support.
832 Closes https://github.com/curl/curl/pull/4662
834 Daniel Stenberg (3 Dec 2019)
835 - github action/azure pipeline: run 'make test-nonflaky' for tests
837 To match travis and give more info on failures.
839 - openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
843 - openssl: set X509_V_FLAG_PARTIAL_CHAIN
845 Have intermediate certificates in the trust store be treated as
846 trust-anchors, in the same way as self-signed root CA certificates
847 are. This allows users to verify servers using the intermediate cert
848 only, instead of needing the whole chain.
850 Other TLS backends already accept partial chains.
852 Reported-by: Jeffrey Walton
853 Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
855 - curl: show better error message when no homedir is found
857 Reported-by: Vlastimil OvčáčĂk
861 - OPENSOCKETFUNCTION.3: correct the purpose description
863 Reported-by: Jeff Mears
864 Bug: https://curl.haxx.se/mail/lib-2019-12/0007.html
868 - [Peter Wu brought this change]
870 travis: do not use OVERRIDE_CC or OVERRIDE_CXX if empty
872 Fixes the macOS builds where OVERRIDE_CC and OVERRIDE_CXX are not set.
874 Reported-by: Jay Satiro
879 - azure-pipelines: fix the test script
881 - Azure Pipelines: initial CI setup
885 - docs: add "added: 7.68.0" to the --etag-* docs
887 - copyright: fix the year ranges for two files
889 Follow-up to 9c1806ae
891 Jay Satiro (1 Dec 2019)
892 - build: Disable Visual Studio warning "conditional expression is constant"
894 - Disable warning C4127 "conditional expression is constant" globally
895 in curl_setup.h for when building with Microsoft's compiler.
897 This mainly affects building with the Visual Studio project files found
900 Prior to this change the cmake and winbuild build systems already
901 disabled 4127 globally for when building with Microsoft's compiler.
902 Also, 4127 was already disabled for all build systems in the limited
903 circumstance of the WHILE_FALSE macro which disabled the warning
904 specifically for while(0). This commit removes the WHILE_FALSE macro and
905 all other cruft in favor of disabling globally in curl_setup.
909 We have various macros that cause 0 or 1 to be evaluated, which would
910 cause warning C4127 in Visual Studio. For example this causes it:
912 #define Curl_resolver_asynch() 1
914 Full behavior is not clearly defined and inconsistent across versions.
915 However it is documented that since VS 2015 Update 3 Microsoft has
916 addressed this somewhat but not entirely, not warning on while(true) for
919 Prior to this change some C4127 warnings occurred when I built with
920 Visual Studio using the generated projects in the projects dir.
922 Closes https://github.com/curl/curl/pull/4658
924 - openssl: retrieve reported LibreSSL version at runtime
926 - Retrieve LibreSSL runtime version when supported (>= 2.7.1).
928 For earlier versions we continue to use the compile-time version.
930 Ref: https://man.openbsd.org/OPENSSL_VERSION_NUMBER.3
932 Closes https://github.com/curl/curl/pull/2425
934 - strerror: Add Curl_winapi_strerror for Win API specific errors
936 - In all code call Curl_winapi_strerror instead of Curl_strerror when
937 the error code is known to be from Windows GetLastError.
939 Curl_strerror prefers CRT error codes (errno) over Windows API error
940 codes (GetLastError) when the two overlap. When we know the error code
941 is from GetLastError it is more accurate to prefer the Windows API error
944 Reported-by: Richard Alcock
946 Fixes https://github.com/curl/curl/issues/4550
947 Closes https://github.com/curl/curl/pull/4581
949 Daniel Stenberg (2 Dec 2019)
950 - global_init: undo the "intialized" bump in case of failure
952 ... so that failures in the global init function don't count as a
953 working init and it can then be called again.
955 Reported-by: Paul Groke
959 - parsedate: offer a getdate_capped() alternative
961 ... and use internally. This function will return TIME_T_MAX instead of
962 failure if the parsed data is found to be larger than what can be
963 represented. TIME_T_MAX being the largest value curl can represent.
965 Reviewed-by: Daniel Gustafsson
966 Reported-by: JanB on github
970 - docs: add more references to curl_multi_poll
975 - sha256: bump the copyright year range
977 Follow-up from 66e21520f
979 Daniel Gustafsson (28 Nov 2019)
980 - curl_setup_once: consistently use WHILE_FALSE in macros
982 The WHILE_FALSE construction is used to avoid compiler warnings in
983 macro constructions. This fixes a few instances where it was not
984 used in order to keep the code consistent.
987 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
989 Daniel Stenberg (28 Nov 2019)
990 - [Steve Holme brought this change]
992 http_ntlm: Remove duplicate NSS initialisation
994 Given that this is performed by the NTLM code there is no need to
995 perform the initialisation in the HTTP layer. This also keeps the
996 initialisation the same as the SASL based protocols and also fixes a
997 possible compilation issue if both NSS and SSPI were to be used as
998 multiple SSL backends.
1000 Reviewed-by: Kamil Dudka
1003 Daniel Gustafsson (28 Nov 2019)
1004 - checksrc: fix regexp for ASSIGNWITHINCONDITION
1006 The regexp looking for assignments within conditions was too greedy
1007 and matched a too long string in the case of multiple conditionals
1008 on the same line. This is basically only a problem in single line
1009 macros, and the code which exemplified this was essentially:
1011 do {Â if((x) != NULL) { x = NULL; }Â }Â while(0)
1013 ..where the final parenthesis of while(0) matched the regexp, and
1014 the legal assignment in the block triggered the warning. Fix by
1015 making the regexp less greedy by matching for the tell-tale signs
1016 of the if statement ending.
1018 Also remove the one occurrence where the warning was disabled due
1019 to a construction like the above, where the warning didn't apply
1023 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
1025 Daniel Stenberg (28 Nov 2019)
1026 - RELEASE-NOTES: synced
1028 - [Maros Priputen brought this change]
1030 curl: two new command line options for etags
1032 --etag-compare and --etag-save
1034 Suggested-by: Paul Hoffman
1038 Daniel Gustafsson (28 Nov 2019)
1041 Daniel Stenberg (28 Nov 2019)
1042 - mailmap: Niall O'Reilly's name
1044 - [Niall O'Reilly brought this change]
1046 doh: use dedicated probe slots
1048 ... to easier allow additional DNS transactions.
1052 - travis: build ngtcp2 with --enable-lib-only
1054 ... makes it skip the examples and other stuff we don't neeed.
1058 - [David Benjamin brought this change]
1060 ngtcp2: fix thread-safety bug in error-handling
1062 ERR_error_string(NULL) should never be called. It places the error in a
1063 global buffer, which is not thread-safe. Use ERR_error_string_n with a
1064 local buffer instead.
1068 - travis: export the CC/CXX variables when set
1070 Suggested-by: Peter Wu
1074 Marcel Raad (26 Nov 2019)
1075 - dist: add error-codes.pl
1077 Follow-up to commit 74f441c6d31.
1078 This should fix test 1175 when run via the daily source tarballs.
1080 Closes https://github.com/curl/curl/pull/4638
1082 Daniel Stenberg (26 Nov 2019)
1083 - [John Schroeder brought this change]
1085 curl: fix --upload-file . hangs if delay in STDIN
1087 Attempt to unpause a busy read in the CURLOPT_XFERINFOFUNCTION.
1089 When uploading from stdin in non-blocking mode, a delay in reading
1090 the stream (EAGAIN) causes curl to pause sending data
1091 (CURL_READFUNC_PAUSE). Prior to this change, a busy read was
1092 detected and unpaused only in the CURLOPT_WRITEFUNCTION handler.
1093 This change performs the same busy read handling in a
1094 CURLOPT_XFERINFOFUNCTION handler.
1098 Reported-by: bdry on github
1100 - [John Schroeder brought this change]
1102 XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
1104 (also for PROGRESSFUNCTION)
1106 By returning this value from the callback, the internal progress
1107 function call is still called afterward.
1111 - [Michael Forney brought this change]
1113 TLS: add BearSSL vtls implementation
1117 - curl_multi_wakeup.3: add example and AVAILABILITY
1119 Reviewed-by: Gergely Nagy
1122 - [Gergely Nagy brought this change]
1124 multi: add curl_multi_wakeup()
1126 This commit adds curl_multi_wakeup() which was previously in the TODO
1127 list under the curl_multi_unblock name.
1129 On some platforms and with some configurations this feature might not be
1130 available or can fail, in these cases a new error code
1131 (CURLM_WAKEUP_FAILURE) is returned from curl_multi_wakeup().
1136 Jay Satiro (24 Nov 2019)
1137 - [Xiaoyin Liu brought this change]
1139 schannel: fix --tls-max for when min is --tlsv1 or default
1141 Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_
1142 macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS
1143 (CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always.
1145 Closes https://github.com/curl/curl/pull/4633
1147 - checksrc.bat: Add a check for vquic and vssh directories
1149 Ref: https://github.com/curl/curl/pull/4607
1151 - projects: Fix Visual Studio projects SSH builds
1153 - Generate VQUIC and VSSH filenames in Visual Studio project files.
1155 Prior to this change generated Visual Studio project configurations that
1156 enabled SSH did not build properly. Broken since SSH files were moved to
1157 lib/vssh 3 months ago in 5b2d703.
1159 Fixes https://github.com/curl/curl/issues/4492
1160 Fixes https://github.com/curl/curl/issues/4630
1161 Closes https://github.com/curl/curl/pull/4607
1163 Daniel Stenberg (23 Nov 2019)
1164 - RELEASE-NOTES: synced
1166 Jay Satiro (22 Nov 2019)
1167 - openssl: Revert to less sensitivity for SYSCALL errors
1169 - Disable the extra sensitivity except in debug builds (--enable-debug).
1171 - Improve SYSCALL error message logic in ossl_send and ossl_recv so that
1172 "No error" / "Success" socket error text isn't shown on SYSCALL error.
1174 Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity
1175 of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were
1176 also considered errors. For example, a server that does not send a known
1177 protocol termination point (eg HTTP content length or chunked encoding)
1178 _and_ does not send a TLS termination point (close_notify alert) would
1179 cause an error if it closed the connection.
1181 To be clear that behavior made it into release build 7.67.0
1182 unintentionally. Several users have reported it as an issue.
1184 Ultimately the idea is a good one, since it can help prevent against a
1185 truncation attack. Other SSL backends may already behave similarly (such
1186 as Windows native OS SSL Schannel). However much more of our user base
1187 is using OpenSSL and there is a mass of legacy users in that space, so I
1188 think that behavior should be partially reverted and then rolled out
1191 This commit changes the behavior so that the increased sensitivity is
1192 disabled in all curl builds except curl debug builds (DEBUGBUILD). If
1193 after a period of time there are no major issues then it can be enabled
1194 in dev and release builds with the newest OpenSSL (1.1.1+), since users
1195 using the newest OpenSSL are the least likely to have legacy problems.
1197 Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794
1198 Reported-by: Bjoern Franke
1200 Fixes https://github.com/curl/curl/issues/4624
1201 Closes https://github.com/curl/curl/pull/4623
1203 - [Daniel Stenberg brought this change]
1205 openssl: improve error message for SYSCALL during connect
1207 Reported-by: Paulo Roberto Tomasi
1208 Bug: https://curl.haxx.se/mail/archive-2019-11/0005.html
1210 Closes https://github.com/curl/curl/pull/4593
1212 Daniel Stenberg (22 Nov 2019)
1213 - test1175: verify symbols-in-versions and libcurl-errors.3 in sync
1217 - include: make CURLE_HTTP3 use a new error code
1219 To avoid potential issues with error code reuse.
1221 Reported-by: Christoph M. Becker
1222 Assisted-by: Dan Fandrich
1226 - bump: next release will be 7.68.0
1228 - curl: add --parallel-immediate
1230 Starting with this change when doing parallel transfers, without this
1231 option set, curl will prefer to create new transfers multiplexed on an
1232 existing connection rather than creating a brand new one.
1234 --parallel-immediate can be set to tell curl to prefer to use new
1235 connections rather than to wait and try to multiplex.
1237 libcurl-wise, this means that curl will set CURLOPT_PIPEWAIT by default
1238 on parallel transfers.
1240 Suggested-by: Tom van der Woerdt
1243 Daniel Gustafsson (20 Nov 2019)
1244 - [Victor Magierski brought this change]
1248 Change 'experiemental' to 'experimental'.
1251 Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
1253 Jay Satiro (18 Nov 2019)
1254 - projects: Fix Visual Studio wolfSSL configurations
1256 - s/USE_CYASSL/USE_WOLFSSL/
1258 - Remove old compatibility macros.
1260 Follow-up to 1c6c59a from several months ago when CyaSSL named symbols
1261 were renamed to wolfSSL. The wolfSSL library was formerly named CyaSSL
1262 and we kept using their old name for compatibility reasons, until
1265 Daniel Stenberg (18 Nov 2019)
1266 - RELEASE-NOTES: synced
1268 - [Javier Blazquez brought this change]
1270 ngtcp2: use overflow buffer for extra HTTP/3 data
1275 - altsvc: bump to h3-24
1277 ... as both ngtcp2 and quiche now support that in their master branches
1281 - ngtcp2: free used resources on disconnect
1286 - ngtcp2: handle key updates as ngtcp2 master branch tells us
1288 Reviewed-by: Tatsuhiro Tsujikawa
1293 Jay Satiro (17 Nov 2019)
1294 - [Gergely Nagy brought this change]
1296 multi: Fix curl_multi_poll wait when extra_fds && !extra_nfds
1298 Prior to this change:
1300 The check if an extra wait is necessary was based not on the
1301 number of extra fds but on the pointer.
1303 If a non-null pointer was given in extra_fds, but extra_nfds
1304 was zero, then the wait was skipped even though poll was not
1307 Closes https://github.com/curl/curl/pull/4610
1309 - lib: Move lib/ssh.h -> lib/vssh/ssh.h
1311 Follow-up to 5b2d703 which moved ssh source files to vssh.
1313 Closes https://github.com/curl/curl/pull/4609
1315 Daniel Stenberg (16 Nov 2019)
1316 - [Andreas Falkenhahn brought this change]
1318 INSTALL.md: provide Android build instructions
1322 - [Niall O'Reilly brought this change]
1324 doh: improced both encoding and decoding
1326 Improved estimation of expected_len and updated related comments;
1327 increased strictness of QNAME-encoding, adding error detection for empty
1328 labels and names longer than the overall limit; avoided treating DNAME
1331 updated unit test 1655 with more thorough set of proofs and tests
1335 - ngtcp2: increase QUIC window size when data is consumed
1337 Assisted-by: Javier Blazquez
1338 Ref #4525 (partial fix)
1341 - [Melissa Mears brought this change]
1343 config-win32: cpu-machine-OS for Windows on ARM
1345 Define the OS macro properly for Windows on ARM builds. Also, we might
1346 as well add the GCC-style IA-64 macro.
1350 - examples: add multi-poll.c
1352 Show how curl_multi_poll() makes it even easier to use the multi
1357 - multi_poll: avoid busy-loop when called without easy handles attached
1361 Reported-by: 3dyd on github
1363 - curl: fix -T globbing
1365 Regression from e59371a4936f8 (7.67.0)
1367 Added test 490, 491 and 492 to verify the functionality.
1369 Reported-by: Kamil Dudka
1370 Reported-by: Anderson Sasaki
1375 - HISTORY: added cmake, HTTP/3 and parallel downloads with curl
1377 - quiche: reject headers in the wrong order
1379 Pseudo header MUST come before regular headers or cause an error.
1381 Reported-by: Cynthia Coan
1385 - openssl: prevent recursive function calls from ctx callbacks
1387 Follow the pattern of many other callbacks.
1392 - CURL-DISABLE: initial docs for the CURL_DISABLE_* defines
1394 The disable-scan script used in test 1165 is extended to also verify
1395 that the docs cover all used defines and all defines offered by
1398 Reported-by: SLDiggie on github
1402 - remove_handle: clear expire timers after multi_done()
1404 Since 59041f0, a new timer might be set in multi_done() so the clearing
1405 of the timers need to happen afterwards!
1407 Reported-by: Max Kellermann
1411 Marcel Raad (10 Nov 2019)
1412 - test1558: use double slash after file:
1414 Classic MinGW / MSYS 1 doesn't support `MSYS2_ARG_CONV_EXCL`, so this
1415 test unnecessarily failed when using `file:/` instead of `file:///`.
1417 Closes https://github.com/curl/curl/pull/4554
1419 Daniel Stenberg (10 Nov 2019)
1420 - pause: avoid updating socket if done was already called
1422 ... avoids unnecesary recursive risk when the transfer is already done.
1424 Reported-by: Richard Bowker
1428 Jay Satiro (9 Nov 2019)
1429 - strerror: Fix an error looking up some Windows error strings
1431 - Use FORMAT_MESSAGE_IGNORE_INSERTS to ignore format specifiers in
1432 Windows error strings.
1434 Since we are not in control of the error code we don't know what
1435 information may be needed by the error string's format specifiers.
1437 Prior to this change Windows API error strings which contain specifiers
1438 (think specifiers like similar to printf specifiers) would not be shown.
1439 The FormatMessage Windows API call which turns a Windows error code into
1440 a string could fail and set error ERROR_INVALID_PARAMETER if that error
1441 string contained a format specifier. FormatMessage expects a va_list for
1442 the specifiers, unless inserts are ignored in which case no substitution
1445 Ref: https://devblogs.microsoft.com/oldnewthing/20071128-00/?p=24353
1447 - [r-a-sattarov brought this change]
1449 system.h: fix for MCST lcc compiler
1451 Fixed build by MCST lcc compiler on MCST Elbrus 2000 architecture and do
1454 e2k (Elbrus 2000) - this is VLIW/EPIC architecture, like Intel Itanium
1457 Ref: https://en.wikipedia.org/wiki/Elbrus_2000
1459 Closes https://github.com/curl/curl/pull/4576
1461 Daniel Stenberg (8 Nov 2019)
1462 - TODO: curl_multi_unblock
1466 - TODO: Run web-platform-tests url tests
1470 - TODO: 1.4 alt-svc sharing
1474 - test1560: require IPv6 for IPv6 aware URL parsing
1476 The URL parser function can't reject a bad IPv6 address properly when
1477 curl was built without IPv6 support.
1479 Reported-by: Marcel Raad
1483 - checksrc: repair the copyrightyear check
1485 - Consider a modified file to be committed this year.
1487 - Make the travis CHECKSRC also do COPYRIGHTYEAR scan in examples and
1490 - Ignore 0 parents when getting latest commit date of file.
1492 since in the CI we're dealing with a truncated repo of last 50 commits,
1493 the file's most recent commit may not be available. when this happens
1494 git log and rev-list show the initial commit (ie first commit not to be
1495 truncated) but that's incorrect so ignore it.
1497 Ref: https://github.com/curl/curl/pull/4547
1499 Closes https://github.com/curl/curl/pull/4549
1501 Co-authored-by: Jay Satiro
1503 - copyrights: fix copyright year range
1505 .. because checksrc's copyright year check stopped working.
1507 Ref: https://github.com/curl/curl/pull/4547
1509 Closes https://github.com/curl/curl/pull/4549
1511 - RELEASE-NOTES: synced
1513 - curlver: bump to 7.67.1
1515 - mailmap: fixup Massimiliano Fantuzzi
1517 - scripts/contributors: make committers get included too
1519 in addition to authors
1521 Jay Satiro (8 Nov 2019)
1522 - [Massimiliano Fantuzzi brought this change]
1524 configure: fix typo in help text
1526 Closes https://github.com/curl/curl/pull/4570
1528 Daniel Stenberg (7 Nov 2019)
1529 - [Christian Schmitz brought this change]
1531 ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
1535 Jay Satiro (6 Nov 2019)
1536 - [Wyatt O'Day brought this change]
1538 build: fix for CURL_DISABLE_DOH
1540 Fixes https://github.com/curl/curl/issues/4565
1541 Closes https://github.com/curl/curl/pull/4566
1543 - [Leonardo Taccari brought this change]
1545 configure: avoid unportable `==' test(1) operator
1547 Closes https://github.com/curl/curl/pull/4567
1549 Version 7.67.0 (5 Nov 2019)
1551 Daniel Stenberg (5 Nov 2019)
1552 - RELEASE-NOTES: synced
1556 - THANKS: add new names from 7.67.0
1558 - configure: only say ipv6 enabled when the variable is set
1560 Previously it could say "IPv6: enabled" at the end of the configure run
1561 but the define wasn't set because of a missing getaddrinfo().
1563 Reported-by: Marcel Raad
1567 Marcel Raad (2 Nov 2019)
1568 - certs/Server-localhost-lastSAN-sv: regenerate with sha256
1570 All other certificates were regenerated in commit ba782baac30, but
1571 this one was missed.
1572 Fixes test3001 on modern systems.
1574 Closes https://github.com/curl/curl/pull/4551
1576 Daniel Stenberg (2 Nov 2019)
1577 - [Vilhelm Prytz brought this change]
1579 copyrights: update all copyright notices to 2019 on files changed this year
1583 - [Bastien Bouclet brought this change]
1585 mbedtls: add error message for cert validity starting in the future
1589 Jay Satiro (1 Nov 2019)
1590 - schannel_verify: Fix concurrent openings of CA file
1592 - Open the CA file using FILE_SHARE_READ mode so that others can read
1595 Prior to this change our schannel code opened the CA file without
1596 sharing which meant concurrent openings (eg an attempt from another
1597 thread or process) would fail during the time it was open without
1598 sharing, which in curl's case would cause error:
1599 "schannel: failed to open CA file".
1601 Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html
1602 Reported-by: Richard Alcock
1604 Daniel Stenberg (31 Oct 2019)
1605 - gtls: make gnutls_bye() not wait for response on shutdown
1607 ... as it can make it wait there for a long time for no good purpose.
1609 Patched-by: Jay Satiro
1610 Reported-by: Bylon2 on github
1611 Adviced-by: Nikos Mavrogiannopoulos
1616 - [Michał Janiszewski brought this change]
1618 appveyor: publish artifacts on appveyor
1620 This allows obtaining upstream builds of curl directly from appveyor for
1621 all the available configurations
1625 - url: make Curl_close() NULLify the pointer too
1627 This is the common pattern used in the code and by a unified approach we
1632 - [Trivikram Kamat brought this change]
1634 INSTALL: add missing space for configure commands
1638 - url: Curl_free_request_state() should also free doh handles
1640 ... or risk DoH memory leaks.
1642 Reported-by: Paul Dreik
1646 - examples: remove the "this exact code has not been verified"
1648 ... as really confuses the reader to not know what to believe!
1650 - [Trivikram Kamat brought this change]
1652 HTTP3: fix typo somehere1 > somewhere1
1656 Jay Satiro (28 Oct 2019)
1657 - [Javier Blazquez brought this change]
1659 HTTP3: fix invalid use of sendto for connected UDP socket
1661 On macOS/BSD, trying to call sendto on a connected UDP socket fails
1662 with a EISCONN error. Because the singleipconnect has already called
1663 connect on the socket when we're trying to use it for QUIC transfers
1664 we need to use plain send instead.
1667 Closes https://github.com/curl/curl/pull/4533
1669 Daniel Stenberg (28 Oct 2019)
1670 - RELEASE-NOTES: synced
1672 - [Javier Blazquez brought this change]
1674 HTTP3: fix Windows build
1676 The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv
1677 in order to perform nonblocking operations. On Windows this flag does
1678 not exist. Instead, the socket must be set to nonblocking mode via
1681 This change sets the nonblocking flag on UDP sockets used for QUIC on
1682 all platforms so the use of MSG_DONTWAIT is not needed.
1687 Marcel Raad (27 Oct 2019)
1688 - appveyor: add --disable-proxy autotools build
1690 This would have caught issue #3926.
1692 Also make formatting more consistent.
1694 Closes https://github.com/curl/curl/pull/4526
1696 Daniel Stenberg (25 Oct 2019)
1697 - appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017
1699 ... and invoke "curl -V" once done
1701 Co-Authored-By: Jay Satiro
1705 - [Francois Rivard brought this change]
1707 schannel: reverse the order of certinfo insertions
1712 Marcel Raad (24 Oct 2019)
1713 - test1591: fix spelling of http feature
1715 The test never got run because the feature name is `http` in lowercase.
1717 Closes https://github.com/curl/curl/pull/4520
1719 Daniel Stenberg (23 Oct 2019)
1720 - [Michał Janiszewski brought this change]
1722 appveyor: Use two parallel compilation on appveyor with CMake
1724 Appveyor provides 2 CPUs for each builder[1], make sure to use parallel
1725 compilation, when running with CMake. CMake learned this new option in
1726 version 3.12[2] and the version provided by appveyor is fresh enough.
1728 Curl doesn't really take that long to build and it is using the slowest
1729 builder available, msbuild, so expect only a moderate improvement in
1732 [1] https://www.appveyor.com/docs/build-environment/
1733 [2] https://cmake.org/cmake/help/v3.12/release/3.12.html
1737 - conn-reuse: requests wanting NTLM can reuse non-NTLM connections
1739 Added test case 338 to verify.
1741 Reported-by: Daniel Silverstone
1745 Marcel Raad (23 Oct 2019)
1746 - tests: add missing proxy features
1748 Daniel Stenberg (22 Oct 2019)
1749 - RELEASE-NOTES: synced
1751 Marcel Raad (21 Oct 2019)
1752 - tests: use %FILE_PWD for file:// URLs
1754 This way, we always have exactly one slash after the host name, making
1755 the tests pass when curl is compiled with the MSYS GCC.
1757 Closes https://github.com/curl/curl/pull/4512
1759 - tests: add `connect to non-listen` keywords
1761 These tests try to connect to ports nothing is listening on.
1763 Closes https://github.com/curl/curl/pull/4511
1765 - runtests: get textaware info from curl instead of perl
1767 The MSYS system on Windows can run the test suite for curl built with
1768 any toolset. When built with the MSYS GCC, curl uses Unix line endings,
1769 while it uses Windows line endings when built with the MinGW GCC, and
1770 `^O` reports 'msys' in both cases. Use the curl executable itself to
1771 determine the line endings instead, which reports 'x86_64-pc-msys' when
1772 built with the MSYS GCC.
1774 Closes https://github.com/curl/curl/pull/4506
1776 Daniel Stenberg (20 Oct 2019)
1777 - [Michał Janiszewski brought this change]
1779 appveyor: Add MSVC ARM64 build
1783 - http2_recv: a closed stream trumps pause state
1785 ... and thus should return 0, not EAGAIN.
1787 Reported-by: Tom van der Woerdt
1791 - http2: expire a timeout at end of stream
1793 To make sure that transfer is being dealt with. Streams without
1794 Content-Length need a final read to notice the end-of-stream state.
1796 Reported-by: Tom van der Woerdt
1799 Dan Fandrich (18 Oct 2019)
1800 - travis: Add an ARM64 build
1802 Test 323 is failing for some reason, so disable it there for now.
1804 Marcel Raad (18 Oct 2019)
1805 - examples/sslbackend: fix -Wchar-subscripts warning
1807 With the `isdigit` implementation that comes with MSYS2, the argument
1808 is used as an array subscript, resulting in a -Wchar-subscripts
1809 warning. `isdigit`'s behavior is undefined if the argument is negative
1810 and not EOF [0]. As done in lib/curl_ctype.h, cast the `char` variable
1811 to `unsigned char` to avoid that.
1813 [0] https://en.cppreference.com/w/c/string/byte/isdigit
1815 Closes https://github.com/curl/curl/pull/4503
1817 Daniel Stenberg (18 Oct 2019)
1818 - configure: remove all cyassl references
1820 In particular, this removes the case where configure would find an old
1821 cyall installation rather than a wolfssl one if present. The library is
1822 named wolfssl in modern days so there's no real need to keep support for
1825 Reported-by: Jacob Barthelmeh
1828 Marcel Raad (17 Oct 2019)
1829 - test1162: disable MSYS2's POSIX path conversion
1831 This avoids MSYS2 converting the backslasb in the URL to a slash,
1832 causing the test to fail.
1834 Daniel Stenberg (17 Oct 2019)
1835 - RELEASE-NOTES: synced
1837 Jay Satiro (16 Oct 2019)
1838 - CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time
1840 Prior to this change some users did not understand that the "request"
1841 starts when the handle is added to the multi handle, or probably they
1842 did not understand that some of those transfers may be queued and that
1843 time is included in timeout.
1845 Reported-by: Jeroen Ooms
1847 Fixes https://github.com/curl/curl/issues/4486
1848 Closes https://github.com/curl/curl/pull/4489
1850 - [Stian Soiland-Reyes brought this change]
1852 tool_operate: Fix retry sleep time shown to user when Retry-After
1854 - If server header Retry-After is being used for retry sleep time then
1855 show that value to the user instead of the normal retry sleep time.
1857 This is a follow-up to 640b973 (7.66.0) which changed curl tool so that
1858 the value from Retry-After header overrides other retry timing options.
1860 Closes https://github.com/curl/curl/pull/4498
1862 Daniel Stenberg (16 Oct 2019)
1863 - url: normalize CURLINFO_EFFECTIVE_URL
1865 The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as
1866 input in most cases, which made it not get a scheme prefixed like before
1867 if the URL was given without one, and it didn't remove dotdot sequences
1870 Added test case 1907 to verify that this now works as intended and as
1873 Regression introduced in 7.62.0
1875 Reported-by: Christophe Dervieux
1879 Marcel Raad (16 Oct 2019)
1880 - tests: line ending fixes for Windows
1882 Mark some files as text.
1884 Closes https://github.com/curl/curl/pull/4490
1886 - tests: use proxy feature
1888 This makes the tests succeed when using --disable-proxy.
1890 Closes https://github.com/curl/curl/pull/4488
1892 - smbserver: fix Python 3 compatibility
1894 Python 2's `ConfigParser` module is spelled `configparser` in Python 3.
1896 Closes https://github.com/curl/curl/pull/4484
1898 - security: silence conversion warning
1900 With MinGW-w64, `curl_socket_t` is is a 32 or 64 bit unsigned integer,
1901 while `read` expects a 32 bit signed integer.
1902 Use `sread` instead of `read` to use the correct parameter type.
1904 Closes https://github.com/curl/curl/pull/4483
1906 - connect: silence sign-compare warning
1908 With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the
1909 result of `sizeof` is unsigned.
1911 Closes https://github.com/curl/curl/pull/4483
1913 Daniel Stenberg (13 Oct 2019)
1914 - TODO: Handle growing SFTP files
1918 - KNOWN_BUGS: remove "CURLFORM_CONTENTLEN in an array"
1920 The curl_formadd() function is deprecated and shouldn't be used so the
1921 real fix for applications is to switch to the curl_mime_* API.
1923 - KNOWN_BUGS: "LDAP on Windows does authentication wrong"
1927 - appveyor: add a winbuild that uses VS2017
1931 - [Harry Sintonen brought this change]
1933 socketpair: fix include and define for older TCP header systems
1935 fixed build for systems that need netinet/in.h for IPPROTO_TCP and are
1936 missing INADDR_LOOPBACK
1940 - socketpair: fix double-close in error case
1942 Follow-up to bc2dbef0afc08
1944 - gskit: use the generic Curl_socketpair
1946 - asyn-thread: make use of Curl_socketpair() where available
1948 - socketpair: an implemention for Windows and more
1950 Curl_socketpair() is designed to be used and work everywhere if there's
1951 no native version or the native version isn't good enough.
1955 - RELEASE-NOTES: synced
1957 - connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
1959 Previosly all connect() failures would return CURLE_COULDNT_CONNECT, no
1960 matter what errno said.
1962 This makes for example --retry work on these transfer failures.
1964 Reported-by: Nathaniel J. Smith
1968 - cirrus: switch off blackhole status on the freebsd CI machines
1970 - tests: use port 2 instead of 60000 for a safer non-listening port
1972 ... when the tests want "connection refused".
1974 - KNOWN_BUGS: IDN tests failing on Windows
1978 Dan Fandrich (9 Oct 2019)
1979 - cirrus: Increase the git clone depth.
1981 If more commits are submitted to master between the time of triggering
1982 the first Cirrus build and the time the final build gets started, the
1983 desired commit is no longer at HEAD and the build will error out.
1986 Daniel Stenberg (9 Oct 2019)
1987 - docs: make sure the --no-progress-meter docs file is in dist too
1989 - docs: document it as --no-progress-meter instead of the reverse
1991 Follow-up to 93373a960c3bb4
1993 Reported-by: infinnovation-dev on github
1997 Dan Fandrich (9 Oct 2019)
1998 - cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build.
2000 Also, select the images using image_family to get the latest snapshots
2004 Daniel Stenberg (8 Oct 2019)
2005 - curl: --no-progress-meter
2007 New option that allows a user to ONLY switch off curl's progress meter
2008 and leave everything else in "talkative" mode.
2010 Reported-by: Piotr Komborski
2014 - TODO: Consult %APPDATA% also for .netrc
2018 - CURLOPT_TIMEOUT.3: remove the mention of "minutes"
2020 ... just say that limiting operations risk aborting otherwise fine
2021 working transfers. If that means seconds, minutes or hours, we leave to
2024 Reported-by: Martin Gartner
2027 - [Andrei Valeriu BICA brought this change]
2029 docs: added multi-event.c example
2031 Similar to multi-uv.c but using libevent 2. This is a simpler libevent
2032 integration example then hiperfifo.c.
2036 Jay Satiro (5 Oct 2019)
2037 - [Nicolas brought this change]
2039 ldap: fix OOM error on missing query string
2041 - Allow missing queries, don't return NO_MEMORY error in such a case.
2043 It is acceptable for there to be no specified query string, for example:
2045 curl ldap://ldap.forumsys.com
2047 A regression bug in 1b443a7 caused this issue.
2049 This is a partial fix for #4261.
2051 Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077
2052 Reported-by: Jojojov@users.noreply.github.com
2053 Analyzed-by: Samuel Surtees
2055 Closes https://github.com/curl/curl/pull/4467
2057 - [Paul B. Omta brought this change]
2059 build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
2061 Closes https://github.com/curl/curl/pull/4460
2063 Daniel Stenberg (5 Oct 2019)
2064 - RELEASE-NOTES: synced
2066 - [Stian Soiland-Reyes brought this change]
2068 curl: ensure HTTP 429 triggers --retry
2070 This completes #3794.
2072 Also make sure the new tests from #4195 are enabled
2076 Marcel Raad (4 Oct 2019)
2077 - [apique brought this change]
2079 winbuild: add ENABLE_UNICODE option
2081 Fixes https://github.com/curl/curl/issues/4308
2082 Closes https://github.com/curl/curl/pull/4309
2084 Daniel Stenberg (4 Oct 2019)
2085 - ngtcp2: adapt to API change
2089 - cookies: change argument type for Curl_flush_cookies
2091 The second argument is really a 'bool' so use that and pass in TRUE/FALSE
2096 - http2: move state-init from creation to pre-transfer
2098 To make sure that the HTTP/2 state is initialized correctly for
2099 duplicated handles. It would otherwise easily generate "spurious"
2100 PRIORITY frames to get sent over HTTP/2 connections when duplicated easy
2103 Reported-by: Daniel Silverstone
2107 - urlapi: fix use-after-free bug
2109 Follow-up from 2c20109a9b5d04
2111 Added test 663 to verify.
2113 Reported by OSS-Fuzz
2114 Bug: https://crbug.com/oss-fuzz/17954
2118 - [Paul Dreik brought this change]
2120 cookie: avoid harmless use after free
2122 This fix removes a use after free which can be triggered by
2123 the internal cookie fuzzer, but otherwise is probably
2124 impossible to trigger from an ordinary application.
2126 The following program reproduces it:
2128 curl_global_init(CURL_GLOBAL_DEFAULT);
2129 CURL* handle=curl_easy_init();
2130 CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false);
2131 curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
2132 Curl_flush_cookies(handle, true);
2133 Curl_cookie_cleanup(info);
2134 curl_easy_cleanup(handle);
2135 curl_global_cleanup();
2137 This was found through fuzzing.
2141 - [Denis Chaplygin brought this change]
2143 docs: add note on failed handles not being counted by curl_multi_perform
2147 - CURLMOPT_MAX_CONCURRENT_STREAMS.3: fix SEE ALSO typo
2149 - [Niall O'Reilly brought this change]
2151 ESNI: initial build/setup
2155 - RELEASE-NOTES: synced
2157 - redirect: when following redirects to an absolute URL, URL encode it
2159 ... to make it handle for example (RFC violating) embeded spaces.
2161 Reported-by: momala454 on github
2165 - urlapi: fix URL encoding when setting a full URL
2167 - tool_operate: rename functions to make more sense
2169 - curl: create easy handles on-demand and not ahead of time
2171 This should again enable crazy-large download ranges of the style
2172 [1-10000000] that otherwise easily ran out of memory starting in 7.66.0
2173 when this new handle allocating scheme was introduced.
2175 Reported-by: Peter Sumatra
2179 - [Kunal Ekawde brought this change]
2181 CURLMOPT_MAX_CONCURRENT_STREAMS: new setopt
2185 - chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
2187 Unknown content-encoding would get returned as CURLE_WRITE_ERROR if the
2188 response is chunked-encoded.
2190 Reported-by: Ilya Kosarev
2194 Marcel Raad (1 Oct 2019)
2195 - checksrc: fix uninitialized variable warning
2197 The loop doesn't need to be executed without a file argument.
2199 Closes https://github.com/curl/curl/pull/4444
2201 - urlapi: fix unused variable warning
2203 `dest` is only used with `ENABLE_IPV6`.
2205 Closes https://github.com/curl/curl/pull/4444
2207 - lib: silence conversion warnings
2209 Closes https://github.com/curl/curl/pull/4444
2211 - AppVeyor: add 32-bit MinGW-w64 build
2213 With WinSSL and testing enabled so that it would have detected most of
2214 the warnings fixed in [0] and [1].
2216 [0] https://github.com/curl/curl/pull/4398
2217 [1] https://github.com/curl/curl/pull/4415
2219 Closes https://github.com/curl/curl/pull/4433
2221 - AppVeyor: remove MSYS2_ARG_CONV_EXCL for winbuild
2223 It's only used for MSYS2 with MinGW.
2227 Daniel Stenberg (30 Sep 2019)
2228 - [Emil Engler brought this change]
2230 git: add tests/server/disabled to .gitignore
2234 - altsvc: accept quoted ma and persist values
2236 As mandated by the spec. Test 1654 is extended to verify.
2240 - mailmap: a Lucas fix
2242 Alessandro Ghedini (29 Sep 2019)
2243 - [Lucas Pardue brought this change]
2245 quiche: update HTTP/3 config creation to new API
2247 Daniel Stenberg (29 Sep 2019)
2248 - BINDINGS: PureBasic, Net::Curl for perl and Nim
2250 - BINDINGS: Kapito is an Erlang library, basically a binding
2252 - BINDINGS: added clj-curl
2254 Reported-by: Lucas Severo
2256 - [Jay Satiro brought this change]
2258 docs: disambiguate CURLUPART_HOST is for host name (ie no port)
2262 - cookies: using a share with cookies shouldn't enable the cookie engine
2264 The 'share object' only sets the storage area for cookies. The "cookie
2265 engine" still needs to be enabled or activated using the normal cookie
2268 This caused the curl command line tool to accidentally use cookies
2269 without having been told to, since curl switched to using shared cookies
2279 - setopt: handle ALTSVC set to NULL
2281 - RELEASE-NOTES: synced
2283 - [grdowns brought this change]
2285 INSTALL: add vcpkg installation instructions
2289 - [Zenju brought this change]
2291 FTP: add test for FTPFILE_NOCWD: Avoid redundant CWDs
2297 - [Zenju brought this change]
2299 FTP: url-decode path before evaluation
2303 Marcel Raad (27 Sep 2019)
2304 - tests: fix narrowing conversion warnings
2306 `timediff_t` is 64 bits wide also on 32-bit systems since
2309 Closes https://github.com/curl/curl/pull/4415
2311 Jay Satiro (27 Sep 2019)
2312 - [julian brought this change]
2314 vtls: Fix comment typo about macosx-version-min compiler flag
2316 Closes https://github.com/curl/curl/pull/4425
2318 Daniel Stenberg (26 Sep 2019)
2319 - [Yechiel Kalmenson brought this change]
2321 README: minor grammar fix
2325 - [Spezifant brought this change]
2327 HTTP3: fix prefix parameter for ngtcp2 build
2331 - quiche: don't close connection at end of stream!
2333 - quiche: set 'drain' when returning without having drained the queues
2335 - Revert "FTP: url-decode path before evaluation"
2337 This reverts commit 2f036a72d543e96128bd75cb0fedd88815fd42e2.
2339 - HTTP3: merged and simplified the two 'running' sections
2341 - HTTP3: show an --alt-svc using example too
2343 - [Zenju brought this change]
2345 FTP: url-decode path before evaluation
2349 - openssl: use strerror on SSL_ERROR_SYSCALL
2351 Instead of showing the somewhat nonsensical errno number, use strerror()
2352 to provide a more relatable error message.
2356 - HTTP3: update quic.aiortc.org + add link to server list
2358 Reported-by: Jeremy Lainé
2360 Jay Satiro (26 Sep 2019)
2361 - url: don't set appconnect time for non-ssl/non-ssh connections
2363 Prior to this change non-ssl/non-ssh connections that were reused set
2364 TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH
2365 handshake took place.
2367 [1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in
2368 libcurl and %{time_appconnect} in the curl tool. It is documented as
2369 "the time until the SSL/SSH handshake is completed".
2371 Reported-by: Marcel Hernandez
2373 Ref: https://github.com/curl/curl/issues/3760
2375 Closes https://github.com/curl/curl/pull/3773
2377 Daniel Stenberg (25 Sep 2019)
2378 - ngtcp2: remove fprintf() calls
2380 - convert some of them to H3BUF() calls to infof()
2381 - remove some of them completely
2382 - made DEBUG_HTTP3 defined only if CURLDEBUG is set for now
2386 - [Jay Satiro brought this change]
2388 url: fix the NULL hostname compiler warning case
2392 - [Jay Satiro brought this change]
2394 travis: move the go install to linux-only
2396 ... to repair the build again
2399 - altsvc: correct the #ifdef for the ngtcp2 backend
2401 - altsvc: save h3 as h3-23
2403 Follow-up to d176a2c7e5
2405 - urlapi: question mark within fragment is still fragment
2407 The parser would check for a query part before fragment, which caused it
2408 to do wrong when the fragment contains a question mark.
2410 Extended test 1560 to verify.
2412 Reported-by: Alex Konev
2416 - [Alex Samorukov brought this change]
2418 HTTP3.md: move -p for mkdir, remove -j for make
2420 - mkdir on OSX/Darwin requires `-p` argument before dir
2422 - portabbly figuring out number of cores is an exercise for somewhere
2427 Patrick Monnerat (24 Sep 2019)
2428 - os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr,
2430 As libcurl now uses these 2 system functions, wrappers are needed on os400
2431 to convert returned AF_UNIX sockaddrs to ascii.
2433 This is a follow-up to commit 7fb54ef.
2437 Jay Satiro (24 Sep 2019)
2438 - [Lucas Pardue brought this change]
2440 strcase: fix raw lowercasing the letter X
2442 Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to
2445 Follow-up to 0023fce which added the function several days ago.
2447 Ref: https://github.com/curl/curl/pull/4401#discussion_r327396546
2449 Closes https://github.com/curl/curl/pull/4408
2451 Daniel Stenberg (23 Sep 2019)
2452 - http2: Expression 'stream->stream_id != - 1' is always true
2457 - http2: A value is being subtracted from the unsigned variable
2462 - libssh: part of conditional expression is always true: !result
2467 - libssh: part of conditional expression is always true
2472 - libssh: The expression is excessive or contains a misprint
2477 - quiche: The expression must be surrounded by parentheses
2482 - vauth: The parameter 'status' must be surrounded by parentheses
2487 - [Paul Dreik brought this change]
2489 doh: allow only http and https in debug mode
2491 Otherwise curl may be told to use for instance pop3 to
2492 communicate with the doh server, which most likely
2493 is not what you want.
2495 Found through fuzzing.
2499 - [Paul Dreik brought this change]
2501 doh: return early if there is no time left
2505 - [Barry Pollard brought this change]
2507 http: lowercase headernames for HTTP/2 and HTTP/3
2512 Marcel Raad (23 Sep 2019)
2513 - vtls: fix narrowing conversion warnings
2515 Curl_timeleft returns `timediff_t`, which is 64 bits wide also on
2516 32-bit systems since commit b1616dad8f0.
2518 Closes https://github.com/curl/curl/pull/4398
2520 Daniel Stenberg (23 Sep 2019)
2521 - [Joel Depooter brought this change]
2523 winbuild: Add manifest to curl.exe for proper OS version detection
2525 This is a small fix to commit ebd213270a017a6830928ee2e1f4a9cabc799898
2526 in pull request #1221. That commit added the CURL_EMBED_MANIFEST flag to
2527 CURL_RC_FLAGS. However, later in the file CURL_RC_FLAGS is
2528 overwritten. The fix is to append values to CURL_RC_FLAGS instead of
2533 - RELEASE-NOTES: synced
2535 Marcel Raad (22 Sep 2019)
2536 - openssl: fix compiler warning with LibreSSL
2538 It was already fixed for BoringSSL in commit a0f8fccb1e0.
2539 LibreSSL has had the second argument to SSL_CTX_set_min_proto_version
2540 as uint16_t ever since the function was added in [0].
2542 [0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda
2544 Closes https://github.com/curl/curl/pull/4397
2546 Daniel Stenberg (22 Sep 2019)
2547 - curl: exit the create_transfers loop on errors
2549 When looping around the ranges and given URLs to create transfers, all
2550 errors should exit the loop and return. Previously it would keep
2553 Reported-by: SumatraPeter on github
2557 Jay Satiro (21 Sep 2019)
2558 - socks: Fix destination host shown on SOCKS5 error
2560 Prior to this change when a server returned a socks5 connect error then
2561 curl would parse the destination address:port from that data and show it
2562 to the user as the destination:
2564 curld -v --socks5 10.0.3.1:1080 http://google.com:99
2565 * SOCKS5 communication to google.com:99
2566 * SOCKS5 connect to IPv4 172.217.12.206 (locally resolved)
2567 * Can't complete SOCKS5 connection to 253.127.0.0:26673. (1)
2568 curl: (7) Can't complete SOCKS5 connection to 253.127.0.0:26673. (1)
2570 That's incorrect because the address:port included in the connect error
2571 is actually a bind address:port (typically unused) and not the
2572 destination address:port. This fix changes curl to show the destination
2573 information that curl sent to the server instead:
2575 curld -v --socks5 10.0.3.1:1080 http://google.com:99
2576 * SOCKS5 communication to google.com:99
2577 * SOCKS5 connect to IPv4 172.217.7.14:99 (locally resolved)
2578 * Can't complete SOCKS5 connection to 172.217.7.14:99. (1)
2579 curl: (7) Can't complete SOCKS5 connection to 172.217.7.14:99. (1)
2581 curld -v --socks5-hostname 10.0.3.1:1080 http://google.com:99
2582 * SOCKS5 communication to google.com:99
2583 * SOCKS5 connect to google.com:99 (remotely resolved)
2584 * Can't complete SOCKS5 connection to google.com:99. (1)
2585 curl: (7) Can't complete SOCKS5 connection to google.com:99. (1)
2587 Ref: https://tools.ietf.org/html/rfc1928#section-6
2589 Closes https://github.com/curl/curl/pull/4394
2591 Daniel Stenberg (21 Sep 2019)
2592 - travis: enable ngtcp2 h3-23 builds
2594 - altsvc: both backends run h3-23 now
2598 - http: fix warning on conversion from int to bit
2600 Follow-up from 03ebe66d70
2602 - urldata: use 'bool' for the bit type on MSVC compilers
2607 - appveyor: upgrade VS2017 to VS2019
2611 - [Zenju brought this change]
2613 FTP: FTPFILE_NOCWD: avoid redundant CWDs
2617 - cookie: pass in the correct cookie amount to qsort()
2619 As the loop discards cookies without domain set. This bug would lead to
2620 qsort() trying to sort uninitialized pointers. We have however not found
2621 it a security problem.
2623 Reported-by: Paul Dreik
2626 - [Paul Dreik brought this change]
2628 urlapi: avoid index underflow for short ipv6 hostnames
2630 If the input hostname is "[", hlen will underflow to max of size_t when
2631 it is subtracted with 2.
2633 hostname[hlen] will then cause a warning by ubsanitizer:
2635 runtime error: addition of unsigned offset to 0x<snip> overflowed to
2638 I think that in practice, the generated code will work, and the output
2639 of hostname[hlen] will be the first character "[".
2641 This can be demonstrated by the following program (tested in both clang
2645 char* hostname=strdup("[");
2646 size_t hlen = strlen(hostname);
2650 printf("character is %d\n",+hostname[hlen]);
2654 I found this through fuzzing, and even if it seems harmless, the proper
2655 thing is to return early with an error.
2659 - [Tatsuhiro Tsujikawa brought this change]
2661 ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
2665 - THANKS-filter: deal with my typos 'Jat' => 'Jay'
2667 - travis: use go master
2669 ... as the boringssl builds needs a very recent version
2671 Co-authored-by: Jat Satiro
2674 - tool_operate: removed unused variable 'done'
2676 Fixes warning detected by PVS-Studio
2679 - tool_operate: Expression 'config->resume_from' is always true
2681 Fixes warning detected by PVS-Studio
2684 - tool_getparam: remove duplicate switch case
2686 Fixes warning detected by PVS-Studio
2689 - libssh2: part of conditional expression is always true: !result
2691 Fixes warning detected by PVS-Studio
2694 - urlapi: Expression 'storep' is always true
2696 Fixes warning detected by PVS-Studio
2699 - urlapi: 'scheme' is always true
2701 Fixes warning detected by PVS-Studio
2704 - urlapi: part of conditional expression is always true: (relurl[0] == '/')
2706 Fixes warning detected by PVS-Studio
2709 - setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
2711 Fixes bug detected by PVS-Studio
2714 - mime: make Curl_mime_duppart() assert if called without valid dst
2716 Fixes warning detected by PVS-Studio
2719 - http_proxy: part of conditional expression is always true: !error
2721 Fixes warning detected by PVS-Studio
2724 - imap: merged two case-branches performing the same action
2726 Fixes warning detected by PVS-Studio
2729 - multi: value '2L' is assigned to a boolean
2731 Fixes warning detected by PVS-Studio
2734 - easy: part of conditional expression is always true: !result
2736 Fixes warning detected by PVS-Studio
2739 - netrc: part of conditional expression is always true: !done
2741 Fixes warning detected by PVS-Studio
2744 - version: Expression 'left > 1' is always true
2746 Fixes warning detected by PVS-Studio
2749 - url: remove dead code
2751 Fixes warning detected by PVS-Studio
2754 - url: part of expression is always true: (bundle->multiuse == 0)
2756 Fixes warning detected by PVS-Studio
2759 - ftp: the conditional expression is always true
2761 ... both !result and (ftp->transfer != FTPTRANSFER_BODY)!
2763 Fixes warning detected by PVS-Studio
2766 - ftp: Expression 'ftpc->wait_data_conn' is always false
2768 Fixes warning detected by PVS-Studio
2771 - ftp: Expression 'ftpc->wait_data_conn' is always true
2773 Fixes warning detected by PVS-Studio
2776 - ftp: part of conditional expression is always true: !result
2778 Fixes warning detected by PVS-Studio
2781 - http: fix Expression 'http->postdata' is always false
2783 Fixes warning detected by PVS-Studio
2785 Reported-by: Valerii Zapodovnikov
2787 - [Niall O'Reilly brought this change]
2789 doh: avoid truncating DNS QTYPE to lower octet
2793 - [Jens Finkhaeuser brought this change]
2795 urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
2797 CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not
2798 "file:///") to override cURL's default demand that an authority exists.
2802 - version: next release will be 7.67.0
2804 - RELEASE-NOTES: synced
2806 - url: only reuse TLS connections with matching pinning
2808 If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the
2809 connection should not be reused.
2811 Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
2812 Reported-by: Sebastian Haglund
2816 - README: add OSS-Fuzz badge [skip ci]
2820 Michael Kaufmann (18 Sep 2019)
2821 - http: merge two "case" statements
2823 Daniel Stenberg (18 Sep 2019)
2824 - [Zenju brought this change]
2826 FTP: remove trailing slash from path for LIST/MLSD
2830 - mime: when disabled, avoid C99 macro
2834 - url: cleanup dangling DOH request headers too
2836 Follow-up to 9bc44ff64d9081
2839 Bug: https://crbug.com/oss-fuzz/17269
2843 - [Christoph M. Becker brought this change]
2845 http2: relax verification of :authority in push promise requests
2847 If the :authority pseudo header field doesn't contain an explicit port,
2848 we assume it is valid for the default port, instead of rejecting the
2849 request for all ports.
2851 Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html
2855 - doh: clean up dangling DOH handles and memory on easy close
2857 If you set the same URL for target as for DoH (and it isn't a DoH
2858 server), like "https://example.com" in both, the easy handles used for
2859 the DoH requests could be left "dangling" and end up not getting freed.
2861 Reported-by: Paul Dreik
2864 - unit1655: make it C90 compliant
2866 Unclear why this was not detected in the CI.
2868 Follow-up to b7666027296a
2870 - smb: check for full size message before reading message details
2872 To avoid reading of uninitialized data.
2874 Assisted-by: Max Dymond
2875 Bug: https://crbug.com/oss-fuzz/16907
2878 - quiche: persist connection details
2880 ... like we do for other protocols at connect time. This makes "curl -I"
2881 and other things work.
2883 Reported-by: George Liu
2887 - openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version
2889 Follow-up to ffe34b7b59
2892 - [Paul Dreik brought this change]
2894 doh: fix undefined behaviour and open up for gcc and clang optimization
2896 The undefined behaviour is annoying when running fuzzing with
2897 sanitizers. The codegen is the same, but the meaning is now not up for
2898 dispute. See https://cppinsights.io/s/516a2ff4
2900 By incrementing the pointer first, both gcc and clang recognize this as
2901 a bswap and optimizes it to a single instruction. See
2902 https://godbolt.org/z/994Zpx
2906 - [Paul Dreik brought this change]
2908 doh: fix (harmless) buffer overrun
2910 Added unit test case 1655 to verify.
2913 the code correctly finds the flaws in the old code,
2914 if one temporarily restores doh.c to the old version.
2916 Alessandro Ghedini (15 Sep 2019)
2917 - docs: remove trailing ':' from section names in CURLOPT_TRAILER* man
2919 - docs: fix typo in CURLOPT_HTTP_VERSION man
2921 GitHub (14 Sep 2019)
2922 - [Daniel Stenberg brought this change]
2924 CI: inintial github action job
2926 First shot at a CI build on github actions
2928 Daniel Stenberg (13 Sep 2019)
2929 - appveyor: add a winbuild
2931 Assisted-by: Marcel Raad
2932 Assisted-by: Jay Satiro
2936 - FTP: allow "rubbish" prepended to the SIZE response
2938 This is a protocol violation but apparently there are legacy proprietary
2941 Added test 336 and 337 to verify.
2943 Reported-by: Philippe Marguinaud
2946 - [Zenju brought this change]
2948 FTP: skip CWD to entry dir when target is absolute
2952 Kamil Dudka (13 Sep 2019)
2953 - curl: fix memory leaked by parse_metalink()
2955 This commit fixes a regression introduced by curl-7_65_3-5-gb88940850.
2956 Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind
2957 and libmetalink enabled.
2961 Daniel Stenberg (13 Sep 2019)
2962 - parsedate: still provide the name arrays when disabled
2964 If FILE or FTP are enabled, since they also use them!
2966 Reported-by: Roland Hieber
2970 - [Gilles Vollant brought this change]
2972 curl:file2string: load large files much faster
2974 ... by using a more efficient realloc scheme.
2976 Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html
2979 - openssl: close_notify on the FTP data connection doesn't mean closure
2981 For FTPS transfers, curl gets close_notify on the data connection
2982 without that being a signal to close the control connection!
2984 Regression since 3f5da4e59a556fc (7.65.0)
2986 Reported-by: Zenju on github
2987 Reviewed-by: Jay Satiro
2991 - [Jimmy Gaussen brought this change]
2993 docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
2997 - RELEASE-NOTES: synced
2999 - curlver: bump to 7.66.1
3001 - [Zenju brought this change]
3003 setopt: make it easier to add new enum values
3005 ... by using the *_LAST define names better.
3009 - asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
3011 Reported-by: Dagobert Michelsen
3015 - [Bernhard Walle brought this change]
3017 winbuild/MakefileBuild.vc: Add vssh
3019 Without that modification, the Windows build using the makefiles doesn't
3022 Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu>
3027 Bernhard Walle (11 Sep 2019)
3028 - winbuild/MakefileBuild.vc: Fix line endings
3030 The file had mixed line endings.
3032 Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu>
3034 Jay Satiro (11 Sep 2019)
3035 - ldap: Stop using wide char version of ldapp_err2string
3037 Despite ldapp_err2string being documented by MS as returning a
3038 PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and
3039 returns PWCHAR (wchar_t *).
3041 We have lots of code that expects ldap_err2string to return char *,
3042 most of it failf used like this:
3044 failf(data, "LDAP local: Some error: %s", ldap_err2string(rc));
3046 Closes https://github.com/curl/curl/pull/4272
3048 Version 7.66.0 (10 Sep 2019)
3050 Daniel Stenberg (10 Sep 2019)
3051 - RELEASE-NOTES: curl 7.66.0
3053 - THANKS: from the 7.66.0 release
3055 - curl: make sure the parallel transfers do them all
3057 The logic could erroneously break the loop too early before all
3058 transfers had been transferred.
3060 Reported-by: Tom van der Woerdt
3064 - urlapi: one colon is enough for the strspn() input (typo)
3066 - urlapi: verify the IPv6 numerical address
3068 It needs to parse correctly. Otherwise it could be tricked into letting
3069 through a-f using host names that libcurl would then resolve. Like
3072 Reported-by: Thomas Vegas
3075 - [Clément Notin brought this change]
3077 openssl: use SSL_CTX_set_<min|max>_proto_version() when available
3079 OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
3080 when available. Existing code is preserved for older versions of
3085 - [Clément Notin brought this change]
3087 openssl: indent, re-organize and add comments
3089 - [migueljcrum brought this change]
3091 sspi: fix memory leaks
3095 - travis: disable ngtcp2 builds (again)
3097 - Curl_fillreadbuffer: avoid double-free trailer buf on error
3099 Reviewed-by: Jay Satiro
3100 Reported-by: Thomas Vegas
3104 - tool_setopt: handle a libcurl build without netrc support
3106 Reported-by: codesniffer13 on github
3110 - security:read_data fix bad realloc()
3112 ... that could end up a double-free
3115 Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
3117 - [Thomas Vegas brought this change]
3119 tftp: Alloc maximum blksize, and use default unless OACK is received
3121 Fixes potential buffer overflow from 'recvfrom()', should the server
3122 return an OACK without blksize.
3124 Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
3127 - [Thomas Vegas brought this change]
3129 tftp: return error when packet is too small for options
3131 - KNOWN_BUGS/TODO: cleanup and remove outdated issues
3133 - RELEASE-NOTES: synced
3135 - netrc: free 'home' on error
3137 Follow-up to f9c7ba9096ec2
3139 Coverity CID 1453474
3143 - urldata: avoid 'generic', use dedicated pointers
3145 For the 'proto' union within the connectdata struct.
3149 - cleanup: move functions out of url.c and make them static
3153 - smtp: check for and bail out on too short EHLO response
3155 Otherwise, a three byte response would make the smtp_state_ehlo_resp()
3159 Bug: https://crbug.com/oss-fuzz/16918
3161 Assisted-by: Max Dymond
3165 - smb: init *msg to NULL in smb_send_and_recv()
3167 ... it might otherwise return OK from this function leaving that pointer
3170 Bug: https://crbug.com/oss-fuzz/16907
3174 - ROADMAP: updated after recent user poll
3178 - THANKS: remove duplicate
3180 - Curl_addr2string: take an addrlen argument too
3182 This allows the function to figure out if a unix domain socket has a
3183 file name or not associated with it! When a socket is created with
3184 socketpair(), as done in the fuzzer testing, the path struct member is
3185 uninitialized and must not be accessed.
3187 Bug: https://crbug.com/oss-fuzz/16699
3191 - [Rolf Eike Beer brought this change]
3193 CMake: remove needless newlines at end of gss variables
3195 - [Rolf Eike Beer brought this change]
3197 CI: remove duplicate configure flag for LGTM.com
3199 - [Rolf Eike Beer brought this change]
3201 CMake: use platform dependent name for dlopen() library
3205 - quiche: expire when poll returned data
3207 ... to make sure we continue draining the queue until empty
3211 - quiche: decrease available buffer size, don't assign it!
3213 Found-by: Jeremy Lainé
3215 - RELEASE-NOTES: synced
3217 - [Kyohei Kadota brought this change]
3219 curl: fix include conditions
3221 - [Kyohei Kadota brought this change]
3223 plan9: fix installation instructions
3227 - ngtcp2: on h3 stream close, call expire
3229 ... to trigger a new read to detect the stream close!
3233 - [Tatsuhiro Tsujikawa brought this change]
3235 ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl
3239 - ngtcp2: set flow control window to stream buffer size
3243 - [Christopher Head brought this change]
3245 CURLOPT_HEADERFUNCTION.3: clarify
3249 - CURLINFO docs: mention that in redirects times are added
3251 Suggested-by: Brandon Dong
3255 - travis: enable ngtcp2 builds again
3257 Switched to the openssl-quic-draft-22 openssl branch.
3261 - HTTP3: switched openssl branch to use
3263 - [Tatsuhiro Tsujikawa brought this change]
3265 ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl
3269 - http2: when marked for closure and wanted to close == OK
3271 It could otherwise return an error even when closed correctly if GOAWAY
3272 had been received previously.
3274 Reported-by: Tom van der Woerdt
3278 - RELEASE-NOTES: synced
3280 - build-openssl: fix build with Visual Studio 2019
3282 Reviewed-by: Marcel Raad
3283 Contributed-by: osabc on github
3287 Kamil Dudka (26 Aug 2019)
3288 - vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure
3290 This is a follow-up to https://github.com/curl/curl/pull/3864 .
3294 Daniel Stenberg (26 Aug 2019)
3295 - KNOWN_BUGS: USE_UNIX_SOCKETS on Windows
3299 - quiche: send the HTTP body correctly on callback uploads
3303 - travis: disable ngtcp2 builds (temporarily)
3305 Just too many API changes right now
3309 - ngtcp2: add support for SSLKEYLOGFILE
3313 - ngtcp2: improve h3 response receiving
3317 - ngtcp2: use nghttp3_version()
3319 - ngtcp2: sync with upstream API changes
3321 Assisted-by: Tatsuhiro Tsujikawa
3323 - [Kyle Abramowitz brought this change]
3325 scp: fix directory name length used in memcpy
3327 Fix read off end of array due to bad pointer math in getworkingpath for
3328 SCP home directory case.
3332 - http: the 'closed' struct field is used by both ngh2 and ngh3
3334 and remove 'header_recvbuf', not used for anything
3336 Reported-by: Jeremy Lainé
3340 - ngtcp2: accept upload via callback
3344 - defines: avoid underscore-prefixed defines
3346 Double-underscored or underscore plus uppercase letter at least.
3348 ... as they're claimed to be reserved.
3350 Reported-by: patnyb on github
3355 - travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL)
3361 - travis: bump to using nghttp2 version 1.39.2
3365 - [Gisle Vanem brought this change]
3367 docs/examples/curlx: fix errors
3369 Initialise 'mimetype' and require the -p12 arg.
3373 - cleanup: remove DOT_CHAR completely
3375 Follow-up to f9c7ba9096ec
3377 The use of DOT_CHAR for ".ssh" was probably a mistake and is removed
3380 Pointed-out-by: Gisle Vanem
3381 Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638
3385 - spnego_sspi: add typecast to fix build warning
3387 Reported in build "Win32 target on Debian Stretch (64-bit) -
3388 i686-w64-mingw32 - gcc-20170516"
3392 - openssl: build warning free with boringssl
3396 - curl: make --libcurl use CURL_HTTP_VERSION_3
3400 - ngtcp2: make postfields-set posts work
3404 - http: remove chunked-encoding and expect header use for HTTP/3
3406 - [Alessandro Ghedini brought this change]
3408 configure: use pkg-config to detect quiche
3410 This removes the need to hard-code the quiche target path in
3413 This depends on https://github.com/cloudflare/quiche/pull/128
3417 - CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
3419 For a long time (since 7.28.1) we've returned error when setting the
3420 value to 1 to make applications notice that we stopped supported the old
3421 behavior for 1. Starting now, we treat 1 and 2 exactly the same.
3425 - curl: use .curlrc (with a dot) on Windows as well
3427 Fall-back to _curlrc if the dot-version is missing.
3429 Co-Authored-By: Steve Holme
3433 - netrc: make the code try ".netrc" on Windows as well
3435 ... but fall back and try "_netrc" too if the dot version didn't work.
3437 Co-Authored-By: Steve Holme
3439 - ngtcp2: use ngtcp2_version() to get the run-time version
3441 ... which of course doesn't have to be the same used at build-time.
3443 Function just recently merged in ngtcp2.
3445 - ngtcp2: move the h3 initing to immediately after the rx key
3447 To fix a segfault and to better deal with 0-RTT
3449 Assisted-by: Tatsuhiro Tsujikawa
3451 - [Alessandro Ghedini brought this change]
3453 quiche: register debug callback once and earlier
3455 The quiche debug callback is global and can only be initialized once, so
3456 make sure we don't do it multiple times (e.g. if multiple requests are
3459 In addition this initializes the callback before the connection is
3460 created, so we get logs for the handshake as well.
3464 - ssh: add a generic Curl_ssh_version function for SSH backends
3468 - base64: check for SSH, not specific SSH backends
3470 - vssh: move ssh init/cleanup functions into backend code
3472 - vssh: create directory for SSH backend code
3474 - TODO/ROADMAP: remove "refuse downgrade redirects" and HTTP/3
3476 HTTP3 is now already in full progress
3478 Downgrade redirects can be achived almost exactly like that by setting
3479 CURLOPT_REDIR_PROTOCOLS.
3481 - RELEASE-NOTES: synced
3483 - travis: add a quiche build
3487 - http: fix use of credentials from URL when using HTTP proxy
3489 When a username and password are provided in the URL, they were wrongly
3490 removed from the stored URL so that subsequent uses of the same URL
3491 wouldn't find the crendentials. This made doing HTTP auth with multiple
3492 connections (like Digest) mishave.
3494 Regression from 46e164069d1a5230 (7.62.0)
3496 Test case 335 added to verify.
3498 Reported-by: Mike Crowe
3503 - [Mike Crowe brought this change]
3505 tests: Replace outdated test case numbering documentation
3507 Tests are no longer grouped by numeric range[1]. Let's stop saying that
3508 and provide some alternative advice for numbering tests.
3510 [1] https://curl.haxx.se/mail/lib-2019-08/0043.html
3514 - travis: reduce number of torture tests in 'coverage'
3516 ... to make it complete in time. This cut seems not almost not affect
3517 the coverage percentage and yet completes within 35 minutes on travis
3518 where the previous runs recently always timed out after 50.
3522 - [Igor Makarov brought this change]
3524 configure: use -lquiche to link to quiche
3528 - ngtcp2: provide the callbacks as a static struct
3530 ... instead of having them in quicsocket
3532 - [Tatsuhiro Tsujikawa brought this change]
3534 ngtcp2: add missing nghttp3_conn_add_write_offset call
3538 - [Tatsuhiro Tsujikawa brought this change]
3540 ngtcp2: deal with stream close
3542 - [Tatsuhiro Tsujikawa brought this change]
3544 ngtcp2: Consume QUIC STREAM data properly
3546 - [Tatsuhiro Tsujikawa brought this change]
3548 ngtcp2: don't reinitialize SSL on Retry
3550 - multi: getsock improvements for QUIC connecting
3552 - connect: connections are persistent by default for HTTP/3
3554 - quiche: happy eyeballs
3558 - ngtcp2: do QUIC connections happy-eyeballs friendly
3560 - curl_version: bump string buffer size to 250
3562 With HTTP/3 libs and plenty TLS libs, I manged to hit the limit (which
3563 causes a truncated output).
3565 - CURLOPT_ALTSVC.3: use a "" file name to not load from a file
3567 Jay Satiro (14 Aug 2019)
3568 - vauth: Use CURLE_AUTH_ERROR for auth function errors
3570 - Add new error code CURLE_AUTH_ERROR.
3572 Prior to this change auth function errors were signaled by
3573 CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was
3574 technically correct.
3576 Ref: https://github.com/curl/curl/pull/3848
3578 Co-authored-by: Dominik Hölzl
3580 Closes https://github.com/curl/curl/pull/3864
3582 Daniel Stenberg (13 Aug 2019)
3583 - curl_version_info: make the quic_version a const
3585 Follow-up from 1a2df1518ad8653f
3589 - examples: add http3.c, altsvc.c and http3-present.c
3593 Peter Wu (13 Aug 2019)
3594 - nss: use TLSv1.3 as default if supported
3596 SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported
3597 range in NSS 3.45. It looks like the intention is to raise the minimum
3598 version rather than lowering the maximum, so adjust accordingly. Note
3599 that the caller (nss_setup_connect) initializes the version range to
3600 (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again.
3603 Reviewed-by: Daniel Stenberg
3604 Reviewed-by: Kamil Dudka
3606 Daniel Stenberg (13 Aug 2019)
3607 - quic.h: remove unused proto
3609 - curl_version_info.3: mentioned ALTSVC and HTTP3
3611 ... and sorted the list alphabetically
3613 - lib/quic.c: unused - removed
3615 - CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED
3617 Follow-up to 98c3f148 that removed it from the header file
3619 - [Junho Choi brought this change]
3621 docs/HTTP3: simplify quiche build instruction
3623 Use --recursive to get boringssl in one line
3627 - altsvc: make it use h3-22 with ngtcp2 as well
3629 - ngtcp2: initial h3 request work
3633 - curl_version_info: offer quic (and h3) library info
3637 - HTTP3: use ngtcp2's draft-22 branch
3639 - RELEASE-NOTES: synced
3641 - CURLOPT_READFUNCTION.3: provide inline example
3643 ... instead of mentioning one in another place
3645 - [Tatsuhiro Tsujikawa brought this change]
3647 ngtcp2: send HTTP/3 request with nghttp3
3649 This commit makes sending HTTP/3 request with nghttp3 work. It
3650 minimally receives HTTP response and calls nghttp3 callbacks, but no
3651 processing is made at the moment.
3655 - nghttp3: initial h3 template code added
3657 - nghttp3: required when ngtcp2 is used for QUIC
3659 - checked for by configure
3660 - updated docs/HTTP3.md
3661 - shown in the version string
3665 - [Eric Wong brought this change]
3667 asyn-thread: issue CURL_POLL_REMOVE before closing socket
3669 This avoids EBADF errors from EPOLL_CTL_DEL operations in the
3670 ephiperfifo.c example. EBADF is dangerous in multi-threaded
3671 applications where I rely on epoll_ctl to operate on the same
3672 epoll description from different threads.
3674 Follow-up to eb9a604f8d7db8
3676 Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html
3679 - [Carlo Marcelo Arenas BelĂłn brought this change]
3681 configure: avoid undefined check_for_ca_bundle
3683 instead of using a "greater than 0" test, check for variable being
3684 set, as it is always set to 1, and could be left unset if non of
3685 OPENSSL MBEDTLS GNUTLS WOLFSSL is being configured for.
3689 - [Tatsuhiro Tsujikawa brought this change]
3691 ngtcp2: Send ALPN h3-22
3695 - [Tatsuhiro Tsujikawa brought this change]
3697 ngtcp2: use ngtcp2_settings_default and specify initial_ts
3699 - curl_global_init_mem.3: mention it was added in 7.12.0
3701 - [Tatsuhiro Tsujikawa brought this change]
3703 ngtcp2: make the QUIC handshake work
3707 - [Alex Mayorga brought this change]
3709 HTTP3.md: Update quiche build instructions
3711 Added cloning for quiche and BoringSSL and modified the build
3712 instructions so they work on a clean folder.
3716 - CURLOPT_H3: removed
3718 There's no use for this anymore and it was never in a release.
3722 - http3: make connection reuse work
3726 - quiche: add SSLKEYLOGFILE support
3728 - cleanup: s/curl_debug/curl_dbg_debug in comments and docs
3730 Leftovers from the function rename back in 76b63489495
3732 Reported-by: Gisle Vanem
3733 Bug: https://github.com/curl/curl/commit/f3e0f071b14fcb46a453f69bdf4e062bcaacf362#com
3738 - RELEASE-NOTES: synced
3740 - alt-svc: add protocol version selection masking
3742 So that users can mask in/out specific HTTP versions when Alt-Svc is
3745 - Removed "h2c" and updated test case accordingly
3746 - Changed how the altsvc struct is laid out
3747 - Added ifdefs to make the unittest run even in a quiche-tree
3751 - http3: fix the HTTP/3 in the request, make alt-svc set right versions
3755 - alt-svc: send Alt-Used: in redirected requests
3759 When using an alternative service, clients SHOULD include an Alt-Used
3760 header field in all requests.
3762 Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus
3765 You can disable sending this header just like you disable any other HTTP
3770 - CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
3772 Even though it cannot fall-back to a lower HTTP version automatically. The
3773 safer way to upgrade remains via CURLOPT_ALTSVC.
3775 CURLOPT_H3 no longer has any bits that do anything and might be removed
3776 before we remove the experimental label.
3778 Updated the curl tool accordingly to use "--http3".
3782 - docs/ALTSVC: remove what works and the experimental explanation
3784 Also, put the TODO items at the bottom.
3788 - docs/EXPERIMENTAL: explain what it means and what's experimental now
3790 - curl: make use of CURLINFO_RETRY_AFTER when retrying
3792 If a Retry-After: header was used in the response, that value overrides
3793 other retry timing options.
3798 - curl: use CURLINFO_PROTOCOL to check for HTTP(s)
3800 ... instead of CURLINFO_EFFECTIVE_URL to avoid string operations.
3802 - CURLINFO_RETRY_AFTER: parse the Retry-After header value
3804 This is only the libcurl part that provides the information. There's no
3805 user of the parsed value. This change includes three new tests for the
3810 - docs/ALTSVC.md: first basic file format description
3812 - curl: have -w's 'http_version' show '3' for HTTP/3
3816 - curl.h: add CURL_HTTP_VERSION_3 to the version enum
3818 It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with
3819 CURLINFO_HTTP_VERSION.
3821 - quiche: make use of the connection timeout API properly
3823 - quiche: make POSTFIELDS posts work
3825 - quiche: improved error handling and memory cleanups
3827 - quiche: flush egress in h3_stream_recv() too
3829 - RELEASE-NOTES: synced
3831 Jay Satiro (6 Aug 2019)
3832 - [Patrick Monnerat brought this change]
3834 os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid().
3836 Ref: https://github.com/curl/curl/issues/3653
3837 Ref: https://github.com/curl/curl/pull/3790
3839 NOTE: This commit was cherry-picked and is part of a series of commits
3840 that added the authzid feature for upcoming 7.66.0. The series was
3841 temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
3844 Closes https://github.com/curl/curl/pull/4186
3846 - tests: Fix the line endings for the SASL alt-auth tests
3848 - Change data and protocol sections to CRLF line endings.
3850 Prior to this change the tests would fail or hang, which is because
3851 certain sections such as protocol require CRLF line endings.
3853 Follow-up to grandparent commit which added the tests.
3855 Ref: https://github.com/curl/curl/issues/3653
3856 Ref: https://github.com/curl/curl/pull/3790
3858 NOTE: This commit was cherry-picked and is part of a series of commits
3859 that added the authzid feature for upcoming 7.66.0. The series was
3860 temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
3863 Closes https://github.com/curl/curl/pull/4186
3865 - [Steve Holme brought this change]
3867 examples: Added SASL PLAIN authorisation identity (authzid) examples
3869 Ref: https://github.com/curl/curl/issues/3653
3870 Ref: https://github.com/curl/curl/pull/3790
3872 NOTE: This commit was cherry-picked and is part of a series of commits
3873 that added the authzid feature for upcoming 7.66.0. The series was
3874 temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
3877 Closes https://github.com/curl/curl/pull/4186
3879 - [Steve Holme brought this change]
3881 curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
3883 Ref: https://github.com/curl/curl/issues/3653
3884 Ref: https://github.com/curl/curl/pull/3790
3886 NOTE: This commit was cherry-picked and is part of a series of commits
3887 that added the authzid feature for upcoming 7.66.0. The series was
3888 temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
3891 Closes https://github.com/curl/curl/pull/4186
3893 - [Steve Holme brought this change]
3895 sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
3897 Added the ability for the calling program to specify the authorisation
3898 identity (authzid), the identity to act as, in addition to the
3899 authentication identity (authcid) and password when using SASL PLAIN
3905 NOTE: This commit was cherry-picked and is part of a series of commits
3906 that added the authzid feature for upcoming 7.66.0. The series was
3907 temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
3910 Closes https://github.com/curl/curl/pull/4186
3912 Daniel Stenberg (6 Aug 2019)
3913 - docs/HTTP3: refreshed as it is now in master and HTTP/3 can be tested
3915 - [Yiming Jing brought this change]
3917 mesalink: implement client authentication
3921 - curl_multi_poll: a sister to curl_multi_wait() that waits more
3923 Repeatedly we see problems where using curl_multi_wait() is difficult or
3924 just awkward because if it has no file descriptor to wait for
3925 internally, it returns immediately and leaves it to the caller to wait
3926 for a small amount of time in order to avoid occasional busy-looping.
3928 This is often missed or misunderstood, leading to underperforming
3931 This change introduces curl_multi_poll() as a replacement drop-in
3932 function that accepts the exact same set of arguments. This function
3933 works identically to curl_multi_wait() - EXCEPT - for the case when
3934 there's nothing to wait for internally, as then this function will by
3935 itself wait for a "suitable" short time before it returns. This
3936 effectiely avoids all risks of busy-looping and should also make it less
3937 likely that apps "over-wait".
3939 This also changes the curl tool to use this funtion internally when
3940 doing parallel transfers and changes curl_easy_perform() to use it
3945 - quiche:h3_stream_recv return 0 at end of stream
3947 ... and remove some verbose messages we don't need. Made transfers from
3948 facebook.com work better.
3950 - altsvc: make quiche use h3-22 now
3952 - quiche: show the actual version number
3954 - quiche: first working HTTP/3 request
3957 - fix use of quiche API
3958 - use download buffer
3959 - separate header/body
3963 - http09: disable HTTP/0.9 by default in both tool and library
3965 As the plan has been laid out in DEPRECATED. Update docs accordingly and
3966 verify in test 1174. Now requires the option to be set to allow HTTP/0.9
3971 - quiche: initial h3 request send/receive
3973 - lib/Makefile.am: make checksrc run in vquic too
3975 - altsvc: fix removal of expired cache entry
3979 - RELEASE-NOTES: synced
3981 Steve Holme (4 Aug 2019)
3982 - md4: Use our own MD4 implementation when no crypto libraries are available
3986 - md4: No need to include Curl_md4.h for each TLS library
3988 - md4: No need for the NTLM code to call Curl_md4it() for each TLS library
3990 As the NTLM code no longer calls any of TLS libraries' specific MD4
3991 functions, there is no need to call this function for each #ifdef.
3993 - md4: Move the mbed TLS MD4 implementation out of the NTLM code
3995 - md4: Move the WinCrypt implementation out of the NTLM code
3997 - md4: Move the SecureTransport implementation out of the NTLM code
3999 - md4: Use the Curl_md4it() function for OpenSSL based NTLM
4001 - md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code
4003 - md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code
4005 Jay Satiro (4 Aug 2019)
4006 - OS400: Add CURLOPT_H3 symbols
4008 Follow-up to 3af0e76 which added experimental H3 support.
4010 Closes https://github.com/curl/curl/pull/4185
4012 Daniel Stenberg (3 Aug 2019)
4013 - url: make use of new HTTP version if alt-svc has one
4015 - url: set conn->transport to default TCP at init time
4017 - altsvc: with quiche, use the quiche h3 alpn string
4021 - alt-svc: more liberal ALPN name parsing
4023 Allow pretty much anything to be part of the ALPN identifier. In
4024 particular minus, which is used for "h3-20" (in-progress HTTP/3
4030 - quiche: use the proper HTTP/3 ALPN
4032 - quiche: add failf() calls for two error cases
4038 - mailmap: added Kyohei Kadota
4040 Kamil Dudka (1 Aug 2019)
4041 - http_negotiate: improve handling of gss_init_sec_context() failures
4043 If HTTPAUTH_GSSNEGOTIATE was used for a POST request and
4044 gss_init_sec_context() failed, the POST request was sent
4045 with empty body. This commit also restores the original
4046 behavior of `curl --fail --negotiate`, which was changed
4047 by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59.
4049 Add regression tests 2077 and 2078 to cover this.
4054 Daniel Stenberg (1 Aug 2019)
4055 - mailmap: added 4 more names
4057 Evgeny Grin, Peter Pih, Anton Malov and Marquis de Muesli
4059 - mailmap: add Giorgos Oikonomou
4061 - src/makefile: fix uncompressed hugehelp.c generation
4063 Regression from 5cf5d57ab9 (7.64.1)
4065 Fixed-by: Lance Ware
4069 - appveyor: pass on -k to make
4071 - timediff: make it 64 bit (if possible) even with 32 bit time_t
4073 ... to make it hold microseconds too.
4078 - ROADMAP: parallel transfers are merged now
4080 - getenv: support up to 4K environment variable contents on windows
4082 Reported-by: Michal ÄŚaplygin
4086 - [Kyohei Kadota brought this change]
4088 plan9: add support for running on Plan 9
4092 - [Kyohei Kadota brought this change]
4094 ntlm: explicit type casting
4096 - [Justin brought this change]
4098 curl.h: fix outdated comment
4102 - curl: remove outdated comment
4104 Turned bad with commit b8894085000
4106 Reported-by: niallor on github
4110 - cleanup: remove the 'numsocks' argument used in many places
4112 It was used (intended) to pass in the size of the 'socks' array that is
4113 also passed to these functions, but was rarely actually checked/used and
4114 the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries
4115 that should be used instead.
4119 - readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
4121 Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1)
4123 Reported-by: Jonathan Cardoso Machado
4124 Assisted-by: Jay Satiro
4129 - mailmap: Amit Katyal
4131 - asyn-thread: removed unused variable
4133 Follow-up to eb9a604f. Mistake caused by me when I edited the commit
4136 - RELEASE-NOTES: synced
4138 - [Amit Katyal brought this change]
4140 asyn-thread: create a socketpair to wait on
4144 - curl: cap the maximum allowed values for retry time arguments
4146 ... to avoid integer overflows later when multiplying with 1000 to
4147 convert seconds to milliseconds.
4149 Added test 1269 to verify.
4151 Reported-by: Jason Lee
4154 - progress: reset download/uploaded counter
4156 ... to make CURLOPT_MAX_RECV_SPEED_LARGE and
4157 CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that
4158 reuse the same handle.
4160 Fixed-by: Ironbars13 on github
4164 - http2_recv: trigger another read when the last data is returned
4166 ... so that end-of-stream is detected properly.
4168 Reported-by: Tom van der Woerdt
4172 - curl: avoid uncessary libcurl timeouts (in parallel mode)
4174 When curl_multi_wait() returns OK without file descriptors to wait for,
4175 it might already have done a long timeout.
4179 - [Balazs Kovacsics brought this change]
4181 HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
4183 If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set,
4184 automatically add a Transfer-Encoding: chunked header, same as it is
4185 already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update
4186 test 1514 according to the new behaviour.
4190 Jay Satiro (29 Jul 2019)
4191 - [Daniel Stenberg brought this change]
4193 winbuild: add vquic to list of build directories
4195 This fixes the winbuild build method which broke several days ago
4196 when experimental quic support was added in 3af0e76.
4198 Reported-by: Michael Lee
4200 Fixes https://github.com/curl/curl/issues/4158
4202 - easy: resize receive buffer on easy handle reset
4204 - In curl_easy_reset attempt to resize the receive buffer to its default
4205 size. If realloc fails then continue using the previous size.
4207 Prior to this change curl_easy_reset did not properly handle resetting
4208 the receive buffer (data->state.buffer). It reset the variable holding
4209 its size (data->set.buffer_size) to the default size (READBUFFER_SIZE)
4210 but then did not actually resize the buffer. If a user resized the
4211 buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the
4212 default, later called curl_easy_reset and attempted to reuse the handle
4213 then a heap overflow would very likely occur during that handle's next
4216 Reported-by: Felix Hädicke
4218 Fixes https://github.com/curl/curl/issues/4143
4219 Closes https://github.com/curl/curl/pull/4145
4221 - [Brad Spencer brought this change]
4223 examples: Avoid reserved names in hiperfifo examples
4225 - Trade in __attribute__((unused)) for the classic (void)x to silence
4228 Because the classic way is not gcc specific. Also because the prior
4229 method mapped to symbol _Unused, which starts with _ and a capital
4230 letter which is reserved.
4232 Assisted-by: The Infinnovation team
4234 Bug: https://github.com/curl/curl/issues/4120#issuecomment-512542108
4236 Closes https://github.com/curl/curl/pull/4153
4238 Daniel Stenberg (25 Jul 2019)
4239 - RELEASE-NOTES: synced
4241 - [Felix Hädicke brought this change]
4243 ssh-libssh: do not specify O_APPEND when not in append mode
4245 Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
4246 make much sense. And this combination of flags is not accepted by all
4247 SFTP servers (at least not Apache SSHD).
4252 - [Gergely Nagy brought this change]
4254 multi: call detach_connection before Curl_disconnect
4256 Curl_disconnect bails out if conn->easyq is not empty, detach_connection
4257 needs to be called first to remove the current easy from the queue.
4262 Jay Satiro (23 Jul 2019)
4263 - tool_operate: fix implicit call to easysrc_cleanup
4265 easysrc_cleanup is only defined when CURL_DISABLE_LIBCURL_OPTION is not
4266 defined, and prior to this change would be called regardless.
4268 Bug: https://github.com/curl/curl/pull/3804#issuecomment-513922637
4269 Reported-by: Marcel Raad
4271 Closes https://github.com/curl/curl/pull/4142
4273 Daniel Stenberg (22 Jul 2019)
4274 - curl:create_transfers check return code from curl_easy_setopt
4276 From commit b8894085
4278 Pointed out by Coverity CID 1451703
4282 - HTTP3: initial (experimental) support
4284 USe configure --with-ngtcp2 or --with-quiche
4286 Using either option will enable a HTTP3 build.
4287 Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me>
4291 - curl: remove dead code
4293 The loop never loops (since b889408500), pointed out by Coverity (CID
4298 - docs/PARALLEL-TRANSFERS: correct the version number
4300 - docs/PARALLEL-TRANSFERS: added
4302 - curl: support parallel transfers
4304 This is done by making sure each individual transfer is first added to a
4305 linked list as then they can be performed serially, or at will, in
4310 - docs/MANUAL.md: converted to markdown from plain text
4312 ... will make it render as a nicer web page.
4316 - curl_version_info: provide nghttp2 details
4318 Introducing CURLVERSION_SIXTH with nghttp2 info.
4322 - bump: start working on 7.66.0
4324 - source: remove names from source comments
4328 - we can't add everyone who's helping out so its unfair to just a few
4330 - we already list all helpers in THANKS and in RELEASE-NOTES for each
4332 - we don't want to give the impression that some parts of the code is
4333 "owned" or "controlled" by specific persons
4335 Assisted-by: Daniel Gustafsson
4338 Version 7.65.3 (19 Jul 2019)
4340 Daniel Stenberg (19 Jul 2019)
4341 - RELEASE-NOTES: 7.65.3
4343 - THANKS: 7.65.3 status
4345 - progress: make the progress meter appear again
4347 Fix regression caused by 21080e1
4349 Reported-by: Chih-Hsuan Yen
4353 - version: bump to 7.65.3
4355 - RELEASE-NOTES: Contributors or now 1990
4357 Version 7.65.2 (17 Jul 2019)
4359 Daniel Stenberg (17 Jul 2019)
4360 - RELEASE-NOTES: 7.65.2
4362 - THANKS: add contributors from 7.65.2
4364 Jay Satiro (17 Jul 2019)
4365 - [aasivov brought this change]
4367 cmake: Fix finding Brotli on case-sensitive file systems
4369 - Find package "Brotli" instead of "BROTLI" since the former is the
4370 casing used for CMake/FindBrotli.cmake, and otherwise find_package
4371 may fail on a case-sensitive file system.
4373 Fixes https://github.com/curl/curl/issues/4117
4375 - CURLOPT_RANGE.3: Caution against using it for HTTP PUT
4377 AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've
4378 cautioned against using it for that purpose and included a workaround.
4380 Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html
4381 Reported-by: Christopher Head
4383 Closes https://github.com/curl/curl/issues/3814
4385 - [Stefano Simonelli brought this change]
4387 CURLOPT_SEEKDATA.3: fix variable name
4389 Closes https://github.com/curl/curl/pull/4118
4391 - [Giorgos Oikonomou brought this change]
4393 CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH
4395 If the SSL backend is Schannel and the user specifies an Schannel CALG_
4396 that is not supported by the protocol or the server then curl returns
4397 CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH.
4399 Fixes https://github.com/curl/curl/issues/3389
4400 Closes https://github.com/curl/curl/pull/4106
4402 - [Daniel Gustafsson brought this change]
4404 nss: inspect returnvalue of token check
4406 PK11_IsPresent() checks for the token for the given slot is available,
4407 and sets needlogin flags for the PK11_Authenticate() call. Should it
4408 return false, we should however treat it as an error and bail out.
4410 Closes https://github.com/curl/curl/pull/4110
4412 - docs: Explain behavior change in --tlsv1. options since 7.54
4414 Since 7.54 --tlsv1. options use the specified version or later, however
4415 older versions of curl documented it as using just the specified version
4416 which may or may not have happened depending on the TLS library.
4417 Document this discrepancy to allay confusion for users familiar with the
4418 old documentation that expect just the specified version.
4420 Fixes https://github.com/curl/curl/issues/4097
4421 Closes https://github.com/curl/curl/pull/4119
4423 - libcurl: Restrict redirect schemes (follow-up)
4425 - Allow FTPS on redirect.
4427 - Update default allowed redirect protocols in documentation.
4429 Follow-up to 6080ea0.
4431 Ref: https://github.com/curl/curl/pull/4094
4433 Closes https://github.com/curl/curl/pull/4115
4435 Daniel Stenberg (16 Jul 2019)
4436 - test1173: make it also check all libcurl option man pages
4438 ... and adjust those that cause errors
4442 - curl: only accept COLUMNS less than 10000
4444 ... as larger values would rather indicate something silly (and could
4445 potentially cause buffer problems).
4447 Reported-by: pendrek at hackerone
4450 - dist: add manpage-syntax.pl
4452 follow-up to 7fb66c403
4454 - test1173: detect some basic man page format mistakes
4456 Triggered by PR #4111
4460 Jay Satiro (15 Jul 2019)
4461 - [Bjarni Ingi Gislason brought this change]
4463 docs: Fix missing lines caused by undefined macros
4465 - Escape apostrophes at line start.
4467 Some lines begin with a "'" (apostrophe, single quote), which is then
4468 interpreted as a control character in *roff.
4470 Such lines are interpreted as being a call to a macro, and if
4471 undefined, the lines are removed from the output.
4473 Bug: https://bugs.debian.org/926352
4474 Signed-off-by: Bjarni Ingi Gislason <bjarniig@rhi.hi.is>
4476 Submitted-by: Alessandro Ghedini
4478 Closes https://github.com/curl/curl/pull/4111
4480 Daniel Stenberg (14 Jul 2019)
4481 - libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults
4483 follow-up to 6080ea098
4485 - [Linos Giannopoulos brought this change]
4487 libcurl: Add testcase for gopher redirects
4489 The testcase ensures that redirects to CURLPROTO_GOPHER won't be
4490 allowed, by default, in the future. Also, curl is being used
4491 for convenience while keeping the testcases DRY.
4493 The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is
4494 redirected to CURLPROTO_GOPHER
4496 Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>
4498 - [Linos Giannopoulos brought this change]
4500 libcurl: Restrict redirect schemes
4502 All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS
4503 counterpart were allowed for redirect. This vastly broadens the
4504 exploitation surface in case of a vulnerability such as SSRF [1], where
4505 libcurl-based clients are forced to make requests to arbitrary hosts.
4507 For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based
4508 protocol by URL-encoding a payload in the URI. Gopher will open a TCP
4509 connection and send the payload.
4511 Only HTTP/HTTPS and FTP are allowed. All other protocols have to be
4512 explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.
4514 [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
4516 Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>
4520 - [Zenju brought this change]
4522 openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
4526 - [Peter Simonyi brought this change]
4528 http: allow overriding timecond with custom header
4530 With CURLOPT_TIMECONDITION set, a header is automatically added (e.g.
4531 If-Modified-Since). Allow this to be replaced or suppressed with
4537 Jay Satiro (11 Jul 2019)
4538 - [Juergen Hoetzel brought this change]
4540 smb: Use the correct error code for access denied on file open
4542 - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open.
4544 Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead.
4546 Closes https://github.com/curl/curl/pull/4095
4548 - [Daniel Gustafsson brought this change]
4550 DEPRECATE: fixup versions and spelling
4552 Correctly set the July 17 version to 7.65.2, and update spelling to
4553 be consistent. Also fix a typo.
4555 Closes https://github.com/curl/curl/pull/4107
4557 - [Gisle Vanem brought this change]
4559 system_win32: fix clang warning
4561 - Declare variable in header as extern.
4563 Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597
4565 Daniel Gustafsson (10 Jul 2019)
4566 - headers: Remove no longer exported functions
4568 There were a leftover few prototypes of Curl_ functions that we used to
4569 export but no longer do, this removes those prototypes and cleans up any
4570 comments still referring to them.
4572 Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free()
4573 Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn()
4574 were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c.
4575 Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3.
4577 For the remainder, I didn't trawl the Git logs hard enough to capture
4578 their exact time of deletion, but they were all gone: Curl_splayprint(),
4579 Curl_http2_send_request(), Curl_global_host_cache_dtor(),
4580 Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(),
4581 Curl_http_auth_stage() and Curl_close_connections().
4584 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
4586 - CMake: fix typos and spelling
4588 - [Kyle Edwards brought this change]
4590 CMake: Convert errant elseif() to else()
4592 CMake interprets an elseif() with no arguments as elseif(FALSE),
4593 resulting in the elseif() block not being executed. That is not what
4594 was intended here. Change the empty elseif() to an else() as it was
4598 Reported-by: Artalus <artalus-mail@yandex.ru>
4599 Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
4601 - buildconf: fix header filename
4603 The header file inclusion had a typo, it should be .h and not .hd.
4607 Reported-by: AceCrow on Github
4609 - [Jan Chren brought this change]
4611 configure: fix --disable-code-coverage
4613 This fixes the case when --disable-code-coverage supplied to ./configure
4614 would result in coverage="yes" being set.
4617 Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
4619 - cleanup: fix typo in comment
4621 - RELEASE-NOTES: synced
4623 Jay Satiro (6 Jul 2019)
4624 - [Daniel Gustafsson brought this change]
4626 nss: support using libnss on macOS
4628 The file suffix for dynamically loadable objects on macOS is .dylib,
4629 which need to be added for the module definitions in order to get the
4630 NSS TLS backend to work properly on macOS.
4632 Closes https://github.com/curl/curl/pull/4046
4634 - [Daniel Gustafsson brought this change]
4636 nss: don't set unused parameter
4638 The value of the maxPTDs parameter to PR_Init() has since at least
4639 NSPR 2.1, which was released sometime in 1998, been marked ignored
4640 as is accordingly not used in the initialization code. Setting it
4641 to a value when calling PR_Init() is thus benign, but indicates an
4642 intent which may be misleading. Reset the value to zero to improve
4645 Closes https://github.com/curl/curl/pull/4054
4647 - [Daniel Gustafsson brought this change]
4649 nss: only cache valid CRL entries
4651 Change the logic around such that we only keep CRLs that NSS actually
4652 ended up caching around for later deletion. If CERT_CacheCRL() fails
4653 then there is little point in delaying the freeing of the CRL as it
4656 Closes https://github.com/curl/curl/pull/4053
4658 - [Gergely Nagy brought this change]
4660 lib: Use UTF-8 encoding in comments
4662 Some editors and IDEs assume that source files use UTF-8 file encodings.
4663 It also fixes the build with MSVC when /utf-8 command line option is
4664 used (this option is mandatory for some other open-source projects, this
4665 is useful when using the same options is desired for building all
4666 libraries of a project).
4668 Closes https://github.com/curl/curl/pull/4087
4670 - [Caleb Raitto brought this change]
4672 CURLOPT_HEADEROPT.3: Fix example
4674 Fix an issue where example builds a curl_slist, but fails to actually
4677 Closes https://github.com/curl/curl/pull/4090
4679 - [Shankar Jadhavar brought this change]
4681 winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG
4683 - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored.
4685 - Also removed some ^M chars from file.
4687 Prior to this change while building on Windows platform even if we pass
4688 the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does
4689 not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag.
4691 Closes https://github.com/curl/curl/pull/4086
4693 Daniel Stenberg (4 Jul 2019)
4694 - doh-url.d: added in 7.62.0
4696 Jay Satiro (30 Jun 2019)
4697 - docs: Fix links to OpenSSL docs
4699 OpenSSL changed their manual locations and does not redirect to the new
4702 Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html
4703 Reported-by: Daniel Stenberg
4705 Daniel Stenberg (26 Jun 2019)
4706 - [Gaël PORTAY brought this change]
4708 curl_multi_wait.3: escape backslash in example
4710 The backslash in the character Line Feed must be escaped.
4712 The current man-page outputs the code as following:
4714 fprintf(stderr, "curl_multi failed, code %d.0, mc);
4716 The commit fixes it as follow:
4718 fprintf(stderr, "curl_multi failed, code %d\n", mc);
4722 - openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
4724 ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is
4725 built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for
4726 UWP (with "VC-WIN32-UWP").
4728 Reported-by: Vasily Lobaskin
4732 - test1521: adapt to SLISTPOINT
4734 The header now has the slist-using options marked as SLISTPOINT so this
4735 makes sure test 1521 understands that.
4737 Follow-up to ae99b4de1c443ae989
4741 - win32: make DLL loading a no-op for UWP
4743 Reported-by: Michael Brehm
4747 - [1ocalhost brought this change]
4749 configure: fix typo '--disable-http-uath'
4753 - [Niklas HambĂĽchen brought this change]
4755 docs: fix string suggesting HTTP/2 is not the default
4757 Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the
4758 man page that new default is mentioned, but the section at the top
4759 contradicted it until now.
4761 Also remove claim that setting the HTTP version is not sensible.
4765 - RELEASE-NOTES: synced
4767 - [Stephan Szabo brought this change]
4769 tests: update fixed IP for hostip/clientip split
4771 These tests give differences for me on linux when using a hostip
4772 pointing to the external ip address for the local machine.
4776 Daniel Gustafsson (24 Jun 2019)
4777 - http: clarify header buffer size calculation
4779 The header buffer size calculation can from static analysis seem to
4780 overlow as it performs an addition between two size_t variables and
4781 stores the result in a size_t variable. Overflow is however guarded
4782 against elsewhere since the input to the addition is regulated by
4783 the maximum read buffer size. Clarify this with a comment since the
4786 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
4788 Daniel Stenberg (24 Jun 2019)
4789 - KNOWN_BUGS: Don't clear digest for single realm
4793 - KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname
4797 - http2: call done_sending on end of upload
4799 To make sure a HTTP/2 stream registers the end of stream.
4801 Bug #4043 made me find this problem but this fix doesn't correct the
4806 - [James Brown brought this change]
4808 c-ares: honor port numbers in CURLOPT_DNS_SERVERS
4810 By using ares_set_servers_ports_csv on new enough c-ares.
4815 Daniel Gustafsson (24 Jun 2019)
4816 - CURLMOPT_SOCKETFUNCTION.3: fix typo
4818 Daniel Stenberg (24 Jun 2019)
4819 - [Koen Dergent brought this change]
4821 curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds
4825 - test153: fix content-length to avoid occasional hang
4829 - RELEASE-NOTES: synced
4831 - multi: enable multiplexing by default (again)
4833 It was originally made default in d7c4213bd0c (7.62.0) but mistakenly
4834 reverted in commit 2f44e94efb3d (7.65.0). Now enabled again.
4838 - typecheck: add 3 missing strings and a callback data pointer
4842 - tests: add disable-scan.pl to dist
4844 follow-up from 29177f422a5
4848 - http2: don't call stream-close on already closed streams
4852 Marcel Raad (20 Jun 2019)
4853 - travis: enable alt-svc for coverage build
4857 - travis: enable libssh2 for coverage build
4859 It was enabled by default before commit c92d2e14cfb.
4861 Disable torture tests 600 and 601 because of
4862 https://github.com/curl/curl/issues/1678.
4866 - travis: disable threaded resolver for coverage build
4868 This enables more tests.
4872 - travis: enable brotli for all xenial jobs
4874 There's no need for a separate job, and no need to build it from source
4879 - travis: enable warnings-as-errors for coverage build
4883 GitHub (20 Jun 2019)
4884 - [Gisle Vanem brought this change]
4886 system_win32: fix typo
4888 Daniel Stenberg (20 Jun 2019)
4889 - typecheck: CURLOPT_CONNECT_TO takes an slist too
4891 Additionally, add an alias in curl.h for slist-using options so that
4892 we can grep/parse those out at will.
4896 - [Stephan Szabo brought this change]
4898 tests: support non-localhost HOSTIP for dict/smb servers
4900 smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for
4901 binding the server which when we were running the tests with a separate
4902 HOSTIP and CLIENTIP had failures verifying the server from the device we
4905 This changes them to take the address from runtests.py and default to
4906 localhost/127.0.0.1 if none is given.
4910 - test1523: basic test of CURLOPT_LOW_SPEED_LIMIT
4912 - configure: --disable-progress-meter
4914 Builds libcurl without support for the built-in progress meter.
4918 - curl: improved skip-setopt-options when built with disabled features
4920 Reduces #ifdefs in src/tool_operate.c
4922 Follow-up from 4e86f2fc4e6
4925 Steve Holme (18 Jun 2019)
4926 - netrc: Return the correct error code when out of memory
4928 Introduced in 763c5178.
4932 Daniel Stenberg (18 Jun 2019)
4933 - config-os400: add getpeername and getsockname defines
4935 Reported-by: jonrumsey on github
4939 - runtests: keep logfiles around by default
4941 Make '-k' a no-op. The singletest function now clears the log directory
4942 BEFORE each individual test and not after, which makes it possible to
4943 always keep the logfiles around after a test has been run. No need to
4944 specify -k anymore. Keeping the option parsing around to work with users
4947 Some tests also didn't work properly when -k was used (since the old
4948 logs would be kep when a new test starts) which this change also fixes.
4952 - [Gergely Nagy brought this change]
4954 openssl: fix pubkey/signature algorithm detection in certinfo
4956 Certinfo gives the same result for all OpenSSL versions.
4957 Also made printing RSA pubkeys consistent with older versions.
4959 Reported-by: Michael Wallner
4963 - conn_maxage: move the check to prune_dead_connections()
4965 ... and avoid the locking issue.
4967 Reported-by: Kunal Ekawde
4971 - tests: have runtests figure out disabled features
4973 ... so that runtests can skip individual test cases that test features
4974 that are explicitly disabled in this build. This new logic is intended
4975 for disabled features that aren't otherwise easily visible through the
4976 curl_version_info() or other API calls.
4978 tests/server/disabled is a newly built executable that will output a
4979 list of disabled features. Outputs nothing for a default build.
4983 - test188/189: fix Content-Length
4985 This cures the flaky test results
4989 - [Thomas Gamper brought this change]
4991 winbuild: use WITH_PREFIX if given
4995 Daniel Gustafsson (17 Jun 2019)
4996 - openssl: remove outdated comment
4998 OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(),
4999 which is why we switched to CONF_modules_load_file() and introduced
5000 a comment stating why. This behavior was however changed in OpenSSL
5001 commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now
5002 outdated and incorrect comment. The mentioned commit also declares
5003 OPENSSL_config() deprecated so keep the current coding.
5006 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
5008 Daniel Stenberg (16 Jun 2019)
5009 - RELEASE-NOTES: synced
5011 Patrick Monnerat (16 Jun 2019)
5012 - os400: make vsetopt() non-static as Curl_vsetopt() for os400 support.
5014 Use it in curl_easy_setopt_ccsid().
5016 Reported-by: jonrumsey on github
5020 Daniel Stenberg (15 Jun 2019)
5021 - runtests: report single test time + total duration
5023 ... after each successful test.
5027 - multi: fix the transfer hash function
5029 Follow-up from 8b987cc7eb
5031 Reported-by: Tom van der Woerdt
5035 - unit1654: cleanup on memory failure
5037 ... to make it handle torture tests properly.
5039 Reported-by: Marcel Raad
5043 Marcel Raad (13 Jun 2019)
5044 - krb5: fix compiler warning
5046 Even though the variable was used in a DEBUGASSERT, GCC 8 warned in
5048 krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable]
5050 Just suppress the warning and declare the variable unconditionally
5051 instead of only for DEBUGBUILD (which also missed the check for
5054 Closes https://github.com/curl/curl/pull/4020
5056 Daniel Stenberg (13 Jun 2019)
5057 - quote.d: asterisk prefix works for SFTP as well
5059 Reported-by: Ben Voris
5063 - multi: fix the transfer hashes in the socket hash entries
5065 - The transfer hashes weren't using the correct keys so removing entries
5068 - Simplified the iteration logic over transfers sharing the same socket and
5069 they now simply are set to expire and thus get handled in the "regular"
5072 Reported-by: Tom van der Woerdt
5076 Jay Satiro (12 Jun 2019)
5077 - [Cliff Crosland brought this change]
5079 url: Fix CURLOPT_MAXAGE_CONN time comparison
5081 Old connections are meant to expire from the connection cache after
5082 CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x
5083 that value. This occurs because a time value measured in milliseconds is
5084 accidentally divided by 1M instead of by 1,000.
5086 Closes https://github.com/curl/curl/pull/4013
5088 Daniel Stenberg (11 Jun 2019)
5089 - test1165: verify that CURL_DISABLE_ symbols are in sync
5091 between configure.ac and source code. They should be possible to switch
5092 on/off in configure AND be used in source code.
5094 - configure: remove CURL_DISABLE_TLS_SRP
5096 It isn't used by code so stop providing the define.
5100 - Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified"
5102 This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938.
5104 Apparently several of the appveyor windows builds broke.
5106 - [sergey-raevskiy brought this change]
5108 cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified
5110 Reviewed-by: Jakub Zakrzewski
5113 - RELEASE-NOTES: synced
5115 - http2: remove CURL_DISABLE_TYPECHECK define
5117 ... in http2-less builds as it served no use.
5119 - configure: more --disable switches to toggle off individual features
5121 ... actual support in the code for disabling these has already landed.
5125 - wolfssl: fix key pinning build error
5127 follow-up from deb9462ff2de8
5129 - CURLMOPT_SOCKETFUNCTION.3: clarified
5131 Moved away the callback explanation from curl_multi_socket_action.3 and
5132 expanded it somewhat.
5136 - wolfssl: fixup for SNI use
5138 follow-up from deb9462ff2de8
5142 - CURLOPT_CAINFO.3: polished wording
5144 Clarify the functionality when built to use Schannel and Secure
5145 Transport and stop calling it the "recommended" or "preferred" way and
5146 instead rather call it the default.
5148 Removed the reference to the ssl comparison table as it isn't necessary.
5150 Reported-by: Richard Alcock
5151 Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html
5154 GitHub (10 Jun 2019)
5155 - [Daniel Stenberg brought this change]
5157 SECURITY.md: created
5159 Brief security policy description for use/display on github.
5161 Daniel Gustafsson (10 Jun 2019)
5162 - tool_cb_prg: Fix integer overflow in progress bar
5164 Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar
5165 width calculation to avoid integer overflow, but failed to account for
5166 the fact that initial_size is initialized to -1 when the file size is
5167 retrieved from the remote on an upload, causing another signed integer
5168 overflow. Fix by separately checking for this case before the width
5172 Reported-by: Brian Carpenter (Geeknik Labs)
5173 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
5175 Daniel Stenberg (10 Jun 2019)
5176 - wolfssl: refer to it as wolfSSL only
5178 Remove support for, references to and use of "cyaSSL" from the source
5179 and docs. wolfSSL is the current name and there's no point in keeping
5180 references to ancient history.
5182 Assisted-by: Daniel Gustafsson
5186 - RELEASE-NOTES: synced
5188 - bindlocal: detect and avoid IP version mismatches in bind()
5190 Reported-by: Alex Grebenschikov
5194 - multi: make sure 'data' can present in several sockhash entries
5196 Since more than one socket can be used by each transfer at a given time,
5197 each sockhash entry how has its own hash table with transfers using that
5200 In addition, the sockhash entry can now be marked 'blocked = TRUE'"
5201 which then makes the delete function just set 'removed = TRUE' instead
5202 of removing it "for real", as a way to not rip out the carpet under the
5203 feet of a parent function that iterates over the transfers of that same
5206 Reported-by: Tom van der Woerdt
5213 - [Sorcus brought this change]
5215 libcurl-tutorial.3: Fix small typo (mutipart -> multipart)
5217 Fixed-by: MrSorcus on github
5220 - unpause: trigger a timeout for event-based transfers
5222 ... so that timeouts or other state machine actions get going again
5223 after a changing pause state. For example, if the last delivery was
5224 paused there's no pending socket activity.
5226 Reported-by: sstruchtrup on github
5230 Marcel Raad (9 Jun 2019)
5231 - travis: use xenial LLVM package for scan-build
5233 I missed that in commit 99a49d6.
5235 - travis: update scan-build job to xenial
5237 Closes https://github.com/curl/curl/pull/3999
5239 Daniel Stenberg (8 Jun 2019)
5240 - bump: start working on 7.65.2
5242 Marcel Raad (5 Jun 2019)
5243 - examples/htmltitle: use C++ casts between pointer types
5245 Compilers and static analyzers warn about using C-style casts here.
5247 Closes https://github.com/curl/curl/pull/3975
5249 - examples/fopen: fix comparison
5251 As want is size_t, (file->buffer_pos - want) is unsigned, so checking
5252 if it's less than zero makes no sense.
5253 Check if file->buffer_pos is less than want instead to avoid the
5254 unsigned integer wraparound.
5256 Closes https://github.com/curl/curl/pull/3975
5258 - build: fix Codacy warnings
5260 Reduce variable scopes and remove redundant variable stores.
5262 Closes https://github.com/curl/curl/pull/3975
5264 - sws: remove unused variables
5266 Unused since commit 2f44e94.
5268 Closes https://github.com/curl/curl/pull/3975
5270 Version 7.65.1 (4 Jun 2019)
5272 Daniel Stenberg (4 Jun 2019)
5273 - RELEASE-NOTES: 7.65.1
5275 - THANKS: new contributors from 7.65.1
5277 Steve Holme (4 Jun 2019)
5278 - [Frank Gevaerts brought this change]
5280 ssl: Update outdated "openssl-only" comments for supported backends
5282 These are for features that used to be openssl-only but were expanded
5283 over time to support other SSL backends.
5287 Daniel Stenberg (4 Jun 2019)
5288 - curl_share_setopt.3: improve wording [ci ship]
5290 Reported-by: Carlos ORyan
5292 Steve Holme (4 Jun 2019)
5293 - tool_parsecfg: Use correct return type for GetModuleFileName()
5295 GetModuleFileName() returns a DWORD which is a typedef of an unsigned
5296 long and not an int.
5300 Daniel Stenberg (3 Jun 2019)
5301 - TODO: "at least N milliseconds between requests" [ci skip]
5303 Suggested-by: dkwolfe4 on github
5306 Steve Holme (2 Jun 2019)
5307 - tests/server/.gitignore: Add socksd to the ignore list
5313 - tool_parsecfg: Fix control flow issue (DEADCODE)
5315 Follow-up to 8144ba38.
5317 Detected by Coverity CID 1445663
5320 Daniel Stenberg (2 Jun 2019)
5321 - [Sergey Ogryzkov brought this change]
5323 NTLM: reset proxy "multipass" state when CONNECT request is done
5327 - test334: verify HTTP 204 response with chunked coding header
5329 Verifies that a bodyless response don't parse this content-related
5332 - [Michael Kaufmann brought this change]
5334 http: don't parse body-related headers bodyless responses
5336 Responses with status codes 1xx, 204 or 304 don't have a response body. For
5337 these, don't parse these headers:
5345 This change ensures that HTTP/2 upgrades work even if a
5346 "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present.
5348 Co-authored-by: Daniel Stenberg
5353 - tls13-docs: mention it is only for OpenSSL >= 1.1.1
5355 Reported-by: Jay Satiro
5356 Co-authored-by: Jay Satiro
5360 - dump-header.d: spell out that no headers == empty file [ci skip]
5362 Reported-by: wesinator at github
5366 - singlesocket: use separate variable for inner loop
5368 An inner loop within the singlesocket() function wrongly re-used the
5369 variable for the outer loop which then could cause an infinite
5370 loop. Change to using a separate variable!
5372 Reported-by: Eric Wu
5376 - RELEASE-NOTES: synced
5378 - [Josie Huddleston brought this change]
5380 http2: Stop drain from being permanently set on
5382 Various functions called within Curl_http2_done() can have the
5383 side-effect of setting the Easy connection into drain mode (by calling
5384 drain_this()). However, the last time we unset this for a transfer (by
5385 calling drained_transfer()) is at the beginning of Curl_http2_done().
5386 If the Curl_easy is reused for another transfer, it is then stuck in
5387 drain mode permanently, which in practice makes it unable to write any
5388 data in the new transfer.
5390 This fix moves the last call to drained_transfer() to later in
5391 Curl_http2_done(), after the functions that could potentially call for a
5396 Reported-by: Josie-H
5398 Steve Holme (29 May 2019)
5399 - conncache: Remove the DEBUGASSERT on length check
5401 We trust the calling code as this is an internal function.
5405 Jay Satiro (29 May 2019)
5406 - [Gisle Vanem brought this change]
5408 system_win32: fix function prototype
5410 - Change if_nametoindex parameter type from char * to const char *.
5412 Follow-up to 09eef8af from this morning.
5414 Bug: https://github.com/curl/curl/commit/09eef8af#r33716067
5416 Marcel Raad (29 May 2019)
5417 - appveyor: add Visual Studio solution build
5419 Closes https://github.com/curl/curl/pull/3941
5421 - appveyor: add support for other build systems
5423 Introduce BUILD_SYSTEM variable, which is currently always CMake.
5425 Closes https://github.com/curl/curl/pull/3941
5427 Steve Holme (29 May 2019)
5428 - url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
5430 This fixes the static dependency on iphlpapi.lib and allows curl to
5431 build for targets prior to Windows Vista.
5433 This partially reverts 170bd047.
5438 Daniel Stenberg (29 May 2019)
5439 - http: fix "error: equality comparison with extraneous parentheses"
5441 - parse_proxy: make sure portptr is initialized
5443 Reported-by: Benbuck Nason
5447 - url: default conn->port to the same as conn->remote_port
5449 ... so that it has a sensible value when ConnectionExists() is called which
5450 needs it set to differentiate host "bundles" correctly on port number!
5452 Also, make conncache:hashkey() use correct port for bundles that are proxy vs
5455 Probably a regression from 7.62.0
5457 Reported-by: Tom van der Woerdt
5461 - conncache: make "bundles" per host name when doing proxy tunnels
5463 Only HTTP proxy use where multiple host names can be used over the same
5464 connection should use the proxy host name for bundles.
5466 Reported-by: Tom van der Woerdt
5470 - multi: track users of a socket better
5472 They need to be removed from the socket hash linked list with more care.
5474 When sh_delentry() is called to remove a sockethash entry, remove all
5475 individual transfers from the list first. To enable this, each Curl_easy struct
5476 now stores a pointer to the sockethash entry to know how to remove itself.
5478 Reported-by: Tom van der Woerdt and Kunal Ekawde
5484 Steve Holme (28 May 2019)
5485 - curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version
5487 Microsoft added support for Unix Domain Sockets in Windows 10 1803
5488 (RS4). Rather than expect the user to enable Unix Domain Sockets by
5489 uncommenting the #define that was added in 0fd6221f we use the RS4
5490 pre-processor variable that is present in newer versions of the
5495 Daniel Stenberg (28 May 2019)
5496 - [Jonas Vautherin brought this change]
5498 cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
5502 Marcel Raad (27 May 2019)
5503 - HAProxy tests: add keywords
5505 Add the proxy and haproxy keywords in order to be able to exclude or
5506 run these specific tests.
5508 Closes https://github.com/curl/curl/pull/3949
5510 Daniel Stenberg (27 May 2019)
5511 - [Maksim Stsepanenka brought this change]
5513 tests: make test 1420 and 1406 work with rtsp-disabled libcurl
5517 Kamil Dudka (27 May 2019)
5518 - [Hubert Kario brought this change]
5520 nss: allow to specify TLS 1.3 ciphers if supported by NSS
5524 Daniel Stenberg (26 May 2019)
5525 - RELEASE-NOTES: synced
5527 - [Jay Satiro brought this change]
5529 Revert all SASL authzid (new feature) commits
5531 - Revert all commits related to the SASL authzid feature since the next
5532 release will be a patch release, 7.65.1.
5534 Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined
5535 for the next release, assuming it would be a feature release 7.66.0.
5536 However instead the next release will be a patch release, 7.65.1 and
5537 will not contain any new features.
5539 After the patch release after the reverted commits can be restored by
5542 git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690
5544 Details for all reverted commits:
5546 Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()."
5548 This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a.
5550 Revert "tests: Fix the line endings for the SASL alt-auth tests"
5552 This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221.
5554 Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples"
5556 This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75.
5558 Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool"
5560 This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817.
5562 Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID"
5564 This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177.
5566 - [dbrowndan brought this change]
5568 FAQ: more minor updates and spelling fixes
5572 - RELEASE-NOTES: synced
5574 - sectransp: handle errSSLPeerAuthCompleted from SSLRead()
5576 Reported-by: smuellerDD on github
5580 GitHub (24 May 2019)
5581 - [Gisle Vanem brought this change]
5585 Daniel Stenberg (23 May 2019)
5586 - tool_setopt: for builds with disabled-proxy, skip all proxy setopts()
5588 Reported-by: Marcel Raad
5592 Steve Holme (23 May 2019)
5593 - winbuild: Use two space indentation
5597 GitHub (23 May 2019)
5598 - [Gisle Vanem brought this change]
5600 tool_parse_cfg: Avoid 2 fopen() for WIN32
5602 Using the memdebug.h mem-leak feature, I noticed 2 calls like:
5603 FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt")
5604 FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt")
5606 No need for 'fopen(), 'fclose()' and a 'fopen()' yet again.
5608 Daniel Stenberg (23 May 2019)
5609 - md4: include the mbedtls config.h to get the MD4 info
5611 - md4: build correctly with openssl without MD4
5613 Reported-by: elsamuko at github
5617 Patrick Monnerat (23 May 2019)
5618 - os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid().
5620 Daniel Stenberg (23 May 2019)
5621 - .github/FUNDING: mention our opencollective "home" [ci skip]
5623 Marcel Raad (23 May 2019)
5624 - [Zenju brought this change]
5626 config-win32: add support for if_nametoindex and getsockname
5628 Closes https://github.com/curl/curl/pull/3923
5630 Jay Satiro (23 May 2019)
5631 - tests: Fix the line endings for the SASL alt-auth tests
5633 - Change data and protocol sections to CRLF line endings.
5635 Prior to this change the tests would fail or hang, which is because
5636 certain sections such as protocol require CRLF line endings.
5638 Follow-up to a9499ff from today which added the tests.
5640 Ref: https://github.com/curl/curl/pull/3790
5642 Daniel Stenberg (23 May 2019)
5643 - url: fix bad #ifdef
5645 Regression since e91e48161235272ff485.
5647 Reported-by: Tom Greenslade
5651 - Revert "progress: CURL_DISABLE_PROGRESS_METER"
5653 This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4.
5655 Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT +
5656 CURLOPT_LOW_SPEED_TIME
5658 Reported-by: Dave Reisner
5663 Steve Holme (22 May 2019)
5664 - examples: Added SASL PLAIN authorisation identity (authzid) examples
5666 - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
5668 - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
5670 Added the ability for the calling program to specify the authorisation
5671 identity (authzid), the identity to act as, in addition to the
5672 authentication identity (authcid) and password when using SASL PLAIN
5678 Marc Hoersken (22 May 2019)
5679 - tests: add support to test against OpenSSH for Windows
5681 Testing against OpenSSH for Windows requires v7.7.0.0 or newer
5682 due to the use of AllowUsers and DenyUsers. For more info see:
5683 https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config
5685 Daniel Stenberg (22 May 2019)
5686 - bump: start on the next release
5688 Marcel Raad (22 May 2019)
5689 - examples: fix "clarify calculation precedence" warnings
5691 Closes https://github.com/curl/curl/pull/3919
5693 - hiperfifo: remove unused variable
5695 Closes https://github.com/curl/curl/pull/3919
5697 - examples: remove dead variable stores
5699 Closes https://github.com/curl/curl/pull/3919
5701 - examples: reduce variable scopes
5703 Closes https://github.com/curl/curl/pull/3919
5705 - http2-download: fix format specifier
5707 Closes https://github.com/curl/curl/pull/3919
5709 Daniel Stenberg (22 May 2019)
5710 - PolarSSL: deprecate support step 1. Removed from configure.
5712 Also removed mentions from most docs.
5714 Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html
5718 - configure/cmake: check for if_nametoindex()
5720 - adds the check to cmake
5722 - fixes the configure check to work for cross-compiled windows builds
5726 - parse_proxy: use the IPv6 zone id if given
5728 If the proxy string is given as an IPv6 numerical address with a zone
5729 id, make sure to use that for the connect to the proxy.
5731 Reported-by: Edmond Yu
5736 Version 7.65.0 (22 May 2019)
5738 Daniel Stenberg (22 May 2019)
5739 - RELEASE-NOTES: 7.65.0 release
5741 - THANKS: from the 7.65.0 release-notes
5743 - url: convert the zone id from a IPv6 URL to correct scope id
5745 Reported-by: GitYuanQu on github
5749 - configure: detect getsockname and getpeername on windows too
5751 Made detection macros for these two functions in the same style as other
5752 functions possibly in winsock in the hope this will work better to
5753 detect these functions when cross-compiling for Windows.
5755 Follow-up to e91e4816123
5760 Marcel Raad (21 May 2019)
5761 - examples: remove unused variables
5763 Fixes Codacy/CppCheck warnings.
5767 Daniel Gustafsson (21 May 2019)
5768 - udpateconninfo: mark variable unused
5770 When compiling without getpeername() or getsockname(), the sockfd
5771 paramter to Curl_udpateconninfo() became unused after commit e91e481612
5775 Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196
5776 Reviewed-by: Marcel Raad, Daniel Stenberg
5778 - ftp: move ftp_ccc in under featureflag
5780 Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under
5781 the FTP featureflag in the UserDefined struct, but vtls callsites were
5782 still using it unprotected.
5785 Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865
5786 Reviewed-by: Daniel Stenberg, Marcel Raad
5788 Daniel Stenberg (20 May 2019)
5789 - curl: report error for "--no-" on non-boolean options
5791 Reported-by: Olen Andoni
5795 - [Guy Poizat brought this change]
5797 mbedtls: enable use of EC keys
5801 - lib1560: add tests for parsing URL with too long scheme
5805 - [Omar Ramadan brought this change]
5807 urlapi: increase supported scheme length to 40 bytes
5809 The longest currently registered URI scheme at IANA is 36 bytes long.
5814 Marcel Raad (20 May 2019)
5815 - lib: reduce variable scopes
5817 Fixes Codacy/CppCheck warnings.
5819 Closes https://github.com/curl/curl/pull/3872
5821 - tool_formparse: remove redundant assignment
5823 Just initialize word_begin with the correct value.
5825 Closes https://github.com/curl/curl/pull/3873
5827 - ssh: move variable declaration to where it's used
5829 This way, we need only one call to free.
5831 Closes https://github.com/curl/curl/pull/3873
5833 - ssh-libssh: remove unused variable
5835 sock was only used to be assigned to fd_read.
5837 Closes https://github.com/curl/curl/pull/3873
5839 Daniel Stenberg (20 May 2019)
5840 - test332: verify the blksize fix
5842 - tftp: use the current blksize for recvfrom()
5844 bug: https://curl.haxx.se/docs/CVE-2019-5436.html
5845 Reported-by: l00p3r on hackerone
5848 Daniel Gustafsson (19 May 2019)
5849 - version: make ssl_version buffer match for multi_ssl
5851 When running a multi TLS backend build the version string needs more
5852 buffer space. Make the internal ssl_buffer stack buffer match the one
5853 in Curl_multissl_version() to allow for the longer string. For single
5854 TLS backend builds there is no use in extended to buffer. This is a
5855 fallout from #3863 which fixes up the multi_ssl string generation to
5856 avoid a buffer overflow when the buffer is too small.
5859 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
5861 Steve Holme (18 May 2019)
5862 - http_ntlm_wb: Handle auth for only a single request
5864 Currently when the server responds with 401 on NTLM authenticated
5865 connection (re-used) we consider it to have failed. However this is
5866 legitimate and may happen when for example IIS is set configured to
5867 'authPersistSingleRequest' or when the request goes thru a proxy (with
5870 Implemented by imploying an additional state once a connection is
5871 re-used to indicate that if we receive 401 we need to restart
5876 - http_ntlm_wb: Cleanup handshake after clean NTLM failure
5880 - http_ntlm_wb: Return the correct error on receiving an empty auth message
5882 Missed in fe20826b as it wasn't implemented in http.c in b4d6db83.
5886 Daniel Stenberg (18 May 2019)
5887 - curl: make code work with protocol-disabled libcurl
5891 - libcurl: #ifdef away more code for disabled features/protocols
5893 - progress: CURL_DISABLE_PROGRESS_METER
5895 - hostip: CURL_DISABLE_SHUFFLE_DNS
5897 - netrc: CURL_DISABLE_NETRC
5899 Viktor Szakats (16 May 2019)
5900 - docs: Markdown and misc improvements [ci skip]
5902 Approved-by: Daniel Stenberg
5905 - docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip]
5907 Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135
5908 Approved-by: Daniel Stenberg
5911 Daniel Stenberg (16 May 2019)
5912 - travis: add an osx http-only build
5916 - cleanup: remove FIXME and TODO comments
5918 They serve very little purpose and mostly just add noise. Most of them
5919 have been around for a very long time. I read them all before removing
5925 - curl: don't set FTP options for FTP-disabled builds
5927 ... since libcurl has started to be totally unaware of options for
5928 disabled protocols they now return error.
5930 Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937
5932 Reported-by: Marcel Raad
5935 Steve Holme (16 May 2019)
5936 - http_ntlm_wb: Move the type-2 message processing into a dedicated function
5938 This brings the code inline with the other HTTP authentication mechanisms.
5942 Daniel Stenberg (15 May 2019)
5943 - RELEASE-NOTES: synced
5945 - docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip]
5947 - CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip]
5949 Reported-by: Roy Bellingan
5952 - parse_proxy: use the URL parser API
5954 As we treat a given proxy as a URL we should use the unified URL parser
5955 to extract the parts out of it.
5959 Steve Holme (15 May 2019)
5960 - http_negotiate: Move the Negotiate state out of the negotiatedata structure
5962 Given that this member variable is not used by the SASL based protocols
5963 there is no need to have it here.
5967 - http_ntlm: Move the NTLM state out of the ntlmdata structure
5969 Given that this member variable is not used by the SASL based protocols
5970 there is no need to have it here.
5972 - url: Move the negotiate state type into a dedicated enum
5974 - url: Remove duplicate clean up of the winbind variables in conn_shutdown()
5976 Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior
5977 to calling conn_shutdown() and it in turn performs this, there is no
5978 need to perform the same action in conn_shutdown().
5982 Daniel Stenberg (14 May 2019)
5983 - urlapi: require a non-zero host name length when parsing URL
5985 Updated test 1560 to verify.
5989 - configure: error out if OpenSSL wasn't detected when asked for
5991 If --with-ssl is used and configure still couldn't enable SSL this
5992 creates an error instead of just silently ignoring the fact.
5994 Suggested-by: Isaiah Norton
5998 Daniel Gustafsson (14 May 2019)
5999 - imap: Fix typo in comment
6001 Steve Holme (14 May 2019)
6002 - url: Remove unnecessary initialisation from allocate_conn()
6004 No need to set variables to zero as calloc() does this for us.
6008 Daniel Stenberg (14 May 2019)
6009 - CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip]
6011 Clues-provided-by: Jay Satiro
6012 Clues-provided-by: Jeroen Ooms
6016 Daniel Gustafsson (13 May 2019)
6017 - vtls: fix potential ssl_buffer stack overflow
6019 In Curl_multissl_version() it was possible to overflow the passed in
6020 buffer if the generated version string exceeded the size of the buffer.
6021 Fix by inverting the logic, and also make sure to not exceed the local
6022 buffer during the string generation.
6025 Reported-by: nevv on HackerOne/curl
6026 Reviewed-by: Jay Satiro
6027 Reviewed-by: Daniel Stenberg
6029 Daniel Stenberg (13 May 2019)
6030 - RELEASE-NOTES: synced
6032 - appveyor: also build "/ci" branches like travis
6034 - pingpong: disable more when no pingpong enabled
6036 - proxy: acknowledge DISABLE_PROXY more
6038 - parsedate: CURL_DISABLE_PARSEDATE
6040 - sasl: only enable if there's a protocol enabled using it
6042 - mime: acknowledge CURL_DISABLE_MIME
6044 - wildcard: disable from build when FTP isn't present
6046 - http: CURL_DISABLE_HTTP_AUTH
6048 - base64: build conditionally if there are users
6050 - doh: CURL_DISABLE_DOH
6052 Steve Holme (12 May 2019)
6053 - auth: Rename the various authentication clean up functions
6055 For consistency and to a avoid confusion.
6059 Daniel Stenberg (12 May 2019)
6060 - [Jay Satiro brought this change]
6062 docs/INSTALL: fix broken link [ci skip]
6064 Reported-by: Joombalaya on github
6067 Marcel Raad (12 May 2019)
6068 - easy: fix another "clarify calculation precedence" warning
6070 I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be.
6072 - build: fix "clarify calculation precedence" warnings
6074 Codacy/CppCheck warns about this. Consistently use parentheses as we
6075 already do in some places to silence the warning.
6077 Closes https://github.com/curl/curl/pull/3866
6079 - cmake: restore C89 compatibility of CurlTests.c
6081 I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and
6082 97de97daefc2ed084c91eff34af2426f2e55e134.
6084 Reported-by: Viktor Szakats
6085 Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044
6086 Closes https://github.com/curl/curl/pull/3868
6088 Steve Holme (11 May 2019)
6089 - http_ntlm: Corrected the name of the include guard
6095 - http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
6099 - http_negotiate: Don't expose functions when HTTP is disabled
6101 Daniel Stenberg (11 May 2019)
6102 - SECURITY-PROCESS: fix links [ci skip]
6104 Marcel Raad (11 May 2019)
6105 - CMake: suppress unused variable warnings
6107 I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e.
6109 Daniel Stenberg (11 May 2019)
6110 - doh: disable DOH for the cases it doesn't work
6112 Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for
6113 DOH resolves. This fix disables DOH for those.
6115 Limitation added to KNOWN_BUGS.
6120 Jay Satiro (11 May 2019)
6121 - checksrc.bat: Ignore snprintf warnings in docs/examples
6123 .. because we allow snprintf use in docs/examples.
6125 Closes https://github.com/curl/curl/pull/3862
6127 Steve Holme (10 May 2019)
6128 - vauth: Fix incorrect function description for Curl_auth_user_contains_domain()
6130 ...and misalignment of these comments. From a78c61a4.
6134 Jay Satiro (10 May 2019)
6135 - Revert "multi: support verbose conncache closure handle"
6137 This reverts commit b0972bc.
6139 - No longer show verbose output for the conncache closure handle.
6141 The offending commit was added so that the conncache closure handle
6142 would inherit verbose mode from the user's easy handle. (Note there is
6143 no way for the user to set options for the closure handle which is why
6144 that was necessary.) Other debug settings such as the debug function
6145 were not also inherited since we determined that could lead to crashes
6146 if the user's per-handle private data was used on an unexpected handle.
6148 The reporter here says he has a debug function to capture the verbose
6149 output, and does not expect or want any output to stderr; however
6150 because the conncache closure handle does not inherit the debug function
6151 the verbose output for that handle does go to stderr.
6153 There are other plausible scenarios as well such as the user redirects
6154 stderr on their handle, which is also not inherited since it could lead
6155 to crashes when used on an unexpected handle.
6157 Short of allowing the user to set options for the conncache closure
6158 handle I don't think there's much we can safely do except no longer
6159 inherit the verbose setting.
6161 Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html
6162 Reported-by: Kristoffer Gleditsch
6164 Ref: https://github.com/curl/curl/pull/3598
6165 Ref: https://github.com/curl/curl/pull/3618
6167 Closes https://github.com/curl/curl/pull/3856
6169 Steve Holme (10 May 2019)
6170 - ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup()
6176 Daniel Stenberg (9 May 2019)
6177 - BUG-BOUNTY: minor formatting fixes [ci skip]
6179 - RELEASE-NOTES: synced
6181 - BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip]
6185 Kamil Dudka (9 May 2019)
6186 - http_negotiate: do not treat failure of gss_init_sec_context() as fatal
6191 - spnego_gssapi: fix return code on gss_init_sec_context() failure
6196 Steve Holme (9 May 2019)
6197 - gen_resp_file.bat: Removed unnecessary @ from all but the first command
6199 There is need to use @ on every command once echo has been turned off.
6203 Jay Satiro (8 May 2019)
6204 - http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
6206 - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to
6207 the destination host.
6209 We already do something similar for HTTPS proxies by not sending h2. [1]
6211 Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would
6212 incorrectly use HTTP/2 to talk to the proxy, which is not something we
6213 support (yet?). Also it's debatable whether or not that setting should
6214 apply to HTTP/2 proxies.
6216 [1]: https://github.com/curl/curl/commit/17c5d05
6218 Bug: https://github.com/curl/curl/issues/3570
6219 Bug: https://github.com/curl/curl/issues/3832
6221 Closes https://github.com/curl/curl/pull/3853
6223 Marcel Raad (8 May 2019)
6224 - travis: update mesalink build to xenial
6226 Closes https://github.com/curl/curl/pull/3842
6228 Daniel Stenberg (8 May 2019)
6229 - [Ricky Leverence brought this change]
6231 OpenSSL: Report -fips in version if OpenSSL is built with FIPS
6233 Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS
6234 define. It uses this define to determine whether to publish -fips at
6235 the end of the version displayed. Applications that utilize the version
6236 reported by OpenSSL will see a mismatch if they compare it to what curl
6237 reports, as curl is not modifying the version in the same way. This
6238 change simply adds a check to see if OPENSSL_FIPS is defined, and will
6239 alter the reported version to match what OpenSSL itself provides. This
6240 only appears to be applicable in versions of OpenSSL <1.1.1
6244 Kamil Dudka (7 May 2019)
6245 - [Frank Gevaerts brought this change]
6247 nss: allow fifos and character devices for certificates.
6249 Currently you can do things like --cert <(cat ./cert.crt) with (at least) the
6250 openssl backend, but that doesn't work for nss because is_file rejects fifos.
6252 I don't actually know if this is sufficient, nss might do things internally
6253 (like seeking back) that make this not work, so actual testing is needed.
6257 Daniel Gustafsson (6 May 2019)
6258 - test2100: Fix typos in test description
6260 Daniel Stenberg (6 May 2019)
6261 - ssh: define USE_SSH if SSH is enabled (any backend)
6265 Steve Holme (5 May 2019)
6266 - winbuild: Add our standard copyright header to the winbuild batch files
6268 - makedebug: Fix ERRORLEVEL detection after running where.exe
6272 Daniel Stenberg (5 May 2019)
6273 - urlapi: add CURLUPART_ZONEID to set and get
6275 The zoneid can be used with IPv6 numerical addresses.
6277 Updated test 1560 to verify.
6281 - [Taiyu Len brought this change]
6283 WRITEFUNCTION: add missing set_in_callback around callback
6287 - RELEASE-NOTES: synced
6289 - CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip]
6291 Reported-by: Ricardo Gomes
6296 - CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
6298 The time field in the curl_fileinfo struct will always be zero. No code
6299 was ever implemented to actually convert the date string to a time_t.
6304 - OS400/ccsidcurl.c: code style fixes
6306 - OS400/ccsidcurl: replace use of Curl_vsetopt
6308 (and make the code style comply)
6312 - urlapi: strip off scope id from numerical IPv6 addresses
6314 ... to make the host name "usable". Store the scope id and put it back
6315 when extracting a URL out of it.
6317 Also makes curl_url_set() syntax check CURLUPART_HOST.
6322 - RELEASE-NOTES: synced
6324 - multiif.h: remove unused protos
6326 ... for functions related to pipelining. Those functions were removed in
6331 - [Yiming Jing brought this change]
6333 travis: mesalink: temporarily disable test 3001
6335 ... due to SHA-1 signatures in test certs
6337 - [Yiming Jing brought this change]
6339 travis: upgrade the MesaLink TLS backend to v1.0.0
6344 - ConnectionExists: improve non-multiplexing use case
6348 - make sure multiplex is enabled for it to be used
6350 - multi: provide Curl_multiuse_state to update information
6352 As soon as a TLS backend gets ALPN conformation about the specific HTTP
6353 version it can now set the multiplex situation for the "bundle" and
6354 trigger moving potentially queued up transfers to the CONNECT state.
6356 - process_pending_handles: mark queued transfers as previously pending
6358 With transfers being queued up, we only move one at a a time back to the
6359 CONNECT state but now we mark moved transfers so that when a moved
6360 transfer is confirmed "successful" (it connected) it will trigger the
6361 move of another pending transfer. Previously, it would otherwise wait
6362 until the transfer was done before doing this. This makes queued up
6363 pending transfers get processed (much) faster.
6365 - http: mark bundle as not for multiuse on < HTTP/2 response
6370 Daniel Gustafsson (1 May 2019)
6371 - cookie: Guard against possible NULL ptr deref
6373 In case the name pointer isn't set (due to memory pressure most likely)
6374 we need to skip the prefix matching and reject with a badcookie to avoid
6375 a possible NULL pointer dereference.
6378 Reported-by: Jonathan Moerman
6379 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6381 Patrick Monnerat (30 Apr 2019)
6382 - os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings
6384 Kamil Dudka (29 Apr 2019)
6385 - nss: provide more specific error messages on failed init
6389 Daniel Stenberg (29 Apr 2019)
6390 - [Reed Loden brought this change]
6392 docs: minor polish to the bug bounty / security docs
6396 - CURL_MAX_INPUT_LENGTH: largest acceptable string input size
6398 This limits all accepted input strings passed to libcurl to be less than
6399 CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
6400 curl_easy_setopt() and curl_url_set().
6402 The 8000000 number is arbitrary picked and is meant to detect mistakes
6403 or abuse, not to limit actual practical use cases. By limiting the
6404 acceptable string lengths we also reduce the risk of integer overflows
6407 NOTE: This does not apply to `CURLOPT_POSTFIELDS`.
6413 - [Tseng Jun brought this change]
6415 curlver.h: use parenthesis in CURL_VERSION_BITS macro
6419 Marcel Raad (27 Apr 2019)
6420 - [Simon Warta brought this change]
6422 cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
6424 Closes https://github.com/curl/curl/pull/3769
6426 Steve Holme (23 Apr 2019)
6427 - ntlm: Missed pre-processor || (or) during rebase for cd15acd0
6429 - ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
6431 Just like we do for mbed TLS, use our local implementation of MD4 when
6432 OpenSSL doesn't support it. This allows a type-3 message to include the
6435 Daniel Gustafsson (23 Apr 2019)
6436 - INTERNALS: fix misindentation of ToC item
6438 Kerberos was incorrectly indented as a subsection under FTP, which is
6439 incorrect as they are both top level sections. A fix for this was first
6440 attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that
6441 was a few paddles short of being complete.
6443 - [Aron Bergman brought this change]
6445 INTERNALS: Add structs to ToC
6447 Add the subsections under "Structs in libcurl" to the table of contents.
6449 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6450 Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
6452 - [Aron Bergman brought this change]
6454 INTERNALS: Add code highlighting
6456 Make all struct members under the Curl_handler section
6457 print in monospace font.
6460 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6461 Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
6463 Daniel Stenberg (22 Apr 2019)
6464 - docs/BUG-BOUNTY: bug bounty time [skip ci]
6466 Introducing the curl bug bounty program on hackerone. We now recommend
6467 filing security issues directly in the hackerone ticket system which
6468 only is readable to curl security team members.
6470 Assisted-by: Daniel Gustafsson
6474 Steve Holme (22 Apr 2019)
6475 - sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
6477 RFC 4616 specifies the authzid is optional in the client authentication
6478 message and that the server will derive the authorisation identity
6479 (authzid) from the authentication identity (authcid) when not specified
6482 Jay Satiro (22 Apr 2019)
6483 - [Gisle Vanem brought this change]
6485 memdebug: fix variable name
6487 Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile.
6489 Ref: https://github.com/curl/curl/commit/76b6348#r33259088
6491 Steve Holme (21 Apr 2019)
6492 - vauth/cleartext: Don't send the authzid if it is empty
6494 Follow up to 762a292f.
6496 Daniel Stenberg (21 Apr 2019)
6497 - test 196,197,198: add 'retry' keyword [skip ci]
6499 - RELEASE-NOTES: synced
6501 - CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
6503 ... and disconnect too old ones instead of trying to reuse.
6505 Default max age is set to 118 seconds.
6510 Daniel Gustafsson (20 Apr 2019)
6511 - [Po-Chuan Hsieh brought this change]
6513 altsvc: Fix building with cookies disables
6515 ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if
6516 check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is
6517 disabled. Fix by splitting out the function into a separate file which can
6518 be included where needed.
6521 Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
6522 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
6524 Daniel Stenberg (20 Apr 2019)
6525 - test1002: correct the name [skip ci]
6527 - test660: verify CONNECT_ONLY with IMAP
6529 which basically just makes sure LOGOUT is *not* issued on disconnect
6531 - Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
6533 Since the connection has been used by the "outside" we don't know the
6534 state of it anymore and curl should not use it anymore.
6536 Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html
6540 - multi: fix the statenames (follow-up fix from 2f44e94efb3df8e)
6542 The list of names must be in sync with the defined states in the header
6545 Steve Holme (16 Apr 2019)
6546 - openvms: Remove pre-processors for Windows as VMS cannot support them
6548 - openvms: Remove pre-processor for SecureTransport as VMS cannot support it
6553 Jay Satiro (16 Apr 2019)
6554 - TODO: Add issue link to an existing entry
6556 Daniel Stenberg (16 Apr 2019)
6557 - RELEASE-NOTES: synced
6559 Jay Satiro (16 Apr 2019)
6560 - tool_help: Warn if curl and libcurl versions do not match
6562 .. because functionality may be affected if the versions differ.
6564 This commit implements TODO 18.7 "warning if curl version is not in sync
6565 with libcurl version".
6567 Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033
6569 Closes https://github.com/curl/curl/pull/3774
6571 Steve Holme (16 Apr 2019)
6572 - md5: Update the function signature following d84da52d
6574 - md5: Forgot to update the code alignment in d84da52d
6576 - md5: Return CURLcode from the internally accessible functions
6578 Following 28f826b3 to return CURLE_OK instead of numeric 0.
6580 Daniel Gustafsson (15 Apr 2019)
6581 - tests: Run global cleanup at end of tests
6583 Make sure to run curl_global_cleanup() when shutting down the test
6584 suite to release any resources allocated in the SSL setup. This is
6585 clearly visible when running tests with PolarSSL where the thread
6586 lock calloc() memory which isn't released when not running cleanup.
6587 Below is an excerpt from the autobuild logs:
6589 ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2
6590 ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752)
6591 ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205)
6592 ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup
6593 (polarssl_threadlock.c:54)
6594 ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865)
6595 ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171)
6596 ==12368== by 0x118B4C: global_init (easy.c:158)
6597 ==12368== by 0x118BF5: curl_global_init (easy.c:221)
6598 ==12368== by 0x118D0B: curl_easy_init (easy.c:299)
6599 ==12368== by 0x114E96: test (lib1906.c:32)
6600 ==12368== by 0x115495: main (first.c:174)
6603 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
6604 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6606 Marcel Raad (15 Apr 2019)
6607 - travis: use mbedtls from Xenial
6609 No need to build it from source anymore.
6611 Closes https://github.com/curl/curl/pull/3779
6613 - travis: use libpsl from Xenial
6615 This makes building libpsl and libidn2 from source unnecessary and
6616 removes the need for the autopoint and libunistring-dev packages.
6618 Closes https://github.com/curl/curl/pull/3779
6620 Daniel Stenberg (15 Apr 2019)
6621 - runtests: start socksd like other servers
6623 ... without a $srcdir prefix. Triggered by the failures in several
6628 Daniel Gustafsson (14 Apr 2019)
6631 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6633 - socksd: Properly decorate static variables
6635 Mark global variables static to avoid compiler warning in Clang when
6636 using -Wmissing-variable-declarations.
6639 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6641 Steve Holme (14 Apr 2019)
6642 - md(4|5): Fixed indentation oddities with the importation of replacement code
6644 The indentation from 211d5329 and 57d6d253 was a little strange as
6645 parts didn't align correctly, uses 4 spaces rather than 2. Checked
6646 the indentation of the original source so it aligns, albeit, using
6649 - md5: Code style to return CURLE_OK rather than numeric 0
6651 - md5: Corrected code style for some pointer arguments
6653 Marcel Raad (13 Apr 2019)
6654 - travis: update some builds to xenial
6656 Xenial comes with more up-to-date software versions and more available
6657 packages, some of which we currently build from source. Unfortunately,
6658 some builds would fail with Xenial because of assertion failures in
6659 Valgrind when using OpenSSL, so leave these at Trusty.
6661 Closes https://github.com/curl/curl/pull/3777
6663 Daniel Stenberg (13 Apr 2019)
6664 - test: make tests and test scripts use socksd for SOCKS
6666 Make all SOCKS tests use socksd instead of ssh.
6668 - socksd: new SOCKS 4+5 server for tests
6672 - singleipconnect: show port in the verbose "Trying ..." message
6674 To aid debugging better.
6676 - [tmilburn brought this change]
6678 CURLOPT_ADDRESS_SCOPE: fix range check and more
6680 Commit 9081014 fixed most of the confusing issues between scope id and
6681 scope however 844896d added bad limits checking assuming that the scope
6682 is being set and not the scope id.
6684 I have fixed the documentation so it all refers to scope ids.
6686 In addition Curl_if2ip refered to the scope id as remote_scope_id which
6687 is incorrect, so I renamed it to local_scope_id.
6689 Adjusted-by: Daniel Stenberg
6695 - urlapi: stricter CURLUPART_PORT parsing
6697 Only allow well formed decimal numbers in the input.
6699 Document that the number MUST be between 1 and 65535.
6701 Add tests to test 1560 to verify the above.
6703 Ref: https://github.com/curl/curl/issues/3753
6706 Jay Satiro (13 Apr 2019)
6707 - [Jan Ehrhardt brought this change]
6709 winbuild: Support MultiSSL builds
6711 - Remove the lines in winbuild/Makefile.vc that generate an error with
6712 multiple SSL backends.
6714 - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL
6717 Closes https://github.com/curl/curl/pull/3772
6719 Daniel Stenberg (12 Apr 2019)
6720 - travis: remove mesalink builds (temporarily?)
6722 Since the mesalink build started to fail on travis, even though we build
6723 a fixed release version, we disable it to prevent it from blocking
6728 - openssl: mark connection for close on TLS close_notify
6730 Without this, detecting and avoid reusing a closed TLS connection
6731 (without a previous GOAWAY) when doing HTTP/2 is tricky.
6733 Reported-by: Tom van der Woerdt
6737 - RELEASE-NOTES: synced
6739 Steve Holme (11 Apr 2019)
6740 - vauth/cleartext: Update the PLAIN login function signature to match RFC 4616
6742 Functionally this doesn't change anything as we still use the username
6743 for both the authorisation identity and the authentication identity.
6747 Daniel Stenberg (11 Apr 2019)
6748 - test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage
6750 Based-on-code-by: Poul T Lomholt
6752 - url: always clone the CUROPT_CURLU handle
6754 Since a few code paths actually update that data.
6759 Reported-by: Poul T Lomholt
6761 - CURLOPT_DNS_USE_GLOBAL_CACHE: remove
6763 Remove the code too. The functionality has been disabled in code since
6764 7.62.0. Setting this option will from now on simply be ignored and have
6769 Marcel Raad (11 Apr 2019)
6770 - travis: install libgnutls28-dev only for --with-gnutls build
6772 Reduces the time needed for the other jobs a little.
6774 Closes https://github.com/curl/curl/pull/3721
6776 - travis: install libnss3-dev only for --with-nss build
6778 Reduces the time needed for the other jobs a little.
6780 Closes https://github.com/curl/curl/pull/3721
6782 - travis: install libssh2-dev only for --with-libssh2 build
6784 Reduces the time needed for the other jobs a little.
6786 Closes https://github.com/curl/curl/pull/3721
6788 - travis: install libssh-dev only for --with-libssh build
6790 Reduces the time needed for the other jobs a little.
6792 Closes https://github.com/curl/curl/pull/3721
6794 - travis: install krb5-user only for --with-gssapi build
6796 Reduces the time needed for the other jobs a little.
6798 Closes https://github.com/curl/curl/pull/3721
6800 - travis: install lcov only for the coverage job
6802 Reduces the time needed for the other jobs a little.
6804 Closes https://github.com/curl/curl/pull/3721
6806 - travis: install clang only when needed
6808 This reduces the GCC job runtimes a little and it's needed to
6809 selectively update clang builds to xenial.
6811 Closes https://github.com/curl/curl/pull/3721
6813 - AppVeyor: enable testing for WinSSL build
6815 Closes https://github.com/curl/curl/pull/3725
6817 - build: fix Codacy/CppCheck warnings
6819 - remove unused variables
6820 - declare conditionally used variables conditionally
6821 - suppress unused variable warnings in the CMake tests
6822 - remove dead variable stores
6823 - consistently use WIN32 macro to detect Windows
6825 Closes https://github.com/curl/curl/pull/3739
6827 - polarssl_threadlock: remove conditionally unused code
6829 Make functions no-ops if neither both USE_THREADS_POSIX and
6830 HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are
6831 defined. Previously, if only one of them was defined, there was either
6832 code compiled that did nothing useful or the wrong header included for
6835 Also, move POLARSSL_MUTEX_T define to implementation file as it's not
6838 Closes https://github.com/curl/curl/pull/3739
6840 - lib557: initialize variables
6842 These variables are only conditionally initialized.
6844 Closes https://github.com/curl/curl/pull/3739
6846 - lib509: add missing include for strdup
6848 Closes https://github.com/curl/curl/pull/3739
6850 - README.md: fix no-consecutive-blank-lines Codacy warning
6852 Consistently use one blank line between blocks.
6854 Closes https://github.com/curl/curl/pull/3739
6856 - tests/server/util: fix Windows Unicode build
6858 Always use the ANSI version of FormatMessage as we don't have the
6859 curl_multibyte gear available here.
6861 Closes https://github.com/curl/curl/pull/3758
6863 Daniel Stenberg (11 Apr 2019)
6864 - curl_easy_getinfo.3: fix minor formatting mistake
6866 Daniel Gustafsson (11 Apr 2019)
6867 - xattr: skip unittest on unsupported platforms
6869 The stripcredentials unittest fails to compile on platforms without
6870 xattr support, for example the Solaris member in the buildfarm which
6871 fails with the following:
6873 CC unit1621-unit1621.o
6874 CC ../libtest/unit1621-first.o
6876 Undefined first referenced
6878 stripcredentials unit1621-unit1621.o
6880 ld: fatal: symbol referencing errors. No output written to .libs/unit1621
6881 collect2: error: ld returned 1 exit status
6882 gmake[2]: *** [Makefile:996: unit1621] Error 1
6884 Fix by excluding the test on such platforms by using the reverse
6885 logic from where stripcredentials() is defined.
6888 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6890 Steve Holme (11 Apr 2019)
6891 - emailL Added reference to RFC8314 for implicit TLS
6893 - README: Schannel, stop calling it "winssl"
6895 Stick to "Schannel" everywhere - follow up to 180501cb.
6897 Jakub Zakrzewski (10 Apr 2019)
6898 - cmake: clear CMAKE_REQUIRED_LIBRARIES after each use
6900 This fixes GSSAPI builds with the libraries in a non-standard location.
6901 The testing for recv() were failing because it failed to link
6902 the Kerberos libraries, which are not needed for this or subsequent
6908 - cmake: avoid linking executable for some tests with cmake 3.6+
6910 With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile()
6911 (which is used by check_c_source_compiles()) will build static library
6912 instead of executable. This avoids linking additional libraries in and thus
6913 speeds up those checks a little.
6915 This commit also avoids #3743 (GSSAPI build errors) on itself with cmake
6916 3.6 or above. That issue was fixed separately for all versions.
6920 - cmake: minor cleanup
6922 - Remove nneeded include_regular_expression.
6923 It was setting what is already a default.
6925 - Remove duplicated include.
6927 - Don't check for pre-3.0.0 CMake version.
6928 We already require at least 3.0.0, so it's just clutter.
6932 Steve Holme (8 Apr 2019)
6933 - build-openssl.bat: Fixed support for OpenSSL v1.1.0+
6935 - build-openssl.bat: Perfer the use of if statements rather than goto (where possible)
6937 - build-openssl.bat: Perform the install for each build type directly after the build
6939 - build-openssl.bat: Split the install of static and shared build types
6941 - build-openssl.bat: Split the building of static and shared build types
6943 - build-openssl.bat: Move the installation into a separate function
6945 - build-openssl.bat: Move the build step into a separate function
6947 - build-openssl.bat: Move the OpenSSL configuration into a separate function
6949 - build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised
6951 Should the parent environment set this variable then the build might
6952 not be performed as the user intended.
6954 Daniel Stenberg (8 Apr 2019)
6955 - socks: fix error message
6957 - config.d: clarify that initial : and = might need quoting [skip ci]
6962 - RELEASE-NOTES: synced
6964 bumped to 7.65.0 for next release
6966 - socks5: user name and passwords must be shorter than 256
6968 bytes... since the protocol needs to store the length in a single byte field.
6970 Reported-by: XmiliaH on github
6974 - [Jakub Zakrzewski brought this change]
6976 test: urlapi: urlencode characters above 0x7f correctly
6978 - [Jakub Zakrzewski brought this change]
6980 urlapi: urlencode characters above 0x7f correctly
6985 - [Even Rouault brought this change]
6987 multi_runsingle(): fix use-after-free
6992 The following snippet
6997 CURL* hCurlHandle = curl_easy_init();
6998 curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com");
6999 curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1");
7000 curl_easy_perform(hCurlHandle);
7001 curl_easy_cleanup(hCurlHandle);
7005 triggers the following Valgrind warning
7008 ==4125== Invalid read of size 8
7009 ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97)
7010 ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798)
7011 ==4125== by 0x4E80545: multi_runsingle (multi.c:1451)
7012 ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072)
7013 ==4125== by 0x4E766A0: easy_transfer (easy.c:625)
7014 ==4125== by 0x4E76915: easy_perform (easy.c:719)
7015 ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738)
7016 ==4125== by 0x4008BE: main (in /home/even/curl/test)
7017 ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd
7018 ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530)
7019 ==4125== by 0x4E62C36: conn_free (url.c:756)
7020 ==4125== by 0x4E62D34: Curl_disconnect (url.c:818)
7021 ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097)
7022 ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446)
7023 ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072)
7024 ==4125== by 0x4E766A0: easy_transfer (easy.c:625)
7025 ==4125== by 0x4E76915: easy_perform (easy.c:719)
7026 ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738)
7027 ==4125== by 0x4008BE: main (in /home/even/curl/test)
7028 ==4125== Block was alloc'd at
7029 ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711)
7030 ==4125== by 0x4E6438E: allocate_conn (url.c:1654)
7031 ==4125== by 0x4E685B4: create_conn (url.c:3496)
7032 ==4125== by 0x4E6968F: Curl_connect (url.c:4023)
7033 ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368)
7034 ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072)
7035 ==4125== by 0x4E766A0: easy_transfer (easy.c:625)
7036 ==4125== by 0x4E76915: easy_perform (easy.c:719)
7037 ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738)
7038 ==4125== by 0x4008BE: main (in /home/even/curl/test)
7041 This has been bisected to commit 2f44e94
7043 Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109
7046 - pipelining: removed
7048 As previously planned and documented in DEPRECATE.md, all pipelining
7053 - [cclauss brought this change]
7055 tests: make Impacket (SMB server) Python 3 compatible
7060 Marcel Raad (6 Apr 2019)
7061 - [Simon Warta brought this change]
7063 cmake: set SSL_BACKENDS
7065 This groups all SSL backends into the feature "SSL" and sets the
7066 SSL_BACKENDS analogue to configure.ac
7068 Closes https://github.com/curl/curl/pull/3736
7070 - [Simon Warta brought this change]
7072 cmake: don't run SORT on empty list
7074 In case of an empty list, SORTing leads to the cmake error "list
7075 sub-command SORT requires list to be present."
7077 Closes https://github.com/curl/curl/pull/3736
7079 Daniel Gustafsson (5 Apr 2019)
7080 - [Eli Schwartz brought this change]
7082 configure: fix default location for fish completions
7084 Fish defines a vendor completions directory for completions that are not
7085 installed as part of the fish project itself, and the vendor completions
7086 are preferred if they exist. This prevents trying to overwrite the
7087 builtin curl.fish completion (or creating file conflicts in distro
7090 Prefer the pkg-config defined location exported by fish, if it can be
7091 found, and fall back to the correct directory defined by most systems.
7094 Reviewed-by: Daniel Gustafsson
7096 Marcel Raad (5 Apr 2019)
7097 - ftplistparser: fix LGTM alert "Empty block without comment"
7099 Removing the block is consistent with line 954/957.
7101 Closes https://github.com/curl/curl/pull/3732
7103 - transfer: fix LGTM alert "Comparison is always true"
7105 Just remove the redundant condition, which also makes it clear that
7106 k->buf is always 0-terminated if this break is not hit.
7108 Closes https://github.com/curl/curl/pull/3732
7110 Jay Satiro (4 Apr 2019)
7111 - [Rikard Falkeborn brought this change]
7113 smtp: fix compiler warning
7115 - Fix clang string-plus-int warning.
7117 Clang 8 warns about adding a string to an int does not append to the
7118 string. Indeed it doesn't, but that was not the intention either. Use
7119 array indexing as suggested to silence the warning. There should be no
7122 (In other words clang warns about "foo"+2 but not &"foo"[2] so use the
7125 smtp.c:1221:29: warning: adding 'int' to a string does not append to the
7126 string [-Wstring-plus-int]
7127 eob = strdup(SMTP_EOB + 2);
7128 ~~~~~~~~~~~~~~~~^~~~
7130 Closes https://github.com/curl/curl/pull/3729