5 \___|\___/|_| \_\_____|
9 Version 8.5.0 (6 Dec 2023)
11 Daniel Stenberg (6 Dec 2023)
13 - RELEASE-NOTES: synced
15 The curl 8.5.0 release.
17 Dan Fandrich (5 Dec 2023)
19 - github/labeler: switch from the beta to labeler v5
21 Some keys were renamed and the dot option was made default.
25 Daniel Stenberg (5 Dec 2023)
27 - DEPRECATE: remove NTLM_WB in June 2024
29 Ref: https://curl.se/mail/lib-2023-12/0010.html
33 Jacob Hoffman-Andrews (4 Dec 2023)
35 - rustls: implement connect_blocking
39 Daniel Stenberg (4 Dec 2023)
41 - examples/rtsp-options.c: add
43 Just a bare bones RTSP example using CURLOPT_RTSP_SESSION_ID and
44 CURLOPT_RTSP_REQUEST set to CURL_RTSPREQ_OPTIONS.
48 Stefan Eissing (4 Dec 2023)
50 - ngtcp2: ignore errors on unknown streams
52 - expecially in is_alive checks on connections, we might
53 see incoming packets on streams already forgotten and closed,
54 leading to errors reported by nghttp3. Ignore those.
58 Daniel Stenberg (4 Dec 2023)
60 - docs: make all examples in all libcurl man pages compile
64 - checksrc.pl: support #line instructions
66 makes it identify the correct source file and line
68 - GHA/man-examples: verify libcurl man page examples
70 - verify-examples.pl: verify that all man page examples compile clean
72 - RELEASE-NOTES: synced
74 Graham Campbell (2 Dec 2023)
76 - http3: bump ngtcp2 and nghttp3 versions
85 - CI/quiche: use `3.1.4+quic` consistently in CI workflows
89 Viktor Szakats (2 Dec 2023)
91 - test1545: disable deprecation warnings
94 https://ci.appveyor.com/project/curlorg/curl/builds/48631551/job/bhx74e0i66yr
98 https://ci.appveyor.com/project/curlorg/curl/builds/48662893/job/ol8a78q9gmil
101 tests/libtest/lib1545.c:38:3: error: 'curl_formadd' is deprecated: since 7.56
102 .0. Use curl_mime_init() [-Werror=deprecated-declarations]
103 38 | curl_formadd(&m_formpost, &lastptr, CURLFORM_COPYNAME, "file",
108 Follow-up to 07a3cd83e0456ca17dfd8c3104af7cf45b7a1ff5 #12421
113 Daniel Stenberg (2 Dec 2023)
115 - INSTALL: update list of ports and CPU archs
117 - symbols-in-versions: the CLOSEPOLICY options are deprecated
119 The were used with the CURLOPT_CLOSEPOLICY option, which *never* worked.
123 - build: fix builds that disable protocols but not digest auth
125 - Build base64 functions if digest auth is not disabled.
127 Prior to this change if some protocols were disabled but not digest auth
128 then a build error would occur due to missing base64 functions.
130 Fixes https://github.com/curl/curl/issues/12440
131 Closes https://github.com/curl/curl/pull/12442
133 Michał Antoniak (1 Dec 2023)
135 - connect: reduce number of transportation providers
137 Use only the ones necessary - the ones that are built-in. Saves a few
138 bytes in the resulting code.
142 David Benjamin (1 Dec 2023)
144 - vtls: consistently use typedef names for OpenSSL structs
146 The foo_st names don't appear in OpenSSL public API documentation. The
147 FOO typedefs are more common. This header was already referencing
148 SSL_CTX via <openssl/ssl.h>. There is a comment about avoiding
149 <openssl/x509v3.h>, but OpenSSL actually declares all the typedefs in
150 <openssl/ossl_typ.h>, which is already included by <openssl/ssl.h> (and
151 every other OpenSSL header), so just use that. Though I've included it
154 (I'm also fairly sure including <openssl/ssl.h> already triggers the
155 Schannel conflicts anyway. The comment was probably just out of date.)
161 - libcurl-security.3: fix typo
167 Stefan Eissing (1 Dec 2023)
169 - ngtcp2: fix races in stream handling
171 - fix cases where ngtcp2 invokes callbacks on streams that
172 nghttp3 has already forgotten. Ignore the NGHTTP3_ERR_STREAM_NOT_FOUND
173 in these cases as it is normal behaviour.
177 Emanuele Torre (1 Dec 2023)
179 - tool_writeout_json: fix JSON encoding of non-ascii bytes
181 char variables if unspecified can be either signed or unsigned depending
182 on the platform according to the C standard; in most platforms, they are
185 This meant that the *i<32 waas always true for bytes with the top bit
186 set. So they were always getting encoded as \uXXXX, and then since they
187 were also signed negative, they were getting extended with 1s causing
188 '\xe2' to be expanded to \uffffffe2, for example:
190 $ curl --variable 'v=“' --expand-write-out '{{v:json}}\n' file:///dev/nul
192 \uffffffe2\uffffff80\uffffff9c
194 I fixed this bug by making the code use explicitly unsigned char*
195 variables instead of char* variables.
199 Reported-by: iconoclasthero
202 Stefan Eissing (1 Dec 2023)
204 - cf-socket: TCP trace output local address used in connect
208 Jay Satiro (1 Dec 2023)
210 - CURLINFO_PRETRANSFER_TIME_T.3: fix time explanation
212 - Change CURLINFO_PRETRANSFER_TIME_T explanation to say that it
213 includes protocol-specific instructions that trigger a transfer.
215 Prior to this change it explicitly said that it did not include those
216 instructions in the time, but that is incorrect.
218 The change is a copy of the fixed explanation already in
219 CURLINFO_PRETRANSFER_TIME, fixed by ec8dcd7b.
221 Reported-by: eeverettrbx@users.noreply.github.com
223 Fixes https://github.com/curl/curl/issues/12431
224 Closes https://github.com/curl/curl/pull/12432
226 Daniel Stenberg (30 Nov 2023)
228 - multi: during ratelimit multi_getsock should return no sockets
230 ... as there is nothing to wait for then, it just waits. Otherwise, this
231 causes much more CPU work and updates than necessary during ratelimit
234 Ref: https://curl.se/mail/lib-2023-11/0056.html
237 Dmitry Karpov (30 Nov 2023)
239 - transfer: abort pause send when connection is marked for closing
241 This handles cases of some bi-directional "upgrade" scenarios
242 (i.e. WebSockets) where sending is paused until some "upgrade" handshake
243 is completed, but server rejects the handshake and closes the
248 Daniel Stenberg (28 Nov 2023)
250 - RELEASE-NOTES: synced
252 - openssl: when a session-ID is reused, skip OCSP stapling
255 Reported-by: Alexey Larikov
258 - test1545: test doing curl_formadd twice with missing file
264 - Curl_http_body: cleanup properly when Curl_getformdata errors
266 Reported-by: yushicheng7788 on github
267 Based-on-work-by: yushicheng7788 on github
271 - test1477: verify that libcurl-errors.3 and public headers are synced
273 The script errorcodes.pl extracts all error codes from all headers and
274 checks that they are all documented, then checks that all documented
275 error codes are also specified in a header file.
279 - libcurl-errors.3: sync with current public headers
283 Stefan Eissing (28 Nov 2023)
285 - test459: fix for parallel runs
287 - change warniing message to work better with varying filename
289 - adapt test output check to new formatting
291 Follow-up to 97ccc4479f77ba3191c6
294 Daniel Stenberg (27 Nov 2023)
296 - tool_cb_prg: make the carriage return fit for wide progress bars
298 When the progress bar was made max width (256 columns), the fly()
299 function attempted to generate its output buffer too long so that the
300 trailing carriage return would not fit and then the output would show
301 wrongly. The fly function is called when the expected total transfer is
302 unknown, which could be one or more progress calls before the actual
303 progress meter get shown when the expected transfer size is provided.
305 This new take also replaces the msnprintf() call with a much simpler
308 Reported-by: Tim Hill
312 - tool_parsecfg: make warning output propose double-quoting
314 When the config file parser detects a word that *probably* should be
315 quoted, mention double-quotes as a possible remedy.
319 Proposed-by: Jiehong on github
323 Jay Satiro (26 Nov 2023)
325 - curl.rc: switch out the copyright symbol for plain ASCII
327 .. like we already do for libcurl.rc.
329 libcurl.rc copyright symbol used to cause a "non-ascii 8-bit codepoint"
330 warning so it was switched to ascii.
332 Ref: https://github.com/curl/curl/commit/1ca62bb5#commitcomment-133474972
334 Suggested-by: Robert Southee
336 Closes https://github.com/curl/curl/pull/12403
338 Daniel Stenberg (26 Nov 2023)
340 - conncache: use the closure handle when disconnecting surplus connections
342 Use the closure handle for disconnecting connection cache entries so
343 that anything that happens during the disconnect is not stored and
344 associated with the 'data' handle which already just finished a transfer
345 and it is important that details from the unrelated disconnect does not
346 taint meta-data in the data handle.
348 Like storing the response code.
350 This also adjust test 1506. Unfortunately it also removes a key part of
351 the test that verifies that a connection is closed since when this
352 output vanishes (because the closure handle is used), we don't know
353 exactly that the connection actually gets closed in this test...
355 Reported-by: ohyeaah on github
359 - RELEASE-NOTES: synced
361 Stefan Eissing (24 Nov 2023)
363 - quic: make eyeballers connect retries stop at weird replies
365 - when a connect immediately goes into DRAINING state, do
366 not attempt retries in the QUIC connection filter. Instead,
367 return CURLE_WEIRD_SERVER_REPLY
368 - When eyeballing, interpret CURLE_WEIRD_SERVER_REPLY as an
369 inconclusive answer. When all addresses have been attempted,
370 rewind the address list once on an inconclusive answer.
371 - refs #11832 where connects were retried indefinitely until
372 the overall timeout fired
376 Daniel Stenberg (24 Nov 2023)
378 - CI: verify libcurl function SYNPOSIS sections
380 With the .github/scripits/verify-synopsis.pl script
384 - docs/libcurl: SYNSOPSIS cleanup
386 - use the correct include file
387 - make sure they are declared as in the header file
388 - fix minor nroff syntax mistakes (missing .fi)
390 These are verified by verify-synopsis.pl, which extracts the SYNPOSIS
391 code and runs it through gcc.
395 - sendf: fix comment typo
397 - fopen: allocate the dir after fopen
399 Move the allocation of the directory name down to after the fopen() call
400 to allow that shortcut code path to avoid a superfluous malloc+free
403 Follow-up to 73b65e94f35311
407 Stefan Eissing (24 Nov 2023)
409 - transfer: cleanup done+excess handling
411 - add `SingleRequest->download_done` as indicator that
412 all download bytes have been received
413 - remove `stop_reading` bool from readwrite functions
414 - move excess body handling into client download writer
418 Daniel Stenberg (23 Nov 2023)
420 - fopen: create new file using old file's mode
422 Because the function renames the temp file to the target name as a last
423 step, if the file was previously owned by a different user, not ORing
424 the old mode could otherwise end up creating a file that was no longer
425 readable by the original owner after save.
427 Reported-by: Loïc Yhuel
431 - test1476: require proxy
433 Follow-up from 323df4261c3542
437 - fopen: create short(er) temporary file name
439 Only using random letters in the name plus a ".tmp" extension. Not by
440 appending characters to the final file name.
442 Reported-by: Maksymilian Arciemowicz
446 Stefan Eissing (23 Nov 2023)
448 - tests: git ignore generated second-hsts.txt file
450 File is generated in test lib1900
452 Follow-up to 7cb03229d9e9c5
456 Viktor Szakats (23 Nov 2023)
458 - openssl: enable `infof_certstack` for 1.1 and LibreSSL 3.6
460 Lower the barrier to enable `infof_certstack()` from OpenSSL 3 to
461 OpenSSL 1.1.x, and LibreSSL 3.6 or upper.
463 With the caveat, that "group name" and "type name" are missing from
464 the log output with these TLS backends.
466 Follow-up to b6e6d4ff8f253c8b8055bab9d4d6a10f9be109f3 #12030
468 Reviewed-by: Daniel Stenberg
471 Daniel Stenberg (23 Nov 2023)
473 - urldata: fix typo in comment
477 The list of words to ignore is in the file
478 .github/scripts/codespell-ignore.txt
482 - lib: fix comment typos
484 Five separate ones, found by codespell
488 - test1476: verify cookie PSL mixed case
490 - cookie: lowercase the domain names before PSL checks
492 Reported-by: Harry Sintonen
496 Viktor Szakats (23 Nov 2023)
498 - openssl: fix building with v3 `no-deprecated` + add CI test
500 - build quictls with `no-deprecated` in CI to have test coverage for
501 this OpenSSL 3 configuration.
503 - don't call `OpenSSL_add_all_algorithms()`, `OpenSSL_add_all_digests()`.
504 The caller code is meant for OpenSSL 3, while these two functions were
505 only necessary before OpenSSL 1.1.0. They are missing from OpenSSL 3
506 if built with option `no-deprecated`, causing build errors:
508 vtls/openssl.c:4097:3: error: call to undeclared function 'OpenSSL_add_all_
509 algorithms'; ISO C99 and later do not support implicit function declaration
510 s [-Wimplicit-function-declaration]
511 vtls/openssl.c:4098:3: error: call to undeclared function 'OpenSSL_add_all_
512 digests'; ISO C99 and later do not support implicit function declarations [
513 -Wimplicit-function-declaration]
515 Ref: https://ci.appveyor.com/project/curlorg/curl-for-win/builds/48587418?f
518 Regression from b6e6d4ff8f253c8b8055bab9d4d6a10f9be109f3 #12030
519 Bug: https://github.com/curl/curl/issues/12380#issuecomment-1822944669
520 Reviewed-by: Alex Bozarth
522 - vquic/curl_ngtcp2: fix using `SSL_get_peer_certificate` with
523 `no-deprecated` quictls 3 builds.
524 Do it by moving an existing solution for this from `vtls/openssl.c`
525 to `vtls/openssl.h` and adjusting caller code.
527 vquic/curl_ngtcp2.c:1950:19: error: implicit declaration of function 'SSL_g
528 et_peer_certificate'; did you mean 'SSL_get1_peer_certificate'? [-Wimplicit
529 -function-declaration]
531 Ref: https://github.com/curl/curl/actions/runs/6960723097/job/18940818625#s
534 - curl_ntlm_core: fix `-Wunused-parameter`, `-Wunused-variable` and
535 `-Wunused-function` when trying to build curl with NTLM enabled but
536 without the necessary TLS backend (with DES) support.
540 - curl.h: delete Symbian OS references
542 curl deprecated Symbian OS in 3d64031fa7a80ac4ae3fd09a5939196268b92f81
543 via #5989. Delete references to it from public headers, because there
544 is no fresh release to use those headers with.
546 Reviewed-by: Dan Fandrich
547 Reviewed-by: Jay Satiro
550 - windows: use built-in `_WIN32` macro to detect Windows
552 Windows compilers define `_WIN32` automatically. Windows SDK headers
553 or build env defines `WIN32`, or we have to take care of it. The
554 agreement seems to be that `_WIN32` is the preferred practice here.
555 Make the source code rely on that to detect we're building for Windows.
557 Public `curl.h` was using `WIN32`, `__WIN32__` and `CURL_WIN32` for
558 Windows detection, next to the official `_WIN32`. After this patch it
559 only uses `_WIN32` for this. Also, make it stop defining `CURL_WIN32`.
561 There is a slight chance these break compatibility with Windows
562 compilers that fail to define `_WIN32`. I'm not aware of any obsolete
563 or modern compiler affected, but in case there is one, one possible
564 solution is to define this macro manually.
566 grepping for `WIN32` remains useful to discover Windows-specific code.
570 - extend `checksrc` to ensure we're not using `WIN32` anymore.
572 - apply minor formatting here and there.
574 - delete unnecessary checks for `!MSDOS` when `_WIN32` is present.
576 Co-authored-by: Jay Satiro
577 Reviewed-by: Daniel Stenberg
581 Stefan Eissing (22 Nov 2023)
583 - url: ConnectionExists revisited
585 - have common pattern of `if not match, continue`
586 - revert pages long if()s to return early
587 - move dead connection check to later since it may
588 be relatively expensive
589 - check multiuse also when NOT building with NGHTTP2
590 - for MULTIUSE bundles, verify that the inspected
591 connection indeed supports multiplexing when in use
592 (bundles may contain a mix of connection, afaict)
596 Daniel Stenberg (22 Nov 2023)
598 - CURLMOPT_MAX_CONCURRENT_STREAMS: make sure the set value is within range
600 ... or use the default value.
602 Also clarify the documentation language somewhat.
606 - urldata: make maxconnects a 32 bit value
608 "2^32 idle connections ought to be enough for anybody"
612 - FEATURES: update the URL phrasing
614 The URL is length limited since a while back so "no limit" simply is not
615 true anymore. Mention the URL RFC standard used instead.
619 - wolfssh: remove redundant static prototypes
621 vssh/wolfssh.c:346:18: error: redundant redeclaration of ‘wscp_recv’ [-We
622 rror=redundant-decls]
626 - setopt: remove superfluous use of ternary expressions
630 - mime: store "form escape" as a single bit
634 - setopt: check CURLOPT_TFTP_BLKSIZE range on set
636 ... instead of later when the transfer is about to happen.
640 Viktor Szakats (21 Nov 2023)
642 - build: add more picky warnings and fix them
644 Enable more picky compiler warnings. I've found these options in the
645 nghttp3 project when implementing the CMake quick picky warning
646 functionality for it [1].
648 `-Wunused-macros` was too noisy to keep around, but fixed a few issues
649 it revealed while testing.
651 - autotools: reflect the more precisely-versioned clang warnings.
652 Follow-up to 033f8e2a08eb1d3102f08c4d8c8e85470f8b460e #12324
653 - autotools: sync between clang and gcc the way we set `no-multichar`.
654 - autotools: avoid setting `-Wstrict-aliasing=3` twice.
655 - autotools: disable `-Wmissing-noreturn` for MSYS gcc targets [2].
656 It triggers in libtool-generated stub code.
658 - lib/timeval: delete a redundant `!MSDOS` guard from a `WIN32` branch.
660 - lib/curl_setup.h: delete duplicate declaration for `fileno`.
661 Added in initial commit ae1912cb0d494b48d514d937826c9fe83ec96c4d
662 (1999-12-29). This suggests this may not be needed anymore, but if
663 it does, we may restore this for those specific (non-Windows) systems.
664 - lib: delete unused macro `FTP_BUFFER_ALLOCSIZE` since
665 c1d6fe2aaa5a26e49a69a4f2495b3cc7a24d9394.
666 - lib: delete unused macro `isxdigit_ascii` since
667 f65f750742068f579f4ee6d8539ed9d5f0afcb85.
668 - lib/mqtt: delete unused macro `MQTT_HEADER_LEN`.
669 - lib/multi: delete unused macro `SH_READ`/`SH_WRITE`.
670 - lib/hostip: add `noreturn` function attribute via new `CURL_NORETURN`
672 - lib/mprintf: delete duplicate declaration for `Curl_dyn_vprintf`.
673 - lib/rand: fix `-Wunreachable-code` and related fallouts [3].
674 - lib/setopt: fix `-Wunreachable-code-break`.
675 - lib/system_win32 and lib/timeval: fix double declarations for
676 `Curl_freq` and `Curl_isVistaOrGreater` in CMake UNITY mode [4].
677 - lib/warnless: fix double declarations in CMake UNITY mode [5].
678 This was due to force-disabling the header guard of `warnless.h` to
679 to reapply it to source code coming after `warnless.c` in UNITY
680 builds. This reapplied declarations too, causing the warnings.
681 Solved by adding a header guard for the lines that actually need
683 - lib/vauth/digest: fix `-Wunreachable-code-break` [6].
684 - lib/vssh/libssh2: fix `-Wunreachable-code-break` and delete redundant
686 - lib/vtls/sectransp: fix `-Wunreachable-code-break` [7].
687 - lib/vtls/sectransp: suppress `-Wunreachable-code`.
688 Detected in `else` branches of dynamic feature checks, with results
689 known at compile-time, e.g.
691 if(SecCertificateCopySubjectSummary) /* -> true */
693 Likely fixable as a separate micro-project, but given SecureTransport
694 is deprecated anyway, let's just silence these locally.
695 - src/tool_help: delete duplicate declaration for `helptext`.
696 - src/tool_xattr: fix `-Wunreachable-code`.
697 - tests: delete duplicate declaration for `unitfail` [8].
698 - tests: delete duplicate declaration for `strncasecompare`.
699 - tests/libtest: delete duplicate declaration for `gethostname`.
700 Originally added in 687df5c8c39c370a59999b9afc0917d808d978b7
702 Got complicated later: c49e9683b85ba9d12cbb6eebc4ab2c8dba68fbdc
703 If there are still systems around with warnings, we may restore the
704 prototype, but limited for those systems.
705 - tests/lib2305: delete duplicate declaration for
706 `libtest_debug_config`.
707 - tests/h2-download: fix `-Wunreachable-code-break`.
709 [1] https://github.com/ngtcp2/nghttp3/blob/a70edb08e954d690e8fb2c1df999b5a056
710 f8bf9f/cmake/PickyWarningsC.cmake
711 [2] https://ci.appveyor.com/project/curlorg/curl/builds/48553586/job/3qkgjaui
712 qla5fj45?fullLog=true#L1675
713 [3] https://github.com/curl/curl/actions/runs/6880886309/job/18716044703?pr=1
715 https://github.com/curl/curl/actions/runs/6883016087/job/18722707368?pr=1
717 [4] https://ci.appveyor.com/project/curlorg/curl/builds/48555101/job/9g15qkrr
719 [5] https://ci.appveyor.com/project/curlorg/curl/builds/48555101/job/9g15qkrr
721 [6] https://github.com/curl/curl/actions/runs/6880886309/job/18716042927?pr=1
723 [7] https://github.com/curl/curl/actions/runs/6891484996/job/18746659406?pr=1
725 [8] https://github.com/curl/curl/actions/runs/6882803986/job/18722082562?pr=1
730 Daniel Stenberg (21 Nov 2023)
732 - transfer: avoid unreachable expression
734 If curl_off_t and size_t have the same size (which is common on modern
735 64 bit systems), a condition cannot occur which Coverity pointed
736 out. Avoid the warning by having the code conditionally only used if
737 curl_off_t actually is larger.
739 Follow-up to 1cd2f0072fa482e25baa2
743 Stefan Eissing (21 Nov 2023)
745 - transfer: readwrite improvements
747 - changed header/chunk/handler->readwrite prototypes to accept `buf`,
748 `blen` and a `pconsumed` pointer. They now get the buffer to work on
749 and report back how many bytes they consumed
750 - eliminated `k->str` in SingleRequest
751 - improved excess data handling to properly calculate with any body data
752 left in the headerb buffer
753 - eliminated `k->badheader` enum to only be a bool
757 Daniel Stenberg (21 Nov 2023)
759 - RELEASE-NOTES: synced
761 Jiří Hruška (21 Nov 2023)
763 - transfer: avoid calling the read callback again after EOF
765 Regression since 7f43f3dc5994d01b12 (7.84.0)
767 Bug: https://curl.se/mail/lib-2023-11/0017.html
771 Daniel Stenberg (21 Nov 2023)
773 - doh: provide better return code for responses w/o addresses
775 Previously it was wrongly returning CURLE_OUT_OF_MEMORY when the
776 response did not contain any addresses. Now it more accurately returns
777 CURLE_COULDNT_RESOLVE_HOST.
779 Reported-by: lRoccoon on github
784 Stefan Eissing (21 Nov 2023)
786 - HTTP/2, HTTP/3: handle detach of onoing transfers
788 - refs #12356 where a UAF is reported when closing a connection
789 with a stream whose easy handle was cleaned up already
790 - handle DETACH events same as DONE events in h2/h3 filters
793 Reported-by: Paweł Wegner
796 Viktor Szakats (20 Nov 2023)
798 - autotools: stop setting `-std=gnu89` with `--enable-warnings`
800 Do not alter the C standard when building with `--enable-warnings` when
803 On one hand this alters warning results compared to a default build.
804 On the other, it may produce different binaries, which is unexpected.
806 Also fix new warnings that appeared after removing `-std=gnu89`:
808 - include: fix public curl headers to use the correct printf mask for
809 `CURL_FORMAT_CURL_OFF_T` and `CURL_FORMAT_CURL_OFF_TU` with mingw-w64
810 and Visual Studio 2013 and newer. This fixes the printf mask warnings
811 in examples and tests. E.g. [1]
813 - conncache: fix printf format string [2].
815 - http2: fix potential null pointer dereference [3].
816 (seen on Slackware with gcc 11.)
818 - libssh: fix printf format string in SFTP code [4].
819 Also make MSVC builds compatible with old CRT versions.
821 - libssh2: fix printf format string in SFTP code for MSVC.
822 Applying the same fix as for libssh above.
824 - unit1395: fix `argument is null` and related issues [5]:
825 - stop calling `strcmp()` with NULL to avoid undefined behaviour.
826 - fix checking results if some of them were NULL.
827 - do not pass NULL to printf `%s`.
829 - ci: keep a build job with `-std=gnu89` to continue testing for
830 C89-compliance. We can apply this to other gcc jobs as needed.
831 Ref: b23ce2cee7329bbf425f18b49973b7a5f23dfcb4 (2022-09-23) #9542
833 [1] https://dev.azure.com/daniel0244/curl/_build/results?buildId=18581&view=l
834 ogs&jobId=ccf9cc6d-2ef1-5cf2-2c09-30f0c14f923b
835 [2] https://github.com/curl/curl/actions/runs/6896854263/job/18763831142?pr=1
837 [3] https://github.com/curl/curl/actions/runs/6896854253/job/18763839238?pr=1
839 [4] https://github.com/curl/curl/actions/runs/6896854253/job/18763838007?pr=1
841 [5] https://github.com/curl/curl/actions/runs/6896854253/job/18763836775?pr=1
846 - autotools: fix/improve gcc and Apple clang version detection
848 - Before this patch we expected `n.n` `-dumpversion` output, but Ubuntu
849 may return `n-win32` (also with `-dumpfullversion`). Causing these
850 errors and failing to enable picky warnings:
852 ../configure: line 23845: test: : integer expression expected
854 Ref: https://github.com/libssh2/libssh2/actions/runs/6263453828/job/1700789
857 Fix that by stripping any dash-suffix and handling a dotless (major-only)
858 version number by assuming `.0` in that case.
860 `9.3-posix`, `9.3-win32`, `6`, `9.3.0`, `11`, `11.2`, `11.2.0`
861 Ref: https://github.com/mamedev/mame/pull/9767
863 - fix Apple clang version detection for releases between
864 'Apple LLVM version 7.3.0' and 'Apple LLVM version 10.0.1' where the
865 version was under-detected as 3.7 llvm/clang equivalent.
867 - fix Apple clang version detection for 'Apple clang version 11.0.0'
868 and newer where the Apple clang version was detected, instead of its
869 llvm/clang equivalent.
871 - display detected clang/gcc/icc compiler version.
874 - https://github.com/libssh2/libssh2/commit/00a3b88c51cdb407fbbb347a2e38c5c7d
876 https://github.com/libssh2/libssh2/pull/1187
877 - https://github.com/libssh2/libssh2/commit/89ccc83c7da73e7ca3a112e3500081319
879 https://github.com/libssh2/libssh2/pull/1232
883 - autotools: delete LCC compiler support bits
885 Follow-up to fd7ef00f4305a2919e6950def1cf83d0110a4acd #12222
889 - cmake: add test for `DISABLE` options, add `CURL_DISABLE_HEADERS_API`
891 - tests: verify CMake `DISABLE` options.
893 Make an exception for 2 CMake-only ones, and one more that's
894 using a different naming scheme, also in autotools and source.
896 - cmake: add support for `CURL_DISABLE_HEADERS_API`.
898 Suggested-by: Daniel Stenberg
899 Ref: https://github.com/curl/curl/pull/12345#pullrequestreview-1736238641
903 Jacob Hoffman-Andrews (20 Nov 2023)
905 - hyper: temporarily remove HTTP/2 support
907 The current design of the Hyper integration requires rebuilding the
908 Hyper clientconn for each request. However, building the clientconn
909 requires resending the HTTP/2 connection preface, which is incorrect
910 from a protocol perspective. That in turn causes servers to send GOAWAY
911 frames, effectively degrading performance to "no connection reuse" in
912 the best case. It may also be triggering some bugs where requests get
913 dropped entirely and reconnects take too long.
915 This doesn't rule out HTTP/2 support with Hyper, but it may take a
916 redesign of the Hyper integration in order to make things work.
920 Jay Satiro (20 Nov 2023)
922 - schannel: fix unused variable warning
924 Bug: https://github.com/curl/curl/pull/12349#issuecomment-1818000846
925 Reported-by: Viktor Szakats
927 Closes https://github.com/curl/curl/pull/12361
929 Daniel Stenberg (19 Nov 2023)
931 - url: find scheme with a "perfect hash"
933 Instead of a loop to scan over the potentially 30+ scheme names, this
934 uses a "perfect hash" table. This works fine because the set of schemes
935 is known and cannot change in a build. The hash algorithm and table size
936 is made to only make a single scheme index per table entry.
938 The perfect hash is generated by a separate tool (scripts/schemetable.c)
942 - scripts: add schemetable.c
944 This tool generates a scheme-matching table.
946 It iterates over a number of different initial and shift values in order
947 to find the hash algorithm that needs the smallest possible table.
949 The generated hash function, table and table size then needs to be used
950 by the url.c:Curl_getn_scheme_handler() function.
952 Stefan Eissing (19 Nov 2023)
954 - vtls/vquic, keep peer name information together
956 - add `struct ssl_peer` to keep hostname, dispname and sni
958 - allocate `sni` for use in VTLS backend
959 - eliminate `Curl_ssl_snihost()` and its use of the download buffer
960 - use ssl_peer in SSL and QUIC filters
964 Viktor Szakats (18 Nov 2023)
966 - build: always revert `#pragma GCC diagnostic` after use
968 Before this patch some source files were overriding gcc warning options,
969 but without restoring them at the end of the file. In CMake UNITY builds
970 these options spilled over to the remainder of the source code,
971 effecitvely disabling them for a larger portion of the codebase than
974 `#pragma clang diagnostic` didn't have such issue in the codebase.
976 Reviewed-by: Marcel Raad
979 - tidy-up: casing typos, delete unused Windows version aliases
981 - cmake: fix casing of `UnixSockets` to match the rest of the codebase.
983 - curl-compilers.m4: fix casing in a comment.
985 - setup-win32: delete unused Windows version constant aliases.
987 Reviewed-by: Marcel Raad
990 - keylog: disable if unused
992 Fully disable keylog code if there is no TLS or QUIC subsystem using it.
996 - cmake: add `CURL_DISABLE_BINDLOCAL` option
998 To match similar autotools option.
1002 Reviewed-by: Daniel Stenberg
1005 - url: fix `-Wzero-length-array` with no protocols
1009 ./lib/url.c:178:56: warning: use of an empty initializer is a C2x extension [
1011 178 | static const struct Curl_handler * const protocols[] = {
1013 ./lib/url.c:178:56: warning: zero size arrays are an extension [-Wzero-length
1019 - url: fix builds with `CURL_DISABLE_HTTP`
1023 ./lib/url.c:456:35: error: no member named 'formp' in 'struct UrlState'
1024 456 | Curl_mime_cleanpart(data->state.formp);
1028 Regression from 74b87a8af13a155c659227f5acfa78243a8b2aa6 #11682
1032 - http: fix `-Wunused-parameter` with no auth and no proxy
1035 lib/http.c:734:26: warning: unused parameter 'proxy' [-Wunused-parameter]
1040 Reviewed-by: Marcel Raad
1043 Daniel Stenberg (16 Nov 2023)
1045 - TODO: Some TLS options are not offered for HTTPS proxies
1050 - RELEASE-NOTES: synced
1052 - duphandle: make dupset() not return with pointers to old alloced data
1054 As the blob pointers are to be duplicated, the function must not return
1055 mid-function with lingering pointers to the old handle's allocated data,
1056 as that would lead to double-free in OOM situations.
1058 Make sure to clear all destination pointers first to avoid this risk.
1062 Viktor Szakats (16 Nov 2023)
1064 - http: fix `-Wunused-variable` compiler warning
1066 Fix compiler warnings in builds with disabled auths, NTLM and SPNEGO.
1068 E.g. with `CURL_DISABLE_BASIC_AUTH` + `CURL_DISABLE_BEARER_AUTH` +
1069 `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_NEGOTIATE_AUTH` +
1070 `CURL_DISABLE_NTLM` on non-Windows.
1073 ./curl/lib/http.c:737:12: warning: unused variable 'result' [-Wunused-variabl
1075 CURLcode result = CURLE_OK;
1077 ./curl/lib/http.c:995:18: warning: variable 'availp' set but not used [-Wunus
1078 ed-but-set-variable]
1079 unsigned long *availp;
1081 ./curl/lib/http.c:996:16: warning: variable 'authp' set but not used [-Wunuse
1087 Regression from e92edfbef64448ef461117769881f3ed776dec4e #11490
1092 Jay Satiro (16 Nov 2023)
1094 - tool: support bold headers in Windows
1096 - If virtual terminal processing is enabled in Windows then use ANSI
1097 escape codes Esc[1m and Esc[22m to turn bold on and off.
1099 Suggested-by: Gisle Vanem
1101 Ref: https://github.com/curl/curl/discussions/11770
1103 Closes https://github.com/curl/curl/pull/12321
1105 Viktor Szakats (15 Nov 2023)
1107 - build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS`
1109 Builds with libssh2 + `-DCURL_DISABLE_DIGEST_AUTH=ON` +
1110 `-DCURL_DISABLE_AWS=ON` in combination with either Schannel on Windows,
1111 or `-DCURL_DISABLE_NTLM=ON` on other operating systems failed while
1112 compiling due to a missing HMAC declaration.
1114 The reason is that HMAC is required by `lib/sha256.c` which publishes
1115 `Curl_sha256it()` which is required by `lib/vssh/libssh2.c` when
1116 building for libssh2 v1.8.2 (2019-05-25) or older.
1118 Make sure to compile the HMAC bits for a successful build.
1120 Both HMAC and `Curl_sha256it()` rely on the same internals, so splitting
1121 them into separate sources isn't practical.
1126 In file included from ./curl/_x64-win-ucrt-cmake-llvm-bld/lib/CMakeFiles/libc
1127 url_object.dir/Unity/unity_0_c.c:310:
1128 ./curl/lib/sha256.c:527:42: error: array has incomplete element type 'const s
1130 527 | const struct HMAC_params Curl_HMAC_SHA256[] = {
1132 ./curl/lib/curl_sha256.h:34:21: note: forward declaration of 'struct HMAC_par
1137 Regression from e92edfbef64448ef461117769881f3ed776dec4e #11490
1142 Daniel Stenberg (15 Nov 2023)
1144 - duphandle: also free 'outcurl->cookies' in error path
1146 Fixes memory-leak when OOM mid-function
1148 Use plain free instead of safefree, since the entire struct is
1151 Remove some free calls that is already freed in Curl_freeset()
1155 Viktor Szakats (15 Nov 2023)
1157 - config-win32: set `HAVE_SNPRINTF` for mingw-w64
1159 It's available in all mingw-w64 releases. We already pre-fill this
1164 - sasl: fix `-Wunused-function` compiler warning
1166 In builds with disabled auths.
1169 lib/curl_sasl.c:266:17: warning: unused function 'get_server_message' [-Wunus
1171 static CURLcode get_server_message(struct SASL *sasl, struct Curl_easy *data,
1173 1 warning generated.
1175 Ref: https://github.com/curl/trurl/actions/runs/6871732122/job/18689066151#st
1178 Reviewed-by: Daniel Stenberg
1181 - build: picky warning updates
1183 - cmake: sync some picky gcc warnings with autotools.
1184 - cmake, autotools: add `-Wold-style-definition` for clang too.
1185 - cmake: more precise version info for old clang options.
1186 - cmake: use `IN LISTS` syntax in `foreach()`.
1188 Reviewed-by: Daniel Stenberg
1189 Reviewed-by: Marcel Raad
1192 Daniel Stenberg (15 Nov 2023)
1194 - urldata: move cookielist from UserDefined to UrlState
1196 1. Because the value is not strictly set with a setopt option.
1198 2. Because otherwise when duping a handle when all the set.* fields are
1199 first copied and an error happens (think out of memory mid-function),
1200 the function would easily free the list *before* it was deep-copied,
1201 which could lead to a double-free.
1205 Viktor Szakats (14 Nov 2023)
1207 - autotools: avoid passing `LDFLAGS` twice to libcurl
1209 autotools passes `LDFLAGS` automatically linker commands. curl's
1210 `lib/Makefile.am` customizes libcurl linker flags. In that
1211 customization, it added `LDFLAGS` to the custom flags. This resulted in
1212 passing `LDFLAGS` _twice_ to the `libtool` command.
1214 Most of the time this is benign, but some `LDFLAGS` options can break
1215 the build when passed twice. One such example is passing `.o` files,
1216 e.g. `crt*.o` files necessary when customizing the C runtime, e.g. for
1219 Passing them twice resulted in duplicate symbol errors:
1221 libtool: link: clang-15 --target=aarch64-unknown-linux-musl [...] /usr/lib/a
1222 arch64-linux-musl/crt1.o [...] /usr/lib/aarch64-linux-musl/crt1.o [...]
1223 ld.lld-15: error: duplicate symbol: _start
1224 >>> defined at crt1.c
1225 >>> /usr/lib/aarch64-linux-musl/crt1.o:(.text+0x0)
1226 >>> defined at crt1.c
1227 >>> /usr/lib/aarch64-linux-musl/crt1.o:(.text+0x0)
1229 clang: error: linker command failed with exit code 1 (use -v to see invocatio
1233 This behaviour came with commit 1a593191c2769a47b8c3e4d9715ec9f6dddf5e36
1234 (2013-07-23) as a fix for bug https://curl.haxx.se/bug/view.cgi?id=1217.
1235 The patch was a works-for-me hack that ended up merged in curl:
1236 https://sourceforge.net/p/curl/bugs/1217/#06ef
1237 With the root cause remaining unclear.
1239 Perhaps the SUNPro 12 linker was sensitive to `-L` `-l` order, requiring
1240 `-L` first? This would be unusual and suggests a bug in either the
1241 linker or in `libtool`.
1243 The curl build does pass the list of detected libs via its own
1244 `LIBCURL_LIBS` variable, which ends up before `LDFLAGS` on the `libtool`
1245 command line, but it's the job of `libtool` to ensure that even
1246 a peculiar linker gets the options in the expected order. Also because
1247 autotools passes `LDFLAGS` last, making it hardly possible to pass
1250 Perhaps in the 10 years since this issue, this already got a fix
1253 This patch deletes `LDFLAGS` from our customized libcurl options,
1254 leaving a single copy of them as passed by autotools automatically.
1256 Reverts 1a593191c2769a47b8c3e4d9715ec9f6dddf5e36
1259 - autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}`
1261 To allow passing `LDFLAGS` specific to libcurl (`CURL_LDFLAGS_LIB`) and
1262 curl tool (`CURL_LDFLAGS_BIN`).
1264 This makes it possible to build libcurl and curl with a single
1265 invocation with lib- and tool-specific custom linker flags.
1267 Such flag can be enabling `.map` files, a `.def` file for libcurl DLL,
1268 controlling static/shared, incl. requesting a static curl tool (with
1269 `-static-libtool-libs`) while building both shared and static libcurl.
1271 curl-for-win uses the above and some more.
1273 These options are already supported in `Makefile.mk`. CMake has built-in
1278 Jay Satiro (14 Nov 2023)
1280 - tool_cb_hdr: add an additional parsing check
1282 - Don't dereference the past-the-end element when parsing the server's
1283 Content-disposition header.
1285 As 'p' is advanced it can point to the past-the-end element and prior
1286 to this change 'p' could be dereferenced in that case.
1288 Technically the past-the-end element is not out of bounds because dynbuf
1289 (which manages the header line) automatically adds a null terminator to
1290 every buffer and that is not included in the buffer length passed to
1291 the header callback.
1293 Closes https://github.com/curl/curl/pull/12320
1295 Philip Heiduck (14 Nov 2023)
1297 - .cirrus.yml: freebsd 14
1299 ensure curl works on latest freebsd version
1303 Daniel Stenberg (13 Nov 2023)
1305 - easy: in duphandle, init the cookies for the new handle
1307 ... not the source handle.
1311 - duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set
1313 Previously it would unconditionally use the size, which is set to -1
1314 when strlen is requested.
1316 Updated test 544 to verify.
1320 - RELEASE-NOTES: synced
1322 - curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped
1326 - urldata: move hstslist from 'set' to 'state'
1328 To make it work properly with curl_easy_duphandle(). This, because
1329 duphandle duplicates the entire 'UserDefined' struct by plain copy while
1330 'hstslist' is a linked curl_list of file names. This would lead to a
1331 double-free when the second of the two involved easy handles were
1336 - test1900: verify duphandle with HSTS using multiple files
1340 Goro FUJI (13 Nov 2023)
1342 - http: allow longer HTTP/2 request method names
1344 - Increase the maximum request method name length from 11 to 23.
1346 For HTTP/1.1 and earlier there's not a specific limit in libcurl for
1347 method length except that it is limited by the initial HTTP request
1348 limit (DYN_HTTP_REQUEST). Prior to fc2f1e54 HTTP/2 was treated the same
1349 and there was no specific limit.
1351 According to Internet Assigned Numbers Authority (IANA) the longest
1352 registered method is UPDATEREDIRECTREF which is 17 characters.
1354 Also there are unregistered methods used by some companies that are
1355 longer than 11 characters.
1357 The limit was originally added by 61f52a97 but not used until fc2f1e54.
1359 Ref: https://www.iana.org/assignments/http-methods/http-methods.xhtml
1361 Closes https://github.com/curl/curl/pull/12311
1363 Jay Satiro (12 Nov 2023)
1365 - CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does
1367 - Add an explanation of the CURL_BLOB_COPY flag to CURLOPT_CAINFO_BLOB
1368 and CURLOPT_PROXY_CAINFO_BLOB docs.
1370 All the other _BLOB option docs already have the same explanation.
1372 Closes https://github.com/curl/curl/pull/12277
1374 Viktor Szakats (11 Nov 2023)
1376 - tidy-up: dedupe Windows system libs in cmake
1378 Reviewed-by: Daniel Stenberg
1381 Junho Choi (11 Nov 2023)
1383 - ci: test with latest quiche release (0.19.0)
1387 - quiche: use quiche_conn_peer_transport_params()
1389 In recent quiche, transport parameter API is separated
1390 with quiche_conn_peer_transport_params().
1391 (https://github.com/cloudflare/quiche/pull/1575)
1392 It breaks with bulding with latest(post 0.18.0) quiche.
1396 Daniel Stenberg (11 Nov 2023)
1398 - Makefile: generate the VC 14.20 project files at dist-time
1400 Follow-up to 28287092cc5a6d6ef8 (#12282)
1404 Sam James (11 Nov 2023)
1406 - misc: fix -Walloc-size warnings
1408 GCC 14 introduces a new -Walloc-size included in -Wextra which gives:
1411 src/tool_operate.c: In function ‘add_per_transfer’:
1412 src/tool_operate.c:213:5: warning: allocation of insufficient size ‘1’ fo
1413 r type ‘struct per_transfer’ with size ‘480’ [-Walloc-size]
1414 213 | p = calloc(sizeof(struct per_transfer), 1);
1416 src/var.c: In function ‘addvariable’:
1417 src/var.c:361:5: warning: allocation of insufficient size â
\80\981â
\80\99 for type â
\80
1418 \98struct varâ
\80\99 with size â
\80\9832â
\80\99 [-Walloc-size]
1419 361 | p = calloc(sizeof(struct var), 1);
1423 The calloc prototype is:
1425 void *calloc(size_t nmemb, size_t size);
1428 So, just swap the number of members and size arguments to match the
1429 prototype, as we're initialising 1 struct of size `sizeof(struct
1430 ...)`. GCC then sees we're not doing anything wrong.
1434 Mark Gaiser (11 Nov 2023)
1438 - Fixed endianness bug in gateway file parsing
1439 - Use IPFS_PATH in tests where IPFS_DATA was used
1440 - Fixed typos from traling -> trailing
1441 - Fixed broken link in IPFS.md
1443 Follow-up to 859e88f6533f9e
1445 Reported-by: Michael Kaufmann
1446 Bug: https://github.com/curl/curl/pull/12152#issuecomment-1798214137
1449 Daniel Stenberg (11 Nov 2023)
1451 - VULN-DISCLOSURE-POLIC: remove broken link to hackerone
1453 It should ideally soon not be done from hackerone anyway
1457 Andrew Kurushin (11 Nov 2023)
1459 - schannel: add CA cache support for files and memory blobs
1461 - Support CA bundle and blob caching.
1463 Cache timeout is 24 hours or can be set via CURLOPT_CA_CACHE_TIMEOUT.
1465 Closes https://github.com/curl/curl/pull/12261
1467 Daniel Stenberg (10 Nov 2023)
1469 - RELEASE-NOTES: synced
1471 Charlie C (10 Nov 2023)
1473 - cmake: option to disable install & drop `curlu` target when unused
1475 This patch makes the following changes:
1476 - adds the option `CURL_DISABLE_INSTALL` - to disable 'install' targets.
1477 - Removes the target `curlu` when the option `BUILD_TESTING` is set to
1478 `OFF` - to prevent it from being loaded in Visual Studio.
1482 Kai Pastor (10 Nov 2023)
1484 - cmake: fix multiple include of CURL package
1486 Fixes errors on second `find_package(CURL)`. This is a frequent case
1487 with transitive dependencies:
1490 add_library cannot create ALIAS target "CURL::libcurl" because another
1491 target with the same name already exists.
1496 cmake_minimum_required(VERSION 3.27) # must be 3.18 or higher
1500 set(CURL_DIR "example/lib/cmake/CURL/")
1501 find_package(CURL CONFIG REQUIRED)
1502 find_package(CURL CONFIG REQUIRED) # fails
1504 add_executable(main main.c)
1505 target_link_libraries(main CURL::libcurl)
1508 Ref: https://cmake.org/cmake/help/latest/release/3.18.html#other-changes
1509 Ref: https://cmake.org/cmake/help/v3.18/policy/CMP0107.html
1511 Assisted-by: Harry Mallon
1514 Viktor Szakats (8 Nov 2023)
1516 - tidy-up: use `OPENSSL_VERSION_NUMBER`
1518 Uniformly use `OPENSSL_VERSION_NUMBER` to check for OpenSSL version.
1519 Before this patch some places used `OPENSSL_VERSION_MAJOR`.
1521 Also fix `lib/md4.c`, which included `opensslconf.h`, but that doesn't
1522 define any version number in these implementations: BoringSSL, AWS-LC,
1523 LibreSSL, wolfSSL. (Only in mainline OpenSSL/quictls). Switch that to
1524 `opensslv.h`. This wasn't causing a deeper problem because the code is
1525 looking for v3, which is only provided by OpenSSL/quictls as of now.
1527 According to https://github.com/openssl/openssl/issues/17517, the macro
1528 `OPENSSL_VERSION_NUMBER` is safe to use and not deprecated.
1530 Reviewed-by: Marcel Raad
1533 Daniel Stenberg (8 Nov 2023)
1535 - resolve.d: drop a multi use-sentence
1537 Since the `multi:` keyword adds that message.
1539 Reported-by: 積丹尼 Dan Jacobson
1540 Fixes https://github.com/curl/curl/discussions/12294
1543 - content_encoding: make Curl_all_content_encodings allocless
1545 - Fixes a memory leak pointed out by Coverity
1546 - Also found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?
1548 - Avoids unncessary allocations
1550 Follow-up ad051e1cbec68b2456a22661b
1554 Michael Kaufmann (7 Nov 2023)
1556 - vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0
1558 Some servers don't support the ALPN protocol "http/1.0" (e.g. IIS 10),
1559 avoid it and use "http/1.1" instead.
1561 This reverts commit df856cb5c9 (#10183).
1566 Daniel Stenberg (7 Nov 2023)
1568 - Makefile.am: drop vc10, vc11 and vc12 projects from dist
1570 They are end of life products. Support for generating them remain in the
1571 repo for a while but this change drops them from distribution.
1575 David Suter (7 Nov 2023)
1577 - projects: add VC14.20 project files
1579 Windows projects included VC14, VC14.10, VC14.30 but not VC14.20.
1580 OpenSSL and Wolf SSL scripts mention VC14.20 so I don't see a reason why
1581 this is missing. Updated the templates to produce a VC14.20 project.
1582 Project opens in Visual Studio 2019 as expected.
1586 Daniel Stenberg (7 Nov 2023)
1588 - curl: move IPFS code into src/tool_ipfs.[ch]
1590 - convert ensure_trailing into ensure_trailing_slash
1591 - strdup the URL string to own it proper
1592 - use shorter variable names
1593 - combine some expressions
1594 - simplify error handling in ipfs_gateway()
1595 - add MAX_GATEWAY_URL_LEN + proper bailout if maximum is reached
1596 - ipfs-gateway.d polish and simplification
1597 - shorten ipfs error message + make them "synthetic"
1601 Viktor Szakats (6 Nov 2023)
1603 - build: delete support bits for obsolete Windows compilers
1605 - Pelles C: Unclear status, failed to obtain a fresh copy a few months
1606 ago. Possible website is HTTP-only. ~10 years ago I left this compiler
1607 dealing with crashes and other issues with no response on the forum
1608 for years. It has seen some activity in curl back in 2021.
1609 - LCC: Last stable release in September 2002.
1610 - Salford C: Misses winsock2 support, possibly abandoned? Last mentioned
1612 - Borland C++: We dropped Borland C++ support in 2018.
1613 - MS Visual C++ 6.0: Released in 1998. curl already requires VS 2010
1614 (or possibly 2008) as a minimum.
1618 - build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H`
1620 We use `stdint.h` unconditionally in all places except one. These uses
1621 are imposed by external dependencies / features. nghttp2, quic, wolfSSL
1622 and `HAVE_MACH_ABSOLUTE_TIME` do require this C99 header. It means that
1623 any of these features make curl require a C99 compiler. (In case of
1624 MSVC, this means Visual Studio 2010 or newer.)
1626 This patch changes the single use of `stdint.h` guarded by
1627 `HAVE_STDINT_H` to use `stdint.h` unconditionally. Also stop using
1628 `inttypes.h` as an alternative there. `HAVE_INTTYPES_H` wasn't used
1629 anywhere else, allowing to delete this feature check as well.
1633 Daniel Stenberg (6 Nov 2023)
1635 - tool_operate: do not mix memory models
1637 Make sure 'inputpath' only points to memory allocated by libcurl so that
1638 curl_free works correctly.
1640 Pointed out by Coverity
1642 Follow-up to 859e88f6533f9e1f890
1646 Stefan Eissing (6 Nov 2023)
1648 - lib: client writer, part 2, accounting + logging
1650 This PR has these changes:
1652 Renaming of unencode_* to cwriter, e.g. client writers
1653 - documentation of sendf.h functions
1654 - move max decode stack checks back to content_encoding.c
1655 - define writer phase which was used as order before
1656 - introduce phases for monitoring inbetween decode phases
1657 - offering default implementations for init/write/close
1659 Add type paramter to client writer's do_write()
1660 - always pass all writes through the writer stack
1661 - writers who only care about BODY data will pass other writes unchanged
1663 add RAW and PROTOCOL client writers
1664 - RAW used for Curl_debug() logging of CURLINFO_DATA_IN
1665 - PROTOCOL used for updates to data->req.bytecount, max_filesize checks and
1666 Curl_pgrsSetDownloadCounter()
1667 - remove all updates of data->req.bytecount and calls to
1668 Curl_pgrsSetDownloadCounter() and Curl_debug() from other code
1669 - adjust test457 expected output to no longer see the excess write
1673 Daniel Stenberg (6 Nov 2023)
1675 - VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw
1679 Viktor Szakats (6 Nov 2023)
1681 - rand: fix build error with autotools + LibreSSL
1683 autotools unexpectedly detects `arc4random` because it is also looking
1684 into dependency libs. One dependency, LibreSSL, happens to publish an
1685 `arc4random` function (via its shared lib before v3.7, also via static
1686 lib as of v3.8.2). When trying to use this function in `lib/rand.c`,
1687 its protoype is missing. To fix that, curl included a prototype, but
1688 that used a C99 type without including `stdint.h`, causing:
1691 ../../lib/rand.c:37:1: error: unknown type name 'uint32_t'
1692 37 | uint32_t arc4random(void);
1697 This patch improves this by dropping the local prototype and instead
1698 limiting `arc4random` use for non-OpenSSL builds. OpenSSL builds provide
1699 their own random source anyway.
1701 The better fix would be to teach autotools to not link dependency libs
1702 while detecting `arc4random`.
1704 LibreSSL publishing a non-namespaced `arc4random` tracked here:
1705 https://github.com/libressl/portable/issues/928
1707 Regression from 755ddbe901cd0c921fbc3ac5b3775c0dc683bc73 #10672
1709 Reviewed-by: Daniel Stenberg
1713 Daniel Stenberg (5 Nov 2023)
1715 - RELEASE-NOTES: synced
1717 - strdup: do Curl_strndup without strncpy
1719 To avoid (false positive) gcc-13 compiler warnings.
1721 Follow-up to 4855debd8a2c1cb
1723 Assisted-by: Jay Satiro
1724 Reported-by: Viktor Szakats
1727 Enno Boland (5 Nov 2023)
1729 - HTTP: fix empty-body warning
1731 This change fixes a compiler warning with gcc-12.2.0 when
1732 `-DCURL_DISABLE_BEARER_AUTH=ON` is used.
1734 /home/tox/src/curl/lib/http.c: In function 'Curl_http_input_auth':
1735 /home/tox/src/curl/lib/http.c:1147:12: warning: suggest braces around emp
1736 ty body in an 'else' statement [-Wempty-body]
1742 Daniel Stenberg (5 Nov 2023)
1744 - openssl: identify the "quictls" backend correctly
1746 Since vanilla OpenSSL does not support the QUIC API I think it helps
1747 users to identify the correct OpenSSL fork in version output. The best
1748 (crude) way to do that right now seems to be to check if ngtcp2 support
1753 Mark Gaiser (5 Nov 2023)
1755 - curl: improved IPFS and IPNS URL support
1757 Previously just ipfs://<cid> and ipns://<cid> was supported, which is
1758 too strict for some usecases.
1760 This patch allows paths and query arguments to be used too.
1761 Making this work according to normal http semantics:
1763 ipfs://<cid>/foo/bar?key=val
1764 ipns://<cid>/foo/bar?key=val
1766 The gateway url support is changed.
1767 It now only supports gateways in the form of:
1769 http://<gateway>/foo/bar
1772 Query arguments here are explicitly not allowed and trigger an intended
1773 malformed url error.
1775 There also was a crash when IPFS_PATH was set with a non trailing
1776 forward slash. This has been fixed.
1778 Lastly, a load of test cases have been added to verify the above.
1780 Reported-by: Steven Allen
1784 Harry Mallon (5 Nov 2023)
1786 - docs: KNOWN_BUGS cleanup
1788 * Remove other mention of hyper memory-leaks from `KNOWN_BUGS`.
1789 Should have been removed in 629723ecf22a8eae78d64cceec2f3bdae703ec95
1791 * Remove mention of aws-sigv4 sort query string from `KNOWN_BUGS`.
1794 * Remove mention of aws-sigv4 query empty value problems
1796 * Remove mention of aws-sigv4 missing amz-content-sha256
1799 - http_aws_sigv4: canonicalise valueless query params
1804 Michael Kaufmann (4 Nov 2023)
1806 - docs: preserve the modification date when copying the prebuilt man page
1808 The previously built man page "curl.1" must be copied with the original
1809 modification date, otherwise the man page is never updated.
1811 This fixes a bug that has been introduced with commit 2568441cab.
1813 Reviewed-by: Dan Fandrich
1814 Reviewed-by: Daniel Stenberg
1818 Daniel Stenberg (4 Nov 2023)
1820 - docs: remove bold from some man page SYNOPSIS sections
1822 In the name of consistency
1826 - openssl: two multi pointer checks should probably rather be asserts
1828 ... so add the asserts now and consider removing the dynamic checks in a
1834 boilingoden (4 Nov 2023)
1836 - docs: add supported version for the json write-out
1838 xref: https://curl.se/changes.html#7_70_0
1842 Viktor Szakats (3 Nov 2023)
1844 - appveyor: make VS2008-built curl tool runnable
1846 By linking the CRT statically. This avoids the error about missing
1847 runtime DLL `MSVCR90.dll` when running the freshly built `curl.exe`.
1851 Stefan Eissing (3 Nov 2023)
1853 - url: proxy ssl connection reuse fix
1855 - tunnel https proxy used for http: transfers does
1856 no check if proxy-ssl configuration matches
1857 - test cases added, test_10_12 fails on 8.4.0
1861 Jay Satiro (3 Nov 2023)
1863 - curl_sspi: support more revocation error names in error messages
1865 - Add these revocation errors to sspi error list:
1866 CRYPT_E_NO_REVOCATION_DLL, CRYPT_E_NO_REVOCATION_CHECK,
1867 CRYPT_E_REVOCATION_OFFLINE and CRYPT_E_NOT_IN_REVOCATION_DATABASE.
1869 Prior to this change those error codes were not matched to their macro
1870 name and instead shown as "unknown error".
1874 schannel: next InitializeSecurityContext failed:
1875 Unknown error (0x80092013) - The revocation function was
1876 unable to check revocation because the revocation server was offline.
1880 schannel: next InitializeSecurityContext failed:
1881 CRYPT_E_REVOCATION_OFFLINE (0x80092013) - The revocation function was
1882 unable to check revocation because the revocation server was offline.
1884 Bug: https://github.com/curl/curl/issues/12239
1885 Reported-by: Niracler Li
1887 Closes https://github.com/curl/curl/pull/12241
1889 - strdup: don't allow Curl_strndup to read past a null terminator
1891 - Use malloc + strncpy instead of Curl_memdup to dupe the string before
1892 null terminating it.
1894 Prior to this change if Curl_strndup was passed a length longer than
1895 the allocated string then it could copy out of bounds.
1897 This change is for posterity. Curl_strndup was added in the parent
1898 commit and currently none of the calls to it pass a length that would
1899 cause it to read past the allocated length of the input.
1901 Follow-up to d3b3ba35.
1903 Closes https://github.com/curl/curl/pull/12254
1905 Daniel Stenberg (2 Nov 2023)
1907 - lib: add and use Curl_strndup()
1909 The Curl_strndup() function is similar to memdup(), but copies 'n' bytes
1910 then adds a terminating null byte ('\0').
1914 - CURPOST_POSTFIELDS.3: add CURLOPT_COPYPOSTFIELDS in SEE ALSO
1916 Stefan Eissing (2 Nov 2023)
1918 - pytest: use lower count in repeat tests
1920 - lower large iteration counts in some tests somewhat for
1921 the same coverage with less duration
1925 Daniel Stenberg (2 Nov 2023)
1927 - RELEASE-NOTES: synced
1929 - docs: clarify that curl passes on input unfiltered
1931 ... for several options.
1933 Reported-by: Ophir Lojkine
1937 - urlapi: when URL encoding the fragment, pass in the right length
1939 A benign bug because it would only add an extra null terminator.
1941 Made lib1560 get a test that runs this code.
1945 Stefan Eissing (2 Nov 2023)
1947 - vtls: late clone of connection ssl config
1949 - perform connection cache matching against `data->set.ssl.primary`
1950 and proxy counterpart
1951 - fully clone connection ssl config only when connection is used
1955 - msh3: error when built with CURL_DISABLE_SOCKETPAIR set
1957 Reported-by: Gisle Vanem
1961 Daniel Stenberg (2 Nov 2023)
1963 - hsts: skip single-dot hostname
1965 Reported-by: Maksymilian Arciemowicz
1969 - vtls: fix build without proxy
1971 Follow-up to bf0e278a3c54bc7fee7360da17c
1975 - docs/example/keepalive.c: show TCP keep-alive options
1979 - lib1560: verify appending blank URL encoded query string
1981 - urlapi: skip appending NULL pointer query
1983 Reported-by: kirbyn17 on hackerone
1987 - lib1560: verify setting host to "" with and without URL encode
1989 - urlapi: avoid null deref if setting blank host to url encode
1991 Reported-by: kirbyn17 on hackerone
1995 - dynbuf: assert for NULL pointer inputs
1997 Help us catch more mistakes.
2001 - HTTP3: ngtcp2 builds are no longer experimental
2003 The other HTTP/3 backends are still experimental.
2007 Stefan Eissing (31 Oct 2023)
2009 - vtls: cleanup SSL config management
2011 - remove `Curl_ssl_get_config()`, no longer needed
2015 Daniel Stenberg (31 Oct 2023)
2017 - libcurl-thread.3: simplify the TLS section
2019 All TLS libraries curl can use are threadsafe since OpenSSL 1.1.x, August
2024 - configure: better --disable-http
2026 - disable HTTPS-proxy as well, since it can't work without HTTP
2028 - curl_setup: when HTTP is disabled, also disable all features that are
2031 - version: HTTPS-proxy only exists if HTTP support exists
2035 - http: consider resume with CURLOPT_FAILONERRROR and 416 to be fine
2037 Finding a 'Content-Range:' in the response changed the handling.
2039 Add test case 1475 to verify -C - with 416 and Content-Range: header,
2040 which is almost exactly like test 194 which instead uses a fixed -C
2041 offset. Adjusted test 194 to also be considered fine.
2044 Reported-by: Smackd0wn
2046 Reported-by: Anubhav Rai
2049 Stefan Eissing (30 Oct 2023)
2051 - GHA: fix checkout of quictls repository to use correct branch name
2053 Follow-up to c868b0e30f10cd0ac7
2057 Daniel Stenberg (30 Oct 2023)
2059 - docs/example/localport.c: show off CURLOPT_LOCALPORT
2063 - docs/examples/interface.c: show CURLOPT_INTERFACE use
2065 Although super simple.
2069 Viktor Szakats (30 Oct 2023)
2071 - build: fix compiler warning with auths disabled
2074 ./curl/lib/http.c:979:12: warning: unused function 'is_valid_auth_separator'
2076 static int is_valid_auth_separator(char ch)
2078 5 warnings generated.
2081 Follow-up to e92edfbef64448ef461117769881f3ed776dec4e #11490
2085 - build: require Windows XP or newer
2087 After this patch we assume availability of `getaddrinfo` and
2088 `freeaddrinfo`, first introduced in Windows XP. Meaning curl
2089 now requires building for Windows XP as a minimum.
2091 TODO: assume these also in autotools.
2093 Ref: https://github.com/curl/curl/pull/12221#issuecomment-1783761806
2096 - appveyor: bump one job to OpenSSL 3.1 (was 1.1.1)
2098 Use 3.1 with the modern runner image.
2100 We still use 1.1.1 in 8 jobs.
2102 1.1.1 is EOL since 2023-09-11:
2103 https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
2106 - add missing SSL-backend to job descriptions.
2107 - tidy up CPU in job descriptions.
2111 Daniel Stenberg (30 Oct 2023)
2113 - RELEASE-NOTES: synced
2115 - GHA: bump ngtcp2, nghttp3, nghttp2 and quictls versions
2122 also sync HTTP3.md with these changes
2126 Kareem (29 Oct 2023)
2128 - wolfssl: add default case for wolfssl_connect_step1 switch
2132 Jay Satiro (29 Oct 2023)
2134 - curl_setup: disallow Windows IPv6 builds missing getaddrinfo
2136 - On Windows if IPv6 is enabled but getaddrinfo is missing then #error
2139 curl can be built with IPv6 support (ENABLE_IPV6) but without the
2140 ability to resolve hosts to IPv6 addresses (HAVE_GETADDRINFO). On
2141 Windows this is highly unlikely and should be considered a bad build
2144 Such a bad configuration has already given us a bug that was hard to
2145 diagnose. See #12134 and #12136 for discussion.
2147 Ref: https://github.com/curl/curl/issues/12134
2148 Ref: https://github.com/curl/curl/pull/12136
2150 Closes https://github.com/curl/curl/pull/12221
2152 Nico Rieck (29 Oct 2023)
2154 - openssl: make CURLSSLOPT_NATIVE_CA import Windows intermediate CAs
2156 - If CURLSSLOPT_NATIVE_CA on Windows then import from intermediate CA
2157 "CA" store after importing from root CA "ROOT" store.
2159 This change allows curl to work in situations where a server does not
2160 send all intermediate certs and they are present in the "CA" store (the
2161 store with intermediate CAs). This is already allowed by the Schannel
2164 Also this change makes partial chain verification possible for those
2165 certs since we allow partial chain verification by default for OpenSSL
2166 (unless CURLSSLOPT_NO_PARTIALCHAIN). This is not allowed by the Schannel
2169 Prior to this change CURLSSLOPT_NATIVE_CA only imported "ROOT" certs.
2171 Fixes https://github.com/curl/curl/issues/12155
2172 Closes https://github.com/curl/curl/pull/12185
2174 Viktor Szakats (28 Oct 2023)
2176 - Makefile.mk: fix `-rtmp` option for non-Windows [ci skip]
2178 Daniel Stenberg (28 Oct 2023)
2180 - asyn-ares: handle no connection in the addrinfo callback
2184 Follow-up from 56a4db2
2187 Jay Satiro (28 Oct 2023)
2189 - hostip6: fix DEBUG_ADDRINFO builds
2191 - Removed unused and incorrect parameter from dump_addrinfo().
2193 Bug: https://github.com/curl/curl/commit/56a4db2e#commitcomment-131050442
2194 Reported-by: Gisle Vanem
2196 Closes https://github.com/curl/curl/pull/12212
2198 Viktor Szakats (28 Oct 2023)
2200 - Makefile.mk: restore `_mingw.h` for default `_WIN32_WINNT`
2202 In 8.4.0 we deleted `_mingw.h` as part of purging old-mingw support.
2203 Turns out `_mingw.h` had the side-effect of setting a default
2204 `_WIN32_WINNT` value expected by `lib/config-win32.h` to enable
2205 `getaddrinfo` support in `Makefile.mk` mingw-w64 builds. This caused
2206 disabling support for this unless specifying the value manually.
2208 Restore this header and update its comment to tell why we continue
2211 This triggered a regression in official Windows curl builds starting
2212 with 8.4.0_1. Fixed in 8.4.0_6. (8.5.0 will be using CMake.)
2214 Regression from 38029101e2d78ba125732b3bab6ec267b80a0e72 #11625
2216 Reported-by: zhengqwe on github
2217 Helped-by: Nico Rieck
2222 - hostip: silence compiler warning `-Wparentheses-equality`
2227 hostip.c:1336:22: warning: equality comparison with extraneous parentheses [-
2228 Wparentheses-equality]
2229 1336 | (a->ai_family == PF_INET)) {
2230 | ~~~~~~~~~~~~~^~~~~~~~~~
2231 hostip.c:1336:22: note: remove extraneous parentheses around the comparison t
2232 o silence this warning
2233 1336 | (a->ai_family == PF_INET)) {
2235 hostip.c:1336:22: note: use '=' to turn this equality comparison into an assi
2237 1336 | (a->ai_family == PF_INET)) {
2240 1 warning generated.
2243 Follow-up to b651aba0962bb31353f55de4dc35f745952a1b10 #12145
2245 Reviewed-by: Daniel Stenberg
2248 Stefan Eissing (27 Oct 2023)
2250 - doh: use PIPEWAIT when HTTP/2 is attempted
2254 Daniel Stenberg (27 Oct 2023)
2256 - setopt: remove outdated cookie comment
2260 Stefan Eissing (27 Oct 2023)
2262 - cfilter: provide call to tell connection to forget a socket
2264 - fixed libssh.c workaround for a socket being closed by
2266 - eliminate the terrible hack in cf-socket.c to guess when
2267 this happened and try not closing the socket again.
2268 - fixes race in eyeballing when socket could have failed to
2269 be closed for a discarded connect attempt
2273 - url: protocol handler lookup tidy-up
2275 - rename lookup to what it does
2276 - use ARRAYSIZE instead of NULL check for end
2277 - offer alternate lookup for 0-terminated strings
2281 Viktor Szakats (27 Oct 2023)
2283 - build: variadic macro tidy-ups
2285 - delete unused `HAVE_VARIADIC_MACROS_C99/GCC` feature checks.
2286 (both autotools and CMake.)
2287 - delete duplicate `NULL` check in `Curl_trc_cf_infof()`.
2288 - fix compiler warning in `CURL_DISABLE_VERBOSE_STRINGS` builds.
2290 ./lib/cf-socket.c:122:41: warning: unused parameter 'data' [-Wunused-parame
2292 static void nosigpipe(struct Curl_easy *data,
2295 - fix `#ifdef` comments in `lib/curl_trc.{c,h}`.
2296 - fix indentation in some `infof()` calls.
2298 Follow-up to dac293cfb7026b1ca4175d88b80f1432d3d3c684 #12167
2300 Cherry-picked from #12105
2303 - cmake: speed up threads setup for Windows
2305 Win32 threads are always available. We enabled them unconditionally
2306 (with `ENABLE_THREADED_RESOLVER`). CMake built-in thread detection
2307 logic has this condition hard-coded for Windows as well (since at least
2310 Instead of doing all the work of detecting pthread combinations on
2311 Windows, then discarding those results, skip these efforts and assume
2312 built-in thread support when building for Windows.
2314 This saves 1-3 slow CMake configuration steps.
2316 Reviewed-by: Daniel Stenberg
2319 - cmake: speed up zstd detection
2321 Before this patch we detected the presence of a specific zstd API to
2322 see if we can use the library. zstd published that API in its first
2323 stable release: v1.0.0 (2016-08-31).
2325 Replace that method by detecting the zstd library version instead and
2326 accepting if it's v1.0.0 or newer. Also display this detected version
2327 and display a warning if the zstd found is unfit for curl.
2329 We use the same version detection method as zstd itself, via its public
2332 This deviates from autotools which keeps using the slow method of
2333 looking for the API by building a test program. The outcome is the same
2334 as long as zstd keeps offering this API.
2336 Ref: https://github.com/facebook/zstd/commit/5a0c8e24395079f8e8cdc90aa1659cd5
2337 ab1b7427 (2016-08-12, committed)
2338 Ref: https://github.com/facebook/zstd/releases/tag/v0.8.1 (2016-08-18, first
2340 Ref: https://github.com/facebook/zstd/releases/tag/v1.0.0
2342 Reviewed-by: Daniel Stenberg
2345 Daniel Stenberg (26 Oct 2023)
2347 - openssl: fix infof() to avoid compiler warning for %s with null
2349 vtls/openssl.c: In function ‘ossl_connect_step2’:
2350 ../lib/curl_trc.h:120:10: error: ‘%s’ directive argument is null [-Werror
2352 120 | Curl_infof(data, __VA_ARGS__); } while(0)
2353 | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2354 vtls/openssl.c:4008:5: note: in expansion of macro ‘infof’
2355 4008 | infof(data, "SSL connection using %s / %s / %s / %s",
2357 vtls/openssl.c:4008:49: note: format string is defined here
2358 4008 | infof(data, "SSL connection using %s / %s / %s / %s",
2361 Follow-up to b6e6d4ff8f253c8b8055bab
2364 Stefan Eissing (26 Oct 2023)
2366 - lib: apache style infof and trace macros/functions
2368 - test for a simplified C99 variadic check
2369 - args to infof() in --disable-verbose are no longer disregarded but
2377 Daniel Stenberg (26 Oct 2023)
2379 - RELEASE-NOTES: synced
2381 Stefan Eissing (26 Oct 2023)
2383 - urldata: move async resolver state from easy handle to connectdata
2385 - resolving is done for a connection, not for every transfer
2386 - save create/dup/free of a cares channel for each transfer
2387 - check values of setopt calls against a local channel if no
2388 connection has been attached yet, when needed.
2392 Daniel Stenberg (26 Oct 2023)
2394 - CURLOPT_WRITEFUNCTION.3: clarify what libcurl returns for CURL_WRITEFUNC_ERRO
2397 It returns CURLE_WRITE_ERROR. It was not previously stated clearly.
2399 Reported-by: enWILLYado on github
2403 Viktor Szakats (25 Oct 2023)
2405 - autotools: update references to deleted `crypt-auth` option
2407 Delete leftovers of the `crypt-auth` `./configure` option and
2408 add the new ones that replaced them.
2410 Follow-up to e92edfbef64448ef461117769881f3ed776dec4e #11490
2412 Reviewed-by: Daniel Stenberg
2415 Stefan Eissing (25 Oct 2023)
2417 - lib: introduce struct easy_poll_set for poll information
2419 Connection filter had a `get_select_socks()` method, inspired by the
2420 various `getsocks` functions involved during the lifetime of a
2421 transfer. These, depending on transfer state (CONNECT/DO/DONE/ etc.),
2422 return sockets to monitor and flag if this shall be done for POLLIN
2425 Due to this design, sockets and flags could only be added, not
2426 removed. This led to problems in filters like HTTP/2 where flow control
2427 prohibits the sending of data until the peer increases the flow
2428 window. The general transfer loop wants to write, adds POLLOUT, the
2429 socket is writeable but no data can be written.
2431 This leads to cpu busy loops. To prevent that, HTTP/2 did set the
2432 `SEND_HOLD` flag of such a blocked transfer, so the transfer loop cedes
2433 further attempts. This works if only one such filter is involved. If a
2434 HTTP/2 transfer goes through a HTTP/2 proxy, two filters are
2435 setting/clearing this flag and may step on each other's toes.
2437 Connection filters `get_select_socks()` is replaced by
2438 `adjust_pollset()`. They get passed a `struct easy_pollset` that keeps
2439 up to `MAX_SOCKSPEREASYHANDLE` sockets and their `POLLIN|POLLOUT`
2440 flags. This struct is initialized in `multi_getsock()` by calling the
2441 various `getsocks()` implementations based on transfer state, as before.
2443 After protocol handlers/transfer loop have set the sockets and flags
2444 they want, the `easy_pollset` is *always* passed to the filters. Filters
2445 "higher" in the chain are called first, starting at the first
2446 not-yet-connection one. Each filter may add sockets and/or change
2447 flags. When all flags are removed, the socket itself is removed from the
2452 * transfer wants to send, adds POLLOUT
2453 * http/2 filter has a flow control block, removes POLLOUT and adds
2454 POLLIN (it is waiting on a WINDOW_UPDATE from the server)
2455 * TLS filter is connected and changes nothing
2456 * h2-proxy filter also has a flow control block on its tunnel stream,
2457 removes POLLOUT and adds POLLIN also.
2458 * socket filter is connected and changes nothing
2459 * The resulting pollset is then mixed together with all other transfers
2460 and their pollsets, just as before.
2462 Use of `SEND_HOLD` is no longer necessary in the filters.
2464 All filters are adapted for the changed method. The handling in
2465 `multi.c` has been adjusted, but its state handling the the protocol
2466 handlers' `getsocks` method are untouched.
2468 The most affected filters are http/2, ngtcp2, quiche and h2-proxy. TLS
2469 filters needed to be adjusted for the connecting handshake read/write
2472 No noticeable difference in performance was detected in local scorecard
2477 Daniel Stenberg (25 Oct 2023)
2479 - tests/README: SOCKS tests are not using OpenSSH, it has its own server
2481 Follow-up to 04fd67555cc
2485 Jacob Hoffman-Andrews (25 Oct 2023)
2487 - tets: make test documentation more user-friendly
2489 Put the instructions to run tests right at the top of tests/README.md.
2491 Give instructions to read the runtests.1 man page for information
2492 about flags. Delete redundant copy of the flags documentation in the
2495 Add a mention in README.md of the important parallelism flag, to make
2496 test runs go much faster.
2498 Move documentation of output line format into the runtests.1 man page,
2499 and update it with missing flags.
2501 Fix the order of two flags in the man page.
2505 Viktor Szakats (24 Oct 2023)
2507 - cmake: pre-fill rest of detection values for Windows
2509 The goal of this patch is to avoid unnecessary feature detection work
2510 when doing Windows builds with CMake. Do this by pre-filling well-known
2511 detection results for Windows and specifically for mingw-w64 and MSVC
2512 compilers. Also limit feature checks to platforms where the results are
2513 actually used. Drop a few redundant ones. And some tidying up.
2515 - pre-fill remaining detection values in Windows CMake builds.
2517 Based on actual detection results observed in CI runs, preceding
2518 similar work over libssh2 and matching up values with
2519 `lib/config-win32.h`.
2521 This brings down CMake configuration time from 58 to 14 seconds on the
2524 On AppVeyor CI this translates to:
2525 - 128 seconds -> 50 seconds VS2022 MSVC with OpenSSL (per CMake job):
2526 https://ci.appveyor.com/project/curlorg/curl/builds/48208419/job/4gw66ecr
2528 https://ci.appveyor.com/project/curlorg/curl/builds/48217440/job/8m4fwrr2
2530 - 62 seconds -> 16 seconds VS2017 MINGW (per CMake job):
2531 https://ci.appveyor.com/project/curlorg/curl/builds/48208419/job/s1y8q5iv
2532 lcs7ub29?fullLog=true#L290
2533 https://ci.appveyor.com/project/curlorg/curl/builds/48217440/job/pchpxyjs
2534 yc9kl13a?fullLog=true#L194
2536 The formula is about 1-3 seconds delay for each detection. Almost all
2537 of these trigger a full compile-link cycle behind the scenes, slow
2538 even today, both cross and native, mingw-w64 and apparently MSVC too.
2539 Enabling .map files or other custom build features slows it down
2540 further. (Similar is expected for autotools configure.)
2542 - stop detecting `idn2.h` if idn2 was deselected.
2543 autotools does this.
2545 - stop detecting `idn2.h` if idn2 was not found.
2546 This deviates from autotools. Source code requires both header and
2547 lib, so this is still correct, but faster.
2549 - limit `ADDRESS_FAMILY` detection to Windows.
2551 - normalize `HAVE_WIN32_WINNT` value to lowercase `0x0a12` format.
2553 - pre-fill `HAVE_WIN32_WINNT`-dependent detection results.
2554 Saving 4 (slow) feature-detections in most builds: `getaddrinfo`,
2555 `freeaddrinfo`, `inet_ntop`, `inet_pton`
2557 - fix pre-filled `HAVE_SYS_TIME_H`, `HAVE_SYS_PARAM_H`,
2558 `HAVE_GETTIMEOFDAY` for mingw-w64.
2559 Luckily this do not change build results, as `WIN32` took
2560 priority over `HAVE_GETTIMEOFDAY` with the current source
2563 - limit `HAVE_CLOCK_GETTIME_MONOTONIC_RAW` and
2564 `HAVE_CLOCK_GETTIME_MONOTONIC` detections to non-Windows.
2565 We're not using these in the source code for Windows.
2567 - reduce compiler warning noise in CMake internal logs:
2568 - fix to include `winsock2.h` before `windows.h`.
2569 Apply it to autotools test snippets too.
2570 - delete previous `-D_WINSOCKAPI_=` hack that aimed to fix the above.
2571 - cleanup `CMake/CurlTests.c` to emit less warnings.
2573 - delete redundant `HAVE_MACRO_SIGSETJMP` feature check.
2574 It was the same check as `HAVE_SIGSETJMP`.
2576 - delete 'experimental' marking from `CURL_USE_OPENSSL`.
2578 - show CMake version via `CMakeLists.txt`.
2579 Credit to the `zlib-ng` project for the idea:
2580 https://github.com/zlib-ng/zlib-ng/blob/61e181c8ae93dbf56040336179c9954078b
2581 d1399/CMakeLists.txt#L7
2583 - make `CMake/CurlTests.c` pass `checksrc`.
2585 - `CMake/WindowsCache.cmake` tidy-ups.
2587 - replace `WIN32` guard with `_WIN32` in `CMake/CurlTests.c`.
2591 Jay Satiro (24 Oct 2023)
2593 - page-footer: clarify exit code 25
2595 - Clarify that curl tool exit code 25 means an upload failed to start.
2597 Exit code 25 is equivalent to CURLE_UPLOAD_FAILED (25). Prior to this
2598 change the documentation only mentioned the case of FTP STOR failing.
2600 Reported-by: Emanuele Torre
2602 Ref: https://github.com/curl/curl/blob/curl-8_4_0/docs/libcurl/libcurl-errors
2605 Fixes https://github.com/curl/curl/issues/12189
2606 Closes https://github.com/curl/curl/pull/12190
2608 Daniel Stenberg (24 Oct 2023)
2610 - scripts/cijobs.pl: adjust for appveyor
2612 Follow-up to a1d73a6bb
2614 Alex Bozarth (24 Oct 2023)
2616 - OpenSSL: Include SIG and KEM algorithms in verbose
2618 Currently the verbose output does not include which algorithms are used
2619 for the signature and key exchange when using OpenSSL. Including the
2620 algorithms used will enable better debugging when working on using new
2621 algorithm implementations. Know what algorithms are used has become more
2622 important with the fast growing research into new quantum-safe
2625 This implementation includes a build time check for the OpenSSL version
2626 to use a new function that will be included in OpenSSL 3.2 that was
2627 introduced in openssl/openssl@6866824
2629 Based-on-patch-by: Martin Schmatz <mrt@zurich.ibm.com>
2632 Daniel Stenberg (23 Oct 2023)
2634 - http2: provide an error callback and failf the message
2636 Getting nghttp2's error message helps users understand what's going
2637 on. For example when the connection is brought down due a forbidden
2638 header is used - as that header is then not displayed by curl itself.
2642 curl: (92) Invalid HTTP header field was received: frame type: 1,
2643 stream: 1, name: [upgrade], value: [h2,h2c]
2648 Turiiya (23 Oct 2023)
2650 - BINDINGS: add V binding
2654 Daniel Stenberg (22 Oct 2023)
2656 - configure: check for the fseeko declaration too
2658 ... and make the code require both symbol and declaration.
2660 This is because for Android, the symbol is always present in the lib at
2661 build-time even when not actually available in run-time.
2663 Assisted-by: Viktor Szakats
2664 Reported-by: 12932 on github
2668 Viktor Szakats (22 Oct 2023)
2670 - cmake: fix OpenSSL quic detection in quiche builds
2672 An orphan call to `CheckQuicSupportInOpenSSL()` remained after a recent
2673 update when checking QUIC for quiche. Move back QUIC detection to
2674 a function and fixup callers to use that. Also make sure that quiche
2675 gets QUIC from BoringSSL, because it doesn't support other forks at this
2678 Regression from dee310d54261f9a8416e87d50bccfe2cbe404949 #11555
2680 Reported-by: Casey Bodley <cbodley@redhat.com>
2684 Daniel Stenberg (22 Oct 2023)
2686 - RELEASE-NOTES: synced
2688 bump to 8.5.0 for pending release
2690 Dan Fandrich (21 Oct 2023)
2692 - test3103: add missing quotes around a test tag attribute
2694 Loïc Yhuel (21 Oct 2023)
2696 - tool: fix --capath when proxy support is disabled
2698 After 95e8515ca0, --capath always sets CURLOPT_PROXY_CAPATH, which fails
2699 with CURLE_UNKNOWN_OPTION when proxy support is disabled.
2703 Daniel Stenberg (21 Oct 2023)
2705 - openldap: move the alloc of ldapconninfo to *connect()
2707 Fixes a minor memory leak on LDAP connection reuse.
2709 Doing the allocation already in *setup_connection() is wrong since that
2710 connect struct might get discarded early when an existing connection is
2715 - openldap: set the callback argument in oldap_do
2717 ... to make sure it has the current 'data' pointer and not a stale old
2720 Reported-by: Dan Fandrich
2723 - gnutls: support CURLSSLOPT_NATIVE_CA
2725 Remove the CURL_CA_FALLBACK logic. That build option was added to allow
2726 primarily OpenSSL to use the default paths for loading the CA certs. For
2727 GnuTLS it was instead made to load the "system certs", which is
2728 different and not desirable.
2730 The native CA store loading is now asked for with this option.
2732 Follow-up to 7b55279d1d856
2734 Co-authored-by: Jay Satiro
2738 Stefan Eissing (21 Oct 2023)
2740 - RTSP: improved RTP parser
2742 - fix HTTP header parsing to report incomplete
2743 lines it buffers as consumed!
2744 - re-implement the RTP parser for interleave RTP
2745 messages for robustness. It is now keeping its
2746 state at the connection
2747 - RTSP protocol handler "readwrite" implementation
2748 now tracks if the response is before/in/after
2749 header parsing or "in" a bod by calling
2750 "Curl_http_readwrite_headers()" itself. This
2751 allows it to know when non-RTP bytes are "junk"
2753 - tested with #12035 and various small receive
2754 sizes where current master fails
2758 - http2: header conversion tightening
2760 - fold the code to convert dynhds to the nghttp2 structs
2761 into a dynhds internal method
2762 - saves code duplication
2763 - pacifies compiler analyzers
2767 Daniel Stenberg (21 Oct 2023)
2769 - curl_ntlm_wb: fix elif typo
2771 Reported-by: Manfred Schwarb
2772 Follow-up to d4314cdf65ae
2773 Bug: https://github.com/curl/curl/commit/d4314cdf65aee295db627016934bd9eb621a
2776 Dan Fandrich (20 Oct 2023)
2778 - test1683: remove commented-out check alternatives
2780 Python precheck/postcheck alternatives were included but commented out.
2781 Since these are not used and perl is guaranteed to be available to run
2782 the perl versions anyway, the Python ones are removed.
2784 Daniel Stenberg (20 Oct 2023)
2786 - hostip: show the list of IPs when resolving is done
2788 Getting 'curl.se' today then gets this verbose output which might help
2789 debugging connectivity related matters.
2791 * Host curl.se:80 was resolved.
2792 * IPv6: 2a04:4e42::347, 2a04:4e42:200::347, 2a04:4e42:400::347,
2793 2a04:4e42:600::347, 2a04:4e42:800::347, 2a04:4e42:a00::347,
2794 2a04:4e42:c00::347, 2a04:4e42:e00::347
2795 * IPv4: 151.101.193.91, 151.101.1.91, 151.101.65.91, 151.101.129.91
2797 Co-authored-by: Jay Satiro
2800 rilysh (20 Oct 2023)
2802 - docs: fix function typo in curl_easy_option_next.3
2806 Daniel Stenberg (20 Oct 2023)
2808 - vssh: remove the #ifdef for Curl_ssh_init, use empty macro
2810 In the same style as other init calls
2812 - easy: remove duplicate wolfSSH init call
2814 It is already done in Curl_ssh_init() where it belongs.
2818 - socks: make SOCKS5 use the CURLOPT_IPRESOLVE choice
2821 Reported-by: Ammar Faizi
2824 - urldata: move the 'internal' boolean to the state struct
2826 ... where all the other state bits for the easy handles live.
2830 - url: don't touch the multi handle when closing internal handles
2832 Reported-by: Maksymilian Arciemowicz
2835 Faraz Fallahi (19 Oct 2023)
2837 - getenv: PlayStation doesn't have getenv()
2841 Daniel Stenberg (19 Oct 2023)
2843 - transfer: only reset the FTP wildcard engine in CLEAR state
2845 To avoid the state machine to start over and redownload all the files
2848 Reported-by: lkordos on github
2849 Regression from 843b3baa3e3cb228 (shipped in 8.1.0)
2850 Bisect-by: Dan Fandrich
2854 Stefan Eissing (19 Oct 2023)
2856 - GHA: move mod_h2 version in CI to v2.0.25
2860 Daniel Stenberg (19 Oct 2023)
2862 - ntlm_wb: use pipe instead of socketpair when possible
2866 - RELEASE-NOTES: synced
2868 - asyn-thread: use pipe instead of socketpair for IPC when available
2870 If pipe() is present. Less overhead.
2872 Helped-by: Viktor Szakats
2875 Dan Fandrich (17 Oct 2023)
2877 - tests: Fix Windows test helper tool search & use it for handle64
2879 The checkcmd() and checktestcmd() functions would not have worked on
2880 Windows due to hard-coding the UNIX PATH separator character and not
2881 adding .exe file extension. This meant that tools like stunnel, valgrind
2882 and nghttpx would not have been found and used on Windows, and
2883 inspection of previous test runs show none of those being found in pure
2886 With this fixed, they can be used to detect the handle64.exe program
2887 before attempting to use it. When handle64.exe was called
2888 unconditionally without it existing, it caused perl to abort the test
2891 The running command stopped because the preference variable
2892 "ErrorActionPreference" or common parameter is set to Stop:
2893 sh: handle64.exe: command not found
2897 Daniel Stenberg (17 Oct 2023)
2899 - multi: use pipe instead of socketpair to *wakeup()
2901 If pipe() is present. Less overhead.
2905 Jay Satiro (17 Oct 2023)
2907 - build: fix 'threadsafe' feature detection for older gcc
2909 - Add 'threadsafe' to the feature list shown during build if POSIX
2910 threads are being used.
2912 This is a follow-up to 5adb6000 which added support for building a
2913 thread-safe libcurl with older versions of gcc where atomic is not
2914 available but pthread is.
2916 Reported-by: Dan Fandrich
2917 Co-authored-by: Dan Fandrich
2919 Fixes https://github.com/curl/curl/issues/12125
2920 Closes https://github.com/curl/curl/pull/12127
2922 Daniel Stenberg (16 Oct 2023)
2924 - test729: verify socks4a with excessive proxy user name length
2926 - socks: better buffer size checks for socks4a user and hostname
2928 Also limit the proxy user name to 255 bytes, which is the same limit as
2931 Reported-by: sd0 on hackerone
2934 - curl.h: on FreeBSD include sys/param.h instead of osreldate.h
2936 Should things build on Playstation as well
2939 Reported-by: Faraz Fallahi
2942 Marcin Rataj (16 Oct 2023)
2944 - tool_operate: fix links in ipfs errors
2946 URL fragment links generated from headers in
2947 https://curl.se/docs/ipfs.html are lowercase.
2951 Viktor Szakats (15 Oct 2023)
2953 - cmake: replace `check_library_exists_concat()`
2955 The idea of `check_library_exists_concat()` is that it detects an
2956 optional component and adds it to the list of libs that we also use in
2957 subsequent component checks. This caused problems when detecting
2958 components with unnecessary dependencies that were not yet built.
2960 CMake offers the `CMAKE_REQUIRED_LIBRARIES` variable to set libs used
2961 for component checks, which we already use in most cases. That left 4
2962 uses of `check_library_exists_concat()`. Only one of these actually
2963 needed the 'concat' feature (ldap/lber).
2965 Delete this function and replace it with standard
2966 `check_library_exists()` and manual management of our `CURL_LIBS`
2967 list we use when linking build targets. And special logic to handle the
2970 (We have a similar function for headers: `check_include_file_concat()`.
2971 It works, but problematic for performance reasons and because it hides
2972 the actual headers required in `check_symbol_exists()` calls.)
2979 LoRd_MuldeR (15 Oct 2023)
2981 - tool_cb_wrt: fix write output for very old Windows versions
2983 - Pass missing parameter for 'lpNumberOfCharsWritten' to WriteConsoleW()
2986 Apparently this parameter was *not* optional on older Windows versions.
2988 Issue observed on Windows XP SP2. Issue not observed on Windows 7 SP1.
2989 So at some point between those two Microsoft changed the behavior.
2991 Prior to this change, on those versions if parameter is NULL then the
2992 function call fails with error ERROR_INVALID_ACCESS.
2994 Regression since af3f4e41.
2996 Ref: https://github.com/MicrosoftDocs/Console-Docs/issues/299
2998 Fixes https://github.com/curl/curl/issues/12131
2999 Closes https://github.com/curl/curl/pull/12130
3001 Jay Satiro (15 Oct 2023)
3003 - tool_urlglob: fix build for old gcc versions
3005 - Don't use __builtin_mul_overflow for GCC 4 and earlier.
3007 The function was added in GCC 5.
3009 Ref: https://gcc.gnu.org/gcc-5/changes.html
3011 Reported-by: Dan Fandrich
3013 Fixes https://github.com/curl/curl/issues/12124
3014 Closes https://github.com/curl/curl/pull/12128
3016 Carlos Henrique Lima Melara (14 Oct 2023)
3018 - docs/libcurl: fix three minor man page format mistakes
3020 Reported-by: Samuel Henrique
3022 Closes https://github.com/curl/curl/pull/12126
3024 Jay Satiro (14 Oct 2023)
3026 - tests/server: add more SOCKS5 handshake error checking
3028 - Add additional checking for missing and too-short SOCKS5 handshake
3031 Prior to this change the SOCKS5 test server did not check that all parts
3032 of the handshake were received successfully. If those parts were missing
3033 or too short then the server would access uninitialized memory.
3035 This issue was discovered in CI job 'memory-sanitizer' test results.
3036 Test 2055 was failing due to the SOCKS5 test server not running. It was
3037 not running because either it crashed or memory sanitizer aborted it
3038 during Test 728. Test 728 connects to the SOCKS5 test server on a
3039 redirect but does not send any data on purpose. The test server was not
3042 Reported-by: Dan Fandrich
3044 Fixes https://github.com/curl/curl/issues/12117
3045 Closes https://github.com/curl/curl/pull/12118
3047 Daniel Stenberg (14 Oct 2023)
3049 - RELEASE-NOTES: synced
3051 Sohom Datta (14 Oct 2023)
3053 - tool_getparam: limit --rate to be smaller than number of ms
3055 Currently, curl allows users to specify absurd request rates that might
3056 be higher than the number of milliseconds in the unit (ex: curl --rate
3057 3600050/h http://localhost:8080 does not error out despite there being
3058 only 3600000ms in a hour).
3060 This change adds a conditional check before the millisecond calculation
3061 making sure that the number is not higher than the numerator (the unit)
3062 If the number is higher, curl errors out with PARAM_NUMBER_TOO_LARGE
3066 Daniel Stenberg (14 Oct 2023)
3068 - opts: fix two minor man page format mistakes
3070 Jay Satiro (14 Oct 2023)
3072 - curl_trc: remove a bad assertion
3074 - Remove DEBUGASSERT that an internal handle must not have user
3075 private_data set before calling the user's debug callback.
3077 This is a follow-up to 0dc40b2a. The user can distinguish their easy
3078 handle from an internal easy handle by setting CURLOPT_PRIVATE on their
3079 easy handle. I had wrongly assumed that meant the user couldn't then
3080 set CURLOPT_PRIVATE on an internal handle as well.
3082 Bug: https://github.com/curl/curl/pull/12060#issuecomment-1754594697
3083 Reported-by: Daniel Stenberg
3085 Closes https://github.com/curl/curl/pull/12104
3087 Dan Fandrich (13 Oct 2023)
3089 - test613: stop showing an error on missing output file
3091 This test would show an error message if the output was missing during
3092 the log post-processing step, but the message was not captured by the
3093 test harness and wasn't useful since the normal golden log file
3094 comparison would the problem more clearly.
3096 Stefan Eissing (13 Oct 2023)
3098 - quic: manage connection idle timeouts
3100 - configure a 120s idle timeout on our side of the connection
3101 - track the timestamp when actual socket IO happens
3102 - check IO timestamp to our *and* the peer's idle timeouts
3103 in "is this connection alive" checks
3105 Reported-by: calvin2021y on github
3109 Dan Fandrich (13 Oct 2023)
3111 - CI: ignore test 286 on Appveyor gcc 9 build
3113 This test fails sometimes with a super fast retry loop due to what may
3114 just be a compiler bug. The test results are ignored on the one CI job
3115 where it occurs because there seems to be nothing we can do to fix it.
3120 Viktor Szakats (13 Oct 2023)
3122 - lib: fix gcc warning in printf call
3124 Do not pass NULL to printf %s.
3126 Seen with gcc 13.2.0 on Debian:
3128 .../curl/lib/connect.c:696:27: warning: '%s' directive argument is null [-Wfo
3131 Ref: https://github.com/curl/curl-for-win/actions/runs/6476161689/job/1758442
3135 Co-authored-by: Jay Satiro
3138 Alex Klyubin (13 Oct 2023)
3140 - http2: safer invocation of populate_binsettings
3142 populate_binsettings now returns a negative value on error, instead of a
3143 huge positive value. Both places which call this function have been
3144 updated to handle this change in its contract.
3146 The way populate_binsettings had been used prior to this change the huge
3147 positive values -- due to signed->unsigned conversion of the potentially
3148 negative result of nghttp2_pack_settings_payload which returns negative
3149 values on error -- are not possible. But only because http2.c currently
3150 always provides a large enough output buffer and provides H2 SETTINGS
3151 IVs which pass the verification logic inside nghttp2. If the
3152 verification logic were to change or if http2.c started passing in more
3153 IVs without increasing the output buffer size, the overflow could become
3154 reachable, and libcurl/curl might start leaking memory contents to
3159 Daniel Stenberg (13 Oct 2023)
3161 - openssl: avoid BN_num_bits() NULL pointer derefs
3163 Reported-by: icy17 on github
3167 - wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA
3169 This define is set in wolfssl's options.h file when this function and
3170 feature is present. Handles both builds with the feature explicitly
3171 disabled and wolfSSL versions before 5.5.2 - which introduced this API
3176 - tool_urlglob: make multiply() bail out on negative values
3178 - Does not work correctly with negative values
3179 - use __builtin_mul_overflow() on gcc
3181 Reported-by: Torben Dury
3184 Loïc Yhuel (13 Oct 2023)
3186 - cmake: fix CURL_DISABLE_GETOPTIONS
3188 - Add CURL_DISABLE_GETOPTIONS to curl_config.h.cmake.
3190 Prior to this change the option had no effect because it was missing
3193 Closes https://github.com/curl/curl/pull/12091
3195 - easy_lock: add a pthread_mutex_t fallback
3197 This allows to keep the init threadsafe with gcc < 4.9.0 (no C11
3200 Closes https://github.com/curl/curl/pull/12090
3202 Viktor Szakats (12 Oct 2023)
3204 - CI: add autotools, out-of-tree, debug build to distro check job
3206 Add a job that builds curl from a generated source tarball sample, with
3207 autotools, out-of-tree, in debug mode.
3212 Daniel Stenberg (12 Oct 2023)
3214 - http: avoid Expect: 100-continue if Upgrade: is used
3216 Reported-by: Daniel Jelinski
3220 Jan Alexander Steffens (heftig) (12 Oct 2023)
3222 - docs: use SOURCE_DATE_EPOCH for generated manpages
3224 This should make builds from Git reproducible.
3228 Daniel Stenberg (12 Oct 2023)
3230 - RELEASE-NOTES: synced
3234 Viktor Szakats (12 Oct 2023)
3236 - cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection
3238 Fix `HAVE_H_ERRNO_ASSIGNABLE` to not run, only compile its test snippet,
3239 aligning this with autotools. This fixes an error when doing
3240 cross-builds and also actually detects this feature. It affected systems
3241 not allowlisted into this, e.g. SerenityOS.
3243 We used this detection result to enable `HAVE_GETADDRINFO_THREADSAFE`.
3245 Follow-up to 04a3a377d83fd72c4cf7a96c9cb6d44785e33264 #11979
3246 Ref: #12095 (closed in favour of this patch)
3247 Ref: #11964 (effort to sync cmake detections with autotools)
3249 Reported-by: Kartatz on Github
3250 Assisted-by: Kartatz on Github
3254 - build: add `src/.checksrc` to source tarball
3256 Regression from e5bb88b8f824ed87620bd923552534c83c2a516e #11958
3258 Bug: https://github.com/curl/curl/pull/11958#issuecomment-1757079071
3259 Reported-by: Romain Geissler
3263 Version 8.4.0 (11 Oct 2023)
3265 Daniel Stenberg (11 Oct 2023)
3267 - RELEASE-NOTES: synced
3269 - THANKS: add contributors from 8.4.0
3271 Jay Satiro (11 Oct 2023)
3273 - socks: return error if hostname too long for remote resolve
3275 Prior to this change the state machine attempted to change the remote
3276 resolve to a local resolve if the hostname was longer than 255
3277 characters. Unfortunately that did not work as intended and caused a
3280 Bug: https://curl.se/docs/CVE-2023-38545.html
3282 Stefan Eissing (10 Oct 2023)
3284 - CI: remove slowed-network tests
3286 - remove these tests as they are currently not reliable in our CI
3289 curl handles the test cases, but CI sometimes fails on these due to
3290 additional conditions. Rather than mix them in, an additional CI job
3291 will be added in the future that is specific to them.
3293 Closes https://github.com/curl/curl/pull/12075
3295 Jay Satiro (10 Oct 2023)
3297 - libcurl-env-dbg.3: move debug variables from libcurl-env.3
3299 - Move documentation of libcurl environment variables used only in debug
3300 builds from libcurl-env into a separate document libcurl-env-dbg.
3302 - Document more debug environment variables.
3304 Previously undocumented or missing a description:
3306 CURL_ALTSVC_HTTP, CURL_DBG_SOCK_WBLOCK, CURL_DBG_SOCK_WPARTIAL,
3307 CURL_DBG_QUIC_WBLOCK, CURL_DEBUG, CURL_DEBUG_SIZE, CURL_GETHOSTNAME,
3308 CURL_HSTS_HTTP, CURL_FORCETIME, CURL_SMALLREQSEND, CURL_SMALLSENDS,
3311 Closes https://github.com/curl/curl/pull/11811
3313 Dan Fandrich (9 Oct 2023)
3315 - test670: increase the test timeout
3317 This should make it more immune to loaded servers.
3321 Stefan Eissing (9 Oct 2023)
3323 - MQTT: improve receive of ACKs
3325 - add `mq->recvbuf` to provide buffering of incomplete
3327 - continue ACK reading until sufficient bytes available
3328 - fixes test failures on low network receives
3332 Viktor Szakats (9 Oct 2023)
3334 - quic: fix BoringSSL build
3336 Add guard around `SSL_CTX_set_ciphersuites()` use.
3338 Bug: https://github.com/curl/curl/pull/12065#issuecomment-1752171885
3340 Follow-up to aa9a6a177017e4b74d33cdf85a3594900f4a7f81
3342 Co-authored-by: Jay Satiro
3343 Reviewed-by: Daniel Stenberg
3346 Stefan Eissing (9 Oct 2023)
3348 - test1540: improve reliability
3350 - print that bytes have been received on pausing, but not how many
3354 - test2302: improve reliability
3356 - make result print collected write data, unless
3357 change in meta flags is detected
3358 - will show same result even when data arrives via
3359 several writecb invocations
3363 Daniel Stenberg (9 Oct 2023)
3365 - curl_easy_pause: set "in callback" true on exit if true
3367 Because it might have called another callback in the mean time that then
3368 set the bit FALSE on exit.
3370 Reported-by: Jay Satiro
3374 Viktor Szakats (8 Oct 2023)
3376 - h3: add support for ngtcp2 with AWS-LC builds
3379 curl 8.4.0-DEV (x86_64-apple-darwin) libcurl/8.4.0-DEV (SecureTransport) AWS-
3380 LC/1.15.0 nghttp2/1.56.0 ngtcp2/0.19.1 nghttp3/0.15.0
3381 Release-Date: [unreleased]
3382 Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps
3383 mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
3384 Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile Multi
3385 SSL NTLM SSL threadsafe UnixSockets
3388 Also delete an obsolete GnuTLS TODO and update the header comment in
3391 Reviewed-by: Daniel Stenberg
3394 - build: do not publish `HAVE_BORINGSSL`, `HAVE_AWSLC` macros
3396 Syncing this up with CMake.
3398 Source code uses the built-in `OPENSSL_IS_AWSLC` and
3399 `OPENSSL_IS_BORINSSL` macros to detect BoringSSL and AWS-LC. No help is
3400 necessary from the build tools.
3402 The one use of `HAVE_BORINGSSL` in the source turned out to be no longer
3403 necessary for warning-free BoringSSL + Schannel builds. Ref: #1610 #2634
3405 autotools detects this anyway for display purposes.
3406 CMake detects this to decide whether to use the BoringSSL-specific
3407 crypto lib with ngtcp2. It detects AWS-LC, but doesn't use the detection
3408 result just yet (planned in #12066).
3412 Reviewed-by: Daniel Stenberg
3413 Reviewed-by: Jay Satiro
3416 Marc Hoersken (8 Oct 2023)
3418 - CI: move distcheck job from Azure Pipelines to GitHub Actions
3420 This will allow for more trigger excludes within Azure Pipelines.
3422 Also fixes seemingly broken check with scripts/installcheck.sh.
3423 Ref: 190374c74ec4e5247d9066544c86e8d095e1d7b5
3425 Assisted-by: Philip Heiduck
3428 Daniel Stenberg (8 Oct 2023)
3430 - url: fall back to http/https proxy env-variable if ws/wss not set
3432 Reported-by: Craig Andrews
3436 Stefan Eissing (8 Oct 2023)
3438 - cf-socket: simulate slow/blocked receives in debug
3440 add 2 env variables for non-UDP sockets:
3441 1. CURL_DBG_SOCK_RBLOCK: percentage of receive calls that randomly
3442 should return EAGAIN
3443 2. CURL_DBG_SOCK_RMAX: max amount of bytes read from socket
3447 - http2: refused stream handling for retry
3449 - answer HTTP/2 streams refused via a GOAWAY from the server to
3450 respond with CURLE_RECV_ERROR in order to trigger a retry
3451 on another connection
3453 Reported-by: black-desk on github
3457 Jay Satiro (8 Oct 2023)
3459 - CURLOPT_DEBUGFUNCTION.3: warn about internal handles
3461 - Warn that the user's debug callback may be called with the handle
3462 parameter set to an internal handle.
3464 Without this warning the user may assume that the only handles their
3465 debug callback receives are the easy handles on which they set
3466 CURLOPT_DEBUGFUNCTION.
3468 This is a follow-up to f8cee8cc which changed DoH handles to inherit
3469 the debug callback function set in the user's easy handle. As a result
3470 those handles are now passed to the user's debug callback function.
3472 Closes https://github.com/curl/curl/pull/12034
3476 Daniel Stenberg (8 Oct 2023)
3478 - test458: verify --expand-output, expanding a file name accepting option
3480 Verifies the fix in #12055 (commit f2c8086ff15e6e995e1)
3482 - tool_getparam: accept variable expansion on file names too
3484 Reported-by: PBudmark on github
3488 - RELEASE-NOTES: synced
3490 - multi: do CURLM_CALL_MULTI_PERFORM at two more places
3492 ... when it does a state transition but there is no particular socket or
3493 timer activity. This was made apparent when commit b5bb84c removed a
3494 superfluous timer expiry.
3496 Reported-by: Dan Fandrich.
3500 Viktor Szakats (7 Oct 2023)
3502 - GHA/linux: mbedtls 3.5.0 + minor dep bumps
3506 Dan Fandrich (7 Oct 2023)
3508 - CI: bump OpenLDAP package version on FreeBSD
3510 The old one is no longer available.
3512 Marc Hoersken (7 Oct 2023)
3514 - docs/libcurl/opts/Makefile.inc: add missing manpage files
3518 Dan Fandrich (7 Oct 2023)
3520 - tests: fix a race condition in ftp server disconnect
3522 If a client disconnected and reconnected quickly, before the ftp server
3523 had a chance to respond, the protocol message/ack (ping/pong) sequence
3524 got out of sync, causing messages sent to the old client to be delivered
3525 to the new. A disconnect must now be acknowledged and intermediate
3526 requests thrown out until it is, which ensures that such synchronization
3527 problems can't occur. This problem could affect ftp, pop3, imap and smtp
3533 Viktor Szakats (7 Oct 2023)
3535 - appveyor: bump mingw-w64 job to gcc 13 (was: 8)
3537 This sets gcc 6, 7, 9, 13 in our test mix (was: 6, 7, 8, 9).
3538 Adding a modern gcc version to the tests.
3540 (The gcc 8 job used to take around 50 minutes. The new image with gcc 13
3541 finished in 32, 35, 34 minutes in the 3 test runs so far.)
3543 It also adds a modern CMake version and OS env to our mingw-w64 builds.
3547 David Benjamin (6 Oct 2023)
3549 - openssl: use X509_ALGOR_get0 instead of reaching into X509_ALGOR
3551 While the struct is still public in OpenSSL, there is a (somewhat
3552 inconvenient) accessor. Use it to remain compatible if it becomes opaque
3557 Daniel Stenberg (6 Oct 2023)
3559 - curl_easy_pause.3: mention it works within callbacks
3561 Reported-by: Maxim Dzhura
3562 Bug: https://curl.se/mail/lib-2023-10/0010.html
3565 - curl_easy_pause.3: mention h2/h3 buffering
3567 Asked-by: Maxim Dzhura
3568 Ref: https://curl.se/mail/lib-2023-10/0011.html
3572 Viktor Szakats (6 Oct 2023)
3574 - cmake: re-add missed C89 headers for specific detections
3576 We removed C89 `setjmp.h` and `signal.h` detections and excluded them
3577 from the global header list we use when detecting functions [1]. Then
3578 missed to re-add these headers to the specific functions which need
3579 them to be detected [2]. Fix this omission in this patch.
3581 [1] Follow-up to 3795fcde995d96db641ddbcc8a04f9f0f03bef9f #11951
3582 [2] Follow-up to 96c29900bcec32dd6bc8e9857c8871ff4b8b8ed9 #11940
3586 Daniel Stenberg (6 Oct 2023)
3588 - multi: set CURLM_CALL_MULTI_PERFORM after switch to DOING_MORE
3590 Since there is nothing to wait for there. Avoids the test 1233 hang
3593 Reported-by: Dan Fandrich
3596 Dan Fandrich (5 Oct 2023)
3598 - test1903: actually verify the cookies after the test
3600 The test otherwise could do just about anything (except leak memory in
3601 debug mode) and its bad behaviour wouldn't be detected. Now, check the
3602 resulting cookie file to ensure the cookies are still there.
3606 - test: add missing <feature>s
3608 The tests will otherwise fail if curl has them disabled.
3610 - test1906: set a lower timeout since it's hit on Windows
3612 msys2 builds actually hit the connect timeout in normal operation, so
3613 lower the timeout from 5 minutes to 5 seconds to reduce test time.
3618 Daniel Stenberg (5 Oct 2023)
3620 - RELEASE-NOTES: synced
3622 Jay Satiro (5 Oct 2023)
3624 - idn: fix WinIDN null ptr deref on bad host
3626 - Return CURLE_URL_MALFORMAT if IDN hostname cannot be converted from
3629 Prior to this change a failed conversion erroneously returned CURLE_OK
3630 which meant 'decoded' pointer (what would normally point to the
3631 punycode) would not be written to, remain NULL and be dereferenced
3632 causing an access violation.
3634 Closes https://github.com/curl/curl/pull/11983
3636 Dan Fandrich (4 Oct 2023)
3638 - tests: close the shell used to start sshd
3640 This shell isn't needed once sshd starts, so use "exec" so it doesn't
3645 Daniel Stenberg (4 Oct 2023)
3647 - base64: also build for curl
3649 Since the tool itself now uses the base64 code using the curlx way, it
3650 needs to build also when the tool needs it. Starting now, the tool build
3651 defines BULDING_CURL to allow lib-side code to use it.
3653 Follow-up to 2e160c9c6525
3657 Eduard Strehlau (4 Oct 2023)
3659 - tests: Fix zombie processes left behind by FTP tests.
3661 ftpserver.pl correctly cleans up spawned server processes,
3662 but forgets to wait for the shell used to spawn them.
3663 This is barely noticeable during a normal testrun,
3664 but causes process exhaustion and test failure
3665 during a complete torture run of the FTP tests.
3670 Dan Fandrich (4 Oct 2023)
3672 - github/labeler: improve labeler matches
3674 - test574: add a timeout to the test
3676 This one hangs occasionally, so this will speed up a test run and allow
3677 logs to be seen when it does.
3681 - tests: propagate errors in libtests
3683 Use the test macros to automatically propagate some errors, and check
3684 and log others while running the tests. This can help in debugging
3685 exactly why a test has failed.
3687 - tests: set --expect100-timeout to improve test reliability
3689 On an overloaded server, the default 1 second timeout can go by without
3690 the test server having a chance to respond with the expected headers,
3691 causing tests to fail. Increase the 1 second timeout to 99 seconds so
3692 this failure mode is no longer a problem on test 1129. Some other tests
3693 already set a high value, but make them consistently 99 seconds so if
3694 something goes wrong the test is stalled for less time.
3698 - CI: ignore the "flaky" and "timing-dependent" test results in CMake
3700 This was already done for automake builds but CMake builds were missed.
3701 Test 1086 actually causes the test harness to crash with:
3703 Warning: unable to close filehandle DWRITE properly: Broken pipe at C:/projec
3704 ts/curl/tests/ftpserver.pl line 527
3706 Rather than fix it now, this change leaves test 1086 entirely skipped on
3707 those builds that show this problem.
3709 Follow-up to 589dca761
3713 Viktor Szakats (4 Oct 2023)
3715 - cmake: improve OpenLDAP builds
3717 - cmake: detect OpenLDAP based on function `ldap_init_fd`.
3718 autotools does this. autotools also publishes this detection result
3719 in `HAVE_LDAP_INIT_FD`. We don't mimic that with CMake as the source
3720 doesn't use this value. (it might need to be remove-listed in
3721 `scripts/cmp-config.pl` for future OpenLDAP test builds.)
3722 This also deletes existing self-declaration method via the
3723 CMake-specific `CURL_USE_OPENLDAP` configuration.
3725 - cmake: define `LDAP_DEPRECATED=1` for OpenLDAP.
3726 Like autotools does. This fixes a long list of these warnings:
3728 /usr/local/opt/openldap/include/ldap.h:1049:5: warning: 'LDAP_DEPRECATED' i
3729 s not defined, evaluates to 0 [-Wundef]
3732 - cmake: delete LDAP TODO comment no longer relevant.
3736 - autotools: replace domain name `dummy` with `0.0.0.0` in LDAP feature
3737 detection functions.
3739 Ref: #11964 (effort to sync cmake detections with autotools)
3743 - cmake: fix unity builds for more build combinations
3745 By using unique static function/variable names in source files
3746 implementing these interfaces.
3748 - OpenLDAP combined with any SSH backend.
3750 - MultiSSL with mbedTLS, OpenSSL, wolfSSL, SecureTransport.
3754 Daniel Stenberg (4 Oct 2023)
3756 - tests: remove leading spaces from some tags
3758 The threee tags `<name>`, `</name>` and `<command>` were frequently used
3759 with a leading space that this removes. The reason this habbit is so
3760 widespread in testcases is probably that they have been copy and pasted.
3762 Hence, fixing them all now might curb this practice from now on.
3766 Viktor Szakats (4 Oct 2023)
3768 - GHA: bump actions/checkout
3770 Follow-up to 2e0fa50fc16b9339f51e0a7bfff0352829323acb #11964
3771 Follow-up to c39585d9b7ef3cbfc1380812dec60e7b275b6af3 #12000
3775 - spelling: fix codespell 2.2.6 typos
3779 Daniel Stenberg (3 Oct 2023)
3781 - GHA: add workflow to compare configure vs cmake outputs
3783 Uses scripts/cmp-config.pl two compare two curl_config.h files,
3784 presumbly generated with configure and cmake. It displays the
3785 differences and filters out a lot of known lines we ignore.
3787 The script also shows the matches that were *not* used. Possibly
3788 subjects for removal.
3792 - appveyor: enable test 571
3794 Follow-up from 8a940fd55c175f7 / #12013
3798 Viktor Szakats (3 Oct 2023)
3800 - build: alpha-sort source files for lib and src
3804 - cmake: delete old `HAVE_LDAP_URL_PARSE` logic
3806 Left there by accident after adding proper detection for this.
3808 Follow-up to 772f0d8edf1c3c2745543f42388ccec5a16ee2c0 #12006
3810 Ref: #11964 (effort to sync cmake detections with autotools)
3814 Stefan Eissing (3 Oct 2023)
3816 - tests: increase lib571 timeout from 3s to 30s
3818 - 3s is too short for our CI, making this test fail occasionally
3819 - test usually experiences no delay run locally, so 30s wont hurt
3823 Viktor Szakats (3 Oct 2023)
3825 - cmake: fix unity with Windows Unicode + TrackMemory
3827 Found the root cause of the startup crash in unity builds with Unicode
3828 and TrackMemory enabled at the same time.
3830 We must make sure that the `memdebug.h` header doesn't apply to
3831 `lib/curl_multibyte.c` (as even noted in a comment there.) In unity
3832 builds all headers apply to all sources, including `curl_multibyte.c`.
3833 This probably resulted in an infinite loop on startup.
3835 Exclude this source from unity compilation with TrackMemory enabled,
3836 in both libcurl and curl tool. Enable unity mode for a debug Unicode
3837 CI job to keep it tested. Also delete the earlier workaround that
3838 fully disabled unity for affected builds.
3840 Follow-up to d82b080f6374433ce7c98241329189ad2d3976f8 #12005
3841 Follow-up to 3f8fc25720900b14b7432f4bd93407ca15311719 #11095
3845 - cmake: disable unity mode with Windows Unicode + TrackMemory
3847 "TrackMemory" is `ENABLE_DEBUG=ON` (aka `ENABLE_CURLDEBUG=ON`,
3850 There is an issue with memory tracking and Unicode when built in "unity"
3851 mode, which results in the curl tool crashing right on startup, even
3852 without any command-line option. Interestingly this doesn't happen under
3853 WINE (at least on the system I tested this on), but consistenly happens
3854 on real Windows machines. Crash is 0xC0000374 heap corruption. Both
3855 shared and static curl executables are affected.
3857 This limitation probably won't hit too many people, but it remains
3858 a TODO to find and fix the root cause and drop this workaround.
3860 Example builds and runs:
3861 https://ci.appveyor.com/project/curlorg/curl/builds/48169111/job/17cptxhtpubd
3863 https://ci.appveyor.com/project/curlorg/curl/builds/48169111/job/76e1ge758tby
3866 Follow-up to 3f8fc25720900b14b7432f4bd93407ca15311719 #11095
3871 - cmake: tidy-up `NOT_NEED_LBER_H` detection
3873 Follow-up to 772f0d8edf1c3c2745543f42388ccec5a16ee2c0 #12006
3875 - appveyor: rewrite batch in PowerShell + CI improvements
3877 1. Rewrite in PowerShell:
3879 - rewrite MS-DOS batch build script in PowerShell.
3880 - move some bash operations into native PowerShell.
3881 - fixups for PowerShell insisting on failure when a command outputs
3882 something to stderr.
3883 - fix to actually run `curl -V` after every build.
3884 (and exclude ARM64 builds.)
3885 - also say why we skipped `curl -V` if we had to skip.
3886 - fix CMake warnings about unused configuration variables, by adapting
3887 these dynamically for build cases.
3888 - dedupe OpenSSL path into a variable.
3889 - disable `test1451` failing with a warning anyway due to missing python
3890 impacket. (after trying and failing to install impacket)
3891 PowerShell promotes these warnings to errors by PowerShell. We can also
3892 suppress they wholesale if they start causing issues in the future,
3893 like we already to with `autoreconf` and `./configure`.
3895 PowerShell is better than MS-DOS batches, so the hope is this makes it
3896 easier to extend and maintain the AppVeyor build logic. POSIX/bash isn't
3897 supported inline by AppVeyor on Windows build machines, but we are okay
3898 to keep it in an external script, so it's also an option.
3902 - enable tests for a "unity" build job.
3903 - speed-up CI initialization by using shallow clones of the curl repo.
3904 - speed-up CMake MSVC jobs with `TrackFileAccess=false`.
3905 - enable parallelism in `VisualStudioSolution` builds.
3906 - display CMake version before builds.
3907 - always show the CPU in job names.
3908 - tell which jobs are build-only in job names.
3909 - move `TESTING:` value next to `DISABLED_TESTS:` in two jobs.
3910 - add `config.log` (autotools) to dumped logs (need to enable manually).
3914 - use single-quotes in YAML like we do in other CI YAML files.
3915 It also allows to drop quoting characters and lighter to write/read.
3916 (keep double quotes for PowerShell strings needing expansion.)
3920 - cmake: fix `HAVE_LDAP_SSL`, `HAVE_LDAP_URL_PARSE` on non-Windows
3922 - set `HAVE_LDAP_URL_PARSE` if `ldap_url_parse` function exists.
3923 Before this patch we set it based it on the presence of `stricmp`,
3924 which correctly enabled it on e.g. Windows, but was inaccurate for
3927 - always set `HAVE_LDAP_SSL` if an LDAP backend is detected and
3928 LDAPS is not explicitly disabled. This mimics autotools behaviour.
3929 Previously we set it only for Windows LDAP. After this fix, LDAPS is
3930 correctly enabled in default macOS builds.
3932 - enable LDAP[S] for a CMake macOS CI job. Target OS X 10.9 (Mavericks)
3933 to avoid deprecation warnings for LDAP API.
3935 - always detect `HAVE_LDAP_SSL_H`, even with LDAPS explicitly disabled.
3936 This doesn't make much sense, but let's do it to sync behaviour with
3939 - fix benign typo in variable name.
3941 Ref: #11964 (effort to sync cmake detections with autotools)
3945 - autotools: restore `HAVE_IOCTL_*` detections
3947 This restores `CURL_CHECK_FUNC_IOCTL` detection. I deleted it in
3948 4d73854462f30948acab12984b611e9e33ee41e6 and
3949 c3456652a0c72d1845d08df9769667db7e159949 (2022-08), because the
3950 `HAVE_IOCTL` result it generated was unused in the source. But,
3951 I did miss the fact that this had two dependent checks:
3952 `CURL_CHECK_FUNC_IOCTL_FIONBIO`,
3953 `CURL_CHECK_FUNC_IOCTL_SIOCGIFADDR` that we do actually need:
3954 `HAVE_IOCTL_FIONBIO`, `HAVE_IOCTL_SIOCGIFADDR`.
3956 Regression from 4d73854462f30948acab12984b611e9e33ee41e6
3958 Ref: #11964 (effort to sync cmake detections with autotools)
3962 Daniel Stenberg (2 Oct 2023)
3964 - RELEASE-PROCEDURE.md: updated coming release dates
3966 - RELEASE-NOTES: synced
3968 Viktor Szakats (1 Oct 2023)
3970 - cmake: pre-cache `HAVE_POLL_FINE` on Windows
3972 Windows doesn't support `poll()`, so we can safely skip checking for
3977 - gha: bump actions to latest versions
3979 - actions@checkout@v4 (from v3 and v2)
3981 - fsfe/reuse-action@v2 (from v1)
3985 Stefan Eissing (30 Sep 2023)
3987 - h2: testcase and fix for pausing h2 streams
3989 - refs #11982 where it was noted that paused transfers may
3990 close successfully without delivering the complete data
3991 - made sample poc into tests/http/client/h2-pausing.c and
3992 added test_02_27 to reproduce
3996 Reported-by: Harry Sintonen
3998 Viktor Szakats (30 Sep 2023)
4000 - cmake: validate `CURL_DEFAULT_SSL_BACKEND` config value
4002 Before this patch CMake builds accepted any value and it was used at
4003 runtime as-is. This patch make sure that the selected default backend
4004 is also enabled in the build. It also enforces a full lowercase value.
4006 This improves reproducibility and brings CMake in sync with autotools
4007 which already worked like described above.
4009 Follow-up to 26c7feb8b9d51a57fab3325571b4bbfa03b11af0 #11774
4013 - autotools: adjust `CURL_CA_PATH` value to CMake
4015 autotools was using the same value as CMake, but with an ending
4016 slash. Delete the ending slash to match configurations.
4018 Ref: #11964 (effort to sync cmake detections with autotools)
4022 - cmake: detect `sys/wait.h` and `netinet/udp.h`
4024 Ref: #11964 (effort to sync cmake detections with autotools)
4028 Daniel Stenberg (30 Sep 2023)
4030 - lib: provide and use Curl_hexencode
4032 Generates a lower case ASCII hex output from a binary input.
4036 - configure: check for the capath by default
4038 ... if the chosen TLS backend supports it: OpenSSL, GnuTLS, mbedTLS or wolfSS
4043 Assisted-by: Viktor Szakats
4046 - wolfssl: ignore errors in CA path
4048 The default wolfSSL_CTX_load_verify_locations() function is quite picky
4049 with the certificates it loads and will for example return error if just
4050 one of the certs has expired.
4052 With the *_ex() function and its WOLFSSL_LOAD_FLAG_IGNORE_ERR flag, it
4053 behaves more similar to what OpenSSL does by default.
4055 Even the set of default certs on my Debian unstable has several expired
4058 Assisted-by: Juliusz Sosinowicz
4059 Assisted-by: Michael Osipov
4063 - create-dirs.d: clarify it also uses --output-dirs
4065 Reported-by: Robert Simpson
4069 Viktor Szakats (30 Sep 2023)
4071 - appveyor: fix yamlint issues, indent
4074 - use double quotes in all batch if statements.
4078 - cmake: detect `HAVE_CLOCK_GETTIME_MONOTONIC_RAW`
4080 Based on existing autotools logic.
4082 Ref: #11964 (effort to sync cmake detections with autotools)
4086 - cmake: detect `HAVE_GETADDRINFO_THREADSAFE`
4088 Based on existing autotools logic.
4090 autotools checks for old versions of the allowlisted target OSes and
4091 disables this feature when seeing them. In CMake we assume we're running
4092 on newer systems and enable regardless of OS version.
4094 autotools always runs all 3 probes for non-fast-tracked systems and
4095 enables this feature if any one of them was successful. To save
4096 configuration time, CMake stops at the first successful check.
4098 OpenBSD is not fast-tracked and then gets blocklisted as a generic BSD
4099 system. I haven't double-checked if this is correct, but looks odd.
4101 Ref: #11964 (effort to sync cmake detections with autotools)
4105 - cmake: fix `HAVE_WRITABLE_ARGV` detection
4107 Move detection before the creation of detection results in
4110 Ref: #11964 (effort to sync cmake detections with autotools)
4114 - appveyor: minor improvements
4116 - run `curl -V` after builds to see if they run and with what features.
4117 Except for one job where a CRT DLL is missing. And ARM64 which should
4118 fail, but is silently not launched instead.
4120 - copy libcurl DLL next to curl tool and tests binaries in shared mode.
4121 This makes it possible to run the tests. (We don't run tests after
4124 - list the DLLs and EXEs present after the builds.
4126 - add `DEBUG` variable for CMake builds to allow disabling it, for
4127 testing non-debug builds. (currently enabled for all)
4129 - add commented lines that dump CMake configuration logs for debugging
4130 build/auto-detection issues.
4132 - add gcc version to jobs where missing.
4134 - switch a job to the native MSYS2 mingw-w64 toolchain. This adds gcc 9
4137 - make `SHARED=OFF` and `OPENSSL=OFF` defaults global.
4139 - delete a duplicate backslash.
4143 - configure: replace adhoc domain with `localhost` in tests
4145 Reviewed-by: Daniel Stenberg
4148 - tidy-up: use more example domains
4150 Also make use of the example TLD:
4151 https://en.wikipedia.org/wiki/.example
4153 Reviewed-by: Daniel Stenberg
4156 Dan Fandrich (29 Sep 2023)
4158 - runtests: display the test status if tests appear hung
4160 It sometimes happens that a test hangs during a test run and never
4161 returns. The test harness will wait indefinitely for the results and on
4162 CI servers the CI job will eventually be killed after an hour or two.
4163 At the end of a test run, if results haven't come in within a couple of
4164 minutes, display the status of all test runners and what tests they're
4165 running to help in debugging the problem.
4167 This feature is really only kick in with parallel testing enabled, which
4168 is fine because without parallel testing it's usually easy to tell what
4173 - github/labeler: remove workaround for labeler
4175 This was added due to what seemed to be a bug regarding the sync-labels:
4176 config option, but it looks like it wasn't necessary.
4178 Follow-up to b2b0534e7
4180 Viktor Szakats (29 Sep 2023)
4182 - docs: upgrade an URL to HTTPS in `BINDINGS.md` [ci skip]
4184 Daniel Stenberg (29 Sep 2023)
4186 - docs: replace made up domains with example.com
4188 in FAQ and MANUAL.md
4190 - example.com was made for this purpose.
4192 - reduces the risk that one of those domains suddenly start hosting
4193 something nasty and we provide links to them
4197 Michael Osipov (29 Sep 2023)
4199 - acinclude.m4: Document proper system truststore on FreeBSD
4201 The default system truststore on FreeBSD has been /etc/ssl/certs for many
4202 years now. It is managed canonically through certctl(8) and contains hashed
4203 symlinks for OpenSSL and other TLS providers.
4204 The previous ones require security/ca_root_nss which might not be installed o
4206 will not contain any custom CA certificates.
4210 Daniel Stenberg (29 Sep 2023)
4212 - FAQ: How do I upgrade curl.exe in Windows?
4214 This is a growing question, better answer it here to get somewhere to
4219 Viktor Szakats (28 Sep 2023)
4221 - cmake: pre-cache `HAVE_BASENAME` for mingw-w64 and MSVC
4223 `basename` is present in mingw-w64, missing from MSVC. Pre-cache
4224 accordingly to make configure faster.
4226 Notice that `basename` has a bug so we later disable it even with
4228 https://github.com/curl/curl/blob/781242ffa44a9f9b95b6da5ac5a1bf6372ec6257/li
4229 b/curl_setup.h#L820-L825
4233 Daniel Stenberg (28 Sep 2023)
4235 - cmake: add missing checks
4237 - check for arc4random. To make rand.c use it accordingly.
4239 - fix fseek detection
4240 - add SIZEOF_CURL_SOCKET_T
4241 - fix USE_UNIX_SOCKETS
4242 - define HAVE_SNPRINTF to 1
4244 - check for sched_yield
4245 - remove HAVE_GETPPID duplicate from curl_config.h
4250 Co-authored-by: Viktor Szakats
4253 - configure: remove unused checks
4263 - lib: remove TIME_WITH_SYS_TIME
4265 It is not used in any code anywhere.
4270 - docs: update curl man page references
4272 Detected by the manpage-syntax update
4276 - manpage-syntax: verify curl man page references
4278 1. References to curl symbols are now checked that they indeed exist as
4279 man pages. This for \f references as well as the names referenced in the
4282 Allowlist curl.1 since it is not always built in builds
4284 2. References to curl symbols that lack section now causes warning, since tha
4286 will prevent them from getting linked properly
4288 3. Check for "bare" references to curl functions and warn, they should be
4293 - cmake: add check for suseconds_t
4295 And fix the HAVE_LONGLONG define
4300 Viktor Szakats (28 Sep 2023)
4302 - tidy-up: whitespace fixes
4306 - cmake: detect TLS-SRP in OpenSSL/wolfSSL/GnuTLS
4308 With new option `CURL_DISABLE_SRP=ON` to force-disable it.
4309 To match existing option and detection logic in autotools.
4312 - fix detecting GnuTLS.
4313 We assume `nettle` as a GnuTLS dependency.
4314 - add CMake GnuTLS CI job.
4315 - bump AppVeyor CMake OpenSSL MSVC job to OpenSSL 1.1.1 (from 1.0.2)
4316 TLS-SRP fails to detect with 1.0.2 due to an OpenSSL header bug.
4317 - fix compiler warning when building with GnuTLS and disabled TLS-SRP.
4318 - fix comment typos, whitespace.
4324 - tool: use our own stderr variable
4326 Earlier this year we changed our own stderr variable to use the standard
4327 name `stderr` (to avoid bugs where someone is using `stderr` instead of
4328 the curl-tool specific variable). This solution needed to override the
4329 standard `stderr` symbol via the preprocessor. This in turn didn't play
4330 well with unity builds and caused curl tool to crash or stay silent due
4331 to an uninitialized stderr. This was a hard to find issue, fixed by
4332 manually breaking out one file from the unity sources.
4334 To avoid two these two tricks, this patch implements a different
4335 solution: Restore using our own local variable for our stderr output and
4336 leave `stderr` as-is. To avoid using `stderr` by mistake, add a
4337 `checksrc` rule (based on logic we already used in lib for `strerror`)
4338 that detects any `stderr` use in `src` and points to using our own
4339 variable instead: `tool_stderr`.
4341 Follow-up to 06133d3e9b8aeb9e9ca0b3370c246bdfbfc8619e
4342 Follow-up to 2f17a9b654121dd1ecf4fc043c6d08a9da3522db
4346 Loïc Yhuel (28 Sep 2023)
4348 - connect: only start the happy eyeballs timer when needed
4350 The timeout is only used when there is a second address family, for the
4355 Daniel Stenberg (28 Sep 2023)
4357 - tool_operate: free 'gateway' correctly
4359 Pointed out by Coverity. The fix in 93885cf3a8d4e was incomplete.
4361 Also removed repeated wording in IPFS related error messages.
4365 Stefan Eissing (28 Sep 2023)
4367 - lib: move handling of `data->req.writer_stack` into Curl_client_write()
4369 - move definitions from content_encoding.h to sendf.h
4370 - move create/cleanup/add code into sendf.c
4371 - installed content_encoding writers will always be called
4372 on Curl_client_write(CLIENTWRITE_BODY)
4373 - Curl_client_cleanup() frees writers and tempbuffers from
4374 paused transfers, irregardless of protocol
4378 Loïc Yhuel (28 Sep 2023)
4380 - multi: round the timeout up to prevent early wakeups
4382 Curl_timediff rounds down to the millisecond, so curl_multi_perform can
4383 be called too early, then we get a timeout of 0 and call it again.
4385 The code already handled the case of timeouts which expired less than
4386 1ms in the future. By rounding up, we make sure we will never ask the
4387 platform to wake up too early.
4391 Daniel Stenberg (28 Sep 2023)
4393 - RELEASE-NOTES: spell out that IPFS is via gateway
4395 - RELEASE-NOTES: synced
4397 - tool_operate: avoid strlen() -1 on zero length content from file
4399 Follow-up to 65b563a96a226649ba12cb1e
4403 - tool_operate: fix memory mixups
4405 Switch to plain getenv() from curl_getenv() to avoid the allocation and
4406 having to keep track of which free() or curl_free() that need to be
4409 Coverity found issues and a memory leak.
4411 Follow-up to 65b563a96a226649ba12cb1e
4415 Viktor Szakats (27 Sep 2023)
4417 - curl-functions.m4: fixup recent bad edits
4419 Follow-up to 96c29900bcec32dd6bc8e9857c8871ff4b8b8ed9 #11940
4423 Daniel Stenberg (27 Sep 2023)
4425 - curl-functions.m4: fix include line
4427 This made the getaddrinfo detection fail, but we did not spot it in the
4428 CI because it graciously falled back to using legacy functions instead!
4430 Follow-up to 96c29900bcec (#11940)
4434 - inet_ntop: add typecast to silence Coverity
4436 CID 1024653: Integer handling issues (SIGN_EXTENSION)
4438 Suspicious implicit sign extension: "src[i]" with type "unsigned char
4439 const" (8 bits, unsigned) is promoted in "src[i] << (1 - i % 2 << 3)" to
4440 type "int" (32 bits, signed), then sign-extended to type "unsigned long"
4441 (64 bits, unsigned). If "src[i] << (1 - i % 2 << 3)" is greater than
4442 0x7FFFFFFF, the upper bits of the result will all be 1.
4444 111 words[i/2] |= (src[i] << ((1 - (i % 2)) << 3));
4446 The value will not be greater than 0x7FFFFFFF so this still cannot
4449 Also, switch to ints here instead of longs. The values stored are 16 bit
4450 so at least no need to use 64 bit variables. Also, longs are 32 bit on
4451 some platforms so this logic still needs to work with 32 bits.
4455 - docs: adapt SEE ALSO sections to new requirements
4457 To please manpage-syntax.pl used by test 1173
4461 - manpage-syntax.pl: verify SEE ALSO syntax
4463 - Enforce a single reference per .BR line
4464 - Skip the quotes around the section number for example (3)
4465 - Insist on trailing commas on all lines except the last
4466 - Error on comma on the last SEE ALSO entry
4468 - List the entries alpha-sorted, not enforced just recommended
4472 - connect: expire the timeout when trying next
4474 ... so that it gets called again immediately and can continue trying
4475 addresses to connect to. Otherwise it might unnecessarily wait for a
4479 Reported-by: Loïc Yhuel
4482 - http: remove wrong comment for http_should_fail
4484 Reported-by: Christian Schmitz
4488 Dan Fandrich (26 Sep 2023)
4490 - tool_setopt: remove unused function tool_setopt_flags
4492 This function is identical to tool_setopt_bitmask except that it treats
4493 the argument as unsigned.
4497 Viktor Szakats (26 Sep 2023)
4499 - cmake: add feature checks for `memrchr` and `getifaddrs`
4501 - `HAVE_MEMRCHR` for `memrchr`.
4502 - `HAVE_GETIFADDRS` for `getifaddrs`.
4503 This was present in `lib/curl_config.h.cmake` but missed the detection
4506 To match existing autotools feature checks.
4510 - cmake: move global headers to specific checks
4512 Before this patch we added standard headers unconditionally to the
4513 global list of headers used for feature checks. This is unnecessary
4514 and also doesn't help CMake 'Generate' performance. This patch moves
4515 these headers to each feature check where they are actually needed.
4516 Stop using `stddef.h`, as it seems unnecessary.
4518 I've used autotools' `m4/curl-functions.m4` to figure out these
4521 Also delete checking for the C89 standard header `time.h`, that I
4522 missed in the earlier commit.
4524 Ref: 96c29900bcec32dd6bc8e9857c8871ff4b8b8ed9 #11940
4528 - src/mkhelp: make generated code pass `checksrc`
4532 - tests: show which curl tool `runtests.pl` is using
4534 To help debugging when there is issue finding or running it.
4538 - CI/azure: make `MAKEFLAGS` global to parallelize all jobs
4540 https://dev.azure.com/daniel0244/curl/_build/results?buildId=17528 (before)
4541 https://dev.azure.com/daniel0244/curl/_build/results?buildId=17545 (after, wi
4546 - CI/azure: migrate old mingw MSYS1 jobs to MSYS2
4548 Also delete an accidental variable reference.
4550 Follow-up to 38029101e2d78ba125732b3bab6ec267b80a0e72
4554 Daniel Stenberg (26 Sep 2023)
4556 - docs: add see also curl_multi_get_handles to some man pages
4558 Assisted-by: Jay Satiro
4562 Viktor Szakats (26 Sep 2023)
4564 - cmake: assume `_fseeki64` and no `fseeko` on Windows
4566 `_fseeki64` is present in mingw-w64 1.0 (2011-09-26) headers, and
4567 at least Watcom C 1.9 (2010) headers and MSVS 2008 [1].
4569 `fseeko` is not present in any of these.
4571 (mingw-w64 1.0 also offers `fseeko64`.)
4573 [1] https://github.com/curl/curl/pull/11944#issuecomment-1734995004
4575 Follow-up to 9c7165e96a3a9a2d0b7059c87c699b5ca8cdae93 #11918
4579 - build: delete checks for C89 standard headers
4581 Delete checks and guards for standard C89 headers and assume these are
4582 available: `stdio.h`, `string.h`, `time.h`, `setjmp.h`, `stdlib.h`,
4583 `stddef.h`, `signal.h`.
4585 Some of these we already used unconditionally, some others we only used
4588 Follow-up to 9c7165e96a3a9a2d0b7059c87c699b5ca8cdae93 #11918 (for `stdio.h` i
4593 Stefan Eissing (26 Sep 2023)
4595 - multiif.h: remove Curl_multi_dump declaration
4597 Follow-up to d850eea2 which removed the Curl_multi_dump definition.
4599 Closes https://github.com/curl/curl/pull/11946
4601 Jay Satiro (26 Sep 2023)
4603 - config-win32: define HAVE__FSEEKI64
4605 Follow-up to 9c7165e9 which added an fseeko wrapper to the lib that
4606 calls _fseeki64 if it is available.
4608 Closes https://github.com/curl/curl/pull/11944
4610 - docs: explain how PINNEDPUBLICKEY is independent of VERIFYPEER
4612 - Explain that peer verification via CURLOPT_PINNEDPUBLICKEY takes place
4613 even if peer verification via CURLOPT_SSL_VERIFYPEER is turned off.
4615 The behavior is verified by test2048.
4617 Bug: https://github.com/curl/curl/issues/2935#issuecomment-418371872
4618 Reported-by: claudiusaiz@users.noreply.github.com
4620 Bug: https://github.com/curl/curl/discussions/11910
4621 Reported-by: Hakan Sunay Halil
4623 Closes https://github.com/curl/curl/pull/11930
4625 Stefan Eissing (26 Sep 2023)
4627 - openssl: improve ssl shutdown handling
4629 - If SSL shutdown is not finished then make an additional call to
4630 SSL_read to gather additional tracing.
4632 - Fix http2 and h2-proxy filters to forward do_close() calls to the next
4635 For example h2 and SSL shutdown before and after this change:
4639 Curl_conn_close -> cf_hc_close -> Curl_conn_cf_discard_chain ->
4644 Curl_conn_close -> cf_hc_close -> cf_h2_close -> cf_setup_close ->
4647 Note that currently the tracing does not show output on the connection
4648 closure handle. Refer to discussion in #11878.
4650 Ref: https://github.com/curl/curl/discussions/11878
4652 Closes https://github.com/curl/curl/pull/11858
4654 Loïc Yhuel (26 Sep 2023)
4656 - multi: fix small timeouts
4658 Since Curl_timediff rounds down to the millisecond, timeouts which
4659 expire in less than 1ms are considered as outdated and removed from the
4660 list. We can use Curl_timediff_us instead, big timeouts could saturate
4661 but this is not an issue.
4665 Viktor Szakats (25 Sep 2023)
4667 - cmake: fix stderr initialization in unity builds
4669 Before this patch, in certain build configurations the curl tool may
4670 not have displayed anything (debug, macOS), or crashed at startup
4673 Follow-up to 3f8fc25720900b14b7432f4bd93407ca15311719
4674 Necessary after 2f17a9b654121dd1ecf4fc043c6d08a9da3522db
4678 - cmake: fix missing `zlib.h` when compiling `libcurltool`
4680 Came up while testing debug/testing build for Windows. I'm not sure why
4681 it didn't come up in earlier tests with similar config.
4682 `tool_hugehelp.c` might indeed require `zlib.h` and without linking
4683 `CURL_LIBS` to the `curltool` target, CMake doesn't seem to add detected
4684 dependency headers to the compiler command.
4687 [ 25%] Building C object src/CMakeFiles/curltool.dir/tool_hugehelp.c.obj
4688 cd .../curl/bld-cmake-llvm-x64/src && /usr/local/opt/llvm/bin/clang
4689 --target=x86_64-w64-mingw32 --sysroot=/usr/local/opt/mingw-w64/toolchain-x8
4691 -DCURLDEBUG -DCURL_STATICLIB -DHAVE_CONFIG_H -DUNICODE -DUNITTESTS -D_UNICO
4693 -I.../curl/include -I.../curl/lib -I.../curl/bld-cmake-llvm-x64/lib
4694 -I.../curl/bld-cmake-llvm-x64/include -I.../curl/src -Wno-unused-command-li
4696 -D_UCRT -DDEBUGBUILD -DHAS_ALPN -DUSE_MANUAL=1 -fuse-ld=lld -Wl,-s -static
4698 -lucrt [...] -O3 -DNDEBUG -municode -MD
4699 -MT src/CMakeFiles/curltool.dir/tool_hugehelp.c.obj
4700 -MF CMakeFiles/curltool.dir/tool_hugehelp.c.obj.d
4701 -o CMakeFiles/curltool.dir/tool_hugehelp.c.obj -c .../curl/bld-cmake-llvm-x
4702 64/src/tool_hugehelp.c
4703 .../curl/bld-cmake-llvm-x64/src/tool_hugehelp.c:6:10: fatal error: 'zlib.h' f
4705 6 | #include <zlib.h>
4709 Follow-up to 39e7c22bb459c2e818f079984989a26a09741860
4713 - cmake: fix duplicate symbols when linking tests
4715 The linker resolves this automatically in non-unity builds. In unity
4716 builds the linker cannot drop a single object with the duplicates,
4717 resulting in these errors. The root issue is that we started including
4718 certain objects both via both libcurlu and libcurltool libs.
4720 Regression from 39e7c22bb459c2e818f079984989a26a09741860
4724 [ 3%] Linking C executable unit1303.exe
4725 [ 3%] Building C object tests/server/CMakeFiles/rtspd.dir/__/__/lib/curl_mul
4727 ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_convert_UTF8_to_wch
4729 C:/projects/curl/lib/curl_multibyte.c:44: multiple definition of `curlx_conve
4731 ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
4732 c:44: first defined here
4733 ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_convert_wchar_to_UT
4735 C:/projects/curl/lib/curl_multibyte.c:66: multiple definition of `curlx_conve
4737 ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
4738 c:66: first defined here
4739 ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_win32_open':
4740 C:/projects/curl/lib/curl_multibyte.c:92: multiple definition of `curlx_win32
4742 ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
4743 c:92: first defined here
4744 ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_win32_fopen':
4745 C:/projects/curl/lib/curl_multibyte.c:120: multiple definition of `curlx_win3
4747 ../../src/libcurltool-d.a(unity_0.c.obj):C:/projects/curl/lib/curl_multibyte.
4748 c:120: first defined here
4749 ../../lib/libcurlu-d.a(unity_0.c.obj): In function `curlx_win32_stat':
4752 Ref: https://ci.appveyor.com/project/curlorg/curl/builds/48110107/job/nvlhpt9
4757 [ 56%] Linking C executable unit1302
4758 duplicate symbol '_curlx_sotouz' in:
4759 ../../lib/libcurlu.a(unity_0_c.c.o)
4760 ../../src/libcurltool.a(unity_0_c.c.o)
4761 duplicate symbol '_curlx_sitouz' in:
4762 ../../lib/libcurlu.a(unity_0_c.c.o)
4763 ../../src/libcurltool.a(unity_0_c.c.o)
4764 duplicate symbol '_curlx_uztosz' in:
4765 ../../lib/libcurlu.a(unity_0_c.c.o)
4766 ../../src/libcurltool.a(unity_0_c.c.o)
4771 -DCMAKE_UNITY_BUILD=ON \
4772 -DENABLE_DEBUG=ON -DBUILD_TESTING=ON -DCMAKE_C_FLAGS=-DDEBUGBUILD \
4773 -DBUILD_SHARED_LIBS=ON \
4774 -DBUILD_STATIC_LIBS=OFF
4779 - cmake: lib `CURL_STATICLIB` fixes (Windows)
4781 - always define `CURL_STATICLIB` when building libcurl for Windows.
4783 This disables `__declspec(dllexport)` for exported libcurl symbols.
4784 In normal mode (hide symbols) these exported symbols are specified
4785 via `libcurl.def`. When not hiding symbols, all symbols are exported
4788 Regression from 1199308dbc902c52be67fc805c72dd2582520d30
4792 - fix to omit `libcurl.def` when not hiding private symbols.
4794 Regression from 2ebc74c36a19a1700af394c16855ce144d9878e3
4796 - fix `ENABLED_DEBUG=ON` + shared curl tool Windows builds by also
4797 omitting `libcurl.def` in this case, and exporting all symbols
4798 instead. This ensures that a shared curl tool can access all debug
4799 functions which are not normally exported from libcurl DLL.
4801 - delete `INTERFACE_COMPILE_DEFINITIONS "CURL_STATICLIB"` for "objects"
4804 Follow-up to 2ebc74c36a19a1700af394c16855ce144d9878e3
4806 - delete duplicate `BUILDING_LIBCURL` definitions.
4808 - fix `HIDES_CURL_PRIVATE_SYMBOLS` to not overwrite earlier build settings.
4810 Follow-up to 1199308dbc902c52be67fc805c72dd2582520d30
4814 Daniel Stenberg (25 Sep 2023)
4816 - RELEASE-NOTES: synced
4818 Dan Fandrich (25 Sep 2023)
4820 - tests: fix log directory path in IPFS tests
4822 Hard-coding the log directory name fails with parallel tests.
4824 Follow-up to 65b563a96
4828 Daniel Stenberg (25 Sep 2023)
4830 - curl_multi_get_handles: get easy handles from a multi handle
4834 Stefan Eissing (25 Sep 2023)
4836 - http: h1/h2 proxy unification
4838 - use shared code for setting up the CONNECT request
4839 when tunneling, used in HTTP/1.x and HTTP/2 proxying
4840 - eliminate use of Curl_buffer_send() and other manipulations
4841 of `data->req` or `data->state.ulbuf`
4845 Natanael Copa (25 Sep 2023)
4847 - lib: use wrapper for curl_mime_data fseek callback
4849 fseek uses long offset which does not match with curl_off_t. This leads
4850 to undefined behavior when calling the callback and caused failure on
4853 Use a wrapper to solve this and use fseeko which uses off_t instead of
4856 Thanks to the nice people at Libera IRC #musl for helping finding this
4863 - configure: sort AC_CHECK_FUNCS
4865 No functional changes.
4867 Daniel Stenberg (25 Sep 2023)
4869 - warnless: remove unused functions
4871 Previously put there for use with the intel compiler
4875 - GHA/linux: run singleuse to detect single-use global functions
4877 Use --unit for configure --enable-debug builds
4881 - singleuse: add scan for use in other source codes
4883 This should reduce false-positive to almost zero. Checks for presence in
4884 unit tests if --unit is specified, which is intended for debug builds
4885 where unit testing is enabled.
4889 - multi: remove Curl_multi_dump
4891 A debug-only function that is basically never used. Removed to ease the
4892 use of the singleuse script to detect non-static functions not used
4893 outside the file where it is defined.
4897 Viktor Szakats (24 Sep 2023)
4899 - tests: fix compiler warnings
4901 Seen with llvm 17 on Windows x64.
4904 .../curl/tests/server/rtspd.c:136:13: warning: no previous extern declaration
4905 for non-static variable 'logdir' [-Wmissing-variable-declarations]
4906 136 | const char *logdir = "log";
4908 .../curl/tests/server/rtspd.c:136:7: note: declare 'static' if the variable i
4909 s not intended to be used outside of this translation unit
4910 136 | const char *logdir = "log";
4912 .../curl/tests/server/rtspd.c:137:6: warning: no previous extern declaration
4913 for non-static variable 'loglockfile' [-Wmissing-variable-declarations]
4914 137 | char loglockfile[256];
4916 .../curl/tests/server/rtspd.c:137:1: note: declare 'static' if the variable i
4917 s not intended to be used outside of this translation unit
4918 137 | char loglockfile[256];
4920 .../curl/tests/server/fake_ntlm.c:43:13: warning: no previous extern declarat
4921 ion for non-static variable 'logdir' [-Wmissing-variable-declarations]
4922 43 | const char *logdir = "log";
4924 .../curl/tests/server/fake_ntlm.c:43:7: note: declare 'static' if the variabl
4925 e is not intended to be used outside of this translation unit
4926 43 | const char *logdir = "log";
4928 .../curl/src/tool_doswin.c:350:8: warning: possible misuse of comma operator
4932 .../curl/src/tool_doswin.c:350:5: note: cast expression to void to silence wa
4940 .../curl/tests/libtest/lib540.c:146:27: warning: result of comparison 'long'
4941 > 2147483647 is always false [-Wtautological-type-limit-compare]
4942 146 | int itimeout = (L > (long)INT_MAX) ? INT_MAX : (int)L;
4944 1 warning generated.
4946 .../curl/tests/libtest/libntlmconnect.c:195:31: warning: result of comparison
4947 'long' > 2147483647 is always false [-Wtautological-type-limit-compare]
4948 195 | int itimeout = (timeout > (long)INT_MAX) ? INT_MAX : (int)timeo
4950 | ~~~~~~~ ^ ~~~~~~~~~~~~~
4951 1 warning generated.
4953 .../curl/tests/libtest/lib591.c:117:31: warning: result of comparison 'long'
4954 > 2147483647 is always false [-Wtautological-type-limit-compare]
4955 117 | int itimeout = (timeout > (long)INT_MAX) ? INT_MAX : (int)timeo
4957 | ~~~~~~~ ^ ~~~~~~~~~~~~~
4958 1 warning generated.
4959 .../curl/tests/libtest/lib597.c:99:31: warning: result of comparison 'long' >
4960 2147483647 is always false [-Wtautological-type-limit-compare]
4961 99 | int itimeout = (timeout > (long)INT_MAX) ? INT_MAX : (int)timeo
4963 | ~~~~~~~ ^ ~~~~~~~~~~~~~
4964 1 warning generated.
4967 Seen on macOS Intel:
4969 .../curl/tests/server/sws.c:440:64: warning: field precision should have type
4970 'int', but argument has type 'size_t' (aka 'unsigned long') [-Wformat]
4971 msnprintf(logbuf, sizeof(logbuf), "Got request: %s %.*s HTTP/%d.%d"
4974 1 warning generated.
4979 Jay Satiro (24 Sep 2023)
4981 - url: fix netrc info message
4983 - Fix netrc info message to use the generic ".netrc" filename if the
4984 user did not specify a netrc location.
4986 - Update --netrc doc to add that recent versions of curl on Windows
4987 prefer .netrc over _netrc.
4990 * Couldn't find host google.com in the (nil) file; using defaults
4993 * Couldn't find host google.com in the .netrc file; using defaults
4995 Closes https://github.com/curl/curl/pull/11904
4997 Dan Fandrich (23 Sep 2023)
4999 - wolfssh: do cleanup in Curl_ssh_cleanup
5003 Daniel Stenberg (24 Sep 2023)
5005 - tool_listhelp: regenerated
5007 Polished the --ipfs-gateway description
5009 Fixed the --trace-config description
5011 The script also fixed some other small mistakes
5015 Viktor Szakats (23 Sep 2023)
5017 - Makefile.mk: always set `CURL_STATICLIB` for lib (Windows)
5019 Also fix to export all symbols in Windows debug builds, making
5020 `-debug-dyn` builds work with `-DCURL_STATICLIB` set.
5022 Ref: https://github.com/curl/curl/pull/11914 (same for CMake)
5026 Daniel Stenberg (23 Sep 2023)
5028 - quic: set ciphers/curves the same way regular TLS does
5030 for OpenSSL/BoringSSL
5033 Reported-by: Karthikdasari0423 on github
5034 Assisted-by: Jay Satiro
5037 - test457: verify --max-filesize with chunked encoding
5039 - lib: let the max filesize option stop too big transfers too
5041 Previously it would only stop them from getting started if the size is
5042 known to be too big then.
5044 Update the libcurl and curl docs accordingly.
5047 Reported-by: Elliot Killick
5048 Assisted-by: Jay Satiro
5051 Viktor Szakats (23 Sep 2023)
5053 - mingw: delete support for legacy mingw.org toolchain
5055 Drop support for "old" / "legacy" / "classic" / "v1" / "mingw32" MinGW:
5056 https://en.wikipedia.org/wiki/MinGW, https://osdn.net/projects/mingw/
5057 Its homepage used to be http://mingw.org/ [no HTTPS], and broken now.
5058 It supported the x86 CPU only and used a old Windows API header and
5059 implib set, often causing issues. It also misses most modern Windows
5060 features, offering old versions of both binutils and gcc (no llvm/clang
5061 support). It was last updated 2 years ago.
5063 curl now relies on toolchains based on the mingw-w64 project:
5064 https://www.mingw-w64.org/ https://sourceforge.net/projects/mingw-w64/
5065 https://www.msys2.org/ https://github.com/msys2/msys2
5066 https://github.com/mstorsjo/llvm-mingw
5067 (Also available via Linux and macOS package managers.)
5071 Mark Gaiser (23 Sep 2023)
5073 - curl: add support for the IPFS protocols:
5078 This allows you tu use ipfs in curl like:
5083 For more information consult the readme at:
5084 https://curl.se/docs/ipfs.html
5088 Daniel Stenberg (23 Sep 2023)
5090 - bufq: remove Curl_bufq_skip_and_shift (unused)
5094 - scripts/singleuse.pl: add curl_global_trace
5096 Viktor Szakats (22 Sep 2023)
5098 - cmake: fix unity symbol collisions in h2 builds
5100 Regression from 331b89a319d0067fa1e6441719307cfef9c7960f
5102 Reviewed-by: Daniel Stenberg
5103 Reviewed-by: Jay Satiro
5106 Daniel Stenberg (22 Sep 2023)
5108 - RELEASE-NOTES: synced
5110 Dan Fandrich (21 Sep 2023)
5112 - github/labeler: improve the match patterns
5114 This includes new rules for setting the appleOS and logging labels and
5115 matches on some example files. Also, enable dot mode for wildcard
5116 matches in the .github directory.
5118 Daniel Stenberg (21 Sep 2023)
5120 - upload-file.d: describe the file name slash/backslash handling
5124 Jakub Jelen (21 Sep 2023)
5126 - libssh: cap SFTP packet size sent
5128 Due to libssh limitations
5130 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
5134 Daniel Stenberg (21 Sep 2023)
5136 - curl.h: mark CURLSSLBACKEND_NSS as deprecated since 8.3.0
5140 - mailmap: unify Michael Osipov under a single email
5142 Ted Lyngmo (21 Sep 2023)
5144 - docs: use CURLSSLBACKEND_NONE
5146 [ssl] use CURLSSLBACKEND_NONE instead of (curl_sslbackend)-1 in
5147 documentation and examples.
5149 Signed-off-by: Ted Lyngmo <ted@lyncon.se>
5153 Dan Fandrich (21 Sep 2023)
5155 - github/labeler: give the sync-labels config item a default value
5157 This shouldn't be necessary and is likely a bug with this beta version
5160 Also, fix the negative matches for the documentation label.
5162 Follow-up to dd12b452a
5165 - github/labeler: fix up more the labeler config format
5167 The new version didn't like the workaround we had for a bug in the
5168 previous labeler version, and it should no longer be needed.
5170 Follow-up to dd12b452a
5173 - github/labeler: fix indenting to try to appease labeller
5175 Follow-up to dd12b452a
5177 Jay Satiro (21 Sep 2023)
5179 - libssh2: fix error message on failed pubkey-from-file
5181 - If libssh2_userauth_publickey_fromfile_ex returns -1 then show error
5182 message "SSH public key authentication failed: Reason unknown (-1)".
5184 When libssh2_userauth_publickey_fromfile_ex returns -1 it does so as a
5185 generic error and therefore doesn't set an error message. AFAICT that is
5186 not documented behavior.
5188 Prior to this change libcurl retrieved the last set error message which
5189 would be from a previous function failing. That resulted in misleading
5190 auth failed error messages in verbose mode.
5192 Bug: https://github.com/curl/curl/issues/11837#issue-1891827355
5193 Reported-by: consulion@users.noreply.github.com
5195 Closes https://github.com/curl/curl/pull/11881
5197 Stefan Eissing (21 Sep 2023)
5199 - pytest: exclude test_03_goaway in CI runs due to timing dependency
5203 - lib: disambiguate Curl_client_write flag semantics
5205 - use CLIENTWRITE_BODY *only* when data is actually body data
5206 - add CLIENTWRITE_INFO for meta data that is *not* a HEADER
5207 - debug assertions that BODY/INFO/HEADER is not used mixed
5208 - move `data->set.include_header` check into Curl_client_write
5209 so protocol handlers no longer have to care
5210 - add special in FTP for `data->set.include_header` for historic,
5211 backward compatible reasons
5212 - move unpausing of client writes from easy.c to sendf.c, so that
5213 code is in one place and can forward flags correctly
5217 Patrick Monnerat (21 Sep 2023)
5219 - tftpd: always use curl's own tftp.h
5221 Using the system's provided arpa/tftp.h and optimizing, GCC 12 detects
5222 and reports a stringop-overread warning:
5224 tftpd.c: In function ‘write_behind.isra’:
5225 tftpd.c:485:12: warning: ‘write’ reading between 1 and 2147483647 bytes f
5226 rom a region of size 0 [-Wstringop-overread]
5227 485 | return write(test->ofile, writebuf, count);
5228 | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5229 In file included from tftpd.c:71:
5230 /usr/include/arpa/tftp.h:58:30: note: source object ‘tu_data’ of size 0
5231 58 | char tu_data[0]; /* data or error stri
5235 This occurs because writebuf points to this field and the latter
5236 cannot be considered as being of dynamic length because it is not
5237 the last field in the structure. Thus it is bound to its declared
5240 This commit always uses curl's own version of tftp.h where the
5241 target field is last in its structure, effectively avoiding the
5244 As HAVE_ARPA_TFTP_H is not used anymore, cmake/configure checks for
5245 arpa/tftp.h are removed.
5249 Dan Fandrich (20 Sep 2023)
5251 - test1474: make precheck more robust on non-Solaris systems
5253 If uname -r returns something odd, perl could return an error code and
5254 the test would be erroneously skipped. The qx// syntax avoid this.
5256 Followup to 08f9b2148
5258 - github/labeler: switch to the 5 beta version
5260 This version adds an important feature that will allow more PRs to be
5261 labelled. Rather than being limited to labeling PRs with files that
5262 match a single glob, it can now label them if multiple changed files
5263 match any one of a number of globs.
5265 Daniel Stenberg (20 Sep 2023)
5267 - lib: enable hmac for digest as well
5269 Previously a build that disabled NTLM and aws-sigv4 would fail to build
5270 since the hmac was disabled, but it is also needed for digest auth.
5272 Follow-up to e92edfbef64448ef
5275 Reported-by: Aleksander Mazur
5278 - idn: if idn2_check_version returns NULL, return error
5280 ... this avoids a NULL dereference for this unusual case.
5282 Reported-by: s0urc3_ on hackerone
5285 - http: fix CURL_DISABLE_BEARER_AUTH breakage
5287 When bearer auth was disabled, the if/else logic got wrong and caused
5290 Follow-up to e92edfbef64448ef461
5292 Reported-by: Aleksander Mazur
5295 Michael Osipov (20 Sep 2023)
5297 - wolfssl: allow capath with CURLOPT_CAINFO_BLOB
5299 Remain consistent with OpenSSL. While CAfile is nulled as documented
5300 with CURLOPT_CAINFO_BLOB, CApath remains intact.
5304 - wolfssl: use ssl_cafile/ssl_capath variables consistent with openssl.c
5308 Dan Fandrich (19 Sep 2023)
5310 - test1474: disable test on NetBSD, OpenBSD and Solaris 10
5312 These kernels only send a fraction of the requested amount of the first
5313 large block, invalidating the assumptions of the test and causing it to
5316 Assisted-by: Christian Weisgerber
5317 Ref: https://curl.se/mail/lib-2023-09/0021.html
5320 Ryan Schmidt (20 Sep 2023)
5322 - cmake, configure: also link with CoreServices
5324 When linking with CoreFoundation, also link with CoreServices which is
5325 apparently required to avoid an NSInvalidArgumentException in software
5326 linking with libcurl on macOS Sonoma 14 and later.
5331 Marc Hoersken (19 Sep 2023)
5333 - CI/azure: remove pip, wheel, cryptography, pyopenssl and impacket
5335 These dependencies are now already included in the Docker image.
5337 Ref: https://github.com/mback2k/curl-docker-winbuildenv/commit/2607a31bcab544
5338 b41d15606e97f38cf312c1ce56
5342 Daniel Stenberg (19 Sep 2023)
5344 - wolfssl: if CURLOPT_CAINFO_BLOB is set, ignore the CA files
5347 Reported-by: Michael Osipov
5350 - RELEASE-NOTES: synced
5352 - test3103: CURLOPT_COOKIELIST test
5354 - cookie: set ->running in cookie_init even if data is NULL
5356 This is a regression introduced in b1b326ec500 (shipped in curl 8.1.0)
5361 Reported-by: wangp on github
5364 - test498: total header size for all redirects is larger than accepted
5366 - http: use per-request counter to check too large headers
5368 Not the counter that accumulates all headers over all redirects.
5370 Follow-up to 3ee79c1674fd6
5372 Do a second check for 20 times the limit for the accumulated size for
5376 Reported-by: Joshix-1 on github
5379 Jay Satiro (18 Sep 2023)
5381 - THANKS: add Eric Murphy
5383 He reported #11850 (quiche build error) but I forgot to add a
5384 'reported-by' entry in the fix 267e14f1.
5386 Daniel Stenberg (18 Sep 2023)
5388 - h2-proxy: remove left-over mistake in drain_tunnel()
5390 Left-over from 331b89a319
5394 Closes https://github.com/curl/curl/pull/11877
5396 vvb2060 (18 Sep 2023)
5398 - lib: failf/infof compiler warnings
5402 Daniel Stenberg (17 Sep 2023)
5404 - rand: fix 'alnum': array is too small to include a terminating null character
5406 It was that small on purpose, but this change now adds the null byte to
5409 Follow-up to 3aa3cc9b052353b1
5411 Reported-by: Dan Fandrich
5415 Mathias Fuchs (16 Sep 2023)
5417 - cmake: fix the help text to the static build option in CMakeLists.txt
5421 John Haugabook (16 Sep 2023)
5423 - MANUAL.md: change domain to example.com
5427 Daniel Stenberg (16 Sep 2023)
5429 - doh: inherit DEBUGFUNCTION/DATA
5431 When creating new transfers for doing DoH, they now inherit the debug
5432 settings from the initiating transfer, so that the application can
5433 redirect and handle the verbose output correctly even for the DoH
5436 Reported-by: calvin2021y on github
5440 Dan Fandrich (16 Sep 2023)
5442 - http_aws_sigv4: fix sorting with empty parts
5444 When comparing with an empty part, the non-empty one is always
5445 considered greater-than. Previously, the two would be considered equal
5446 which would randomly place empty parts amongst non-empty ones. This
5447 showed as a test 439 failure on Solaris as it uses a different
5448 implementation of qsort() that compares parts differently.
5453 - CI: ignore the "flaky" and "timing-dependent" test results
5455 CI builds will now run these tests, but will ignore the results if they
5456 fail. The relevant tests are ones that are sensitive to timing or
5457 have edge conditions that make them more likely to fail on CI servers,
5458 which are often heavily overloaded and slow.
5460 This change only adds two additional tests to be ignored, since the
5461 others already had the flaky keyword.
5465 - runtests: eliminate a warning on old perl versions
5467 The warning "Use of implicit split to @_ is deprecated" showed between
5468 perl versions about 5.8 through 5.11.
5470 - tests: log the test result code after each libtest
5472 This makes it easier to determine the test status. Also, capitalize
5473 FAILURE and ABORT messages in log lines to make them easier to spot.
5475 Harry Sintonen (16 Sep 2023)
5477 - misc: better random strings
5479 Generate alphanumerical random strings.
5481 Prior this change curl used to create random hex strings. This was
5482 mostly okay, but having alphanumerical random strings is better: The
5483 strings have more entropy in the same space.
5485 The MIME multipart boundary used to be mere 64-bits of randomness due
5486 to being 16 hex chars. With these changes the boundary is 22
5487 alphanumerical chars, or little over 130 bits of randomness.
5491 Daniel Stenberg (15 Sep 2023)
5493 - cookie: reduce variable scope, add const
5495 - cookie: do not store the expire or max-age strings
5497 Convert it to an expire time at once and save memory.
5501 - cookie: remove unnecessary struct fields
5503 Plus: reduce the hash table size from 256 to 63. It seems unlikely to
5504 make much of a speed difference for most use cases but saves 1.5KB of
5509 - RELEASE-NOTES: synced
5511 Bumped to 8.4.0, the next presumed version
5513 Dan Fandrich (14 Sep 2023)
5515 - test2600: remove special case handling for USE_ALARM_TIMEOUT
5517 This was originally added to handle platforms that supported only 1
5518 second granularity in connect timeouts, but after some recent changes
5519 the test currently permafails on several Windows platforms.
5521 The need for this special-case was removed in commit 8627416, which
5522 increased the connect timeout in all cases to well above 1 second.
5527 Daniel Stenberg (14 Sep 2023)
5529 - SECURITY-PROCESS.md. call it vulnerability disclosure policy
5531 SECURITY-PROCESS.md -> VULN-DISCLOSURE-POLICY.md
5533 This a name commonly used for a document like this. This name helps
5538 Junho Choi (14 Sep 2023)
5540 - quiche: fix build error with --with-ca-fallback
5542 - Fix build error when curl is built with --with-quiche
5543 and --with-ca-fallback.
5545 - Add --with-ca-fallback to the quiche CI job.
5547 Fixes https://github.com/curl/curl/issues/11850
5548 Closes https://github.com/curl/curl/pull/11847
5550 Jay Satiro (14 Sep 2023)
5552 - escape: replace Curl_isunreserved with ISUNRESERVED
5554 - Use the ALLCAPS version of the macro so that it is clear a macro is
5555 being called that evaluates the variable multiple times.
5557 - Also capitalize macro isurlpuntcs => ISURLPUNTCS since it evaluates
5558 a variable multiple times.
5560 This is a follow-up to 291d225a which changed Curl_isunreserved into an
5561 alias macro for ISUNRESERVED. The problem is the former is not easily
5562 identified as a macro by the caller, which could lead to a bug.
5564 For example, ISUNRESERVED(*foo++) is easily identifiable as wrong but
5565 Curl_isunreserved(*foo++) is not even though they both are the same.
5567 Closes https://github.com/curl/curl/pull/11846
5569 Dan Fandrich (13 Sep 2023)
5571 - tests: increase the default server logs lock timeout
5573 This timeout is used to wait for the server to finish writing its logs
5574 before checking them against the expected values. An overloaded machine
5575 could take more than the two seconds previously allocated, so increase
5576 the timeout to 5 seconds.
5581 - tests: increase TEST_HANG_TIMEOUT in two tests
5583 These tests had a 5 second timeout compared to 60 seconds for all other
5584 tests. Make these consistent with the others for more reliability on
5585 heavily-loaded machines.
5589 - test1056: disable on Windows
5591 This test relies on the IPv6 scope field being ignored when connecting to
5592 ipv6-localhost (i.e. [::1%259999] is treated as [::1]). Maybe this is a bit
5593 dodgy, but it works on all our test platforms except Windows. This
5594 test was disabled manually on all Windows CI builds already, so instead
5595 add an incompatible feature and precheck so it's skipped on Windows
5596 everywhere automatically.
5598 - test587: add a slight delay after test
5600 This test is designed to connect to the server, then immediately send a
5601 few bytes and disconnect. In some situations, such as on a loaded
5602 server, this doesn't give the server enough time to write its lock file
5603 before its existence is checked. The test harness then fails to find the
5604 server's input log file (because it hasn't been written yet) and fails
5605 the test. By adding a short delay after the test, the HTTP server has
5606 enough time to write its lock file which gives itself more time to write
5607 its remaining files.
5611 - tests: stop overriding the lock timeout
5613 These tests reduce the server lock wait timeout which can increase
5614 flakiness on loaded machines. Since this is merely an optimization,
5615 eliminate them in favour of reliability.
5619 - tests: add some --expect100-timeout to reduce timing dependencies
5621 These tests can fail when the test machine is so slow that the test HTTP
5622 server didn't get a chance to complete before the client's one second
5623 100-continue timeout triggered. Increase that 1 second to 999 seconds so
5624 this situation doesn't happen.
5628 - test661: return from test early in case of curl error
5630 - tests: add the timing-dependent keyword on several tests
5632 These are ones likely to fail on heavily-loaded machines that alter the
5633 normal test timing. Most of these tests already had the flaky keyword
5634 since this condition makes them more likely to fail on CI.
5636 - test1592: greatly increase the maximum test timeout
5638 It was too short to be reliable on heavily loaded CI machines, and
5639 as a fail-safe only, it didn't need to be short.
5643 - test: minor test cleanups
5645 Remove an obsolete block of code in tests 2032 & 576.
5646 Add a comment in test 1474.
5648 - tests: quadruple the %FTPTIME2 and %FTPTIME3 timeouts
5650 This gives more of a margin for error when running on overloaded CI
5655 - tests: improve SLOWDOWN test reliability by reducing sent data
5657 These tests are run in SLOWDOWN mode which adds a 10 msec delay after
5658 each character output, which means it takes at least 1.6 seconds (and
5659 320 kernel calls) just to get through the long welcome banner. On an
5660 overloaded system, this can end up taking much more than 1.6 seconds,
5661 and even more than the 7 or 16 second curl timeout that the tests rely
5662 on, causing them to fail. Reducing the size of the welcome banner drops
5663 the total number of characters sent before the transfer starts by more
5664 than half, which reduces the opportunity for test-breaking slowdowns by
5669 - test650: fix an end tag typo
5671 Jay Satiro (13 Sep 2023)
5673 - tool_cb_wrt: fix debug assertion
5675 - Fix off-by-one out-of-bounds array index in Windows debug assertion.
5677 Bug: https://github.com/curl/curl/commit/af3f4e41#r127212213
5678 Reported-by: Gisle Vanem
5680 Daniel Stenberg (13 Sep 2023)
5682 - ctype: add ISUNRESERVED()
5684 ... and make Curl_isunreserved() use that macro instead of providing a
5685 separate funtion for the purpose.
5689 Version 8.3.0 (13 Sep 2023)
5691 Daniel Stenberg (13 Sep 2023)
5693 - RELEASE-NOTES: syn ced
5697 - THANKS: contributors from 8.3.0
5699 Thorsten Klein (12 Sep 2023)
5701 - cmake: set SIZEOF_LONG_LONG in curl_config.h
5703 in order to support 32bit builds regarding wolfssl CTC_SETTINGS
5707 Jay Satiro (12 Sep 2023)
5709 - curl_ngtcp2: fix error message
5711 - http_aws_sigv4: handle no-value user header entries
5713 - Handle user headers in format 'name:' and 'name;' with no value.
5715 The former is used when the user wants to remove an internal libcurl
5716 header and the latter is used when the user actually wants to send a
5717 no-value header in the format 'name:' (note the semi-colon is converted
5718 by libcurl to a colon).
5720 Prior to this change the AWS header import code did not special case
5721 either of those and the generated AWS SignedHeaders would be incorrect.
5723 Reported-by: apparentorder@users.noreply.github.com
5725 Ref: https://curl.se/docs/manpage.html#-H
5727 Fixes https://github.com/curl/curl/issues/11664
5728 Closes https://github.com/curl/curl/pull/11668
5730 Dan Fandrich (11 Sep 2023)
5732 - CI: run pytest with the -v option
5734 This lists of the test cases being run so it can be tracked over time.
5738 Daniel Stenberg (11 Sep 2023)
5740 - HTTP3: the msquic backend is not functional
5742 I ask that we do not submit bugs for this backend just yet as we know it
5743 does not fully work.
5748 - aws_sigv4: the query canon code miscounted URL encoded input
5750 Added some extra ampersands to test 439 to verify "blank" query parts
5752 Follow-up to fc76a24c53b08cdf
5756 vvb2060 (11 Sep 2023)
5758 - quic: don't set SNI if hostname is an IP address
5760 We already do this for TLS connections.
5762 RFC 6066 says: Literal IPv4 and IPv6 addresses are not permitted in
5765 Ref: https://www.rfc-editor.org/rfc/rfc6066#section-3
5767 Fixes https://github.com/curl/curl/issues/11827
5768 Closes https://github.com/curl/curl/pull/11828
5770 Daniel Stenberg (10 Sep 2023)
5772 - RELEASE-NOTES: synced
5774 Benoit Pierre (10 Sep 2023)
5776 - configure: fix `HAVE_TIME_T_UNSIGNED` check
5778 The syntax was incorrect (need a proper main body), and the test
5779 condition was wrong (resulting in a signed `time_t` detected as
5784 Daniel Stenberg (9 Sep 2023)
5786 - THANKS-filter: pszlazak on github
5788 pszlazak (9 Sep 2023)
5790 - include.d: explain headers not printed with --fail before 7.75.0
5792 Prior to 7.75.0 response headers were not printed if -f/--fail was used
5793 and an error was reported by server. This was fixed in ab525c0
5798 Daniel Stenberg (8 Sep 2023)
5800 - http_aws_sigv4: skip the op if the query pair is zero bytes
5802 Follow-up to fc76a24c53b08cdf
5806 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62175
5809 - cmdline-docs: use present tense, not future
5811 + some smaller cleanups
5815 - cmdline-docs: make sure to phrase it as "added in ...."
5817 References to things that were added or changed in a specific version
5818 should be specified as "(added in [version]) for two reasons:
5822 2 - to allow gen.pl to strip them out if deemed referring to too old
5827 Jay Satiro (8 Sep 2023)
5829 - docs: mark --ssl-revoke-best-effort as Schannel specific
5831 Closes https://github.com/curl/curl/pull/11760
5833 Nathan Moinvaziri (8 Sep 2023)
5835 - schannel: fix ordering of cert chain info
5837 - Use CERT_CONTEXT's pbCertEncoded to determine chain order.
5839 CERT_CONTEXT from SECPKG_ATTR_REMOTE_CERT_CONTEXT contains
5840 end-entity/server certificate in pbCertEncoded. We can use this pointer
5841 to determine the order of certificates when enumerating hCertStore using
5842 CertEnumCertificatesInStore.
5844 This change is to help ensure that the ordering of the certificate chain
5845 requested by the user via CURLINFO_CERTINFO has the same ordering on all
5846 versions of Windows.
5848 Prior to this change Schannel certificate order was reversed in 8986df80
5849 but that was later reverted in f540a39b when it was discovered that
5850 Windows 11 22H2 does the reversal on its own.
5852 Ref: https://github.com/curl/curl/issues/9706
5854 Closes https://github.com/curl/curl/pull/11632
5856 Chris Talbot (8 Sep 2023)
5858 - digest: Use hostname to generate spn instead of realm
5860 In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2
5862 digest-uri-value should be serv-type "/" host , where host is:
5864 The DNS host name or IP address for the service requested. The
5865 DNS host name must be the fully-qualified canonical name of the
5866 host. The DNS host name is the preferred form; see notes on server
5867 processing of the digest-uri.
5869 Realm may not be the host, so we must specify the host explicitly.
5871 Note this change only affects the non-SSPI digest code. The digest code
5872 used by SSPI builds already uses the hostname to generate the spn.
5874 Ref: https://github.com/curl/curl/issues/11369
5876 Closes https://github.com/curl/curl/pull/11395
5878 Daniel Stenberg (7 Sep 2023)
5880 - docs: remove use of the word 'very'
5882 It is mostly superfluous. proselint would complain.
5886 - curl_multi_remove_handle.3: clarify what happens with connection
5890 - RELEASE-NOTES: synced
5892 - test439: verify query canonization for aws-sigv4
5894 - tool_operate: make aws-sigv4 not require TLS to be used
5896 Maybe not used too often, but we want it for testing and it should work.
5898 - http_aws_sigv4: canonicalize the query
5900 Percent encoding needs to be done using uppercase, and most
5901 non-alphanumerical must be percent-encoded.
5904 Reported-by: John Walker
5907 Wyatt O'Day (7 Sep 2023)
5909 - lib: add ability to disable auths individually
5911 Both with configure and cmake
5915 Stefan Eissing (7 Sep 2023)
5917 - ngtcp2: fix handling of large requests
5919 - requests >64K are send in parts to the filter
5920 - fix parsing of the request to assemble it correctly
5922 - open a QUIC stream only when the complete request has
5927 - openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before
5929 - we delay loading the x509 store to shorten the handshake time.
5930 However an application callback installed via CURLOPT_SSL_CTX_FUNCTION
5931 may need to have the store loaded and try to manipulate it.
5932 - load the x509 store before invoking the app callback
5935 Reported-by: guoxinvmware on github
5938 Daniel Stenberg (7 Sep 2023)
5940 - krb5: fix "implicit conversion loses integer precision" warnings
5942 conversions to/from enum and unsigned chars
5946 Stefan Eissing (7 Sep 2023)
5948 - pytest: improvements
5950 - set CURL_CI for pytest runs in CI environments
5951 - exclude timing sensitive tests from CI runs
5952 - for failed results, list only the log and stat of
5955 - fix type in http.c comment
5959 - CI: move on to ngtcp2 v0.19.1
5963 Dan Fandrich (5 Sep 2023)
5965 - CI: run Circle macOS builds on x86 for now
5967 The ARM machines aren't ready for us and requesting them now causes
5968 warnings e-mails to be sent to some PR pushers.
5972 Viktor Szakats (5 Sep 2023)
5974 - http3: adjust cast for ngtcp2 v0.19.0
5976 ngtcp2 v0.19.0 made size of `ecn` member of `ngtcp2_pkt_info`
5977 an `uint8_t` (was: `uint32_t`). Adjust our local cast accordingly.
5981 ./curl/lib/vquic/curl_ngtcp2.c:1912:12: warning: implicit conversion loses in
5982 teger precision: 'uint32_t' (aka 'unsigned int') to 'uint8_t' (aka 'unsigned
5983 char') [-Wimplicit-int-conversion]
5984 pi.ecn = (uint32_t)ecn;
5988 Also bump ngtcp2, nghttp3 and nghttp2 to their latest versions in our
5991 Ref: https://github.com/ngtcp2/ngtcp2/commit/80447281bbc94af53f8aa7a4cfc19175
5993 Ref: https://github.com/ngtcp2/ngtcp2/pull/877
5996 Stefan Eissing (5 Sep 2023)
5998 - http: fix sending of large requests
6000 - refs #11342 where errors with git https interactions
6002 - problem was caused by 1st sends of size larger than 64KB
6003 which resulted in later retries of 64KB only
6004 - limit sending of 1st block to 64KB
6005 - adjust h2/h3 filters to cope with parsing the HTTP/1.1
6006 formatted request in chunks
6008 - introducing Curl_nwrite() as companion to Curl_write()
6009 for the many cases where the sockindex is already known
6011 Fixes #11342 (again)
6014 - pytest: fix check for slow_network skips to only apply when intended
6018 Daniel Stenberg (5 Sep 2023)
6020 - curl_url_get/set.3: add missing semicolon in SYNOPSIS
6022 - CURLOPT_URL.3: explain curl_url_set() uses the same parser
6024 - CURLOPT_URL.3: add two URL API calls in the see-also section
6026 Dan Fandrich (4 Sep 2023)
6028 - CI: add a 32-bit i686 Linux build
6030 This is done by cross-compiling under regular x86_64 Linux. Since the
6031 kernel offers backwards compatibility, the binaries can be tested as
6036 - tests: fix a type warning on 32-bit x86
6038 Viktor Szakats (4 Sep 2023)
6040 - tests: delete stray `.orig` file
6042 Follow-up to 331b89a319d0067fa1e6441719307cfef9c7960f
6045 Daniel Stenberg (4 Sep 2023)
6047 - RELEASE-NOTES: synced
6049 Viktor Szakats (4 Sep 2023)
6051 - lib: silence compiler warning in inet_ntop6
6054 ./curl/lib/inet_ntop.c:121:21: warning: possible misuse of comma operator her
6056 cur.base = i, cur.len = 1;
6058 ./curl/lib/inet_ntop.c:121:9: note: cast expression to void to silence warnin
6060 cur.base = i, cur.len = 1;
6067 Daniel Stenberg (4 Sep 2023)
6069 - transfer: also stop the sending on closed connection
6071 Previously this cleared the receiving bit only but in some cases it is
6072 also still sending (like a request-body) when disconnected and neither
6073 direction can continue then.
6076 Reported-by: Oleg Jukovec
6079 John Bampton (4 Sep 2023)
6081 - docs: change `sub-domain` to `subdomain`
6083 https://en.wikipedia.org/wiki/Subdomain
6087 Stefan Eissing (4 Sep 2023)
6089 - multi: more efficient pollfd count for poll
6091 - do not use separate pollfds for sockets that have POLLIN+POLLOUT
6095 - http2: polish things around POST
6097 - added test cases for various code paths
6098 - fixed handling of blocked write when stream had
6099 been closed inbetween attempts
6100 - re-enabled DEBUGASSERT on send with smaller data size
6102 - in debug builds, environment variables can be set to simulate a slow
6103 network when sending data. cf-socket.c and vquic.c support
6104 * CURL_DBG_SOCK_WBLOCK: percentage of send() calls that should be
6105 answered with a EAGAIN. TCP/UNIX sockets.
6106 This is chosen randomly.
6107 * CURL_DBG_SOCK_WPARTIAL: percentage of data that shall be written
6108 to the network. TCP/UNIX sockets.
6109 Example: 80 means a send with 1000 bytes would only send 800
6110 This is applied to every send.
6111 * CURL_DBG_QUIC_WBLOCK: percentage of send() calls that should be
6112 answered with EAGAIN. QUIC only.
6113 This is chosen randomly.
6117 Daniel Stenberg (4 Sep 2023)
6119 - docs: add curl_global_trace to some SEE ALSO sections
6123 - os400: fix checksrc nits
6127 Nicholas Nethercote (3 Sep 2023)
6129 - hyper: remove `hyptransfer->endtask`
6131 `Curl_hyper_stream` needs to distinguish between two kinds of
6132 `HYPER_TASK_EMPTY` tasks: (a) the `foreach` tasks it creates itself, and
6133 (b) background tasks that hyper produces. It does this by recording the
6134 address of any `foreach` task in `hyptransfer->endtask` before pushing
6135 it into the executor, and then comparing that against the address of
6136 tasks later polled out of the executor.
6138 This works right now, but there is no guarantee from hyper that the
6139 addresses are stable. `hyper_executor_push` says "The executor takes
6140 ownership of the task, which should not be accessed again unless
6141 returned back to the user with `hyper_executor_poll`". That wording is a
6142 bit ambiguous but with my Rust programmer's hat on I read it as meaning
6143 the task returned with `hyper_executor_poll` may be conceptually the
6144 same as a task that was pushed, but that there are no other guarantees
6145 and comparing addresses is a bad idea.
6147 This commit instead uses `hyper_task_set_userdata` to mark the `foreach`
6148 task with a `USERDATA_RESP_BODY` value which can then be checked for,
6149 removing the need for `hyptransfer->endtask`. This makes the code look
6150 more like that hyper C API examples, which use userdata for every task
6151 and never look at task addresses.
6155 Dave Cottlehuber (3 Sep 2023)
6157 - ws: fix spelling mistakes in examples and tests
6161 Daniel Stenberg (3 Sep 2023)
6163 - tool_filetime: make -z work with file dates before 1970
6166 Reported-by: Harry Sintonen
6169 Dan Fandrich (1 Sep 2023)
6171 - build: fix portability of mancheck and checksrc targets
6173 At least FreeBSD preserves cwd across makefile lines, so rules
6174 consisting of more than one "cd X; do_something" must be explicitly run
6175 in a subshell to avoid this. This problem caused the Cirrus FreeBSD
6176 build to fail when parallel make jobs were enabled.
6178 - CI: adjust labeler match patterns for new & obsolete files
6180 - configure: trust pkg-config when it's used for zlib
6182 The library flags retrieved from pkg-config were later thrown out and
6183 harded-coded, which negates the whole reason to use pkg-config.
6184 Also, previously, the assumption was made that --libs-only-l and
6185 --libs-only-L are the full decomposition of --libs, which is untrue and
6186 would not allow linking against a static zlib. The new approach is
6187 better in that it uses --libs, although only if --libs-only-l returns
6190 Bug: https://curl.se/mail/lib-2023-08/0081.html
6191 Reported-by: Randall
6194 Stefan Eissing (1 Sep 2023)
6196 - CI/ngtcp2: clear wolfssl for when cache is ignored
6200 Daniel Stenberg (1 Sep 2023)
6202 - RELEASE-NOTES: synced
6204 Nicholas Nethercote (1 Sep 2023)
6206 - hyper: fix a progress upload counter bug
6208 `Curl_pgrsSetUploadCounter` should be a passed a total count, not an
6211 This changes the failing diff for test 579 with hyper from this:
6213 Progress callback called with UL 0 out of 0[LF]
6214 -Progress callback called with UL 8 out of 0[LF]
6215 -Progress callback called with UL 16 out of 0[LF]
6216 -Progress callback called with UL 26 out of 0[LF]
6217 -Progress callback called with UL 61 out of 0[LF]
6218 -Progress callback called with UL 66 out of 0[LF]
6219 +Progress callback called with UL 29 out of 0[LF]
6223 Progress callback called with UL 0 out of 0[LF]
6224 -Progress callback called with UL 8 out of 0[LF]
6225 -Progress callback called with UL 16 out of 0[LF]
6226 -Progress callback called with UL 26 out of 0[LF]
6227 -Progress callback called with UL 61 out of 0[LF]
6228 -Progress callback called with UL 66 out of 0[LF]
6229 +Progress callback called with UL 40 out of 0[LF]
6231 Presumably a step in the right direction.
6235 Daniel Stenberg (1 Sep 2023)
6237 - awssiv4: avoid freeing the date pointer on error
6239 Since it was not allocated, don't free it even if it was wrong syntax
6241 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61908
6243 Follow-up to b137634ba3adb
6247 Stefan Eissing (1 Sep 2023)
6249 - CI: ngtcp2-linux: use separate caches for tls libraries
6251 allow ever changing master for wolfssl
6255 - replace `master` as wolfssl-version with recent commit
6257 - wolfssl, use master again in CI
6259 - with the shared session update fix landed in master, it
6260 is time to use that in our CI again
6262 Nicholas Nethercote (31 Aug 2023)
6264 - tests: fix formatting errors in `FILEFORMAT.md`.
6266 Without the surrounding backticks, these tags get swallowed when the
6267 markdown is rendered.
6271 Viktor Szakats (31 Aug 2023)
6273 - cmake: add support for `CURL_DEFAULT_SSL_BACKEND`
6275 Allow overriding the default TLS backend via a CMake setting.
6278 `cmake [...] -DCURL_DEFAULT_SSL_BACKEND=mbedtls`
6280 Accepted values: bearssl, gnutls, mbedtls, openssl, rustls,
6281 schannel, secure-transport, wolfssl
6283 The passed string is baked into the curl/libcurl binaries.
6284 The value is case-insensitive.
6286 We added a similar option to autotools in 2017 via
6287 c7170e20d0a18ec8a514b4daa53bcdbb4dcb3a05.
6289 TODO: Convert to lowercase to improve reproducibility.
6293 - sectransp: fix compiler warnings
6295 https://github.com/curl/curl-for-win/actions/runs/6037489221/job/16381860220#
6298 /Users/runner/work/curl-for-win/curl-for-win/curl/lib/vtls/sectransp.c:2435:1
6299 4: warning: unused variable 'success' [-Wunused-variable]
6302 /Users/runner/work/curl-for-win/curl-for-win/curl/lib/vtls/sectransp.c:3300:4
6303 4: warning: unused parameter 'sha256len' [-Wunused-parameter]
6310 - tidy-up: mostly whitespace nits
6312 - delete completed TODO from `./CMakeLists.txt`.
6313 - convert a C++ comment to C89 in `./CMake/CurlTests.c`.
6314 - delete duplicate EOLs from EOF.
6315 - add missing EOL at EOF.
6316 - delete whitespace at EOL (except from expected test results).
6317 - convert tabs to spaces.
6318 - convert CRLF EOLs to LF in GHA yaml.
6319 - text casing fixes in `./CMakeLists.txt`.
6320 - fix a codespell typo in `packages/OS400/initscript.sh`.
6324 Dan Fandrich (31 Aug 2023)
6326 - CI: remove Windows builds from Cirrus, without replacement
6328 If we don't do this, all coverage on Cirrus will cease in a few days. By
6329 removing the Windows builds, the FreeBSD one should still continue
6330 as before. The Windows builds will need be moved to another service to
6331 maintain test coverage.
6335 - CI: switch macOS ARM build from Cirrus to Circle CI
6337 Cirrus is drastically reducing their free tier on Sept. 1, so they will
6338 no longer perform all these builds for us. All but one build has been
6339 moved, with the LibreSSL one being dropped because of linking problems
6342 One important note about this change is that Circle CI is currently
6343 directing all these builds to x86_64 hardware, despite them requesting
6344 ARM. This is because ARM nodes are scheduled to be available on the
6345 free tier only in December. This reduces our architectural diversity
6346 until then but it should automatically come back once those machines are
6349 - CI: use the right variable for BSD make
6351 BSD uses MAKEFLAGS instead of MAKE_FLAGS so it wasn't doing parallel
6354 - CI: drop the FreeBSD 12.X build
6356 Cirrus' new free tier won't let us have many builds, so drop the
6357 nonessential ones. The FreeBSD 13.X build will still give us the most
6358 relevant FreeBSD coverage.
6360 - CI: move the Alpine build from Cirrus to GHA
6362 Cirrus is reducing their free tier to next to nothing, so we must move
6365 Stefan Eissing (30 Aug 2023)
6367 - test_07_upload.py: fix test_07_34 curl args
6369 - Pass correct filename to --data-binary.
6371 Prior to this change --data-binary was passed an incorrect filename due
6372 to a missing separator in the arguments list. Since aacbeae7 curl will
6373 error on incorrect filenames for POST.
6375 Fixes https://github.com/curl/curl/issues/11761
6376 Closes https://github.com/curl/curl/pull/11763
6378 Nicholas Nethercote (30 Aug 2023)
6380 - tests: document which tests fail due to hyper's lack of trailer support.
6384 - docs: removing "pausing transfers" from HYPER.md.
6386 It's a reference to #8600, which was fixed by #9070.
6390 Patrick Monnerat (30 Aug 2023)
6392 - os400: handle CURL_TEMP_PRINTF() while building bind source
6396 - os400: build test servers
6398 Also fix a non-compliant main prototype in disabled.c.
6402 - tests: fix compilation error for os400
6404 OS400 uses BSD 4.3 setsockopt() prototype by default: this does not
6405 define parameter as const, resulting in an error if actual parameter is
6406 const. Remove the const keyword from the actual parameter cast: this
6407 works in all conditions, even if the formal parameter uses it.
6411 - os400: make programs and command name configurable
6415 - os400: move build configuration parameters to a separate script
6417 They can then easily be overriden in a script named "config400.override"
6418 that is not part of the distribution.
6422 - os400: implement CLI tool
6424 This is provided as a QADRT (ascii) program, a link to it in the IFS and
6425 a minimal CL command.
6429 Matthias Gatto (30 Aug 2023)
6431 - lib: fix aws-sigv4 having date header twice in some cases
6433 When the user was providing the header X-XXX-Date, the header was
6434 re-added during signature computation, and we had it twice in the
6437 Reported-by: apparentorder@users.noreply.github.com
6439 Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
6441 Fixes: https://github.com/curl/curl/issues/11738
6442 Closes: https://github.com/curl/curl/pull/11754
6444 Jay Satiro (30 Aug 2023)
6446 - multi: remove 'processing: <url>' debug message
6448 - Remove debug message added by e024d566.
6450 Closes https://github.com/curl/curl/pull/11759
6452 - ftp: fix temp write of ipv6 address
6454 - During the check to differentiate between a port and IPv6 address
6455 without brackets, write the binary IPv6 address to an in6_addr.
6457 Prior to this change the binary IPv6 address was erroneously written to
6458 a sockaddr_in6 'sa6' when it should have been written to its in6_addr
6459 member 'sin6_addr'. There's no fallout because no members of 'sa6' are
6460 accessed before it is later overwritten.
6462 Closes https://github.com/curl/curl/pull/11747
6464 - tool: change some fopen failures from warnings to errors
6466 - Error on missing input file for --data, --data-binary,
6467 --data-urlencode, --header, --variable, --write-out.
6469 Prior to this change if a user of the curl tool specified an input file
6470 for one of the above options and that file could not be opened then it
6471 would be treated as zero length data instead of an error. For example, a
6472 POST using `--data @filenametypo` would cause a zero length POST which
6473 is probably not what the user intended.
6475 Closes https://github.com/curl/curl/pull/11677
6479 Davide Masserut (29 Aug 2023)
6481 - tool: avoid including leading spaces in the Location hyperlink
6483 Co-authored-by: Dan Fandrich <dan@coneharvesters.com>
6487 Daniel Stenberg (29 Aug 2023)
6489 - SECURITY-PROCESS.md: not a sec issue: Tricking user to run a cmdline
6493 - connect: stop halving the remaining timeout when less than 600 ms left
6495 When curl wants to connect to a host, it always has a TIMEOUT. The
6496 maximum time it is allowed to spend until a connect is confirmed.
6498 curl will try to connect to each of the IP adresses returned for the
6499 host. Two loops, one for each IP family.
6501 During the connect loop, while curl has more than one IP address left to
6502 try within a single address family, curl has traditionally allowed (time
6503 left/2) for *this* connect attempt. This, to not get stuck on the
6504 initial addresses in case the timeout but still allow later addresses to
6507 This has the downside that when users set a very short timeout and the
6508 host has a large number of IP addresses, the effective result might be
6509 that every attempt gets a little too short time.
6511 This change stop doing the divided-by-two if the total time left is
6512 below a threshold. This threshold is 600 milliseconds.
6516 - asyn-ares: reduce timeout to 2000ms
6518 When UDP packets get lost this makes for slightly faster retries. This
6519 lower timeout is used by @c-ares itself by default starting next
6524 John Bampton (29 Aug 2023)
6526 - misc: remove duplicate words
6530 Daniel Stenberg (29 Aug 2023)
6532 - RELEASE-NOTES: synced
6534 - wolfSSL: avoid the OpenSSL compat API when not needed
6536 ... and instead call wolfSSL functions directly.
6540 Viktor Szakats (28 Aug 2023)
6542 - lib: fix null ptr derefs and uninitialized vars (h2/h3)
6544 Fixing compiler warnings with gcc 13.2.0 in unity builds.
6546 Assisted-by: Jay Satiro
6547 Assisted-by: Stefan Eissing
6550 Jay Satiro (28 Aug 2023)
6552 - secureserver.pl: fix stunnel version parsing
6554 - Allow the stunnel minor-version version part to be zero.
6556 Prior to this change with the stunnel version scheme of <major>.<minor>
6557 if either part was 0 then version parsing would fail, causing
6558 secureserver.pl to fail with error "No stunnel", causing tests that use
6559 the SSL protocol to be skipped. As a practical matter this bug can only
6560 be caused by a minor-version part of 0, since the major-version part is
6561 always greater than 0.
6563 Closes https://github.com/curl/curl/pull/11722
6565 - secureserver.pl: fix stunnel path quoting
6567 - Store the stunnel path in the private variable $stunnel unquoted and
6568 instead quote it in the command strings.
6570 Prior to this change the quoted stunnel path was passed to perl's file
6571 operators which cannot handle quoted paths. For example:
6573 $stunnel = "\"/C/Program Files (x86)/stunnel/bin/tstunnel\"";
6574 if(-x $stunnel or -x "$stunnel")
6575 # false even if path exists and is executable
6577 Our other test scripts written in perl, unlike this one, use servers.pm
6578 which has a global $stunnel variable with the path stored unquoted and
6579 therefore those scripts don't have this problem.
6581 Closes https://github.com/curl/curl/pull/11721
6583 Daniel Stenberg (28 Aug 2023)
6585 - altsvc: accept and parse IPv6 addresses in response headers
6587 Store numerical IPv6 addresses in the alt-svc file with the brackets
6590 Verify with test 437 and 438
6593 Reported-by: oliverpool on github
6596 - libtest: use curl_free() to free libcurl allocated data
6598 In several test programs. These mistakes are not detected or a problem
6599 as long as memdebug.h is included, as that provides the debug wrappers
6600 for all memory functions in the same style libcurl internals do it,
6601 which makes curl_free and free effectively the same call.
6603 Reported-by: Nicholas Nethercote
6606 Jay Satiro (28 Aug 2023)
6608 - disable.d: explain --disable not implemented prior to 7.50.0
6610 Option -q/--disable was added in 5.0 but only -q was actually
6611 implemented. Later --disable was implemented in e200034 (precedes
6612 7.49.0), but incorrectly, and fixed in 6dbc23c (precedes 7.50.0).
6614 Reported-by: pszlazak@users.noreply.github.com
6616 Fixes https://github.com/curl/curl/issues/11710
6619 Nicholas Nethercote (28 Aug 2023)
6621 - hyper: fix ownership problems
6623 Some of these changes come from comparing `Curl_http` and
6624 `start_CONNECT`, which are similar, and adding things to them that are
6625 present in one and missing in another.
6627 The most important changes:
6628 - In `start_CONNECT`, add a missing `hyper_clientconn_free` call on the
6630 - In `start_CONNECT`, add a missing `hyper_request_free` on the error
6632 - In `bodysend`, add a missing `hyper_body_free` on an early-exit path.
6633 - In `bodysend`, remove an unnecessary `hyper_body_free` on a different
6634 error path that would cause a double-free.
6635 https://docs.rs/hyper/latest/hyper/ffi/fn.hyper_request_set_body.html
6636 says of `hyper_request_set_body`: "This takes ownership of the
6637 hyper_body *, you must not use it or free it after setting it on the
6638 request." This is true even if `hyper_request_set_body` returns an
6639 error; I confirmed this by looking at the hyper source code.
6641 Other changes are minor but make things slightly nicer.
6645 Daniel Stenberg (28 Aug 2023)
6647 - multi.h: the 'revents' field of curl_waitfd is supported
6649 Since 6d30f8ebed34e7276
6651 Reported-by: Nicolás Ojeda Bär
6655 Gerome Fournier (27 Aug 2023)
6657 - tool_paramhlp: improve str2num(): avoid unnecessary call to strlen()
6661 Daniel Stenberg (27 Aug 2023)
6663 - docs: mention critical files in same directories as curl saves
6665 ... cannot be fully protected. Don't do it.
6667 Co-authored-by: Jay Satiro
6668 Reported-by: Harry Sintonen
6672 John Hawthorn (26 Aug 2023)
6674 - OpenSSL: clear error queue after SSL_shutdown
6676 We've seen errors left in the OpenSSL error queue (specifically,
6677 "shutdown while in init") by adding some logging it revealed that the
6678 source was this file.
6680 Since we call SSL_read and SSL_shutdown here, but don't check the return
6681 code for an error, we should clear the OpenSSL error queue in case one
6684 This didn't affect curl because we call ERR_clear_error before every
6685 write operation (a0dd9df9ab35528eb9eb669e741a5df4b1fb833c), but when
6686 libcurl is used in a process with other OpenSSL users, they may detect
6687 an OpenSSL error pushed by libcurl's SSL_shutdown as if it was their
6690 Co-authored-by: Satana de Sant'Ana <satana@skylittlesystem.org>
6694 Alexander Kanavin (25 Aug 2023)
6696 - tests: update cookie expiry dates to far in the future
6698 This allows testing Y2038 with system time set to after that, so that
6699 actual Y2038 issues can be exposed, and not masked by expiry errors.
6704 John Bampton (25 Aug 2023)
6706 - misc: fix spelling
6710 Daniel Stenberg (25 Aug 2023)
6712 - cmdline-opts/page-header: clarify stronger that !opt == URL
6714 Everything provided on the command line that is not an option (or an
6715 argument to an option) is treated as a URL.
6719 - tests/runner: fix %else handling
6721 Getting the show state proper for %else and %endif did not properly work
6724 Follow-up to 3d089c41ea9
6728 Nicholas Nethercote (25 Aug 2023)
6730 - docs: Remove mention of #10803 from `KNOWN_BUGS`.
6732 Because the leaks have been fixed.
6734 - c-hyper: fix another memory leak in `Curl_http`.
6736 There is a `hyper_clientconn_free` call on the happy path, but not one
6737 on the error path. This commit adds one.
6739 Fixes the second memory leak reported by Valgrind in #10803.
6744 - c-hyper: fix a memory leak in `Curl_http`.
6746 A request created with `hyper_request_new` must be consumed by either
6747 `hyper_clientconn_send` or `hyper_request_free`.
6749 This is not terrifically clear from the hyper docs --
6750 `hyper_request_free` is documented only with "Free an HTTP request if
6751 not going to send it on a client" -- but a perusal of the hyper code
6754 This commit adds a `hyper_request_free` to the `error:` path in
6755 `Curl_http` so that the request is consumed when an error occurs after
6756 the request is created but before it is sent.
6758 Fixes the first memory leak reported by Valgrind in #10803.
6762 Daniel Stenberg (25 Aug 2023)
6764 - RELEASE-NOTES: synced
6766 John Bampton (25 Aug 2023)
6772 Daniel Stenberg (25 Aug 2023)
6774 - tests: add support for nested %if conditions
6776 Provides more flexiblity to test cases.
6778 Also warn and bail out if there is an '%else' or %endif' without a
6784 - time-cond.d: mention what happens on a missing file
6788 Christian Hesse (24 Aug 2023)
6790 - docs/cmdline-opts: match the current output
6792 The release date has been added in output, reflect that in documentation.
6796 Daniel Stenberg (24 Aug 2023)
6798 - lib: minor comment corrections
6800 - docs: rewrite to present tense
6802 ... instead of using future tense.
6804 + numerous cleanups and improvements
6805 + stick to "reuse" not "re-use"
6806 + fewer contractions
6810 - urlapi: setting a blank URL ("") is not an ok URL
6814 Reported-by: ad0p on github
6817 - spelling: use 'reuse' not 're-use' in code and elsewhere
6819 Unify the spelling as both versions were previously used intermittently
6823 Michael Osipov (23 Aug 2023)
6825 - system.h: add CURL_OFF_T definitions on HP-UX with HP aCC
6827 HP-UX on IA64 provides two modes: 32 and 64 bit while 32 bit being the
6828 default one. Use "long long" in 32 bit mode and just "long" in 64 bit
6833 Dan Fandrich (22 Aug 2023)
6835 - tests: don't call HTTP errors OK in test cases
6837 Some HTTP errors codes were accompanied by the text OK, which causes
6838 some cognitive dissonance when reading them.
6840 - http: close the connection after a late 417 is received
6842 In this situation, only part of the data has been sent before aborting
6843 so the connection is no longer usable.
6845 Assisted-by: Jay Satiro
6849 - runtests: slightly increase the longest log file displayed
6851 The new limit provides enough space for a 64 KiB data block to be logged
6852 in a trace file, plus a few lines at the start and end for context. This
6853 happens to be the amount of data sent at a time in a PUT request.
6855 - tests: add delay command to the HTTP server
6857 This adds a delay after client connect.
6859 Daniel Stenberg (22 Aug 2023)
6861 - cirrus: install everthing with pkg, avoid pip
6863 Assisted-by: Sevan Janiyan
6867 - curl_url*.3: update function descriptions
6869 - expand and clarify several descriptions
6870 - avoid using future tense all over
6874 - RELEASE-NOTES: synced
6876 Stefan Eissing (21 Aug 2023)
6878 - CI/cirrus: disable python install on FreeBSD
6880 - python cryptography package does not build build FreeBSD
6881 - install just mentions "error"
6882 - this gets the build and the main test suite going again
6886 - test2600: fix flakiness on low cpu
6888 - refs #11355 where failures to to low cpu resources in CI
6890 - vastly extend CURLOPT_CONNECTTIMEOUT_MS and max durations
6892 - trigger Curl_expire() in test filter to allow re-checks before
6893 the usual 1second interval
6897 Maksim Sciepanienka (20 Aug 2023)
6899 - tool_urlglob: use the correct format specifier for curl_off_t in msnprintf
6903 Daniel Stenberg (20 Aug 2023)
6905 - test687/688: two more basic --xattr tests
6909 - cmdline-opts/docs: mentioned the negative option part
6911 ... for --no-alpn and --no-buffer in the same style done for other --no-
6914 "Note that this is the negated option name documented."
6918 Emanuele Torre (19 Aug 2023)
6920 - tool/var: also error when expansion result starts with NUL
6922 Expansions whose output starts with NUL were being expanded to the empty
6923 string, and not being recognised as values that contain a NUL byte, and
6928 Daniel Stenberg (19 Aug 2023)
6930 - tests: add 'large-time' as a testable feature
6932 This allows test cases to require this feature to run and to be used in
6935 Large here means larger than 32 bits. Ie does not suffer from y2038.
6939 - tests/Makefile: add check-translatable-options.pl to tarball
6943 Follow-up to ae806395abc8c
6945 - gen.pl: fix a long version generation mistake
6947 Too excessive escaping made the parsing not find the correct long names
6948 later and instead add "wrong" links.
6950 Follow-up to 439ff2052e219
6952 Reported-by: Lukas Tribus
6956 - lib: move mimepost data from ->req.p.http to ->state
6958 When the legacy CURLOPT_HTTPPOST option is used, it gets converted into
6959 the modem mimpost struct at first use. This data is (now) kept for the
6960 entire transfer and not only per single HTTP request. This re-enables
6961 rewind in the beginning of the second request instead of in end of the
6962 first, as brought by 1b39731.
6964 The request struct is per-request data only.
6966 Extend test 650 to verify.
6969 Reported-by: yushicheng7788 on github
6972 Patrick Monnerat (17 Aug 2023)
6974 - os400: do not check translatable options at build time
6976 Now that there is a test for this, the build time check is not needed
6981 - test1554: check translatable string options in OS400 wrapper
6983 This test runs a perl script that checks all string options are properly
6984 translated by the OS400 character code conversion wrapper. It also
6985 verifies these options are listed in alphanumeric order in the wrapper
6990 Daniel Stenberg (17 Aug 2023)
6992 - unit3200: skip testing if function is not present
6994 Fake a successful run since we have no easy mechanism to skip this test
6995 for this advanced condition.
6997 - unit2600: fix build warning if built without verbose messages
6999 - test1608: make it build and get skipped without shuffle DNS support
7001 - lib: --disable-bindlocal builds curl without local binding support
7003 - test1304: build and skip without netrc support
7005 - lib: build fixups when built with most things disabled
7009 - workflows/macos.yml: disable zstd and alt-svc in the http-only build
7013 Stefan Eissing (17 Aug 2023)
7015 - bearssl: handshake fix, provide proper get_select_socks() implementation
7017 - bring bearssl handshake times down from +200ms down to other TLS backends
7018 - vtls: improve generic get_select_socks() implementation
7019 - tests: provide Apache with a suitable ssl session cache
7023 - tests: TLS session sharing test
7025 - test TLS session sharing with special test client
7026 - expect failure with wolfSSL
7027 - disable flaky wolfSSL test_02_07b
7031 Daniel Stenberg (17 Aug 2023)
7033 - CURLOPT_*TIMEOUT*: extend and clarify
7037 - urlapi: return CURLUE_BAD_HOSTNAME if puny2idn encoding fails
7039 And document it. Only return out of memory when it actually is a memory
7042 Pointed-out-by: Jacob Mealey
7045 Mathew Benson (17 Aug 2023)
7047 - cmake: add GnuTLS option
7049 - Option to use GNUTLS was missing. Hence was not able to use GNUTLS
7050 with ngtcp2 for http3.
7054 Daniel Stenberg (16 Aug 2023)
7056 - RELEASE-NOTES: synced
7058 - http: remove the p_pragma struct field
7060 unused since 40e8b4e52 (2008)
7064 Jay Satiro (16 Aug 2023)
7066 - CURLINFO_CERTINFO.3: better explain curl_certinfo struct
7068 Closes https://github.com/curl/curl/pull/11666
7070 - CURLINFO_TLS_SSL_PTR.3: clarify a recommendation
7072 - Remove the out-of-date SSL backend list supported by
7073 CURLOPT_SSL_CTX_FUNCTION.
7075 It makes more sense to just refer to that document instead of having
7076 a separate list that has to be kept in sync.
7078 Closes https://github.com/curl/curl/pull/11665
7080 - write-out.d: clarify %{time_starttransfer}
7082 sync it up with CURLINFO_STARTTRANSFER_TIME_T
7084 Daniel Stenberg (15 Aug 2023)
7086 - transfer: don't set TIMER_STARTTRANSFER on first send
7088 The time stamp is for measuring the first *received* byte
7091 Reported-by: JazJas on github
7094 trrui-huawei (15 Aug 2023)
7096 - quiche: enable quiche to handle timeout events
7098 In parallel with ngtcp2, quiche also offers the `quiche_conn_on_timeout`
7099 interface for the application to invoke upon timer
7100 expiration. Therefore, invoking the `on_timeout` function of the
7101 Connection is crucial to ensure seamless functionality of quiche with
7106 - quiche: adjust quiche `QUIC_IDLE_TIMEOUT` to 60s
7108 Set the `QUIC_IDLE_TIMEOUT` parameter to match ngtcp2 for consistency.
7110 Daniel Stenberg (15 Aug 2023)
7112 - KNOWN_BUGS: LDAPS requests to ActiveDirectory server hang
7116 - imap: add a check for failing strdup()
7118 - imap: remove the only sscanf() call in the IMAP code
7120 Avoids the use of a stack buffer.
7124 - imap: use a dynbuf in imap_atom
7126 Avoid a calculation + malloc. Build the output in a dynbuf.
7130 Marin Hannache (14 Aug 2023)
7132 - http: do not require a user name when using CURLAUTH_NEGOTIATE
7134 In order to get Negotiate (SPNEGO) authentication to work in HTTP you
7135 used to be required to provide a (fake) user name (this concerned both
7136 curl and the lib) because the code wrongly only considered
7137 authentication if there was a user name provided, as in:
7139 curl -u : --negotiate https://example.com/
7141 This commit leverages the `struct auth` want member to figure out if the
7142 user enabled CURLAUTH_NEGOTIATE, effectively removing the requirement of
7143 setting a user name both in curl and the lib.
7145 Signed-off-by: Marin Hannache <git@mareo.fr>
7146 Reported-by: Enrico Scholz
7147 Fixes https://sourceforge.net/p/curl/bugs/440/
7151 Viktor Szakats (13 Aug 2023)
7153 - build: streamline non-UWP wincrypt detections
7155 - with CMake, use the variable `WINDOWS_STORE` to detect an UWP build
7156 and disable our non-UWP-compatible use the Windows crypto API. This
7157 allows to drop two dynamic feature checks.
7159 `WINDOWS_STORE` is true when invoking CMake with
7160 `CMAKE_SYSTEM_NAME` == `WindowsStore`. Introduced in CMake v3.1.
7162 Ref: https://cmake.org/cmake/help/latest/variable/WINDOWS_STORE.html
7164 - with autotools, drop the separate feature check for `wincrypt.h`. On
7165 one hand this header has been present for long (even Borland C 5.5 had
7166 it from year 2000), on the other we used the check result solely to
7167 enable another check for certain crypto functions. This fails anyway
7168 with the header not present. We save one dynamic feature check at the
7171 Reviewed-by: Marcel Raad
7174 Nicholas Nethercote (13 Aug 2023)
7176 - docs/HYPER.md: update hyper build instructions
7178 Nightly Rust and `-Z unstable-options` are not needed.
7180 The instructions here now match the hyper docs exactly:
7181 https://github.com/hyperium/hyper/commit/bd7928f3dd6a8461f0f0fdf7ee0fd95c2f15
7186 Daniel Stenberg (13 Aug 2023)
7188 - RELEASE-NOTES: synced
7190 - urlapi: CURLU_PUNY2IDN - convert from punycode to IDN name
7192 Asssisted-by: Jay Satiro
7195 - spellcheck: adapt to backslashed minuses
7197 As the curl.1 has more backslashed minus, the cleanup sed lines xneed to
7200 Adjusted some docs slighly.
7202 Follow-up to 439ff2052e
7206 - gen: escape more minus
7208 Detected since it was still hard to search for option names using dashes
7209 in the middle in the man page.
7213 - cookie-jar.d: enphasize that this option is ONLY writing cookies
7215 Reported-by: Dan Jacobson
7216 Tweaked-by: Jay Satiro
7220 Nicholas Nethercote (11 Aug 2023)
7222 - docs/HYPER.md: document a workaround for a link error
7226 Jay Satiro (11 Aug 2023)
7228 - schannel: verify hostname independent of verify cert
7230 Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off
7231 and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the
7232 hostname in schannel code.
7234 This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and
7235 verify hostname". We discussed a fix several years ago in #3285 but it
7238 Assisted-by: Daniel Stenberg
7240 Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html
7241 Reported-by: Martin Galvan
7243 Ref: https://github.com/curl/curl/pull/3285
7245 Fixes https://github.com/curl/curl/issues/3284
7246 Closes https://github.com/curl/curl/pull/10056
7248 Daniel Stenberg (11 Aug 2023)
7250 - curl_quiche: remove superfluous NULL check
7252 'stream' is always non-NULL at this point
7254 Pointed out by Coverity
7258 - curl/urlapi.h: tiny typo
7260 - github/labeler: make HYPER.md set Hyper and not TLS
7262 - docs/cmdline-opts/gen.pl: hide "added in" before 7.50.0
7264 7.50.0 shipped on Jul 21 2016, over seven years ago. We no longer need
7265 to specify version changes for earlier releases in the generated output.
7267 This ups the limit from the previous 7.30.0 (Apr 12 2013)
7269 This hides roughly 35 "added in" mentions.
7273 Jay Satiro (10 Aug 2023)
7275 - bug_report: require reporters to specify curl and os versions
7277 - Change curl version and os sections from single-line input to
7278 multi-line textarea.
7280 - Require curl version and os sections to be filled out before report
7283 Closes https://github.com/curl/curl/pull/11636
7285 Daniel Stenberg (9 Aug 2023)
7287 - gen.pl: replace all single quotes with aq
7289 - this prevents man from using a unicode sequence for them
7290 - which then allows search to work properly
7294 Viktor Szakats (9 Aug 2023)
7296 - cmake: fix to use variable for the curl namespace
7298 Replace (wrong) literal with a variable to specify the curl
7301 Follow-up to 1199308dbc902c52be67fc805c72dd2582520d30 #11505
7303 Reported-by: balikalina on Github
7304 Fixes https://github.com/curl/curl/commit/1199308dbc902c52be67fc805c72dd25825
7308 - cmake: allow `SHARE_LIB_OBJECT=ON` on all platforms
7310 2ebc74c36a19a1700af394c16855ce144d9878e3 #11546 introduced sharing
7311 libcurl objects for shared and static targets.
7313 The above automatically enabled for Windows builds, with an option to
7314 disable with `SHARE_LIB_OBJECT=OFF`.
7316 This patch extend this feature to all platforms as a manual option.
7317 You can enable it by setting `SHARE_LIB_OBJECT=ON`. Then shared objects
7318 are built in PIC mode, meaning the static lib will also have PIC code.
7324 - cmake: assume `wldap32` availability on Windows
7326 This system library first shipped with Windows ME, available as an extra
7327 install for some older releases (according to [1]). The import library
7328 was present already in old MinGW 3.4.2 (year 2007).
7330 Drop the feature check and its associated `HAVE_WLDAP32` variable.
7332 To manually disable `wldap32`, you can use the `USE_WIN32_LDAP=OFF`
7333 CMake option, like before.
7335 [1]: https://dlcdn.apache.org/httpd/binaries/win32/LEGACY.html
7337 Reviewed-by: Jay Satiro
7340 Daniel Stenberg (9 Aug 2023)
7342 - page-header: move up a URL paragraph from GLOBBING to URL
7344 - variable.d: output the function names table style
7346 Also correct the url function name in the header
7350 - haproxy-clientip.d: remove backticks
7352 This is not markdown
7354 Follow-up to 0a75964d0d94a4
7358 - RELEASE-NOTES: synced
7360 - gen.pl: escape all dashes (ascii minus) to avoid unicode hyphens
7362 Reported-by: FC Stegerman
7366 - cmdline-opts/page-header: reorder, clean up
7368 - removed some unnecessary blurb to focus
7369 - moved up the more important URL details
7370 - put "globbing" into its own subtitle and moved down a little
7371 - mention the online man page in the version section
7375 - c-hyper: adjust the hyper to curlcode conversion
7379 - test2306: make it use a persistent connection
7381 + enable verbose already from the start
7385 eppesuig (8 Aug 2023)
7387 - list-only.d: mention SFTP as supported protocol
7391 Daniel Stenberg (8 Aug 2023)
7393 - request.d: use .TP for protocol "labels"
7395 To render the section nicer in man page.
7399 - cf-haproxy: make CURLOPT_HAPROXY_CLIENT_IP set the *source* IP
7403 Update test 3201 and 3202 accordingly.
7405 Reported-by: Markus Sommer
7409 - page-footer: QLOGDIR works with ngtcp2 and quiche
7411 It previously said "both" backends which is confusing as we currently
7416 Stefan Eissing (8 Aug 2023)
7418 - http3: quiche, handshake optimization, trace cleanup
7420 - load x509 store after clienthello
7421 - cleanup of tracing
7425 Daniel Stenberg (8 Aug 2023)
7427 - ngtcp2: remove dead code
7429 'result' is always zero (CURLE_OK) at this point
7431 Detected by Coverity
7435 Viktor Szakats (8 Aug 2023)
7437 - openssl: auto-detect `SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED`
7439 OpenSSL 1.1.1 defines this macro, but no ealier version, or any of the
7440 popular forks (yet). Use the macro itself to detect its presence,
7441 replacing the hard-wired fork-specific conditions.
7443 This way the feature will enable automatically when forks implement it,
7444 while also shorter and possibly requiring less future maintenance.
7446 Follow-up to 94241a9e78397a2aaf89a213e6ada61e7de7ee02 #6721
7448 Reviewed-by: Jay Satiro
7451 - openssl: use `SSL_CTX_set_ciphersuites` with LibreSSL 3.4.1
7453 LibreSSL 3.4.1 (2021-10-14) added support for
7454 `SSL_CTX_set_ciphersuites`.
7456 Ref: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.1-relnotes.txt
7458 Reviewed-by: Jay Satiro
7461 - openssl: use `SSL_CTX_set_keylog_callback` with LibreSSL 3.5.0
7463 LibreSSL 3.5.0 (2022-02-24) added support for
7464 `SSL_CTX_set_keylog_callback`.
7466 Ref: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.0-relnotes.txt
7468 Reviewed-by: Jay Satiro
7471 - cmake: drop `HAVE_LIBWINMM` and `HAVE_LIBWS2_32` feature checks
7473 - `HAVE_LIBWINMM` was detected but unused. The `winmm` system library is
7474 also not used by curl, but it is by its optional dependency `librtmp`.
7475 Change the logic to always add `winmm` when `USE_LIBRTMP` is set. This
7476 library has been available since the early days of Windows.
7478 - `HAVE_LIBWS2_32` detected `ws2_32` lib on Windows. This lib is present
7479 since Windows 95 OSR2 (AFAIR). Winsock1 already wasn't supported and
7480 other existing logic already assumed this lib being present, so delete
7481 the check and replace the detection variable with `WIN32` and always
7482 add `ws2_32` on Windows.
7486 Daniel Gustafsson (8 Aug 2023)
7488 - crypto: ensure crypto initialization works
7490 Make sure that context initialization during hash setup works to avoid
7491 going forward with the risk of a null pointer dereference.
7493 Reported-by: Philippe Antoine on HackerOne
7494 Assisted-by: Jay Satiro
7495 Assisted-by: Daniel Stenberg
7499 Viktor Szakats (7 Aug 2023)
7501 - openssl: switch to modern init for LibreSSL 2.7.0+
7503 LibreSSL 2.7.0 (2018-03-21) introduced automatic initialization,
7504 `OPENSSL_init_ssl()` function and deprecated the old, manual init
7505 method, as seen in OpenSSL 1.1.0. Switch to the modern method when
7508 Ref: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.0-relnotes.txt
7510 Reviewed-by: Daniel Stenberg
7513 Daniel Stenberg (7 Aug 2023)
7517 We remove support for building curl with gskit.
7519 - This is a niche TLS library, only running on some IBM systems
7520 - no regular curl contributors use this backend
7521 - no CI builds use or verify this backend
7522 - gskit, or the curl adaption for it, lacks many modern TLS features
7523 making it an inferior solution
7524 - build breakages in this code take weeks or more to get detected
7525 - fixing gskit code is mostly done "flying blind"
7527 This removal has been advertized in DEPRECATED in Jan 2, 2023 and it has
7528 been mentioned on the curl-library mailing list.
7530 It could be brought back, this is not a ban. Given proper effort and
7531 will, gskit support is welcome back into the curl TLS backend family.
7535 - RELEASE-NOTES: synced
7537 Dan Fandrich (7 Aug 2023)
7539 - THANKS-filter: add a name typo
7541 Stefan Eissing (7 Aug 2023)
7543 - http3/ngtcp2: shorten handshake, trace cleanup
7545 - shorten handshake timing by delayed x509 store load (OpenSSL)
7547 - cleanup of trace output, align with HTTP/2 output
7551 Daniel Stenberg (7 Aug 2023)
7553 - headers: accept leading whitespaces on first response header
7555 This is a bad header fold but since the popular browsers accept this
7556 violation, so does curl now. Unless built with hyper.
7558 Add test 1473 to verify and adjust test 2306.
7560 Reported-by: junsik on github
7564 - include/curl/mprintf.h: add __attribute__ for the prototypes
7566 - if gcc or clang is used
7567 - if __STDC_VERSION__ >= 199901L, which means greater than C90
7568 - if not using mingw
7569 - if CURL_NO_FMT_CHECKS is not defined
7573 - tests: fix bad printf format flags in test code
7575 - tests: fix header scan tools for attribute edits in mprintf.h
7577 - cf-socket: log successful interface bind
7579 When the setsockopt SO_BINDTODEVICE operation succeeds, output that in
7585 - CURLOPT_SSL_VERIFYPEER.3: mention it does not load CA certs when disabled
7590 - CURLOPT_SSL_VERIFYPEER.3: add two more see also options
7592 CURLINFO_CAINFO and CURLINFO_CAPATH
7596 - KNOWN_BUGS: aws-sigv4 does not behave well with AWS VPC Lattice
7600 Graham Campbell (6 Aug 2023)
7602 - CI: use openssl 3.0.10+quic, nghttp3 0.14.0, ngtcp2 0.18.0
7606 Daniel Stenberg (6 Aug 2023)
7608 - TODO: add *5* entries for aws-sigv4
7616 - TODO: LDAP Certificate-Based Authentication
7620 Stefan Eissing (6 Aug 2023)
7622 - http2: cleanup trace messages
7624 - more compact format with bracketed stream id
7625 - all frames traced in and out
7629 Daniel Stenberg (6 Aug 2023)
7631 - tests/tftpd+mqttd: make variables static to silence picky warnings
7635 - docs/cmdline: remove repeated working for negotiate + ntlm
7637 The extra wording is added automatically by the gen.pl tool
7641 - docs/cmdline: add small "warning" to verbose options
7643 "Note that verbose output of curl activities and network traffic might
7644 contain sensitive data, including user names, credentials or secret data
7645 content. Be aware and be careful when sharing trace logs with others."
7649 - RELEASE-NOTES: synced
7651 - pingpong: don't use *bump_headersize
7653 We use that for HTTP(S) only.
7655 Follow-up to 3ee79c1674fd6
7659 - urldata: remove spurious parenthesis to unbreak no-proxy build
7661 Follow-up to e12b39e13382
7665 - easy: don't call Curl_trc_opt() in disabled-verbose builds
7667 Follow-up to e12b39e133822c6a0
7671 - http: use %u for printfing int
7673 Follow-up to 3ee79c1674fd6f99e8efca5
7677 Goro FUJI (3 Aug 2023)
7679 - vquic: show stringified messages for errno
7683 Stefan Eissing (3 Aug 2023)
7685 - trace: make tracing available in non-debug builds
7687 Add --trace-config to curl
7689 Add curl_global_trace() to libcurl
7693 Daniel Stenberg (3 Aug 2023)
7695 - TODO: remove "Support intermediate & root pinning for PINNEDPUBLICKEY"
7697 See also https://github.com/curl/curl/pull/7507
7699 - TODO: add "WebSocket read callback"
7701 remove "Upgrade to websockets" as we already have this
7705 - test497: verify rejecting too large incoming headers
7707 - http: return error when receiving too large header set
7709 To avoid abuse. The limit is set to 300 KB for the accumulated size of
7710 all received HTTP headers for a single response. Incomplete research
7711 suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
7716 Stefan Eissing (3 Aug 2023)
7718 - http2: upgrade tests and add fix for non-existing stream
7720 - check in h2 filter recv that stream actually exists
7721 and return error if not
7722 - add test for parallel, extreme h2 upgrades that fail if
7723 connections get reused before fully switched
7724 - add h2 upgrade upload test just for completeness
7728 Viktor Szakats (3 Aug 2023)
7730 - tests: ensure `libcurl.def` contains all exports
7732 Add `test1279` to verify that `libcurl.def` lists all exported API
7733 functions found in libcurl headers.
7737 - extend test suite XML `stdout` tag with the `loadfile` attribute.
7739 - fix `tests/extern-scan.pl` and `test1135` to include websocket API.
7741 - use all headers (sorted) in `test1135` instead of a manual list.
7743 - add options `--sort`, `--heading=` to `tests/extern-scan.pl`.
7745 - add `libcurl.def` to the auto-labeler GHA task.
7747 Follow-up to 2ebc74c36a19a1700af394c16855ce144d9878e3
7751 Daniel Stenberg (2 Aug 2023)
7753 - url: change default value for CURLOPT_MAXREDIRS to 30
7755 It was previously unlimited by default, but that's not a sensible
7756 default. While changing this has a remote risk of breaking an existing
7757 use case, I figure it is more likely to actually save users from loops.
7761 - lib: fix a few *printf() flag mistakes
7763 Reported-by: Gisle Vanem
7767 Samuel Chiang (2 Aug 2023)
7769 - openssl: make aws-lc version support OCSP
7771 And bump version in CI
7775 Daniel Stenberg (2 Aug 2023)
7777 - tool: make the length argument an int for printf()-.* flags
7781 - tool_operate: fix memory leak when SSL_CERT_DIR is used
7783 Detected by Coverity
7785 Follow-up to 29bce9857a12b6cfa726a5
7789 - tool/var: free memory on OOM
7791 Coverity detected this memory leak in OOM situation
7793 Follow-up to 2e160c9c652504e
7797 Viktor Szakats (2 Aug 2023)
7799 - gha: bump libressl and mbedtls versions
7803 Jay Satiro (2 Aug 2023)
7805 - schannel: fix user-set legacy algorithms in Windows 10 & 11
7807 - If the user set a legacy algorithm list (CURLOPT_SSL_CIPHER_LIST) then
7808 use the SCHANNEL_CRED legacy structure to pass the list to Schannel.
7810 - If the user set both a legacy algorithm list and a TLS 1.3 cipher list
7813 Although MS doesn't document it, Schannel will not negotiate TLS 1.3
7814 when SCHANNEL_CRED is used. That means setting a legacy algorithm list
7815 limits the user to earlier versions of TLS.
7817 Prior to this change, since 8beff435 (precedes 7.85.0), libcurl would
7818 ignore legacy algorithms in Windows 10 1809 and later.
7820 Reported-by: zhihaoy@users.noreply.github.com
7822 Fixes https://github.com/curl/curl/pull/10741
7823 Closes https://github.com/curl/curl/pull/10746
7825 Daniel Stenberg (2 Aug 2023)
7827 - variable.d: setting a variable again overwrites it
7829 Reported-by: Niall McGee
7830 Bug: https://twitter.com/niallmcgee/status/1686523075423322113
7833 Jay Satiro (2 Aug 2023)
7835 - CURLOPT_PROXY_SSL_OPTIONS.3: sync formatting
7837 - Re-wrap CURLSSLOPT_ALLOW_BEAST description.
7839 Daniel Stenberg (2 Aug 2023)
7841 - RELEASE-NOTES: synced
7843 - resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set
7845 Previously it would always do PF_UNSPEC if CURL_IPRESOLVE_V4 is not
7846 used, thus unnecessarily asking for addresses that will not be used.
7848 Reported-by: Joseph Tharayil
7852 - docs: link to the website versions instead of markdowns
7854 ... to make the links work when the markdown is converted to webpages on
7857 Reported-by: Maurício Meneghini Fauth
7858 Fixes https://github.com/curl/curl-www/issues/272
7861 Viktor Szakats (1 Aug 2023)
7863 - cmake: cache more config and delete unused ones
7865 - cache more Windows config results for faster initialization.
7867 - delete unused config macros `HAVE_SYS_UTSNAME_H`, `HAVE_SSL_H`.
7869 - delete dead references to `sys/utsname.h`.
7873 - egd: delete feature detection and related source code
7875 EGD is Entropy Gathering Daemon, a socket-based entropy source supported
7876 by pre-OpenSSL v1.1 versions and now deprecated. curl also deprecated it
7879 Its detection in CMake was broken all along because OpenSSL libs were
7880 not linked at the point of feature check.
7882 Delete detection from both cmake and autotools, along with the related
7883 source snippet, and the `--with-egd-socket=` `./configure` option.
7887 Stefan Eissing (1 Aug 2023)
7889 - tests: fix h3 server check and parallel instances
7891 - fix check for availability of nghttpx server
7892 - add `tcp` frontend config for same port as quic, as
7893 without this, port 3000 is bound which clashes for parallel
7898 Daniel Stenberg (1 Aug 2023)
7900 - docs/cmdline-opts: spellfixes, typos and polish
7902 To make them accepted by the spell checker
7906 - CI/spellcheck: build curl.1 and spellcheck it
7908 Added acceptable words
7912 Alexander Jaeger (1 Aug 2023)
7914 - misc: fix various typos
7918 Daniel Stenberg (1 Aug 2023)
7920 - http2: avoid too early connection re-use/multiplexing
7922 HTTP/1 connections that are upgraded to HTTP/2 should not be picked up
7923 for reuse and multiplexing by other handles until the 101 switching
7924 process is completed.
7926 Lots-of-debgging-by: Stefan Eissing
7927 Reported-by: Richard W.M. Jones
7928 Bug: https://curl.se/mail/lib-2023-07/0045.html
7931 - Revert "KNOWN_BUGS: build for iOS simulator on macOS 13.2 with Xcode 14"
7933 This reverts commit 2e8a3d7cb73c85a9aa151e263315f8a496dbb9d4.
7935 It's a user error for supplying incomplete information to the build system.
7937 Reported-by: Ryan Schmidt
7938 Ref: https://github.com/curl/curl/issues/11215#issuecomment-1658729367
7940 Viktor Szakats (1 Aug 2023)
7942 - cmake: add support for single libcurl compilation pass
7944 Before this patch CMake builds used two separate compilation passes to
7945 build the shared and static libcurl respectively. This patch allows to
7946 reduce that to a single pass if the target platform and build settings
7949 This reduces CMake build times when building both static and shared
7950 libcurl at the same time, making these dual builds an almost zero-cost
7953 Enable this feature for Windows builds, where the difference between the
7954 two passes was the use of `__declspec(dllexport)` attribute for exported
7955 API functions for the shared builds. This patch replaces this method
7956 with the use of `libcurl.def` at DLL link time.
7958 Also update `Makefile.mk` to use `libcurl.def` to export libcurl API
7959 symbols on Windows. This simplifies (or fixes) this build method (e.g.
7960 in curl-for-win, which generated a `libcurl.def` from `.h` files using
7961 an elaborate set of transformations).
7963 `libcurl.def` has the maintenance cost of keeping the list of public
7964 libcurl API symbols up-to-date. This list seldom changes, so the cost
7969 - cmake: detect `SSL_set0_wbio` in OpenSSL
7971 Present in OpenSSL 1.1.0 and BoringSSL.
7972 Missing from LibreSSL 3.8.0.
7974 Follow-up to f39472ea9f4f4e12cfbc0500c4580a8d52ce4a59
7976 While here, also fix `RAND_egd()` detection which was broken, likely all
7977 along. This feature is probably broken with CMake builds and also
7978 requires a sufficiently obsolete OpenSSL version, so this part of the
7979 update was not tested.
7983 - cmake: fixup H2 duplicate symbols for unity builds
7987 Pablo Busse (1 Aug 2023)
7989 - openssl: Support async cert verify callback
7991 - Update the OpenSSL connect state machine to handle
7992 SSL_ERROR_WANT_RETRY_VERIFY.
7994 This allows libcurl users that are using custom certificate validation
7995 to suspend processing while waiting for external I/O during certificate
7998 Closes https://github.com/curl/curl/pull/11499
8000 Jay Satiro (1 Aug 2023)
8002 - tool_cb_wrt: fix invalid unicode for windows console
8004 - Suppress an incomplete UTF-8 sequence at the end of the buffer.
8006 - Attempt to reconstruct incomplete UTF-8 sequence from prior call(s)
8009 Prior to this change, in Windows console UTF-8 sequences split between
8010 two or more calls to the write callback would cause invalid "replacement
8011 characters" U+FFFD to be printed instead of the actual Unicode
8012 character. This is because in Windows only UTF-16 encoded characters are
8013 printed to the console, therefore we convert the UTF-8 contents to
8014 UTF-16, which cannot be done with partial UTF-8 sequences.
8016 Reported-by: Maksim Arhipov
8018 Fixes https://github.com/curl/curl/issues/9841
8019 Closes https://github.com/curl/curl/pull/10890
8021 Daniel Stenberg (1 Aug 2023)
8023 - sectransp: prevent CFRelease() of NULL
8025 When SecCertificateCopyCommonName() returns NULL, the common_name
8026 pointer remains set to NULL which apparently when calling CFRelease() on
8027 (sometimes?) crashes.
8029 Reported-by: Guillaume Algis
8033 Jay Satiro (1 Aug 2023)
8035 - vtls: clarify "ALPN: offers" message
8038 * ALPN: offers h2,http/1.1
8041 * ALPN: curl offers h2,http/1.1
8043 Bug: https://curl.se/mail/lib-2023-07/0041.html
8044 Reported-by: Richard W.M. Jones
8047 Daniel Stenberg (1 Aug 2023)
8049 - urlapi: make sure zoneid is also duplicated in curl_url_dup
8051 Add several curl_url_dup() tests to the general lib1560 test.
8053 Reported-by: Rutger Broekhoff
8054 Bug: https://curl.se/mail/lib-2023-07/0047.html
8059 - urlapi: fix heap buffer overflow
8061 `u->path = Curl_memdup(path, pathlen + 1);` accesses bytes after the null-ter
8065 ==2676==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x04d48c75 a
8066 t pc 0x0112708a bp 0x006fb7e0 sp 0x006fb3c4
8067 READ of size 78 at 0x04d48c75 thread T0
8068 #0 0x1127089 in __asan_wrap_memcpy D:\a\_work\1\s\src\vctools\asan\llvm\c
8069 ompiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:840
8070 #1 0x1891a0e in Curl_memdup C:\actions-runner\_work\client\client\third_p
8071 arty\curl\lib\strdup.c:97
8072 #2 0x18db4b0 in parseurl C:\actions-runner\_work\client\client\third_part
8073 y\curl\lib\urlapi.c:1297
8074 #3 0x18db819 in parseurl_and_replace C:\actions-runner\_work\client\clien
8075 t\third_party\curl\lib\urlapi.c:1342
8076 #4 0x18d6e39 in curl_url_set C:\actions-runner\_work\client\client\third_
8077 party\curl\lib\urlapi.c:1790
8078 #5 0x1877d3e in parseurlandfillconn C:\actions-runner\_work\client\client
8079 \third_party\curl\lib\url.c:1768
8080 #6 0x1871acf in create_conn C:\actions-runner\_work\client\client\third_p
8081 arty\curl\lib\url.c:3403
8082 #7 0x186d8dc in Curl_connect C:\actions-runner\_work\client\client\third_
8083 party\curl\lib\url.c:3888
8084 #8 0x1856b78 in multi_runsingle C:\actions-runner\_work\client\client\thi
8085 rd_party\curl\lib\multi.c:1982
8086 #9 0x18531e3 in curl_multi_perform C:\actions-runner\_work\client\client\
8087 third_party\curl\lib\multi.c:2756
8092 Daniel Stenberg (31 Jul 2023)
8094 - curl: make %output{} in -w specify a file to write to
8096 It can be used multiple times. Use %output{>>name} to append.
8098 Add docs. Test 990 and 991 verify.
8101 Suggested-by: ed0d2b2ce19451f2
8104 - RELEASE-NOTES: synced
8106 - tool: add "variable" support
8108 Add support for command line variables. Set variables with --variable
8109 name=content or --variable name@file (where "file" can be stdin if set
8110 to a single dash (-)).
8112 Variable content is expanded in option parameters using "{{name}}"
8113 (without the quotes) if the option name is prefixed with
8114 "--expand-". This gets the contents of the variable "name" inserted, or
8115 a blank if the name does not exist as a variable. Insert "{{" verbatim
8116 in the string by prefixing it with a backslash, like "\\{{".
8118 Import an environment variable with --variable %name. It makes curl exit
8119 with an error if the environment variable is not set. It can also rather
8120 get a default value if the variable does not exist, using =content or
8121 @file like shown above.
8123 Example: get the USER environment variable into the URL:
8126 --expand-url = "https://example.com/api/{{USER}}/method"
8128 When expanding variables, curl supports a set of functions that can make
8129 the variable contents more convenient to use. It can trim leading and
8130 trailing white space with "trim", output the contents as a JSON quoted
8131 string with "json", URL encode it with "url" and base 64 encode it with
8132 "b64". To apply functions to a variable expansion, add them colon
8133 separated to the right side of the variable. They are then performed in
8134 a left to right order.
8136 Example: get the contents of a file called $HOME/.secret into a variable
8137 called "fix". Make sure that the content is trimmed and percent-encoded
8140 --variable %HOME=/home/default
8141 --expand-variable fix@{{HOME}}/.secret
8142 --expand-data "{{fix:trim:url}}"
8143 https://example.com/
8145 Documented. Many new test cases.
8147 Co-brainstormed-by: Emanuele Torre
8148 Assisted-by: Jat Satiro
8151 - KNOWN_BUGS: cygwin: make install installs curl-config.1 twice
8155 - KNOWN_BUGS: build for iOS simulator on macOS 13.2 with Xcode 14
8159 - KNOWN_BUGS: cmake outputs: no version information available
8163 - KNOWN_BUGS: APOP authentication fails on POP3
8167 - KNOWN_BUGS: hyper is slow
8171 Patrick Monnerat (31 Jul 2023)
8173 - configure, cmake, lib: more form api deprecation
8175 Introduce a --enable-form-api configure option to control its inclusion
8176 in builds. The condition name defined for it is CURL_DISABLE_FORM_API.
8178 Form api code is dependent of MIME: configure and CMake handle this
8179 dependency automatically: CMake by making it a dependent option
8180 explicitly, configure by inheriting the MIME value by default and
8181 rejecting explicit incompatible values.
8183 "form-api" is now a new hidden test feature.
8185 Update libcurl modules to respect this option and adjust tests
8190 Daniel Stenberg (31 Jul 2023)
8192 - mailmap: add Derzsi Dániel
8194 Derzsi Dániel (31 Jul 2023)
8196 - wolfssl: support loading system CA certificates
8200 Viktor Szakats (30 Jul 2023)
8202 - nss: delete more NSS references
8204 Fix the distcheck CI failure and delete more NSS references.
8206 Follow-up to 7c8bae0d9c9b2dfeeb008b9a316117d7b9675175
8208 Reviewed-by: Marcel Raad
8209 Reviewed-by: Daniel Stenberg
8212 Daniel Stenberg (29 Jul 2023)
8214 - nss: remove support for this TLS library
8218 Ryan Schmidt (29 Jul 2023)
8220 - macOS: fix target detection more
8222 Now SCDynamicStoreCopyProxies is called (and the required frameworks are
8223 linked in) on all versions of macOS and only on macOS. Fixes crash due
8224 to undefined symbol when built with the macOS 10.11 SDK or earlier.
8226 CURL_OSX_CALL_COPYPROXIES is renamed to CURL_MACOS_CALL_COPYPROXIES and
8227 is now only defined when SCDynamicStoreCopyProxies will actually be
8228 called. Previously, it was defined when ENABLE_IPV6 was not defined but
8229 SCDynamicStoreCopyProxies is not called in that case.
8231 TARGET_OS_OSX is only defined in the macOS 10.12 SDK and later and only
8232 when dynamic targets are enabled. TARGET_OS_MAC is always defined but
8233 means any Mac OS or derivative including macOS, iOS, tvOS, and watchOS.
8234 TARGET_OS_IPHONE means any Darwin OS other than macOS.
8236 Follow-up to c73b2f82
8241 Daniel Stenberg (29 Jul 2023)
8243 - tool_operate: allow SSL_CERT_FILE and SSL_CERT_DIR
8247 Reported-by: Gabriel Corona
8251 Thomas M. DuBuisson (29 Jul 2023)
8253 - CI: remove Lift's configuration
8255 The Lift tool is being retired. Their site reads:
8257 "Sonatype Lift will be retiring on Sep 12, 2023, with its analysis
8258 stopping on Aug 12, 2023."
8262 Nathan Moinvaziri (29 Jul 2023)
8264 - Revert "schannel: reverse the order of certinfo insertions"
8266 This reverts commit 8986df802db9b5338d9d50a54232ebae4dbcf6dd.
8268 Windows does not guarantee a particular certificate ordering, even
8269 though TLS may have its own ordering/relationship guarantees. Recent
8270 versions of Windows 11 reversed the ordering of ceritifcates returned by
8271 CertEnumCertificatesInStore, therefore this commit no longer works as
8272 initially intended. libcurl makes no guarantees about certificate
8273 ordering if the operating system can't.
8275 Ref: https://github.com/curl/curl/issues/9706
8277 Closes https://github.com/curl/curl/pull/11536
8279 wangzhikun (29 Jul 2023)
8281 - winbuild: improve check for static zlib
8283 - Check for zlib static library name zlibstatic.lib.
8285 zlib's static library has a different name depending on how it was
8286 built. zlibstatic.lib is output by cmake. zlibstat.lib is output by
8287 their pre-generated Visual Studio project files (in the contrib
8288 directory) and defines ZLIB_WINAPI (ie it's meant to use stdcall
8289 instead of cdecl if you end up exporting the zlib functions).
8291 Prior to this change the makefile only checked for the latter.
8293 Closes https://github.com/curl/curl/pull/11521
8295 Daniel Stenberg (29 Jul 2023)
8297 - configure: use the pkg-config --libs-only-l flag for libssh2
8299 ... instead of --libs, as that one also returns -L flags.
8301 Reported-by: Wilhelm von Thiele
8305 Viktor Szakats (29 Jul 2023)
8307 - cmake: support building static and shared libcurl in one go
8309 This patch adds the ability to build a static and shared libcurl library
8310 in a single build session. It also adds an option to select which one to
8311 use when building the curl executable.
8314 - `BUILD_STATIC_LIBS`. Default: `OFF`.
8315 Enabled automatically if `BUILD_SHARED_LIBS` is `OFF`.
8316 - `BUILD_STATIC_CURL`. Default: `OFF`.
8317 Requires `BUILD_STATIC_LIBS` enabled.
8318 Enabled automatically if building static libcurl only.
8319 - `STATIC_LIB_SUFFIX`. Default: empty.
8320 - `IMPORT_LIB_SUFFIX`. Default: `_imp` if implib filename would collide
8321 with static lib name (typically with MSVC) in Windows builds.
8326 - Stop setting the `CURL_STATICLIB` macro via `curl_config.h`, and pass
8327 it directly to the compiler. This also allows to delete a condition
8328 from `tests/server/CMakeLists.txt`.
8330 - Complete a TODO by following the logic used in autotools (also for
8331 `LIBCURL_NO_SHARED`), and set `-DCURL_STATICLIB` in `Cflags:` of
8332 `libcurl.pc` for _static-only_ curl builds.
8334 - Convert an existing CI test to build both shared and static libcurl.
8338 Stefan Eissing (28 Jul 2023)
8340 - CI/awslc: add cache for build awslc library
8344 - GHA/linux.yml: add caching
8348 Daniel Stenberg (27 Jul 2023)
8350 - RELEASE-NOTES: synced
8352 Bump working version to 8.3.0
8354 - url: remove infof() output for "still name resolving"
8356 The message does not help and might get spewed a lot during times.
8358 Reported-by: yushicheng7788 on github
8362 - KNOWN_BUGS: cygwin: "WARNING: UNPROTECTED PRIVATE KEY FILE!"
8366 Stefan Eissing (27 Jul 2023)
8368 - CI: quiche updates
8370 - remove quiche from standard `linux` workflow
8371 - add mod_h2 caching to quiche workflow
8372 - rename quiche to quiche-linux
8373 - move version definitions into env section
8377 - http2: disable asssertion blocking OSSFuzz testing
8379 - not clear how this triggers and it blocks OSSFuzz testing other
8380 things. Since we handle the case with an error return, disabling the
8381 assertion for now seems the best way forward.
8386 - http2: fix in h2 proxy tunnel: progress in ingress on sending
8388 - depending on what is tunneled, the proxy may never get invoked for
8389 receiving data explicitly. Not progressing ingress may lead to stalls
8390 due to missed WINDOW_UPDATEs.
8393 - add a chache for building mod_h2
8397 - CI ngtcp2+quictls: use nghttpx cache as in quiche build
8399 Jay Satiro (27 Jul 2023)
8401 - bearssl: don't load CA certs when peer verification is disabled
8403 We already do this for other SSL backends.
8405 Bug: https://github.com/curl/curl/pull/11457#issuecomment-1644587473
8406 Reported-by: kyled-dell@users.noreply.github.com
8408 Closes https://github.com/curl/curl/pull/11497
8410 Daniel Stenberg (26 Jul 2023)
8412 - easy: remove #ifdefs to make code easier on the eye
8416 Stefan Eissing (26 Jul 2023)
8418 - GHA: adding quiche workflow
8420 - adding separate quiche workflow to also build nghttpx server for testing
8424 Version 8.2.1 (26 Jul 2023)
8426 Daniel Stenberg (26 Jul 2023)
8428 - RELEASE-NOTES: synced
8432 - THANKS: add contributors from 8.2.1
8434 - docs: provide more see also for cipher options
8436 More cross references. Hide nroff errors.
8440 - docs: mark two TLS options for TLS, not SSL
8444 Brad Harder (25 Jul 2023)
8446 - curl_multi_wait.3: fix arg quoting to doc macro .BR
8450 Daniel Stenberg (24 Jul 2023)
8452 - RELEASE-NOTES: synced
8454 Viktor Szakats (24 Jul 2023)
8456 - cmake: update ngtcp2 detection
8458 Replace `OpenSSL` with `quictls` to follow the same change
8459 in the v0.17.0 ngtcp2 release.
8461 Follow-up to e0093b4b732f6495b0fb1cd6747cbfedcdcf63ed
8465 Stefan Eissing (24 Jul 2023)
8467 - http: VLH, very large header test and fixes
8469 - adding tests using very large passwords in auth
8470 - fixes general http sending to treat h3 like h2, and
8472 - eliminate H2_HEADER max definitions and use the commmon
8473 DYN_HTTP_REQUEST everywhere, different limits do not help
8474 - fix http2 handling of requests denied by nghttp2 on send
8475 to immediately report the refused stream
8479 Andrei Rybak (23 Jul 2023)
8481 - CONTRIBUTE: drop mention of copyright year ranges
8483 Year ranges in copyrights were dropped in commits [1] and [2].
8484 Verification of year ranges in copyrights was dropped from script
8485 'scripts/copyright.pl' in commit [3]. However, the corresponding
8486 passages in file 'docs/CONTRIBUTE.md' weren't updated.
8488 Drop mentions of copyright year ranges from 'docs/CONTRIBUTE.md'.
8490 [1] 2bc1d775f (copyright: update all copyright lines and remove year
8492 [2] c46761bd8 (tests/http: remove year ranges from copyrights,
8494 [3] 0e293bacb (copyright.pl: cease doing year verifications, 2023-01-28)
8498 - CONTRIBUTE: fix syntax in commit message description
8500 File 'docs/CONTRIBUTE.md' includes a description of how one should write
8501 commit messages in the curl project. Different possible parts of the
8502 message are enclosed in square brackets. One exception is the section
8503 describing how the curl project doesn't use "Signed-off-by" commit
8504 trailers [1], which is enclosed in an opening curly brace paired with a
8505 closing square bracket.
8507 Fix the enclosing square brackets in description of "Signed-off-by"
8508 trailers in commit messages in file 'docs/CONTRIBUTE.md'.
8510 [1] See description of option '--signoff' in Git documentation:
8511 https://git-scm.com/docs/git-commit
8515 Daniel Stenberg (23 Jul 2023)
8517 - src/mkhelp: strip off escape sequences
8519 At some point the nroff command stopped stripping off escape sequences,
8520 so then this script needs to do the job instead.
8522 Reported-by: VictorVG on github
8526 - KNOWN_BUGS: building for old macOS fails with gcc
8530 Jacob Hoffman-Andrews (22 Jul 2023)
8532 - rustls: update rustls-ffi 0.10.0
8534 This brings in version 0.21.0 of the upstream rustls implementation,
8535 which notable includes support for IP address certificates.
8539 Brad Harder (22 Jul 2023)
8541 - websocket: rename arguments/variables to match docs
8543 Pedantry/semantic-alignment between functions, docs, comments with
8544 respect to websocket protocol code; No functional change intended.
8546 * "totalsize", "framesize" becomes "fragsize" (we deal in frame fragments).
8548 * "sendflags" becomes "flags"
8550 * use canonical CURL *handle
8554 Jan Macku (21 Jul 2023)
8556 - bug_report: use issue forms instead of markdown template
8558 Issue forms allow you to define web-like input forms using YAML
8559 syntax. It allows you to guide the reporter to get the required
8562 Signed-off-by: Jan Macku <jamacku@redhat.com>
8565 Daniel Stenberg (21 Jul 2023)
8567 - TODO: Obey Retry-After in redirects
8569 (remove "Set custom client ip when using haproxy protocol" which was
8572 Mentioned-by: Yair Lenga
8575 - RELEASE-NOTES: synced
8577 Oliver Roberts (21 Jul 2023)
8579 - amissl: fix AmiSSL v5 detection
8581 Due to changes in the AmiSSL SDK, the detection needed adjusting.
8585 Alois Klink (21 Jul 2023)
8587 - unittest/makefile: remove unneeded unit1621_LDADD
8589 The `unit1621_LDADD` variable has the exact same value as the `LDADD`
8590 flag in `Makefile.am`, except without `@LDFLAGS@ @LIBCURL_LIBS@`.
8592 This was originally added by [98e6629][], but I can't see any reason
8593 why it exists, so we should remove it to clean things up.
8595 [98e6629]: https://github.com/curl/curl/commit/98e6629154044e4ab1ee7cff8351c7
8600 - unittest/makefile: remove unneeded unit1394_LDADD
8602 These custom `unit1394_LDADD` and similar automake overrides are no
8603 longer neded. They were originally added by added by [8dac7be][] for
8604 metalink support, but are no longer after [265b14d][] removed metalink.
8606 [8dac7be]: https://github.com/curl/curl/commit/8dac7be438512a8725d3c71e9139bd
8608 [265b14d]: https://github.com/curl/curl/commit/265b14d6b37c4298bd5556fabcbc37
8613 - cmake: add `libcurlu`/`libcurltool` for unit tests
8615 Add a `libcurlu`/`libcurltool` static library that is compiled only for
8616 unit tests. We use `EXCLUDE_FROM_ALL` to make sure that they're not
8617 built by default, they're only built if unit tests are built.
8619 These libraries allow us to compile every unit test with CMake.
8623 Daniel Stenberg (21 Jul 2023)
8625 - test979: test -u with redirect to (the same) absolute host
8629 - transfer: do not clear the credentials on redirect to absolute URL
8631 Makes test 979 work. Regression shipped in 8.2.0 from commit
8635 Reported-by: Cloudogu Siebels
8638 Jon Rumsey (20 Jul 2023)
8640 - os400: correct EXPECTED_STRING_LASTZEROTERMINATED
8642 Correct EXPECTED_STRING_LASTZEROTERMINATED to account for
8643 CURLOPT_HAPROXY_CLIENT_IP which requires EBCDIC to ASCII conversion when
8644 passed into curl_easy_setopt().
8648 Oliver Roberts (20 Jul 2023)
8650 - amissl: add missing signal.h include
8652 In some environments, signal.h is already included, but not in others
8653 which cause compilation to fail, so explictly include it.
8657 - amigaos: fix sys/mbuf.h m_len macro clash
8659 The updated Curl_http_req_make and Curl_http_req_make2 functions spawned
8660 a parameter called m_len. The AmigaOS networking headers, derived from
8661 NetBSD, contain "#define m_len m_hdr.mh_len" which clashes with
8662 this. Since we do not actually use mbuf, force the include file to be
8663 ignored, removing the clash.
8667 Daniel Stenberg (20 Jul 2023)
8669 - socks: print ipv6 address within brackets
8674 Christian Schmitz (20 Jul 2023)
8676 - libcurl-errors.3: add CURLUE_OK
8680 Oliver Roberts (20 Jul 2023)
8682 - cfilters: rename close/connect functions to avoid clashes
8684 Rename `close` and `connect` in `struct Curl_cftype` for
8685 consistency and to avoid clashes with macros of the same name
8686 (the standard AmigaOS networking connect() function is implemented
8691 Stefan Eissing (20 Jul 2023)
8693 - http2: fix regression on upload EOF handling
8695 - a regression introduced by c9ec85121110d7cbbbed2990024222c8f5b8afe5
8696 where optimization of small POST bodies leads to a new code path
8697 for such uploads that did not trigger the "done sending" event
8698 - add triggering this event for early "upload_done" situations
8702 Reported-by: Aleksander Mazur
8704 Daniel Stenberg (19 Jul 2023)
8706 - configure: check for nghttp2_session_get_stream_local_window_size
8708 The http2 code uses it now. Introduced in nghttp2 1.15.0 (Sep 2016)
8711 Reported-by: Paul Howarth
8714 Stefan Eissing (19 Jul 2023)
8716 - quiche: fix segfault and other things
8718 - refs #11449 where a segfault is reported when IP Eyeballing did
8719 not immediately connect but made several attempts
8720 - The transfer initiating the eyeballing was initialized too early,
8721 leadding to references to the filter instance that was then
8722 replaced in the subsequent eyeball attempts. That led to a use
8723 after free in the buffer handling for the transfer
8724 - transfers are initiated now more lazy (like in the ngtcp2 filter),
8725 when the stream is actually opened
8726 - suppress reporting on quiche event errors for "other" transfers
8727 than the current one to not fail a transfer due to faults in
8729 - revert recent return value handling for quiche_h3_recv_body()
8730 to not indicate an error but an EAGAIN situation. We wish quiche
8731 would document what functions return.
8737 Daniel Stenberg (19 Jul 2023)
8739 - hostip: return IPv6 first for localhost resolves
8742 Reported-by: Chilledheart on github
8745 Harry Sintonen (19 Jul 2023)
8747 - tool: fix tool_seek_cb build when SIZEOF_CURL_OFF_T > SIZEOF_OFF_T
8749 - a variable was renamed, and some use of it wasn't. this fixes the
8754 Stefan Eissing (19 Jul 2023)
8756 - quiche: fix lookup of transfer at multi
8758 - refs #11449 where weirdness in quiche multi connection tranfers was
8760 - fixes lookup of transfer for a quiche event to take the connection
8762 - formerly, a transfer with the same stream_id, but on another connection
8767 Daniel Stenberg (19 Jul 2023)
8769 - RELEASE-NOTES: synced
8773 John Haugabook (19 Jul 2023)
8775 - ciphers.d: put URL in first column
8777 This makes the URL turn into a link properly when "webified".
8779 Fixes https://github.com/curl/curl-www/issues/270
8782 Version 8.2.0 (19 Jul 2023)
8784 Daniel Stenberg (19 Jul 2023)
8786 - RELEASE-NOTES: synced
8790 - THANKS-filter: strip out "GitHub"
8792 - THANKS: add contributors from 8.2.0
8794 - RELEASE-PROCEDURE.md: adjust the release dates
8796 Stefan Eissing (17 Jul 2023)
8798 - quiche: fix defects found in latest coverity report
8802 Daniel Stenberg (17 Jul 2023)
8804 - quiche: avoid NULL deref in debug logging
8806 Coverity reported "Dereference after null check"
8808 If stream is NULL and the function exits, the logging must not deref it.
8812 Stefan Eissing (17 Jul 2023)
8814 - http2: treat initial SETTINGS as a WINDOW_UPDATE
8816 - refs #11426 where spurious stalls on large POST requests
8818 - the issue seems to involve the following
8819 * first stream on connection adds up to 64KB of POST
8820 data, which is the max default HTTP/2 stream window size
8821 transfer is set to HOLD
8822 * initial SETTINGS from server arrive, enlarging the stream
8823 window. But no WINDOW_UPDATE is received.
8825 - the fix un-HOLDs a stream on receiving SETTINGS, not
8826 relying on a WINDOW_UPDATE from lazy servers
8830 Daniel Stenberg (17 Jul 2023)
8832 - ngtcp2: assigning timeout, but value is overwritten before used
8834 Reported by Coverity
8838 - krb5: add typecast to please Coverity
8840 Derzsi Dániel (16 Jul 2023)
8842 - wolfssl: support setting CA certificates as blob
8846 - wolfssl: detect when TLS 1.2 support is not built into wolfssl
8850 Graham Campbell (15 Jul 2023)
8852 - CI: bump nghttp2 from 1.55.0 to 1.55.1
8856 Daniel Stenberg (15 Jul 2023)
8858 - curl: return error when asked to use an unsupported HTTP version
8860 When one of the following options are used but the libcurl in use does
8864 --http2-prior-knowledge
8869 Chris Paulson-Ellis (14 Jul 2023)
8871 - cf-socket: don't bypass fclosesocket callback if cancelled before connect
8873 After upgrading to 8.1.2 from 7.84.0, I found that sockets were being
8874 closed without calling the fclosesocket callback if a request was
8875 cancelled after the associated socket was created, but before the socket
8876 was connected. This lead to an imbalance of fopensocket & fclosesocket
8877 callbacks, causing problems with a custom event loop integration using
8880 This was caused by cf_socket_close() calling sclose() directly instead
8881 of calling socket_close() if the socket was not active. For regular TCP
8882 client connections, the socket is activated by cf_socket_active(), which
8883 is only called when the socket completes the connect.
8885 As far as I can tell, this issue has existed since 7.88.0. That is,
8886 since the code in question was introduced by:
8887 commit 71b7e0161032927cdfb4e75ea40f65b8898b3956
8888 Author: Stefan Eissing <stefan@eissing.org>
8889 Date: Fri Dec 30 09:14:55 2022 +0100
8891 lib: connect/h2/h3 refactor
8895 Daniel Stenberg (13 Jul 2023)
8897 - tool_parsecfg: accept line lengths up to 10M
8899 Bumped from 100K set in 47dd957daff9
8901 Reported-by: Antoine du Hamel
8905 Stefan Eissing (13 Jul 2023)
8907 - CI: brew fix for openssl in default path
8909 If brew install/update links openssl into /usr/local, it will be found
8910 before anything we add with `-isystem path` to CPP/LDLFAGS. Get rid of
8911 that by unlinking the keg.
8916 Daniel Stenberg (13 Jul 2023)
8918 - RELEASE-NOTES: synced
8920 Ondřej Koláček (13 Jul 2023)
8922 - sectransp: fix EOF handling
8924 Regression since the large refactor from 2022
8928 Daniel Stenberg (13 Jul 2023)
8930 - checksrc: quote the file name to work with "funny" letters
8934 Karthikdasari0423 (13 Jul 2023)
8936 - HTTP3.md: ngtcp2 updated to v0.17.0 and nghttp3 to v0.13.0
8938 Follow-up to e0093b4b732f6
8942 Daniel Stenberg (13 Jul 2023)
8944 - CURLOPT_MIMEPOST.3: clarify what setting to NULL means
8946 Follow-up to e08382a208d4e480
8950 Tatsuhiro Tsujikawa (12 Jul 2023)
8952 - ngtcp2: build with 0.17.0 and nghttp3 0.13.0
8954 - ngtcp2_crypto_openssl was renamed to ngtcp2_crypto_quictls.
8958 - CI: Bump ngtcp2, nghttp3, and nghttp2
8962 James Fuller (11 Jul 2023)
8964 - example/maxconnects: set maxconnect example
8968 Pontakorn Prasertsuk (11 Jul 2023)
8970 - http2: send HEADER & DATA together if possible
8974 Daniel Stenberg (11 Jul 2023)
8976 - CI: use wolfSSL 5.6.3 in builds
8978 No using master anymore
8982 SaltyMilk (11 Jul 2023)
8988 Daniel Stenberg (11 Jul 2023)
8990 - cmake: make use of snprintf
8992 Follow-up to 935b1bd4544a23a91d68
8996 Stefan Eissing (11 Jul 2023)
8998 - macOS: fix taget detection
9000 - TARGET_OS_OSX is not always defined on macOS
9001 - this leads to missing symbol Curl_macos_init()
9002 - TargetConditionals.h seems to define these only when
9003 dynamic targets are enabled (somewhere?)
9004 - this PR fixes that on my macOS 13.4.1
9005 - I have no clue why CI builds worked without it
9007 Follow-up to c7308592fb8ba213fc2c1
9010 Stan Hu (9 Jul 2023)
9012 - hostip.c: Move macOS-specific calls into global init call
9014 https://github.com/curl/curl/pull/7121 introduced a macOS system call
9015 to `SCDynamicStoreCopyProxies`, which is invoked every time an IP
9016 address needs to be resolved.
9018 However, this system call is not thread-safe, and macOS will kill the
9019 process if the system call is run first in a fork. To make it possible
9020 for the parent process to call this once and prevent the crash, only
9021 invoke this system call in the global initialization routine.
9023 In addition, this change is beneficial because it:
9025 1. Avoids extra macOS system calls for every IP lookup.
9026 2. Consolidates macOS-specific initialization in a separate file.
9031 Daniel Stenberg (9 Jul 2023)
9033 - docs: use a space after RFC when spelling out RFC numbers
9039 - imap-append.c: update to make it more likely to work
9044 Emanuele Torre (9 Jul 2023)
9046 - tool_writeout_json: fix encoding of control characters
9048 Control characters without a special escape sequence e.g. %00 or %06
9049 were being encoded as "u0006" instead of "\u0006".
9051 Ref: https://github.com/curl/trurl/pull/214#discussion_r1257487858
9054 Stefan Eissing (9 Jul 2023)
9056 - http3/ngtcp2: upload EAGAIN handling
9058 - refs #11389 where IDLE timeouts on upload are reported
9059 - reword ngtcp2 expiry handling to apply to both send+recv
9060 calls into the filter
9061 - EAGAIN uploads similar to the recent changes in HTTP/2, e.g.
9062 report success only when send data was ACKed.
9063 - HOLD sending of EAGAINed uploads to avoid cpu busy loops
9064 - rename internal function for consistency with HTTP/2
9070 Brian Nixon (9 Jul 2023)
9072 - tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION`
9076 Daniel Stenberg (9 Jul 2023)
9078 - RELEASE-NOTES: synced
9080 - transfer: clear credentials when redirecting to absolute URL
9082 Make sure the user and password for the second request is taken from the
9085 Add test case 899 to verify.
9087 Reported-by: James Lucas
9091 Stefan Eissing (8 Jul 2023)
9093 - hyper: fix EOF handling on input
9095 We ran out of disc space due to an infinite loop with debug logging
9099 Reported-by: Dan Fandrich
9101 - http2: raise header limitations above and beyond
9103 - not quite to infinity
9104 - rewrote the implementation of our internal HTTP/1.x request
9105 parsing to work with very large lines using dynbufs.
9106 - new default limit is `DYN_HTTP_REQUEST`, aka 1MB, which
9107 is also the limit of curl's general HTTP request processing.
9112 Juan Cruz Viotti (8 Jul 2023)
9114 - curl_easy_nextheader.3: add missing open parenthesis examples
9117 Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
9119 Dan Fandrich (7 Jul 2023)
9121 - CI: enable verbose test output on pytest
9123 This shows individual pass/fail status on tests and makes this output
9124 consistent with other jobs' pytest invocations.
9126 Stefan Eissing (28 Jun 2023)
9128 - http2: fix crash in handling stream weights
9130 - Delay the priority handling until the stream has been opened.
9132 - Add test2404 to reproduce and verify.
9134 Weights may change "on the run", which is why there are checks in
9135 general egress handling. These must not trigger when the stream has not
9138 Reported-by: jbgoog@users.noreply.github.com
9140 Fixes https://github.com/curl/curl/issues/11379
9141 Closes https://github.com/curl/curl/pull/11384
9143 - tests/http: Add mod_h2 directive `H2ProxyRequests`
9145 master of mod_h2 now requires H2ProxyRequests directives for forward
9146 proxying with HTTP/2 to work.
9148 Ref: https://github.com/icing/mod_h2/commit/3897a7086
9150 Closes https://github.com/curl/curl/pull/11392
9152 Dan Fandrich (28 Jun 2023)
9154 - CI: make Appveyor job names unique
9156 Two otherwise identical mingw-w64 jobs now have their differing compiler
9157 versions mentioned in their names.
9159 Sheshadri.V (25 Jun 2023)
9161 - curl.h: include <sys/select.h> for vxworks
9165 Dan Fandrich (24 Jun 2023)
9167 - CI: enable parallel make in more builds
9169 Most CI services provide at least two cores, so enable parallel make
9170 jobs to take advantage of that for builds. Some dependencies aren't safe
9171 to build in parallel so leave those as-is. Also, rename a few
9172 workflows to eliminate duplicate names and provide a better idea what
9175 - CI: don't install impacket if tests are not run
9177 It just wastes time and bandwidth and isn't even used.
9179 divinity76 (24 Jun 2023)
9181 - configure: the --without forms of the options are also gone
9183 --without-darwin-ssl and --without-metalink
9187 Daniel Stenberg (23 Jun 2023)
9189 - configure: add check for ldap_init_fd
9191 ... as otherwise the configure script will say it is OpenLDAP in the
9192 summary, but not set the USE_OPENLDAP define, therefor not using the
9193 intended OpenLDAP code paths.
9195 Regression since 4d7385446 (7.85.0)
9198 Reported-by: vlkl-sap on github
9200 Michał Petryka (23 Jun 2023)
9202 - cmake: stop CMake from quietly ignoring missing Brotli
9204 The CMake project was set to `QUIET` for Brotli instead of
9205 `REQUIRED`. This makes builds unexpectedly ignore missing Brotli even
9206 when `CURL_BROTLI` is enabled.
9210 Emanuele Torre (22 Jun 2023)
9212 - docs: add more .IP after .RE to fix indentation of generate paragraphs
9214 follow-up from 099f41e097c030077b8ec078f2c2d4038d31353b
9216 I just thought of checking all the other files with .RE, and I found 6
9217 other files that were missing .IP at the end.
9221 Stefan Eissing (22 Jun 2023)
9223 - http2: h2 and h2-PROXY connection alive check fixes
9225 - fix HTTP/2 check to not declare a connection dead when
9226 the read attempt results in EAGAIN
9227 - add H2-PROXY alive check as for HTTP/2 that was missing
9229 - add attach/detach around Curl_conn_is_alive() and remove
9230 these in filter methods
9231 - add checks for number of connections used in some test_10
9232 proxy tunneling tests
9236 - http2: error stream resets with code CURLE_HTTP2_STREAM
9238 - refs #11357, where it was reported that HTTP/1.1 downgrades
9240 - fixed with suggested change
9241 - added test_05_03 and a new handler in the curltest module
9242 to reproduce that downgrades work
9246 Reported-by: Jay Satiro
9248 Daniel Stenberg (22 Jun 2023)
9250 - connect-timeout.d: mention that the DNS lookup is included
9254 Emanuele Torre (22 Jun 2023)
9256 - quote.d: fix indentation of generated paragraphs
9258 quote.d was missing a .IP at the end which caused the paragraphs
9259 generated for See-also, Multi, and Example to not be indented correctly.
9261 I also remove a redundant "This option can be used multiple times.", and
9262 replaced .IP "item" with .TP .B "item" to make more clear which lines
9263 are part of the list of commands and which aren't.
9267 Paul Wise (22 Jun 2023)
9269 - checksrc: modernise perl file open
9271 Use regular variables and separate file open modes from filenames.
9273 Suggested by perlcritic
9275 Copied from https://github.com/curl/trurl/commit/f2784a9240f47ee28a845
9279 Dan Fandrich (21 Jun 2023)
9281 - runtests: work around a perl without SIGUSR1
9283 At least msys2 perl v5.32.1 doesn't seem to define this signal. Since
9284 this signal is only used for debugging, just ignore if setting it fails.
9286 Reported-by: Marcel Raad
9290 - runtests: include missing valgrind package
9292 use valgrind was missing which caused torture tests with valgrind
9295 Reported-by: Daniel Stenberg
9299 - runtests: use more consistent failure lines
9301 After a test failure log a consistent log message to make it easier to
9302 parse the log file. Also, log a consistent message with "ignored" for
9303 failures that cause the test to be not considered at all. These should
9304 perhaps be counted in the skipped category, but this commit does not
9305 change that behaviour.
9307 - runtests: consistently write the test check summary block
9309 The memory check character was erroneously omitted if the memory
9310 checking file was not available for some reason, making the block of
9311 characters an inconsistent length.
9313 - test2600: fix the description
9315 It looks like it was cut-and-pasted.
9319 Daniel Stenberg (21 Jun 2023)
9321 - TODO: "Support HTTP/2 for HTTP(S) proxies" *done*
9323 humbleacolyte (21 Jun 2023)
9325 - cf-socket: move ctx declaration under HAVE_GETPEERNAME
9329 Daniel Stenberg (20 Jun 2023)
9331 - RELEASE-NOTES: synced
9333 - example/connect-to: show CURLOPT_CONNECT_TO
9337 Stefan Eissing (20 Jun 2023)
9341 - refs #11203 where hyper was reported as being slow
9342 - fixes hyper_executor_poll to loop until it is out of
9343 tasks as advised by @seanmonstar in https://github.com/hyperium/hyper/issue
9345 - added a fix in hyper io handling for detecting EAGAIN
9346 - added some debug logs to see IO results
9347 - pytest http/1.1 test cases pass
9348 - pytest h2 test cases fail on connection reuse. HTTP/2
9349 connection reuse does not seem to work. Hyper submits
9350 a request on a reused connection, curl's IO works and
9351 thereafter hyper declares `Hyper: [1] operation was canceled: connection cl
9353 on stderr without any error being logged before.
9356 Reported-by: Gisle Vanem
9357 Advised-by: Sean McArthur
9360 - HTTP/2: upload handling fixes
9362 - fixes #11242 where 100% CPU on uploads was reported
9363 - fixes possible stalls on last part of a request body when
9364 that information could not be fully send on the connection
9366 - applies the same EGAIN handling to HTTP/2 proxying
9368 Reported-by: Sergey Alirzaev
9372 Daniel Stenberg (20 Jun 2023)
9374 - example/opensslthreadlock: remove
9376 This shows how to setup OpenSSL mutex callbacks, but this is not
9377 necessary since OpenSSL 1.1.0 - meaning that no currently supported
9378 OpenSSL version requires this anymore
9382 Dan Fandrich (19 Jun 2023)
9384 - libtest: display the times after a test timeout error
9386 This is to help with test failure debugging.
9391 - test2600: bump a test timeout
9393 Case 1 failed at least once on GHA by going 30 msec too long.
9397 - runtests: better detect and handle pipe errors in the controller
9399 Errors reading and writing to the pipes are now better detected and
9400 propagated up to the main test loop so it can be cleanly shut down. Such
9401 errors are usually due to a runner dying so it doesn't make much sense
9402 to try to continue the test run.
9404 - runtests: cleanly abort the runner if the controller dies
9406 If the controller dies unexpectedly, have the runner stop its servers
9407 and exit cleanly. Otherwise, the orphaned servers will stay running in
9410 - runtests: improve error logging
9412 Give more information about test harness error conditions to help figure
9413 out what might be wrong. Print some internal test state when SIGUSR1 is
9414 sent to runtests.pl.
9418 - runtests: better handle ^C during slow tests
9420 Since the SIGINT handler now just sets a flag that must be checked in the
9421 main controller loop, make sure that runs periodically. Rather than
9422 blocking on a response from a test runner near the end of the test run,
9423 add a short timeout to allow it.
9425 - runtests: rename server command file
9427 The name ftpserver.cmd was historical and has been used for more than
9428 ftp for many years now. Rename it to plain server.cmd to reduce
9431 - tests: improve reliability of TFTP tests
9433 Stop checking the timeout used by the client under test (for most
9434 tests). The timeout will change if the TFTP test server is slow (such as
9435 happens on an overprovisioned CI server) because the client will retry
9436 and reduce its timeout, and the actual value is not important for most
9439 test285 is changed a different way, by increasing the connect timeout.
9440 This improves test coverage by allowing the changed timeout value to be
9441 checked, but improves reliability with a carefully-chosen timeout that
9442 not only allows twice the time to respond as before, but also allows
9443 several retries before the client will change its timeout value.
9447 Daniel Stenberg (19 Jun 2023)
9449 - cf-socket: skip getpeername()/getsockname for TFTP
9451 Since the socket is not connected then the call fails. When the call
9452 fails, failf() is called to write an error message that is then
9453 surviving and is returned when the *real* error occurs later. The
9454 earlier, incorrect, error therefore hides the actual error message.
9456 This could be seen in stderr for test 1007
9458 Test 1007 has now been extended to verify the stderr message.
9462 - example/crawler: make it use a few more options
9464 For show, but reasonable
9466 - libcurl-ws.3: mention raw mode
9470 - example/default-scheme: set the default scheme for schemeless URLs
9474 - example/hsts-preload: show one way to HSTS preload
9478 - examples/http-options: show how to send "OPTIONS *"
9480 With CURLOPT_REQUEST_TARGET.
9482 Also add use of CURLOPT_QUICK_EXIT to show.
9486 - examples: make use of CURLOPT_(REDIR_|)PROTOCOLS_STR
9488 To show how to use them
9492 - examples/smtp-mime: use CURLOPT_MAIL_RCPT_ALLOWFAILS
9498 - http: rectify the outgoing Cookie: header field size check
9500 Previously it would count the size of the entire outgoing request and
9501 not just the size of only the Cookie: header field - which was the
9504 This could make the check be off by several hundred bytes in some cases.
9508 Jay Satiro (17 Jun 2023)
9510 - lib: fix some format specifiers
9512 - Use CURL_FORMAT_CURL_OFF_T where %zd was erroneously used for some
9513 curl_off_t variables.
9515 - Use %zu where %zd was erroneously used for some size_t variables.
9517 Prior to this change some of the Windows CI tests were failing because
9518 in Windows 32-bit targets have a 32-bit size_t and a 64-bit curl_off_t.
9519 When %zd was used for some curl_off_t variables then only the lower
9520 32-bits was read and the upper 32-bits would be read for part or all of
9523 Fixes https://github.com/curl/curl/issues/11327
9524 Closes https://github.com/curl/curl/pull/11321
9526 Marcel Raad (16 Jun 2023)
9528 - test427: add `cookies` feature and keyword
9530 This test doesn't work with `--disable-cookies`.
9532 Closes https://github.com/curl/curl/pull/11320
9534 Chris Talbot (15 Jun 2023)
9536 - imap: Provide method to disable SASL if it is advertised
9538 - Implement AUTH=+LOGIN for CURLOPT_LOGIN_OPTIONS to prefer plaintext
9539 LOGIN over SASL auth.
9541 Prior to this change there was no method to be able to fall back to
9542 LOGIN if an IMAP server advertises SASL capabilities. However, this may
9543 be desirable for e.g. a misconfigured server.
9545 Per: https://www.ietf.org/rfc/rfc5092.html#section-3.2
9547 ";AUTH=<enc-auth-type>" looks to be the correct way to specify what
9548 authenication method to use, regardless of SASL or not.
9550 Closes https://github.com/curl/curl/pull/10041
9552 Daniel Stenberg (15 Jun 2023)
9554 - RELEASE-NOTES: synced
9556 - examples/multi-debugcallback.c: avoid the bool typedef
9558 Apparently this cannot be done in c23
9560 Reported-by: Cristian Rodríguez
9564 - docs/libcurl/libcurl.3: cleanups and improvements
9568 - libcurl-ws.3: fix typo
9570 - curl_ws_*.3: enhance
9572 - all: SEE ALSO the libcurl-ws man page
9573 - send: add example and return value information
9574 - meta: mention that the returned data is read-only
9578 - docs/libcurl/libcurl-ws.3: see also CURLOPT_WS_OPTIONS
9580 - docs/libcurl/libcurl-ws.3: minor polish
9582 - libcurl-ws.3. WebSocket API overview
9586 - libcurl-url.3: also mention CURLUPART_ZONEID
9588 ... and sort the two part-using lists alphabetically
9590 Marcel Raad (14 Jun 2023)
9592 - fopen: fix conversion warning on 32-bit Android
9594 When building for 32-bit ARM or x86 Android, `st_mode` is defined as
9595 `unsigned int` instead of `mode_t`, resulting in a
9596 -Wimplicit-int-conversion clang warning because `mode_t` is
9597 `unsigned short`. Add a cast to silence the warning.
9599 Ref: https://android.googlesource.com/platform/bionic/+/refs/tags/ndk-r25c/li
9600 bc/include/sys/stat.h#86
9601 Closes https://github.com/curl/curl/pull/11313
9603 - http2: fix variable type
9605 `max_recv_speed` is `curl_off_t`, so using `size_t` might result in
9606 -Wconversion GCC warnings for 32-bit `size_t`. Visible in the NetBSD
9609 Closes https://github.com/curl/curl/pull/11312
9611 Daniel Stenberg (13 Jun 2023)
9613 - vtls: fix potentially uninitialized local variable warnings
9615 Follow-up from a4a5e438ae533c
9619 - timeval: use CLOCK_MONOTONIC_RAW if available
9621 Reported-by: Harry Sintonen
9625 Stefan Eissing (12 Jun 2023)
9627 - tool: add curl command line option `--trace-ids`
9629 - added and documented --trace-ids to prepend (after the timestamp)
9630 the transfer and connection identifiers to each verbose log line
9631 - format is [n-m] with `n` being the transfer id and `m` being the
9632 connection id. In case there is not valid connection id, print 'x'.
9633 - Log calls with a handle that has no transfer id yet, are written
9638 - lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID
9640 - add an `id` long to Curl_easy, -1 on init
9641 - once added to a multi (or its own multi), it gets
9642 a non-negative number assigned by the connection cache
9643 - `id` is unique among all transfers using the same
9644 cache until reaching LONG_MAX where it will wrap
9645 around. So, not unique eternally.
9646 - CURLINFO_CONN_ID returns the connection id attached to
9647 data or, if none present, data->state.lastconnect_id
9648 - variables and type declared in tool for write out
9652 Daniel Stenberg (12 Jun 2023)
9654 - CURLOPT_INFILESIZE.3: mention -1 triggers chunked
9659 Philip Heiduck (12 Jun 2023)
9661 - CI: openssl-3.0.9+quic
9665 Karthikdasari0423 (12 Jun 2023)
9667 - HTTP3.md: update openssl version
9671 Daniel Stenberg (12 Jun 2023)
9673 - vtls: avoid memory leak if sha256 call fails
9675 ... in the pinned public key handling function.
9677 Reported-by: lizhuang0630 on github
9681 - examples/ipv6: disable on win32
9683 I can't make if_nametoindex() work there
9685 Follow-up to c23dc42f3997acf23
9689 - tool_operate: allow cookie lines up to 8200 bytes
9691 Since this option might set multiple cookies in the same line, it does
9692 not make total sense to cap this at 4096 bytes, which is the limit for a
9693 single cookie name or value.
9697 - test427: verify sending more cookies than fit in a 8190 bytes line
9699 curl will then only populate the header with cookies that fit, dropping
9700 ones that otherwise would have been sent
9702 Ref: https://curl.se/mail/lib-2023-06/0020.html
9706 - testutil: allow multiple %-operators on the same line
9710 Oleg Jukovec (12 Jun 2023)
9712 - docs: update CURLOPT_UPLOAD.3
9714 The behavior of CURLOPT_UPLOAD differs from what is described in the
9715 documentation. The option automatically adds the 'Transfer-Encoding:
9716 chunked' header if the upload size is unknown.
9720 Daniel Stenberg (12 Jun 2023)
9722 - RELEASE-NOTES: synced
9724 - CURLOPT_AWS_SIGV4.3: remove unused variable from example
9728 - examples/https.c: use CURLOPT_CA_CACHE_TIMEOUT
9730 for demonstration purposes
9734 - example/ipv6: feature CURLOPT_ADDRESS_SCOPE in use
9738 Karthikdasari0423 (10 Jun 2023)
9740 - docs: Update HTTP3.md for newer ngtcp2 and nghttp3
9742 Follow-up to fb9b9b58
9747 Dan Fandrich (10 Jun 2023)
9749 - docs: update the supported ngtcp2 and nghttp3 versions
9751 Follow-up to cae9d10b
9756 - tests: fix error messages & handling around sockets
9758 The wrong error code was checked on Windows on UNIX socket failures,
9759 which could have caused all UNIX sockets to be reported as having
9760 errored and the tests therefore skipped. Also, a useless error message
9761 was displayed on socket errors in many test servers on Windows because
9762 strerror() doesn't work on WinSock error codes; perror() is overridden
9763 there to work on all errors and is used instead.
9768 Daniel Stenberg (9 Jun 2023)
9770 - CURLOPT_SSH_PRIVATE_KEYFILE.3: expand on the file search
9772 Reported-by: atjg on github
9776 Stefan Eissing (9 Jun 2023)
9778 - ngtcp2: use ever increasing timestamp in io
9780 - ngtcp2 v0.16.0 asserts that timestamps passed to its function
9781 will only ever increase.
9782 - Use a context shared between ingress/egress operations that
9783 uses a shared timestamp, regularly updated during calls.
9787 Daniel Stenberg (9 Jun 2023)
9789 - GHA: use nghttp2 1.54.0 for the ngtcp2 jobs
9791 Philip Heiduck (9 Jun 2023)
9793 - GHA: ngtcp2: use 0.16.0 and nghttp3 0.12.0
9795 Daniel Stenberg (9 Jun 2023)
9797 - ngtcp2: build with 0.16.0 and nghttp3 0.12.0
9799 - moved to qlog_write
9800 - crypto => encryption
9801 - CRYPTO => ENCRYPTION
9803 - ngtcp2_conn_shutdown_stream_read and
9804 ngtcp2_conn_shutdown_stream_write got flag arguments
9805 - the nghttp3_callbacks struct got a recv_settings callback
9809 - example/http2-download: set CURLOPT_BUFFERSIZE
9811 Primarily because no other example sets it, and remove the disabling of
9812 the certificate check because we should not recommend that.
9816 - example/crawler: also set CURLOPT_AUTOREFERER
9818 Could make sense, and it was not used in any example before.
9822 Wyatt OʼDay (9 Jun 2023)
9824 - tls13-ciphers.d: include Schannel
9828 Daniel Stenberg (9 Jun 2023)
9830 - curl_pushheader_byname/bynum.3: document in their own man pages
9832 These two functions were added in 7.44.0 when CURLMOPT_PUSHFUNCTION was
9833 introduced but always lived a life in the shadows, embedded in the
9834 CURLMOPT_PUSHFUNCTION man page. Until now.
9836 It makes better sense and gives more visibility to document them in
9837 their own stand-alone man pages.
9841 - curl_mprintf.3: minor fix of the example
9843 - curl_url_set: enforce the max string length check for all parts
9845 Update the docs and test 1559 accordingly
9849 - examples/ftpuploadresume.c: add use of CURLOPT_ACCEPTTIMEOUT_MS
9855 - examples/unixsocket.c: example using CURLOPT_UNIX_SOCKET_PATH
9857 and alternatively CURLOPT_ABSTRACT_UNIX_SOCKET
9861 Anssi Kolehmainen (8 Jun 2023)
9863 - docs: fix missing parameter names in examples
9867 Daniel Stenberg (8 Jun 2023)
9869 - urlapi: have *set(PATH) prepend a slash if one is missing
9871 Previously the code would just do that for the path when extracting the
9872 full URL, which made a subsequent curl_url_get() of the path to
9873 (unexpectedly) still return it without the leading path.
9875 Amend lib1560 to verify this. Clarify the curl_url_set() docs about it.
9877 Bug: https://curl.se/mail/lib-2023-06/0015.html
9879 Reported-by: Pedro Henrique
9881 Dan Fandrich (7 Jun 2023)
9883 - runtests; give each server a unique log lock file
9885 Logs are written by several servers and all of them must be finished
9886 writing before the test results can be determined. This means each
9887 server must have its own lock file rather than sharing a single one,
9888 which is how it was done up to now. Previously, the first server to
9889 complete a test would clear the lock before the other server was done,
9890 which caused flaky tests.
9892 Lock files are now all found in their own directory, so counting locks
9893 equals counting the files in that directory. The result is that the
9894 proxy logs are now reliably written which actually changes the expected
9895 output for two tests.
9900 - runtests: make test file directories in log/N
9902 Test files in subdirectories were not created after parallel test log
9903 directories were moved down a level due to a now-bad comparison.
9905 Follow-up to 92d7dd39
9910 Daniel Stenberg (7 Jun 2023)
9912 - ws: make the curl_ws_meta() return pointer a const
9914 The returned info is read-only for the user.
9918 - RELEASE-NOTES: synced
9920 - runtests: move parallel log dirs from logN to log/N
9922 Having several hundreds of them in there gets annoying.
9926 Dan Fandrich (7 Jun 2023)
9928 - test447: move the test file into %LOGDIR
9930 Viktor Szakats (7 Jun 2023)
9932 - cmake: add support for "unity" builds
9934 Aka "jumbo" or "amalgamation" builds. It means to compile all sources
9935 per target as a single C source. This is experimental.
9937 You can enable it by passing `-DCMAKE_UNITY_BUILD=ON` to cmake.
9938 It requires CMake 3.16 or newer.
9940 It makes builds (much) faster, allows for better optimizations and tends
9941 to promote less ambiguous code.
9943 Also add a new AppVeyor CI job and convert an existing one to use
9944 "unity" mode (one MSVC, one MinGW), and enable it for one macOS CI job.
9947 - add missing include guard to `easy_lock.h`.
9948 - rename static variables and functions (and a macro) with names reused
9949 across sources, or shadowed by local variables.
9950 - add an `#undef` after use.
9951 - add a missing `#undef` before use.
9952 - move internal definitions from `ftp.h` to `ftp.c`.
9953 - `curl_memory.h` fixes to make it work when included repeatedly.
9954 - stop building/linking curlx bits twice for a static-mode curl tool.
9955 These caused doubly defined symbols in unity builds.
9956 - silence missing extern declarations compiler warning for ` _CRT_glob`.
9957 - fix extern declarations for `tool_freq` and `tool_isVistaOrGreater`.
9958 - fix colliding static symbols in debug mode: `debugtime()` and
9960 - rename `ssl_backend_data` structure to unique names for each
9961 TLS-backend, along with the `ssl_connect_data` struct member
9962 referencing them. This required adding casts for each access.
9963 - add workaround for missing `[P]UNICODE_STRING` types in certain Windows
9964 builds when compiling `lib/ldap.c`. To support "unity" builds, we had
9965 to enable `SCHANNEL_USE_BLACKLISTS` for Schannel (a Windows
9966 `schannel.h` option) _globally_. This caused an indirect inclusion of
9967 Windows `schannel.h` from `ldap.c` via `winldap.h` to have it enabled
9968 as well. This requires `[P]UNICODE_STRING` types, which is apperantly
9969 not defined automatically (as seen with both MSVS and mingw-w64).
9970 This patch includes `<subauth.h>` to fix it.
9971 Ref: https://github.com/curl/curl/runs/13987772013
9972 Ref: https://dev.azure.com/daniel0244/curl/_build/results?buildId=15827&vie
9973 w=logs&jobId=2c9f582d-e278-56b6-4354-f38a4d851906&j=2c9f582d-e278-56b6-4354-f
9974 38a4d851906&t=90509b00-34fa-5a81-35d7-5ed9569d331c
9975 - tweak unity builds to compile `lib/memdebug.c` separately in memory
9976 trace builds to avoid PP confusion.
9977 - force-disable unity for test programs.
9978 - do not compile and link libcurl sources to libtests _twice_ when libcurl
9979 is built in static mode.
9982 - running tests with unity builds may fail in cases.
9983 - some build configurations/env may not compile in unity mode. E.g.:
9984 https://ci.appveyor.com/project/curlorg/curl/builds/47230972/job/51wfesgnfu
9987 Ref: https://github.com/libssh2/libssh2/issues/1034
9988 Ref: https://cmake.org/cmake/help/latest/prop_tgt/UNITY_BUILD.html
9989 Ref: https://en.wikipedia.org/wiki/Unity_build
9993 Daniel Stenberg (7 Jun 2023)
9995 - examples/websocket.c: websocket example using CONNECT_ONLY
9999 - websocket-cb: example doing WebSocket download using callback
10005 - test/.gitignore: ignore log*
10007 Dan Fandrich (5 Jun 2023)
10009 - runtests: document the -j parallel testing option
10011 Reported-by: Daniel Stenberg
10015 - runtests: create multiple test runners when requested
10017 Parallel testing is enabled by using a nonzero value for the -j option
10018 to runtests.pl. Performant values seem to be about 7*num CPU cores, or
10019 1.3*num CPU cores if Valgrind is in use.
10021 Flaky tests due to improper log locking (bug #11231) are exacerbated
10022 while parallel testing, so it is not enabled by default yet.
10027 - runtests: handle repeating tests in multiprocess mode
10029 Such as what happens with the --repeat option. Some functions are
10030 changed to pass the runner ID instead of relying on the non-unique test
10035 - runtests: buffer logmsg while running singletest()
10037 This allows all messages relating to a single test case to be displayed
10038 together at the end of the test.
10042 - runtests: call initserverconfig() in the runner
10044 This must be done so variables pick up the runner's unique $LOGDIR.
10048 - runtests: use a per-runner random seed
10050 Each runner needs a unique random seed to reduce the chance of port
10051 number collisions. The new scheme uses a consistent per-runner source of
10052 randomness which results in deterministic behaviour, as it did before.
10056 - runtests: complete main test loop refactor for multiple runners
10058 The main test loop is now able to handle multiple runners, or no
10059 additional runner processes at all. At most one process is still
10064 - runtests: prepare main test loop for multiple runners
10066 Some variables are expanded to arrays and hashes so that multiple
10067 runners can be used for running tests.
10071 Stefan Eissing (5 Jun 2023)
10073 - bufq: make write/pass methods more robust
10075 - related to #11242 where curl enters busy loop when
10076 sending http2 data to the server
10080 Boris Verkhovskiy (5 Jun 2023)
10082 - tool_getparam: fix comment
10086 Raito Bezarius (5 Jun 2023)
10088 - haproxy: add --haproxy-clientip flag to spoof client IPs
10090 CURLOPT_HAPROXY_CLIENT_IP in the library
10094 Daniel Stenberg (5 Jun 2023)
10096 - curl: add --ca-native and --proxy-ca-native
10098 These are two boolean options to ask curl to use the native OS's CA
10099 store when verifying TLS servers. For peers and for proxies
10102 They currently only have an effect for curl on Windows when built to use
10107 Viktor Szakats (5 Jun 2023)
10109 - build: drop unused/redundant `HAVE_WINLDAP_H`
10111 Sources did not use it. Autotools used it when checking for the
10112 `winldap` library, which is redundant.
10114 With CMake, detection was broken:
10116 Run Build Command(s):/usr/local/Cellar/cmake/3.26.3/bin/cmake -E env VERBOSE=
10117 1 /usr/bin/make -f Makefile cmTC_2d8fe/fast && /Library/Developer/CommandLine
10118 Tools/usr/bin/make -f CMakeFiles/cmTC_2d8fe.dir/build.make CMakeFiles/cmTC_2
10120 Building C object CMakeFiles/cmTC_2d8fe.dir/HAVE_WINLDAP_H.c.obj
10121 /usr/local/opt/llvm/bin/clang --target=x86_64-w64-mingw32 --sysroot=/usr/loca
10122 l/opt/mingw-w64/toolchain-x86_64 -D_WINSOCKAPI_="" -I/my/quictls/x64-ucrt/usr
10123 /include -I/my/zlib/x64-ucrt/usr/include -I/my/brotli/x64-ucrt/usr/include -W
10124 no-unused-command-line-argument -D_UCRT -DCURL_HIDDEN_SYMBOLS -DHAVE_SSL_SE
10125 T0_WBIO -DHAS_ALPN -DNGHTTP2_STATICLIB -DNGHTTP3_STATICLIB -DNGTCP2_STATICLIB
10126 -DUSE_MANUAL=1 -fuse-ld=lld -Wl,-s -static-libgcc -lucrt -Wextra -Wall -p
10127 edantic -Wbad-function-cast -Wconversion -Winline -Wmissing-declarations -Wmi
10128 ssing-prototypes -Wnested-externs -Wno-long-long -Wno-multichar -Wpointer-ari
10129 th -Wshadow -Wsign-compare -Wundef -Wunused -Wwrite-strings -Wcast-align -Wde
10130 claration-after-statement -Wempty-body -Wendif-labels -Wfloat-equal -Wignored
10131 -qualifiers -Wno-format-nonliteral -Wno-sign-conversion -Wno-system-headers -
10132 Wstrict-prototypes -Wtype-limits -Wvla -Wshift-sign-overflow -Wshorten-64-to-
10133 32 -Wdouble-promotion -Wenum-conversion -Wunused-const-variable -Wcomma -Wmis
10134 sing-variable-declarations -Wassign-enum -Wextra-semi-stmt -MD -MT CMakeFile
10135 s/cmTC_2d8fe.dir/HAVE_WINLDAP_H.c.obj -MF CMakeFiles/cmTC_2d8fe.dir/HAVE_WINL
10136 DAP_H.c.obj.d -o CMakeFiles/cmTC_2d8fe.dir/HAVE_WINLDAP_H.c.obj -c /my/curl/b
10137 ld-cmake-llvm-x64-shared/CMakeFiles/CMakeScratch/TryCompile-3JP6dR/HAVE_WINLD
10139 In file included from /my/curl/bld-cmake-llvm-x64-shared/CMakeFiles/CMakeScra
10140 tch/TryCompile-3JP6dR/HAVE_WINLDAP_H.c:2:
10141 In file included from /usr/local/opt/mingw-w64/toolchain-x86_64/x86_64-w64-mi
10142 ngw32/include/winldap.h:17:
10143 In file included from /usr/local/opt/mingw-w64/toolchain-x86_64/x86_64-w64-mi
10144 ngw32/include/schnlsp.h:9:
10145 In file included from /usr/local/opt/mingw-w64/toolchain-x86_64/x86_64-w64-mi
10146 ngw32/include/schannel.h:10:
10147 /usr/local/opt/mingw-w64/toolchain-x86_64/x86_64-w64-mingw32/include/wincrypt
10148 .h:5041:254: error: unknown type name 'PSYSTEMTIME'
10149 WINIMPM PCCERT_CONTEXT WINAPI CertCreateSelfSignCertificate (HCRYPTPROV_OR_
10150 NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, PCERT_NAME_BLOB pSubjectIssuerBlob,
10151 DWORD dwFlags, PCRYPT_KEY_PROV_INFO pKeyProvInfo, PCRYPT_ALGORITHM_IDENTIFIER
10152 pSignatureAlgorithm, PSYSTEMTIME pStartTime, PSYSTEMTIME pEndTime, PCERT_EXT
10153 ENSIONS pExtensions);
10158 /usr/local/opt/mingw-w64/toolchain-x86_64/x86_64-w64-mingw32/include/wincrypt
10159 .h:5041:278: error: unknown type name 'PSYSTEMTIME'
10160 WINIMPM PCCERT_CONTEXT WINAPI CertCreateSelfSignCertificate (HCRYPTPROV_OR_
10161 NCRYPT_KEY_HANDLE hCryptProvOrNCryptKey, PCERT_NAME_BLOB pSubjectIssuerBlob,
10162 DWORD dwFlags, PCRYPT_KEY_PROV_INFO pKeyProvInfo, PCRYPT_ALGORITHM_IDENTIFIER
10163 pSignatureAlgorithm, PSYSTEMTIME pStartTime, PSYSTEMTIME pEndTime, PCERT_EXT
10164 ENSIONS pExtensions);
10169 2 errors generated.
10170 make[1]: *** [CMakeFiles/cmTC_2d8fe.dir/HAVE_WINLDAP_H.c.obj] Error 1
10171 make: *** [cmTC_2d8fe/fast] Error 2
10175 Cherry-picked from #11095 88e4a21ff70ccef391cf99c8165281ff81374503
10176 Reviewed-by: Daniel Stenberg
10179 Daniel Stenberg (5 Jun 2023)
10181 - urlapi: scheme starts with alpha
10183 Add multiple tests to lib1560 to verify
10186 Reported-by: ad0p on github
10189 - RELEASE-NOTES: synced
10191 - CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS
10193 Deprecate the name using three Ls and prefer the name with two.
10198 - tests/servers: generate temp names in /tmp for unix domain sockets
10200 ... instead of putting them in the regular pid directories because
10201 systems generally have strict length requirements for the path name to
10202 be shorter than 107 bytes and we easily hit that boundary otherwise.
10204 The new concept generates two random names: one for the socks daemon and
10207 Reported-by: Andy Fiddaman
10211 Stefan Eissing (2 Jun 2023)
10213 - http2: better support for --limit-rate
10215 - leave transfer loop when --limit-rate is in effect and has
10217 - adjust stream window size to --limit-rate plus some slack
10218 to make the server observe the pacing we want
10219 - add test case to confirm behaviour
10223 - curl_log: evaluate log statement only when transfer is verbose
10227 Daniel Stenberg (2 Jun 2023)
10229 - libssh2: provide error message when setting host key type fails
10231 Ref: https://curl.se/mail/archive-2023-06/0001.html
10235 Igor Todorovski (2 Jun 2023)
10237 - system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles
10241 Daniel Stenberg (2 Jun 2023)
10243 - docs/SECURITY-PROCESS.md: link to example of previous critical flaw
10245 Mark Seuffert (2 Jun 2023)
10247 - README.md: updated link to opencollective
10251 Daniel Stenberg (1 Jun 2023)
10253 - libssh2: use custom memory functions
10255 Because of how libssh2_userauth_keyboard_interactive_ex() works: the
10256 libcurl callback allocates memory that is later free()d by libssh2, we
10257 must set the custom memory functions.
10259 Reverts 8b5f100db388ee60118c08aa28
10261 Ref: https://github.com/libssh2/libssh2/issues/1078
10264 - test447: test PUTting a file that grows
10266 ... and have curl trim the end when it reaches the expected total amount
10267 of bytes instead of over-sending.
10269 Reported-by: JustAnotherArchivist on github
10272 - curl: count uploaded data to stop at the originally given size
10276 Reported-by: JustAnotherArchivist on github
10278 - tool: remove exclamation marks from error/warning messages
10280 - tool: use errorf() for error output
10282 Convert a number of fprintf() calls.
10284 - tool: remove newlines from all helpf/notef/warnf/errorf calls
10286 Make voutf() always add one.
10290 - tests/servers.pm: pick unused port number with a server socket
10292 This change replaces the previous method of picking a port number at
10293 random to try to start servers on, then retrying up to ten times with
10294 new random numbers each time, with a function that creates a server
10295 socket on port zero, thereby getting a suitable random port set by the
10296 kernel. That server socket is then closed and that port number is used
10297 to setup the actual test server on.
10299 There is a risk that *another* server can be started on the machine in
10300 the time gap, but the server verification feature will detect that.
10304 - RELEASE-NOTES: synced
10308 Alejandro R. Sedeño (31 May 2023)
10310 - configure: fix run-compiler for old /bin/sh
10312 If you try to assign and export on the same line on some older /bin/sh
10313 implementations, it complains:
10316 $ export "NAME=value"
10317 NAME=value: is not an identifier
10320 This commit rewrites run-compiler's assignments and exports to work with
10321 old /bin/sh, splitting assignment and export into two separate
10322 statements, and only quote the value. So now we have:
10329 While we're here, make the same change to the two supporting
10330 assign+export lines preceeding the script to be consistent with how
10331 exports work throughout the rest of configure.ac.
10335 Philip Heiduck (31 May 2023)
10337 - circleci: install impacket & wolfssl 5.6.0
10341 Daniel Stenberg (31 May 2023)
10343 - tool_urlglob: use curl_off_t instead of longs
10345 To handle more globs better (especially on Windows)
10349 Dan Fandrich (30 May 2023)
10351 - scripts: Fix GHA matrix job detection in cijobs.pl
10353 The parsing is pretty brittle and it broke detecting some jobs at some
10354 point. Also, detect if Windows is used in GHA.
10356 - runtests: abort test run after failure without -a
10358 This was broken in a recent refactor and test runs would not stop.
10360 Follow-up to d4a1b5b6
10362 Reported-by: Daniel Stenberg
10366 Version 8.1.2 (30 May 2023)
10368 Daniel Stenberg (30 May 2023)
10370 - RELEASE-NOTES: synced
10374 - THANKS: contributors from 8.1.2