Changelog
-Daniel Stenberg (18 May 2010)
-- Eric Mertens posted bug report #3003005 pointing out that the libcurl TFTP
- code was not sending the timeout option properly to the server, and
- suggested a fix.
-
- (http://curl.haxx.se/bug/view.cgi?id=3003005)
-
-Kamil Dudka (16 May 2010)
-- Pavel Raiskup introduced a new option CURLOPT_FNMATCH_DATA in order to pass
- a custom data pointer to the callback specified by CURLOPT_FNMATCH_FUNCTION.
-
-Daniel Stenberg (14 May 2010)
-- John-Mark Bell filed bug #3000052 that identified a problem (with an
- associated patch) with the OpenSSL handshake state machine when the multi
- interface is used:
-
- Performing an https request using a curl multi handle and using select or
- epoll to wait for events results in a hang. It appears that the cause is the
- fix for bug #2958179, which makes ossl_connect_common unconditionally return
- from the step 2 loop when fetching from a multi handle.
-
- When ossl_connect_step2 has completed, it updates connssl->connecting_state
- to ssl_connect_3. ossl_connect_common will then return to the caller, as a
- multi handle is in use. Eventually, the client code will call
- curl_multi_fdset to obtain an updated fdset to select or epoll on. For https
- requests, curl_multi_fdset will cause https_getsock to be called.
- https_getsock will only return a socket handle if the connecting_state is
- ssl_connect_2_reading or ssl_connect_2_writing. Therefore, the client will
- never obtain a valid fdset, and thus not drive the multi handle, resulting
- in a hang.
-
- (http://curl.haxx.se/bug/view.cgi?id=3000052)
-
-- Sebastian V reported bug #3000056 identifying a problem with redirect
- following. It showed that when curl followed redirects it didn't properly
- ignore the response body of the 30X response if that response was using
- compressed Content-Encoding!
-
- (http://curl.haxx.se/bug/view.cgi?id=3000056)
-
-Daniel Stenberg (12 May 2010)
-- Howard Chu brought support for RTMP. This is powered by the underlying
- librtmp library. It supports a range of variations and "sub-protocols"
- within the RTMP family.
-
-- Pavel Raiskup brought support for FTP directory wildcard matching to allow
- selective downloading. To provide that, a set of new options were added:
-
- CURLOPT_WILDCARDMATCH
- CURLOPT_CHUNK_BGN_FUNCTION
- CURLOPT_CHUNK_END_FUNCTION
- CURLOPT_CHUNK_DATA
- CURLOPT_FNMATCH_FUNCTION
-
- There were also a set of new tests added (574 - 577) to verify this.
-
-Kamil Dudka (11 May 2010)
-- CRL support in libcurl-NSS has been completely broken. Now it works. Original
- bug report: https://bugzilla.redhat.com/581926
-
-Daniel Stenberg (7 May 2010)
-- Dirk Manske reported a regression. When connecting with the multi interface,
- there were situations where libcurl wouldn't store connect time correctly as
- it used to (and is documented to) do.
-
- Using his fine sample program we could repeat it, and I wrote up test case
- 573 using that code. The problem does not easily show itself using the local
- test suite though.
-
- The fix, also as suggested by Dirk, is a bit on the ugly side as it adds yet
- another call to Curl_verboseconnect() and setting the TIMER_CONNECT time.
- That situation is subject for some closer inspection in the future.
-
-- Howard Chu split the I/O handling functions into private handlers.
-
- Howard Chu brought the bulk work of this patch that properly moves out the
- sending and recving of data to the parts of the code that are properly
- responsible for the various ways of doing so.
+Version 7.53.1 (24 Feb 2017)
+
+Daniel Stenberg (24 Feb 2017)
+- release: 7.53.1
+
+- Revert "tests: use consistent environment variables for setting charset"
+
+ This reverts commit ecd1d020abdae3c3ce3643ddab3106501e62e7c0.
+
+ That commit caused test failures on my Debian Linux machine for all
+ changed test cases. We need to reconsider how that should get done.
+
+Dan Fandrich (23 Feb 2017)
+- tests: use consistent environment variables for setting charset
+
+ Character set in POSIX is set by the locale defined (in decreasing order
+ of precedence) by the LC_ALL, LC_CTYPE and LANG environment variables (I
+ believe CHARSET is only historic). LC_ALL is cleared to ensure that
+ LC_CTYPE takes effect, but LC_ALL is not used to set the locale to
+ ensure that other parts of the locale aren't overriden, if set. Since
+ there doesn't seem to be a cross-platform way of specifying a UTF-8
+ locale, and not all systems may support UTF-8, a <precheck> is used
+ (where relevant) to skip the test if UTF-8 isn't in use. Test 1035 was
+ also converted to UTF-8 for consistency, as the actual character set
+ used there is irrelevant to the test.
+
+Jay Satiro (23 Feb 2017)
+- url: Default the CA proxy bundle location to CURL_CA_BUNDLE
+
+ If the compile-time CURL_CA_BUNDLE location is defined use it as the
+ default value for the proxy CA bundle location, which is the same as
+ what we already do for the regular CA bundle location.
+
+ Ref: https://github.com/curl/curl/pull/1257
+
+Daniel Stenberg (23 Feb 2017)
+- [Sergii Pylypenko brought this change]
+
+ rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header
+
+ Closes #1285
+
+- TODO: "OPTIONS *"
+
+ Closes #1280
+
+- RELEASE-NOTES: synced with 443e5b03a7d441
+
+- THANKS-filter: shachaf
+
+- [İsmail Dönmez brought this change]
+
+ tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
+
+ Closes #1283
+ Fixes #1277
+
+- bump: 7.53.1 coming up
+
+ synced with df665f4df0f7a352
+
+- formdata: check for EOF when reading from stdin
+
+ Reported-by: shachaf@users.noreply.github.com
+
+ Fixes #1281
+
+Jay Satiro (22 Feb 2017)
+- docs: gitignore curl.1
+
+ curl.1 is generated by the cmdline-opts script since 4c49b83.
+
+Daniel Stenberg (22 Feb 2017)
+- TODO: HTTP Digest using SHA-256
+
+- TODO: brotli is deployed widely now
+
+Jay Satiro (21 Feb 2017)
+- [Viktor Szakats brought this change]
+
+ urldata: include curl_sspi.h when Windows SSPI is enabled
+
+ f77dabe broke builds in Windows using Windows SSPI but not Windows SSL.
+
+ Bug: https://github.com/curl/curl/issues/1276
+ Reported-by: jveazey@users.noreply.github.com
+
+- url: Improve CURLOPT_PROXY_CAPATH error handling
+
+ - Change CURLOPT_PROXY_CAPATH to return CURLE_NOT_BUILT_IN if the option
+ is not supported, which is the same as what we already do for
+ CURLOPT_CAPATH.
+
+ - Change the curl tool to handle CURLOPT_PROXY_CAPATH error
+ CURLE_NOT_BUILT_IN as a warning instead of as an error, which is the
+ same as what we already do for CURLOPT_CAPATH.
+
+ - Fix CAPATH docs to show that CURLE_NOT_BUILT_IN is returned when the
+ respective CAPATH option is not supported by the SSL library.
+
+ Ref: https://github.com/curl/curl/pull/1257
+
+- cyassl: fix typo
+
+Version 7.53.0 (22 Feb 2017)
+
+Daniel Stenberg (22 Feb 2017)
+- release: 7.53.0
+
+- cookie: fix declaration of 'dup' shadows a global declaration
+
+- TLS: make SSL_VERIFYSTATUS work again
+
+ The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
+ and thus even if the status couldn't be verified, the connection would
+ be allowed and the user would not be told about the failed verification.
+
+ Regression since cb4e2be7c6d42ca
+
+ CVE-2017-2629
+ Bug: https://curl.haxx.se/docs/adv_20170222.html
+
+ Reported-by: Marcus Hoffmann
+
+Jay Satiro (21 Feb 2017)
+- digest_sspi: Handle 'stale=TRUE' directive in HTTP digest
+
+ - If the server has provided another challenge use it as the replacement
+ input token if stale=TRUE. Otherwise previous credentials have failed
+ so return CURLE_LOGIN_DENIED.
+
+ Prior to this change the stale directive was ignored and if another
+ challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING.
+
+ Ref: https://tools.ietf.org/html/rfc2617#page-10
+
+ Bug: https://github.com/curl/curl/issues/928
+ Reported-by: tarek112@users.noreply.github.com
+
+Daniel Stenberg (20 Feb 2017)
+- smb: use getpid replacement for windows UWP builds
+
+ Source: https://github.com/Microsoft/vcpkg/blob/7676b8780db1e1e591c4fc7eba4f96f73c428cb4/ports/curl/0002_fix_uwp.patch
+
+- TODO: CURLOPT_RESOLVE for any port number
+
+ Closes #1264
+
+- RELEASE-NOTES: synced with af30f1152d43dcdb
+
+- [Jean Gressmann brought this change]
+
+ sftp: improved checks for create dir failures
+
+ Since negative values are errors and not only -1. This makes SFTP upload
+ with --create-dirs work (again).
+
+ Closes #1269
+
+Jay Satiro (20 Feb 2017)
+- [Max Khon brought this change]
+
+ digest_sspi: Fix nonce-count generation in HTTP digest
+
+ - on the first invocation: keep security context returned by
+ InitializeSecurityContext()
+
+ - on subsequent invocations: use MakeSignature() instead of
+ InitializeSecurityContext() to generate HTTP digest response
+
+ Bug: https://github.com/curl/curl/issues/870
+ Reported-by: Andreas Roth
+
+ Closes https://github.com/curl/curl/pull/1251
+
+- examples/multi-uv: checksrc compliance
+
+Michael Kaufmann (19 Feb 2017)
+- string formatting: fix 4 printf-style format strings
+
+Dan Fandrich (18 Feb 2017)
+- tests: removed the obsolete name parameter
+
+Michael Kaufmann (18 Feb 2017)
+- speed caps: update the timeouts if the speed is too low/high
+
+ Follow-up to 4b86113
+
+ Fixes https://github.com/curl/curl/issues/793
+ Fixes https://github.com/curl/curl/issues/942
+
+- docs: fix timeout handling in multi-uv example
+
+- proxy: fix hostname resolution and IDN conversion
+
+ Properly resolve, convert and log the proxy host names.
+ Support the "--connect-to" feature for SOCKS proxies and for passive FTP
+ data transfers.
+
+ Follow-up to cb4e2be
+
+ Reported-by: Jay Satiro
+ Fixes https://github.com/curl/curl/issues/1248
+
+Jay Satiro (17 Feb 2017)
+- [Isaac Boukris brought this change]
+
+ http: fix missing 'Content-Length: 0' while negotiating auth
+
+ - While negotiating auth during PUT/POST if a user-specified
+ Content-Length header is set send 'Content-Length: 0'.
+
+ This is what we do already in HTTPREQ_POST_FORM and what we did in the
+ HTTPREQ_POST case (regression since afd288b).
+
+ Prior to this change no Content-Length header would be sent in such a
+ case.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-02/0006.html
+ Reported-by: Dominik Hölzl
+
+ Closes https://github.com/curl/curl/pull/1242
+
+Daniel Stenberg (16 Feb 2017)
+- [Simon Warta brought this change]
+
+ winbuild: add note on auto-detection of MACHINE in Makefile.vc
+
+ Closes #1265
+
+- RELEASE-PROCEDURE: update the upcoming release calendar
+
+- TODO: consider file name from the redirected URL with -O ?
+
+ It isn't easily solved, but with some thinking someone could probably
+ come up with a working approach?
+
+ Closes #1241
+
+Jay Satiro (15 Feb 2017)
+- tool_urlglob: Allow a glob range with the same start and stop
+
+ For example allow ranges like [1-1] and [a-a] etc.
+
+ Regression since 5ca96cb.
+
+ Bug: https://github.com/curl/curl/issues/1238
+ Reported-by: R. Dennis Steed
+
+Daniel Stenberg (15 Feb 2017)
+- axtls: adapt to API changes
+
+ Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS
+ < 2.1.0 (the older API)
+
+ ... and fix the session_id mixup brought in 04b4ee549
+
+ Fixes #1220
+
+- RELEASE-NOTES: synced with 690935390c29c
+
+- [Nick Draffen brought this change]
+
+ curl: fix typo in time condition warning message
+
+ The warning message had a typo. The argument long form is --time-cond
+ not --timecond
+
+ Closes #1263
+
+- smb: code indent
+
+Jay Satiro (14 Feb 2017)
+- configure: Allow disabling pthreads, fall back on Win32 threads
+
+ When the threaded resolver option is specified for configure the default
+ thread library is pthreads. This change makes it possible to
+ --disable-pthreads and then configure can fall back on Win32 threads for
+ native Windows builds.
+
+ Closes https://github.com/curl/curl/pull/1260
+
+Daniel Stenberg (13 Feb 2017)
+- http2: fix memory-leak when denying push streams
+
+ Reported-by: zelinchen@users.noreply.github.com
+ Fixes #1229
+
+Jay Satiro (11 Feb 2017)
+- tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT
+
+ When CURLE_SSL_CACERT occurs the tool shows a lengthy error message to
+ the user explaining possible solutions such as --cacert and --insecure.
+
+ This change appends to that message similar options --proxy-cacert and
+ --proxy-insecure when there's a specified HTTPS proxy.
+
+ Closes https://github.com/curl/curl/issues/1258
+
+Daniel Stenberg (10 Feb 2017)
+- cmdline-opts/page-footer: ftp.sunet.se is no longer an FTP mirror
+
+- URL: only accept ";options" in SMTP/POP3/IMAP URL schemes
+
+ Fixes #1252
+
+Jay Satiro (9 Feb 2017)
+- cmdline-opts/socks*: Mention --preproxy in --socks* opts
+
+ - Document in --socks* opts they're still mutually exclusive of --proxy.
+
+ Partial revert of 423a93c; I had misinterpreted the SOCKS proxy +
+ HTTP/HTTPS proxy combination.
+
+ - Document in --socks* opts that --preproxy can be used to specify a
+ SOCKS proxy at the same time --proxy is used with an HTTP/HTTPS proxy.
+
+Daniel Stenberg (9 Feb 2017)
+- CURLOPT_SSL_VERIFYPEER.3: also the https proxy version
+
+Kamil Dudka (9 Feb 2017)
+- nss: make FTPS work with --proxytunnel
+
+ If the NSS code was in the middle of a non-blocking handshake and it
+ was asked to finish the handshake in blocking mode, it unexpectedly
+ continued in the non-blocking mode, which caused a FTPS connection
+ over CONNECT to fail with "(81) Socket not ready for send/recv".
+
+ Bug: https://bugzilla.redhat.com/1420327
+
+Daniel Stenberg (9 Feb 2017)
+- examples/multithread.c: link to our multi-thread docs
+
+ ... instead of the OpenSSL mutex page.
+
+- http_proxy: avoid freeing static memory
+
+ Follow up to 7fe81ec298e0: make sure 'host' is either NULL or malloced.
+
+- [Cameron MacMinn brought this change]
+
+ http_proxy: Fix tiny memory leak upon edge case connecting to proxy
+
+ Fixes #1255
+
+Michael Kaufmann (8 Feb 2017)
+- polarssl, mbedtls: Fix detection of pending data
+
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html
+
+Dan Fandrich (7 Feb 2017)
+- test1139: Added the --manual keyword since the manual is required
+
+Daniel Stenberg (7 Feb 2017)
+- RELEASE-NOTES: synced with 102454459dd688c
+
+- THANKS-filter: polish some recent contributors
+
+- http2: reset push header counter fixes crash
+
+ When removing an easy handler from a multi before it completed its
+ transfer, and it had pushed streams, it would segfault due to the pushed
+ counted not being cleared.
+
+ Fixed-by: zelinchen@users.noreply.github.com
+ Fixes #1249
+
+- [Markus Westerlind brought this change]
+
+ transfer: only retry nobody-requests for HTTP
+
+ Using sftp to delete a file with CURLOPT_NOBODY set with a reused
+ connection would fail as curl expected to get some data. Thus it would
+ retry the command again which fails as the file has already been
+ deleted.
+
+ Fixes #1243
+
+Jay Satiro (7 Feb 2017)
+- [Daniel Gustafsson brought this change]
+
+ telnet: Fix typos
+
+ Ref: https://github.com/curl/curl/pull/1245
+
+- [Daniel Gustafsson brought this change]
+
+ test552: Fix typos
+
+ Closes https://github.com/curl/curl/pull/1245
+
+- [Daniel Gustafsson brought this change]
+
+ darwinssl: Avoid parsing certificates when not in verbose mode
+
+ The information extracted from the server certificates in step 3 is only
+ used when in verbose mode, and there is no error handling or validation
+ performed as that has already been done. Only run the certificate
+ information extraction when in verbose mode and libcurl was built with
+ verbose strings.
+
+ Closes https://github.com/curl/curl/pull/1246
+
+- [JDepooter brought this change]
+
+ schannel: Remove incorrect SNI disabled message
+
+ - Remove the SNI disabled when host verification disabled message
+ since that is incorrect.
+
+ - Show a message for legacy versions of Windows <= XP that connections
+ may fail since those versions of WinSSL lack SNI, algorithms, etc.
+
+ Bug: https://github.com/curl/curl/pull/1240
+
+Daniel Stenberg (7 Feb 2017)
+- CHANGES: spell fix, use correct path to script
+
+- CHANGES.0: removed
+
+ This is the previously manually edited changelog, not touched since Aug
+ 2015. Still present in git for those who wants it.
+
+Dan Fandrich (6 Feb 2017)
+- cmdline-opts: Fixed build and test in out of source tree builds
+
+Viktor Szakats (6 Feb 2017)
+- use *.sourceforge.io and misc URL updates
+
+ Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/
+ Closes: https://github.com/curl/curl/pull/1247
+
+Jay Satiro (6 Feb 2017)
+- docs: Add more HTTPS proxy documentation
+
+ - Document HTTPS proxy type.
+
+ - Document --write-out %{proxy_ssl_verify_result}.
+
+ - Document SOCKS proxy + HTTP/HTTPS proxy combination.
+
+ HTTPS proxy support was added in 7.52.0 for OpenSSL, GnuTLS and NSS.
+
+ Ref: https://github.com/curl/curl/commit/cb4e2be
+
+- OS400: Fix symbols
+
+ - s/CURLOPT_SOCKS_PROXY/CURLOPT_PRE_PROXY
+ Follow-up to 7907a2b and 845522c.
+
+ - Fix incorrect id for CURLOPT_PROXY_PINNEDPUBLICKEY.
+
+ - Add id for CURLOPT_ABSTRACT_UNIX_SOCKET.
+
+ Bug: https://github.com/curl/curl/issues/1237
+ Reported-by: jonrumsey@users.noreply.github.com
+
+- [Sean Burford brought this change]
+
+ cmake: Support curl --xattr when built with cmake
+
+ - Test for and set HAVE_FSETXATTR when support for extended file
+ attributes is present.
+
+ Closes https://github.com/curl/curl/pull/1176
+
+- [Adam Langley brought this change]
+
+ openssl: Don't use certificate after transferring ownership
+
+ SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
+ while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
+ it's best to call SSL_CTX_add_client_CA before
+ SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
+ argument.
+
+ Closes https://github.com/curl/curl/pull/1236
+
+Daniel Stenberg (29 Jan 2017)
+- [Antoine Aubert brought this change]
+
+ mbedtls: implement CTR-DRBG and HAVEGE random generators
+
+ closes #1227
+
+- docs: we no longer ship HTML versions of man pages
+
+ ... refer to the web site for the web versions.
+
+- [railsnewbie257 brought this change]
+
+ docs: proofread README.netware README.win32
+
+ Closes #1231
+
+- RELEASE-NOTES; synced with ab08d82648
+
+Michael Kaufmann (28 Jan 2017)
+- mbedtls: disable TLS session tickets
+
+ SSL session reuse with TLS session tickets is not supported yet.
+ Use SSL session IDs instead.
+
+ See https://github.com/curl/curl/issues/1109
+
+- gnutls: disable TLS session tickets
+
+ SSL session reuse with TLS session tickets is not supported yet.
+ Use SSL session IDs instead.
+
+ Fixes https://github.com/curl/curl/issues/1109
+
+- polarssl: fix hangs
+
+ This bugfix is similar to commit c111178bd4.
+
+Daniel Stenberg (27 Jan 2017)
+- cookies: do not assume a valid domain has a dot
+
+ This repairs cookies for localhost.
+
+ Non-PSL builds will now only accept "localhost" without dots, while PSL
+ builds okeys everything not listed as PSL.
+
+ Added test 1258 to verify.
+
+ This was a regression brought in a76825a5efa6b4
+
+- TODO: remove "Support TLS v1.3"
+
+ Support is trickling in already.
+
+- [railsnewbie257 brought this change]
+
+ INTERNALS.md: language improvements
+
+ Closes #1226
+
+- telnet: fix windows compiler warnings
+
+ Thumbs-up-by: Jay Satiro
+
+ Closes #1225
+
+- VC: remove the makefile.vc6 build infra
+
+ The winbuild/ build files is now the single MSVC makefile build choice.
+
+ Closes #1215
+
+- [Jay Satiro brought this change]
+
+ cmdline-opts/gen.pl: Open input files in CRLF mode
+
+ On Windows it's possible to have input files with CRLF line endings and
+ a perl that defaults to LF line endings (eg msysgit). Currently that
+ results in generator output of mixed line endings of CR, LF and CRLF.
+
+ This change fixes that issue in the most succinct way by opening the
+ files in :crlf text mode even when the perl being used does not default
+ to that mode. (On operating systems that don't have a separate text mode
+ it's essentially a no-op.) The output continues to be in the perl's
+ native line ending.
+
+- docs/curl.1: generate from the cmdline-opts script
+
+- vtls: source indentation fix
+
+- contri*.sh: cut off parentheses from names too
+
+- RELEASE-NOTES: synced with 01ab7c30bba6f
+
+- vtls: fix PolarSSL non-blocking handling
+
+ A regression brought in cb4e2be
+
+ Reported-by: Michael Kaufmann
+ Bug: https://github.com/curl/curl/issues/1174#issuecomment-274018791
+
+- [Antoine Aubert brought this change]
+
+ vtls: fix mbedtls multi non blocking handshake.
+
+ When using multi, mbedtls handshake is in non blocking mode. vtls must
+ set wait for read/write flags for the socket.
+
+ Closes #1223
+
+- [Richy Kim brought this change]
+
+ CURLOPT_BUFFERSIZE: support enlarging receive buffer
+
+ Replace use of fixed macro BUFSIZE to define the size of the receive
+ buffer. Reappropriate CURLOPT_BUFFERSIZE to include enlarging receive
+ buffer size. Upon setting, resize buffer if larger than the current
+ default size up to a MAX_BUFSIZE (512KB). This can benefit protocols
+ like SFTP.
+
+ Closes #1222
+
+- sws: use SOCKERRNO, not errno
+
+ Reported-by: Gisle Vanem
+
+Michael Kaufmann (19 Jan 2017)
+- KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
+
+ This has been implemented with commit 9ad034e.
+
+Viktor Szakats (19 Jan 2017)
+- *.rc: escape non-ASCII/non-UTF-8 character for clarity
+
+ Closes https://github.com/curl/curl/pull/1217
+
+Kamil Dudka (19 Jan 2017)
+- docs: non-blocking SSL handshake is now supported with NSS
+
+ Implemented since curl-7_36_0-130-g8868a22
+
+ Reported-by: Fahim Chandurwala
+
+Michael Kaufmann (18 Jan 2017)
+- CURLOPT_CONNECT_TO: Fix compile warnings
+
+ Fix compile warnings that appeared only when curl has been configured
+ with '--disable-verbose'.
+
+Daniel Stenberg (18 Jan 2017)
+- usercertinmem.c: improve the short description
+
+- parseurl: move back buffer to function scope
+
+ Regression since 1d4202ad, which moved the buffer into a more narrow
+ scope, but the data in that buffer was used outside of that more narrow
+ scope.
+
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0093.html
+
+Jay Satiro (17 Jan 2017)
+- openssl: Fix random generation
+
+ - Fix logic error in Curl_ossl_random.
+
+ Broken a few days ago in 807698d.
+
+Daniel Stenberg (17 Jan 2017)
+- TODO: share OpenSSL contexts
+
+ By supporting this, subsequent connects would load a lot less data from
+ disk.
+
+ Closes #1110
+
+- bump: next release will be 7.53.0
+
+Kamil Dudka (15 Jan 2017)
+- nss: use the correct lock in nss_find_slot_by_name()
+
+Alessandro Ghedini (15 Jan 2017)
+- http2: disable server push if not requested
+
+ Ref: https://github.com/curl/curl/pull/1160
+
+Daniel Stenberg (14 Jan 2017)
+- [railsnewbie257 brought this change]
+
+ docs: improved language in README.md HISTORY.md CONTRIBUTE.md
+
+ Closes #1211
+
+Alessandro Ghedini (14 Jan 2017)
+- http: print correct HTTP string in verbose output when using HTTP/2
+
+ Before:
+ ```
+ % src/curl https://sigsegv.ninja/ -v --http2
+ ...
+ > GET / HTTP/1.1
+ > Host: sigsegv.ninja
+ > User-Agent: curl/7.52.2-DEV
+ > Accept: */*
+ >
+ ...
+ ```
+
+ After:
+ ```
+ % src/curl https://sigsegv.ninja/ -v --http2
+ ...
+ > GET / HTTP/2
+ > Host: sigsegv.ninja
+ > User-Agent: curl/7.52.2-DEV
+ > Accept: */*
+ >
+ ```
+
+Daniel Stenberg (14 Jan 2017)
+- TODO: send only part of --data
+
+ Closes #1200
+
+- TODO: implemened "--fail-fast to exit on first transfer fail"
+
+ Even though it is called --fail-early
+
+- TODO: Chunked transfer multipart formpost
+
+ Closes #1139
+
+- TODO: Improve formpost API, not just add an easy argument
+
+- addrinfo: fix compiler warning on offsetof() use
+
+ curl_addrinfo.c:519:20: error: conversion to ‘curl_socklen_t {aka
+ unsigned int}’ from ‘long unsigned int’ may alter its value
+ [-Werror=conversion]
+
+ Follow-up to 1d786faee1046f
+
+- THANKS-filter: Jiri Malak
+
+- RELEASE-NOTES: synced with a7c73ae309c
+
+Peter Wu (13 Jan 2017)
+- [Isaac Boukris brought this change]
+
+ unix_socket: add support for abstract unix domain socket
+
+ In addition to unix domain sockets, Linux also supports an
+ abstract namespace which is independent of the filesystem.
+
+ In order to support it, add new CURLOPT_ABSTRACT_UNIX_SOCKET
+ option which uses the same storage as CURLOPT_UNIX_SOCKET_PATH
+ internally, along with a flag to specify abstract socket.
+
+ On non-supporting platforms, the abstract address will be
+ interpreted as an empty string and fail gracefully.
+
+ Also add new --abstract-unix-socket tool parameter.
+
+ Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+ Reported-by: Chungtsun Li (typeless)
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Peter Wu
+ Closes #1197
+ Fixes #1061
+
+Daniel Stenberg (13 Jan 2017)
+- write-out.d: 'time_total' is not always shown with ms precision
+
+ We have higher resolution since 7.52.0
+
+- next.d: --trace and --trace-ascii are also global
+
+- [Isaac Boukris brought this change]
+
+ curl: reset the easy handle at --next
+
+ So that only "global" options (verbose mostly) survive into the next
+ transfer, and the others have to be set again unless default is fine.
+
+- [Frank Gevaerts brought this change]
+
+ docs: Add note about libcurl copying strings to CURLOPT_* manpages
+
+ Closes #1169
+
+- [Frank Gevaerts brought this change]
+
+ CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char*
+
+- IDN: Use TR46 non-transitional
+
+ Assisted-by: Tim Rühsen
+
+- IDN: revert use of the transitional option
+
+ It made the german ß get converted to ss, IDNA2003 style, and we can't
+ have that for the .de TLD - a primary reason for our switch to IDNA2008.
+
+ Test 165 verifies.
+
+- [Tim Rühsen brought this change]
+
+ IDN: Fix compile time detection of linidn2 TR46
+
+ Follow-up to f30cbcac1
+
+ Closes #1207
+
+- [ERAMOTO Masaya brought this change]
+
+ url: --noproxy option overrides NO_PROXY environment variable
+
+ Under condition using http_proxy env var, noproxy list was the
+ combination of --noproxy option and NO_PROXY env var previously. Since
+ this commit, --noproxy option overrides NO_PROXY environment variable
+ even if use http_proxy env var.
+
+ Closes #1140
+
+- [ERAMOTO Masaya brought this change]
+
+ url: Refactor detect_proxy()
+
+ If defined CURL_DISABLE_HTTP, detect_proxy() returned NULL. If not
+ defined CURL_DISABLE_HTTP, detect_proxy() checked noproxy list.
+
+ Thus refactor to set proxy to NULL instead of calling detect_proxy() if
+ define CURL_DISABLE_HTTP, and refactor to call detect_proxy() if not
+ define CURL_DISABLE_HTTP and the host is not in the noproxy list.
+
+- [ERAMOTO Masaya brought this change]
+
+ url: Fix NO_PROXY env var to work properly with --proxy option.
+
+ The combination of --noproxy option and http_proxy env var works well
+ both for proxied hosts and non-proxied hosts.
+
+ However, when combining NO_PROXY env var with --proxy option,
+ non-proxied hosts are not reachable while proxied host is OK.
+
+ This patch allows us to access non-proxied hosts even if using NO_PROXY
+ env var with --proxy option.
+
+- [Tim Rühsen brought this change]
+
+ IDN: Use TR46 'transitional' for toASCII translations
+
+ References: http://unicode.org/faq/idn.html
+ http://unicode.org/reports/tr46
+
+ Closes #1206
+
+- [railsnewbie257 brought this change]
+
+ docs: FAQ MAIL-ETIQUETTE language fixes
+
+ Closes #1194
+
+- [Marcus Hoffmann brought this change]
+
+ gnutls: check for alpn and ocsp in configure
+
+ Check for presence of gnutls_alpn_* and gnutls_ocsp_* functions during
+ configure instead of relying on the version number. GnuTLS has options
+ to turn these features off and we ca just work with with such builds
+ like we work with older versions.
+
+ Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com>
+
+ Closes #1204
+
+Jay Satiro (12 Jan 2017)
+- url: Fix parsing for when 'file' is the default protocol
+
+ Follow-up to 3463408.
+
+ Prior to 3463408 file:// hostnames were silently stripped.
+
+ Prior to this commit it did not work when a schemeless url was used with
+ file as the default protocol.
+
+ Ref: https://curl.haxx.se/mail/lib-2016-11/0081.html
+ Closes https://github.com/curl/curl/pull/1124
+
+ Also fix for drive letters:
+
+ - Support --proto-default file c:/foo/bar.txt
+
+ - Support file://c:/foo/bar.txt
+
+ - Fail when a file:// drive letter is detected and not MSDOS/Windows.
+
+ Bug: https://github.com/curl/curl/issues/1187
+ Reported-by: Anatol Belski
+ Assisted-by: Anatol Belski
+
+Daniel Stenberg (12 Jan 2017)
+- rand: make it work without TLS backing
+
+ Regression introduced in commit f682156a4fc6c4
+
+ Reported-by: John Kohl
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html
+
+Jay Satiro (12 Jan 2017)
+- STARTTLS: Don't print response character in denied messages
+
+ Both IMAP and POP3 response characters are used internally, but when
+ appended to the STARTTLS denial message likely could confuse the user.
+
+ Closes https://github.com/curl/curl/pull/1203
+
+- smtp: Fix STARTTLS denied error message
+
+ - Format the numeric denial code as an integer instead of a character.
+
+Daniel Stenberg (11 Jan 2017)
+- http2_send: avoid unsigned integer wrap around
+
+ ... when checking for a too large request.
+
+Jay Satiro (9 Jan 2017)
+- [Jiri Malak brought this change]
+
+ cmake: Fix passing _WINSOCKAPI_ macro to compiler
+
+ Define _WINSOCKAPI_ blank rather than to 1 in order to match the value
+ used by Microsoft's winsock header files.
+
+ Closes https://github.com/curl/curl/pull/1195
+
+Daniel Stenberg (9 Jan 2017)
+- sws: retry send() on EWOULDBLOCK
+
+ Fixes spurious test 1060 and 1061 failures on OpenBSD, Solaris and more.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0009.html
+ Reported-by: Christian Weisgerber
+
+- RELEASE-NOTES: synced with a41e8592d6b3e58
+
+- examples: make the C++ examples follow our code style too
+
+ At least mostly, not counting // comments.
+
+- [Aulddays brought this change]
+
+ asiohiper: improved socket handling
+
+ libcurl requires CURLMOPT_SOCKETFUNCTION to KEEP watching socket events
+ and notify back. Modify event_cb() to continue watching events when
+ fired.
+
+ Fixes #1191
+ Closes #1192
+ Fixed-by: Mingliang Zhu
+
+- [Jiří Malák brought this change]
+
+ lib506: fix build for Open Watcom
+
+ Rename symbol lock to locks to not clash with OW CRTL function name.
+
+ Closes #1196
+
+- ROADMAP: 2017 cleanup
+
+ Removed items already fixed, clarified a few others.
+
+- COPYING: update the generic copyright year range
+
+- docs/silent: mention --show-error in --silent description
+
+ Reported in #1190
+ Reported-by: Dan Jacobson
+
+- docs/page-header: mention how to disable the progress meter
+
+ curl.1 is regenerated
+
+ Fixes #1190
+
+Dan Fandrich (7 Jan 2017)
+- wolfssl: display negotiated SSL version and cipher
+
+- wolfssl: support setting cipher list
+
+Patrick Monnerat (6 Jan 2017)
+- CIPHERS.md: document GSKit ciphers
+
+Jay Satiro (5 Jan 2017)
+- [peterpih brought this change]
+
+ TheArtOfHttpScripting: grammar
+
+Nick Zitzmann (3 Jan 2017)
+- darwinssl: --insecure overrides --cacert if both settings are in use
+
+ Fixes #1184
+
+Jay Satiro (2 Jan 2017)
+- docs/libcurl: TCP_KEEPALIVE start and interval default to 60
+
+ Since the TCP keep-alive options were added in 705f0f7 the start and
+ interval default values have been 60, but that wasn't documented.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0000.html
+ Reported-by: Praveen Pvs
+
+Daniel Stenberg (29 Dec 2016)
+- curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
+
+ This error code was once introduced when some library was dynamically
+ loaded and a funciton within said library couldn't be found.
+
+- content_encoding: change return code on a failure
+
+ Failure to decompress is now a write error instead of the weird
+ "function not found".
+
+- page-footer: error 36 is protocol agnostic!
+
+Jay Satiro (28 Dec 2016)
+- tool_operate: Fix --remote-time incorrect times on Windows
+
+ - Use Windows API SetFileTime to set the file time instead of utime.
+
+ Avoid utime on Windows if possible because it may apply a daylight
+ saving time offset to our UTC file time.
+
+ Bug: https://curl.haxx.se/mail/archive-2016-11/0033.html
+ Reported-by: Tim
+
+ Closes https://github.com/curl/curl/pull/1121
+
+Daniel Stenberg (29 Dec 2016)
+- [Max Khon brought this change]
+
+ digest_sspi: copy terminating NUL as well
+
+ Curl_auth_decode_digest_http_message(): copy terminating NUL as later
+ Curl_override_sspi_http_realm() expects a NUL-terminated string.
+
+ Fixes #1180
+
+- curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
+
+ Mentioned in #1013
+
+- [Kyselgov E.N brought this change]
+
+ cmake: use crypt32.lib when building with OpenSSL on windows
+
+ Reviewed-by: Peter Wu
+ Closes #1149
+ Fixes #1147
+
+- [Chris Araman brought this change]
+
+ darwinssl: fix CFArrayRef leak
+
+ Reviewed-by: Nick Zitzmann
+ Closes #1173
+
+- [Chris Araman brought this change]
+
+ darwinssl: fix iOS build
+
+ Reviewed-by: Nick Zitzmann
+ Fixes #1172
+
+- curl: remove superfluous include file
+
+ The <netinet/tcp.h> is a leftover from the past when TCP socket options
+ were set in this file. This include causes build issues on AIX 4.3.
+
+ Reported-by: Kim Minjoong
+
+ Closes #1178
+
+- RELEASE-NOTES: synced with a7b38c9dc98481e
+
+- vtls: s/SSLEAY/OPENSSL
+
+ Fixed an old leftover use of the USE_SSLEAY define which would make a
+ socket get removed from the applications sockets to monitor when the
+ multi_socket API was used, leading to timeouts.
+
+ Bug: #1174
+
+- docs/ciphers: link to our own new page about ciphers
+
+ ... as the former ones always go stale!
+
+- cmdline-opts/page-footer: add three more exit codes
+
+ ... and regenerated curl.1
+
+- formdata: use NULL, not 0, when returning pointers
+
+- ftp: failure to resolve proxy should return that error code
+
+- configure: accept --with-libidn2 instead
+
+ ... which the help text already implied since we switched to libidn2
+ from libidn in commit 9c91ec778104ae3b back in October 2016.
+
+ Reported-by: Christian Weisgerber
+ Bug: https://curl.haxx.se/mail/lib-2016-12/0110.html
+
+- test1282: verify the ftp-gss check
+
+- ftp-gss: check for init before use
+
+ To avoid dereferencing a NULL pointer.
+
+ Reported-by: Daniel Romero
+
+Jay Satiro (24 Dec 2016)
+- build-wolfssl: Sync config with wolfSSL 3.10
+
+ wolfSSL configure script relevant changes from 3.9 to 3.10:
+
+ - DES3 no longer enabled by default
+ - Shamir no longer enabled by default
+ - Extended master secret enabled by default
+ - RSA and ECC timing protections enabled by default
+
+ For backwards compatibility I enabled DES3 and ECC shamir config options
+ (ie no change from 3.9), and the other changes are included.
+
+- cyassl: use time_t instead of long for timeout
+
+Daniel Stenberg (23 Dec 2016)
+- bump: toward next release
+
+- http: remove "Curl_http_done: called premature" message
+
+ ... it only confuses people.
+
+- openssl-random: check return code when asking for random
+
+ and fail appropriately if it returns error
+
+- gnutls-random: check return code for failed random
+
+Version 7.52.1 (22 Dec 2016)
+
+Daniel Stenberg (22 Dec 2016)
+- RELEASE-NOTES: curl 7.52.1
+
+- lib557.c: use a shorter MAXIMIZE representation
+
+ Since several compilers had problems with the previous one
+
+ Reported-by: Ray Satiro
+ Bug: https://curl.haxx.se/mail/lib-2016-12/0098.html
+
+- runtests: remove the valgrind parser
+
+ Old legacy parsing that 1) hid problems for us and 2) probably isn't
+ needed anymore.
+
+- [Kamil Dudka brought this change]
+
+ randit: store the value in the buffer
+
+- tests/Makefile: run checksrc on debug builds
+
+ ... just like we already do in src/ and lib/
+
+- lib557: move the "enable LONGLINE" to allow more long lines
+
+ This file is riddled with them...
+
+- bump: toward next release
+
+Marcel Raad (21 Dec 2016)
+- lib: fix MSVC compiler warnings
+
+ Visual C++ complained:
+ warning C4267: '=': conversion from 'size_t' to 'long', possible loss of data
+ warning C4701: potentially uninitialized local variable 'path' used
+
+Version 7.52.0 (20 Dec 2016)
+
+Daniel Stenberg (20 Dec 2016)
+- THANKS: 13 new contributors from 7.52.0
+
+- RELEASE-NOTES: 7.52.0
+
+- ssh: inhibit coverity warning with (void)
+
+ CID 1397391 (#1 of 1): Unchecked return value (CHECKED_RETURN)
+
+- Curl_recv_has_postponed_data: silence compiler warnings
+
+ Follow-up to d00f2a8f2
+
+Jay Satiro (19 Dec 2016)
+- tests: checksrc compliance
+
+- http_proxy: Fix proxy CONNECT hang on pending data
+
+ - Check for pending data before waiting on the socket.
+
+ Bug: https://github.com/curl/curl/issues/1156
+ Reported-by: Adam Langley
+
+Daniel Stenberg (19 Dec 2016)
+- cmdline-opts/tlsv1.d: rephrased
+
+- [Dan McNulty brought this change]
+
+ schannel: fix wildcard cert name validation on Win CE
+
+ Fixes a few issues in manual wildcard cert name validation in
+ schannel support code for Win32 CE:
+ - when comparing the wildcard name to the hostname, the wildcard
+ character was removed from the cert name and the hostname
+ was checked to see if it ended with the modified cert name.
+ This allowed cert names like *.com to match the connection
+ hostname. This violates recommendations from RFC 6125.
+ - when the wildcard name in the certificate is longer than the
+ connection hostname, a buffer overread of the connection
+ hostname buffer would occur during the comparison of the
+ certificate name and the connection hostname.
+
+- printf: fix floating point buffer overflow issues
+
+ ... and add a bunch of floating point printf tests
+
+- config-amigaos.h: (embarrassed) made the line shorter
+
+- config-amigaos.h: fix bug report email reference
+
+- RELEASE-NOTES: synced with 4517158abfeba
+
+- CIPHERS.md: backtick the names to show underscores fine
+
+- form-string.d: fix format mistake
+
+ and regenerated curl.1
+
+ Reported-by: Gisle Vanem
+
+Michael Kaufmann (18 Dec 2016)
+- openssl: simplify expression in Curl_ossl_version
+
+- curl_easy_recv: Improve documentation and example program
+
+ Follow-up to 82245ea: Fix the example program sendrecv.c (handle
+ CURLE_AGAIN, handle incomplete send). Improve the documentation
+ for curl_easy_recv() and curl_easy_send().
+
+ Reviewed-by: Frank Meier
+ Assisted-by: Jay Satiro
+
+ See https://github.com/curl/curl/pull/1134
+
+- [Isaac Boukris brought this change]
+
+ Curl_getconnectinfo: avoid checking if the connection is closed
+
+ It doesn't benefit us much as the connection could get closed at
+ any time, and also by checking we lose the ability to determine
+ if the socket was closed by reading zero bytes.
+
+ Reported-by: Michael Kaufmann
+
+ Closes https://github.com/curl/curl/pull/1134
+
+Daniel Stenberg (18 Dec 2016)
+- CIPHERS.md: attempt to document TLS cipher names
+
+ As the official docs seems really hard to keep track of and link to over
+ time
+
+- curl.1: generated after 6cce4dbf830
+
+- cmdline-opts/post30X.d: fix the RFC references
+
+- curl.1: regenerated
+
+ Fixed trailing whitespace and numerous formatting glitches
+
+- cmdline-opts: formatting fixes
+
+- curl_easy_setopt.3: removed CURLOPT_SOCKS_PROXYTYPE
+
+- tool_getparam.c: make comments use the up-to-date option names
+
+- manpage-scan.pl: allow deprecated options to get removed from curl.1
+
+ --krb4, --ftp-ssl and --ftp-ssl-reqd no longer need to be documented in the
+ man page
+
+- cmdline-opts/gen.pl: trim off trailing spaces
+
+- cmdline-opts/proxy-tlsuser.d: remove trailing .d
+
+- curl_easy_setopt.3: CURLOPT_PRE_PROXY instead of CURLOPT_SOCKS_PROXY
+
+- symbols: removed two, added one
+
+- cmdline-opts: include the man page split up files in the dist
+
+- curl.1: generated with gen.pl
+
+ This is the first time we replace the manually edited curt.1 with the
+ generated one created by gen.pl and the individual option documentation
+ pages.
+
+ Do not edit this file, edit the individual pages and regenerate this
+ output.
+
+ This file will be generated by the build system soon and then removed
+ from git.
+
+- cmdline-opts: added some missing info
+
+- CURLINFO_SSL_VERIFYRESULT.3: language
+
+- HTTPS-PROXY docs: update/polish
+
+- cmdline-opts/page-header: mention it is generated
+
+ ... to avoid people from trying to edit the pending curl.1 version that
+ gets generated by gen.pl
+
+- preproxy: renamed what was added as SOCKS_PROXY
+
+ CURLOPT_SOCKS_PROXY -> CURLOPT_PRE_PROXY
+
+ Added the corresponding --preroxy command line option. Sets a SOCKS
+ proxy to connect to _before_ connecting to a HTTP(S) proxy.
+
+- curl: normal socks proxies still use CURLOPT_PROXY
+
+ ... the newly introduced CURLOPT_SOCKS_PROXY is special and should be
+ asked for specially. (Needs new code.)
+
+ Unified proxy type to a single variable in the config struct.
+
+- CURLOPT_SOCKS_PROXYTYPE: removed
+
+ This was added as part of the SOCKS+HTTPS proxy merge but there's no
+ need to support this as we prefer to have the protocol specified as a
+ prefix instead.
+
+- curl_multi_socket.3: fix typo
+
+- checksrc: warn for assignments within if() expressions
+
+ ... they're already frowned upon in our source code style guide, this
+ now enforces the rule harder.
+
+- checksrc: stricter no-space-before-paren enforcement
+
+ In order to make the code style more uniform everywhere
+
+- ISSUE_TEMPLATE: try mentioning known bugs/todo in new issue template
+
+- RELEASE-NOTES: synced with 71a55534fa6
+
+- [Adam Langley brought this change]
+
+ openssl: don't use OpenSSL's ERR_PACK.
+
+ ERR_PACK is an internal detail of OpenSSL. Also, when using it, a
+ function name must be specified which is overly specific: the test will
+ break whenever OpenSSL internally change things so that a different
+ function creates the error.
+
+ Closes #1157
+
+Dan Fandrich (5 Dec 2016)
+- test2032: Mark test as flaky
+
+Jay Satiro (3 Dec 2016)
+- [Jeremy Pearson brought this change]
+
+ libcurl-multi.3: typo
+
+ Closes https://github.com/curl/curl/pull/1153
+
+Dan Fandrich (2 Dec 2016)
+- test1281: added http as a required feature
+
+Daniel Stenberg (2 Dec 2016)
+- curl: support zero-length argument strings in config files
+
+ ... like 'user-agent = ""'
+
+ Adjusted test 71 to verify.
+
+- http_proxy: simplify CONNECT response reading
+
+ Since it now reads responses one byte a time, a loop could be removed
+ and it is no longer limited to get the whole response within 16K, it is
+ now instead only limited to 16K maximum header line lengths.
+
+- tests: fix CONNECT test cases to be more strict
+
+ ... as they broke with the cleaned up CONNECT handling
+
+- CONNECT: read responses one byte at a time
+
+ ... so that it doesn't read data that is actually coming from the
+ remote. 2xx responses have no body from the proxy, that data is from the
+ peer.
+
+ Fixes #1132
+
+- CONNECT: reject TE or CL in 2xx responses
+
+ A server MUST NOT send any Transfer-Encoding or Content-Length header
+ fields in a 2xx (Successful) response to CONNECT. (RFC 7231 section
+ 4.3.6)
+
+ Also fixes the three test cases that did this.
+
+- URL parser: reject non-numerical port numbers
+
+ Test 1281 added to verify
+
+Dan Fandrich (30 Nov 2016)
+- runtests: made Servers: output be more consistent by removing OFF
+
+- cyassl: fixed typo introduced in 4f8b1774
+
+Michael Kaufmann (30 Nov 2016)
+- CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries properly
+
+ If a port number in a "connect-to" entry does not match, skip this
+ entry instead of connecting to port 0.
+
+ If a port number in a "connect-to" entry matches, use this entry
+ and look no further.
+
+ Reported-by: Jay Satiro
+ Assisted-by: Jay Satiro, Daniel Stenberg
+
+ Closes #1148
+
+Daniel Stenberg (29 Nov 2016)
+- BUGS: describe bug handling process
+
+- RELEASE-NOTES: synced with 19613fb3
+
+Jay Satiro (28 Nov 2016)
+- http2: check nghttp2_session_set_local_window_size exists
+
+ The function only exists since nghttp2 1.12.0.
+
+ Bug: https://github.com/curl/curl/commit/a4d8888#commitcomment-19985676
+ Reported-by: Michael Kaufmann
+
+Daniel Stenberg (28 Nov 2016)
+- [Anders Bakken brought this change]
+
+ http2: Fix crashes when parent stream gets aborted
+
+ Closes #1125
+
+- cmdline-docs: more options converted and fixed
+
+ Now all options are in the new system.
+
+- gen: include footer in mainpage output
+
+Jay Satiro (28 Nov 2016)
+- lib1536: checksrc compliance
+
+Daniel Stenberg (28 Nov 2016)
+- cmdline-opts: more command line options documented
+
+ Moved over to the new format
+
+- curl: remove --proxy-ssl* options
+
+ There's mostly likely no need to allow setting SSLv2/3 version for HTTPS
+ proxy. Those protocols are insecure by design and deprecated.
+
+- CURLOPT_PROXY_*.3: polished some proxy option man pages
+
+Patrick Monnerat (26 Nov 2016)
+- os400: support CURLOPT_PROXY_PINNEDPUBLICKEY
+
+ Also define it in ILE/RPG binding.
+
+Daniel Stenberg (26 Nov 2016)
+- [Okhin Vasilij brought this change]
+
+ curl_version_info: add CURL_VERSION_HTTPS_PROXY
+
+ Closes #1142
+
+- [Frank Gevaerts brought this change]
+
+ tests: Add some testcases for recent new features.
+
+ Add missing tests for CURLINFO_SCHEME, CURLINFO_PROTOCOL, %{scheme},
+ and %{http_version}
+
+ closes #1143
+
+- [Frank Gevaerts brought this change]
+
+ curl_easy_reset: clear info for CULRINFO_PROTOCOL and CURLINFO_SCHEME
+
+- CURLOPT_PROXY_CAINFO.3: clarify proxy use
+
+- CURLOPT_PROXY_CRLFILE.3: clarify https proxy and availability
+
+- curl_easy_setopt.3: add CURLOPT_PROXY_PINNEDPUBLICKEY
+
+ Follow-up to 4f8b17743d7c55a
+
+- docs: include all opts man pages in dist
+
+ Sorted the lists too.
+
+ ... and include the new ones in the PDF and HTML generation targets
+
+- [Thomas Glanzmann brought this change]
+
+ HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY
+
+- [Thomas Glanzmann brought this change]
+
+ url: proxy: Use 443 as default port for https proxies
+
+- TODO: removed "HTTPS proxy"
+
+- [Jan-E brought this change]
+
+ winbuild: add config option ENABLE_NGHTTP2
+
+ Closes #1141
+
+Jay Satiro (24 Nov 2016)
+- tool_urlglob: Improve sanity check in glob_range
+
+ Prior to this change we depended on errno if strtol could not perform a
+ conversion. POSIX says EINVAL *may* be set. Some implementations like
+ Microsoft's will not set it if there's no conversion.
+
+ Ref: https://github.com/curl/curl/commit/ee4f7660#commitcomment-19658189
+
+- tool_help: Change description for --retry-connrefused
+
+ Ref: https://github.com/curl/curl/pull/1064#issuecomment-260052409
+
+Patrick Monnerat (25 Nov 2016)
+- os400: sync ILE/RPG binding
+
+Jay Satiro (24 Nov 2016)
+- test1135: Fix curl_easy_duphandle prototype for code style
+
+ Follow-up to dbadaeb which changed the style.
+
+- x509asn1: Restore the parameter check in Curl_getASN1Element
+
+ - Restore the removed parts of the parameter check.
+
+ Follow-up to 945f60e which altered the parameter check.
+
+Daniel Stenberg (25 Nov 2016)
+- RELEASE-NOTES: update option counters
+
+- [Frank Gevaerts brought this change]
+
+ add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
+
+ Adds access to the effectively used protocol/scheme to both libcurl and
+ curl, both in string and numeric (CURLPROTO_*) form.
+
+ Note that the string form will be uppercase, as it is just the internal
+ string.
+
+ As these strings are declared internally as const, and all other strings
+ returned by curl_easy_getinfo() are de-facto const as well, string
+ handling in getinfo.c got const-ified.
+
+ Closes #1137
+
+- RELEASE-NOTES: synced with 63198a4750aeb
+
+- curl.1: the new --proxy options ship in 7.52.0
+
+- checksrc: move open braces to comply with function declaration style
+
+- checksrc: detect wrongly placed open braces in func declarations
+
+- checksrc: white space edits to comply to stricter checksrc
+
+- checksrc: verify ASTERISKNOSPACE
+
+ Detects (char*) and 'char*foo' uses.
+
+- checksrc: code style: use 'char *name' style
+
+- checksrc: add ASTERISKSPACE
+
+ Verifies a 'char *name' style, with no space after the asterisk.
+
+- openssl: remove dead code
+
+ Coverity CID 1394666
+
+- [Okhin Vasilij brought this change]
+
+ HTTPS-proxy: fixed mbedtls and polishing
+
+- darwinssl: adopted to the HTTPS proxy changes
+
+ It builds and runs all test cases. No adaptations for actual HTTPS proxy
+ support has been made.
+
+- gtls: fix indent to silence compiler warning
+
+ vtls/gtls.c: In function ‘Curl_gtls_data_pending’:
+ vtls/gtls.c:1429:3: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
+ if(conn->proxy_ssl[connindex].session &&
+ ^~
+ vtls/gtls.c:1433:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
+ return res;
+
+- [Thomas Glanzmann brought this change]
+
+ mbedtls: Fix compile errors
+
+- [Alex Rousskov brought this change]
+
+ proxy: Support HTTPS proxy and SOCKS+HTTP(s)
+
+ * HTTPS proxies:
+
+ An HTTPS proxy receives all transactions over an SSL/TLS connection.
+ Once a secure connection with the proxy is established, the user agent
+ uses the proxy as usual, including sending CONNECT requests to instruct
+ the proxy to establish a [usually secure] TCP tunnel with an origin
+ server. HTTPS proxies protect nearly all aspects of user-proxy
+ communications as opposed to HTTP proxies that receive all requests
+ (including CONNECT requests) in vulnerable clear text.
+
+ With HTTPS proxies, it is possible to have two concurrent _nested_
+ SSL/TLS sessions: the "outer" one between the user agent and the proxy
+ and the "inner" one between the user agent and the origin server
+ (through the proxy). This change adds supports for such nested sessions
+ as well.
+
+ A secure connection with a proxy requires its own set of the usual SSL
+ options (their actual descriptions differ and need polishing, see TODO):
+
+ --proxy-cacert FILE CA certificate to verify peer against
+ --proxy-capath DIR CA directory to verify peer against
+ --proxy-cert CERT[:PASSWD] Client certificate file and password
+ --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG)
+ --proxy-ciphers LIST SSL ciphers to use
+ --proxy-crlfile FILE Get a CRL list in PEM format from the file
+ --proxy-insecure Allow connections to proxies with bad certs
+ --proxy-key KEY Private key file name
+ --proxy-key-type TYPE Private key file type (DER/PEM/ENG)
+ --proxy-pass PASS Pass phrase for the private key
+ --proxy-ssl-allow-beast Allow security flaw to improve interop
+ --proxy-sslv2 Use SSLv2
+ --proxy-sslv3 Use SSLv3
+ --proxy-tlsv1 Use TLSv1
+ --proxy-tlsuser USER TLS username
+ --proxy-tlspassword STRING TLS password
+ --proxy-tlsauthtype STRING TLS authentication type (default SRP)
+
+ All --proxy-foo options are independent from their --foo counterparts,
+ except --proxy-crlfile which defaults to --crlfile and --proxy-capath
+ which defaults to --capath.
+
+ Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
+ similar to the existing %{ssl_verify_result} variable.
+
+ Supported backends: OpenSSL, GnuTLS, and NSS.
+
+ * A SOCKS proxy + HTTP/HTTPS proxy combination:
+
+ If both --socks* and --proxy options are given, Curl first connects to
+ the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
+ proxy.
+
+ TODO: Update documentation for the new APIs and --proxy-* options.
+ Look for "Added in 7.XXX" marks.
+
+Patrick Monnerat (24 Nov 2016)
+- Declare endian read functions argument as a const pointer.
+ This is done for all functions of the form Curl_read[136][624]_[lb]e.
+
+- Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.
+ See CRL-01-006.
+
+Jay Satiro (22 Nov 2016)
+- url: Fix conn reuse for local ports and interfaces
+
+ - Fix connection reuse for when the proposed new conn 'needle' has a
+ specified local port but does not have a specified device interface.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-11/0137.html
+ Reported-by: bjt3[at]hotmail.com
+
+Daniel Stenberg (21 Nov 2016)
+- rand: pass in number of randoms as an unsigned argument
+
+Jay Satiro (20 Nov 2016)
+- rand: Fix potentially uninitialized result warning
+
+Marcel Raad (19 Nov 2016)
+- vtls: fix build warnings
+
+ Fix warnings about conversions from long to time_t in openssl.c and
+ schannel.c.
+
+ Follow-up to de4de4e3c7c
+
+Daniel Stenberg (18 Nov 2016)
+- [Marcel Raad brought this change]
+
+ lib: fix compiler warnings after de4de4e3c7c
+
+ Visual C++ now complains about implicitly casting time_t (64-bit) to
+ long (32-bit). Fix this by changing some variables from long to time_t,
+ or explicitly casting to long where the public interface would be
+ affected.
+
+ Closes #1131
+
+Peter Wu (17 Nov 2016)
+- [Isaac Boukris brought this change]
+
+ Don't mix unix domain sockets with regular ones
+
+ When reusing a connection, make sure the unix domain
+ socket option matches.
+
+Jay Satiro (17 Nov 2016)
+- tests: Fix HTTP2-Settings header for huge window size
+
+ Follow-up to a4d8888. Changing the window size in that commit resulted
+ in a different HTTP2-Settings upgrade header, causing test 1800 to fail.
+
+- http2: Use huge HTTP/2 windows
+
+ - Improve performance by using a huge HTTP/2 window size.
+
+ Bug: https://github.com/curl/curl/issues/1102
+ Reported-by: afrind@users.noreply.github.com
+ Assisted-by: Tatsuhiro Tsujikawa
+
+Daniel Stenberg (16 Nov 2016)
+- cmdline-docs: more conversion
+
+- gen: support 'protos'
+
+ and warn on unrecognized lines
+
+- gen: support 'single' to make an individual page man page
+
+- cmdline-docs: more options converted over
+
+- gen: support 'redirect'
+
+ ... and warn for too long --help lines
+
+- cmdline/gen: replace options in texts better
+
+Jay Satiro (16 Nov 2016)
+- http2: Fix address sanitizer memcpy warning
+
+ - In Curl_http2_switched don't call memcpy when src is NULL.
+
+ Curl_http2_switched can be called like:
+
+ Curl_http2_switched(conn, NULL, 0);
+
+ .. and prior to this change memcpy was then called like:
+
+ memcpy(dest, NULL, 0)
+
+ .. causing address sanitizer to warn:
+
+ http2.c:2057:3: runtime error: null pointer passed as argument 2, which
+ is declared to never be null
+
+- tool_help: Clarify --dump-header only writes received headers
+
+- curl.1: Clarify --dump-header only writes received headers
+
+Daniel Stenberg (15 Nov 2016)
+- [Alex Chan brought this change]
+
+ docs: Spelling fixes
+
+Kamil Dudka (15 Nov 2016)
+- docs: the next release will be 7.52.0
+
+Daniel Stenberg (15 Nov 2016)
+- cmdline-opts: support generating the --help output
+
+- [David Schweikert brought this change]
+
+ darwinssl: fix SSL client certificate not found on MacOS Sierra
+
+ Reviewed-by: Nick Zitzmann
+
+ Closes #1105
+
+- curl: add --fail-early to help output
+
+ Fixes test 1139 failures
+
+ Follow-up to f82bbe01c8835
+
+- glob: fix [a-c] globbing regression
+
+ Brought in ee4f76606cf
+
+ Added test case 1280 to verify
+
+ Reported-by: Dave Reisner
+
+ Bug: https://github.com/curl/curl/commit/ee4f76606cfa4ee068bf28edd37c8dae7e8db317#commitcomment-19823146
+
+- curl: add --fail-early
+
+ Exit with an error on the first transfer error instead of continuing to
+ do the rest of the URLs.
+
+ Discussion: https://curl.haxx.se/mail/archive-2016-11/0038.html
+
+- Curl_rand: fixed and moved to rand.c
+
+ Now Curl_rand() is made to fail if it cannot get the necessary random
+ level.
+
+ Changed the proto of Curl_rand() slightly to provide a number of ints at
+ once.
+
+ Moved out from vtls, since it isn't a TLS function and vtls provides
+ Curl_ssl_random() for this to use.
+
+ Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
+
+- cmdline-opts: first test version of a new man page generator kit
+
+ See MANPAGE.md for the description of how this works. Each command line
+ option is now described in a separate .d file.
+
+- time_t fix: follow-up to de4de4e3c7c
+
+ Blah, I accidentally wrote size_t instead of time_t for two variables.
+
+ Reported-by: Dave Reisner
+
+- timeval: prefer time_t to hold seconds instead of long
+
+ ... as long is still 32bit on modern 64bit windows machines, while
+ time_t is generally 64bit.
+
+Dan Fandrich (12 Nov 2016)
+- tests: fixed variable might be clobbered warning
+
+ This stops the compiler from potentially making invalid assumptions
+ about the immutability of sdp and sap across the longjmp boundary.
+
+Daniel Stenberg (12 Nov 2016)
+- RELEASE-NOTES: synced with 346340808c
+
+- URL-parser: for file://[host]/ URLs, the [host] must be localhost
+
+ Previously, the [host] part was just ignored which made libcurl accept
+ strange URLs misleading users. like "file://etc/passwd" which might've
+ looked like it refers to "/etc/passwd" but is just "/passwd" since the
+ "etc" is an ignored host name.
+
+ Reported-by: Mike Crowe
+ Assisted-by: Kamil Dudka
+
+- test558: adapt to 0649433da
+
+- openssl: make sure to fail in the unlikely event that PRNG seeding fails
+
+- openssl: avoid unnecessary seeding if already done
+
+ 1.1.0+ does more of this by itself so we can avoid extra processing this
+ way.
+
+- openssl: RAND_status always exists in OpenSSL >= 0.9.7
+
+ and remove RAND_screen from configure since nothing is using that
+ function
+
+- Curl_pgrsUpdate: use dedicated function for time passed
+
+- realloc: use Curl_saferealloc to avoid common mistakes
+
+ Discussed: https://curl.haxx.se/mail/lib-2016-11/0087.html
+
+- [Daniel Hwang brought this change]
+
+ curl: Add --retry-connrefused
+
+ to consider ECONNREFUSED as a transient error.
+
+ Closes #1064
+
+- openssl: raise the max_version to 1.3 if asked for
+
+ Now I've managed to negotiate TLS 1.3 with https://enabled.tls13.com/ when
+ using boringssl.
+
+Jay Satiro (9 Nov 2016)
+- vtls: Fail on unrecognized param for CURLOPT_SSLVERSION
+
+ - Fix GnuTLS code for CURL_SSLVERSION_TLSv1_2 that broke when the
+ TLS 1.3 support was added in 6ad3add.
+
+ - Homogenize across code for all backends the error message when TLS 1.3
+ is not available to "<backend>: TLS 1.3 is not yet supported".
+
+ - Return an error when a user-specified ssl version is unrecognized.
+
+ ---
+
+ Prior to this change our code for some of the backends used the
+ 'default' label in the switch statement (ie ver unrecognized) for
+ ssl.version and treated it the same as CURL_SSLVERSION_DEFAULT.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-11/0048.html
+ Reported-by: Kamil Dudka
+
+Daniel Stenberg (9 Nov 2016)
+- [Isaac Boukris brought this change]
+
+ SPNEGO: Fix memory leak when authentication fails
+
+ If SPNEGO fails, cleanup the negotiate handle right away.
+
+ Fixes #1115
+
+ Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+ Reported-by: ashman-p
+
+- CODE_STYLE.md: link to INTERNALS.md correctly
+
+- bump: next version will be 7.52.0
+
+- RELEASE-NOTES: synced with dfcdaaba371e9a3
+
+- examples/fileupload.c: fclose the file as well
+
+- printf: fix ".*f" handling
+
+ It would always use precision 1 instead of reading it from the argument
+ list as intended.
+
+ Reported-by: Ray Satiro
+
+ Bug: #1113
+
+- curl_formadd.3: *_FILECONTENT and *_FILE need the file to be kept
+
+ Reported-by: Frank Gevaerts
+
+Kamil Dudka (7 Nov 2016)
+- nss: silence warning 'SSL_NEXT_PROTO_EARLY_VALUE not handled in switch'
+
+ ... with nss-3.26.0 and newer
+
+ Reported-by: Daniel Stenberg
+
+Daniel Stenberg (7 Nov 2016)
+- openssl: initial TLS 1.3 adaptions
+
+ BoringSSL supports TLSv1.3 already, but these changes don't seem to be anough
+ to get it working.
+
+- ssh: check md5 fingerprints case insensitively (regression)
+
+ Revert the change from ce8d09483eea but use the new function
+
+ Reported-by: Kamil Dudka
+ Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146
+
+Kamil Dudka (7 Nov 2016)
+- curl: introduce the --tlsv1.3 option to force TLS 1.3
+
+ Fully implemented with the NSS backend only for now.
+
+ Reviewed-by: Ray Satiro
+
+- vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
+
+ Fully implemented with the NSS backend only for now.
+
+ Reviewed-by: Ray Satiro
+
+- nss: map CURL_SSLVERSION_DEFAULT to NSS default
+
+ ... but make sure we use at least TLSv1.0 according to libcurl API
+
+ Reported-by: Cure53
+ Reviewed-by: Ray Satiro
+
+Daniel Stenberg (7 Nov 2016)
+- s/cURL/curl
+
+ We're mostly saying just "curl" in lower case these days so here's a big
+ cleanup to adapt to this reality. A few instances are left as the
+ project could still formally be considered called cURL.
+
+Jay Satiro (7 Nov 2016)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Don't send header fields prohibited by HTTP/2 spec
+
+ Previously, we just ignored "Connection" header field. But HTTP/2
+ specification actually prohibits few more header fields. This commit
+ ignores all of them so that we don't send these bad header fields.
+
+ Bug: https://curl.haxx.se/mail/archive-2016-10/0033.html
+ Reported-by: Ricki Hirner
+
+ Closes https://github.com/curl/curl/pull/1092
+
+Daniel Stenberg (7 Nov 2016)
+- curl.1: explain the SMTP data expected for -T
+
+ Fixes #1107
+
+ Reported-by: Adam Piggott
+
+Peter Wu (6 Nov 2016)
+- cmake: disable poll for macOS
+
+ Mirrors the autotools behavior introduced with curl-7_50_3-83-ga34c7ce.
+
+ Fixes #1089
+
+Jay Satiro (5 Nov 2016)
+- easy: Initialize info variables on easy init and duphandle
+
+ - Call Curl_initinfo on init and duphandle.
+
+ Prior to this change the statistical and informational variables were
+ simply zeroed by calloc on easy init and duphandle. While zero is the
+ correct default value for almost all info variables, there is one where
+ it isn't (filetime initializes to -1).
+
+ Bug: https://github.com/curl/curl/issues/1103
+ Reported-by: Neal Poole
+
+Daniel Stenberg (5 Nov 2016)
+- [Mauro Rappa brought this change]
+
+ curl -w: added more decimal digits to timing counters
+
+ Now showing microsecond resolution.
+
+ Closes #1106
+
+Jakub Zakrzewski (4 Nov 2016)
+- dist: add CMakeLists.txt to the tarball
+
+Daniel Stenberg (4 Nov 2016)
+- mbedtls: fix build with mbedtls versions < 2.4.0
+
+ Regression added in 62a8095e714
+
+ Reported-by: Tony Kelman
+
+ Discussed in #1087
+
+- configure: verify that compiler groks -Werror=partial-availability
+
+ Reported-by: bemoody
+
+ Fixes #1104
+
+- docs: shorten and simplify the top comment in multi-uv.c
+
+ and change URL to use https
+
+- [Andrei Sedoi brought this change]
+
+ docs: handle CURL_POLL_INOUT in multi-uv example
+
+- [Andrei Sedoi brought this change]
+
+ docs: multi-uv: don't use CURLMsg after cleanup
+
+- [Andrei Sedoi brought this change]
+
+ docs: remove unused variables in multi-uv example
+
+- bump: start working on 7.51.1
+
+- winbuild: remove strcase.obj from curl build
+
+ Reported-by: Bruce Stephens
+
+ Fixes #1098
+
+Dan Fandrich (2 Nov 2016)
+- msvc: removed a straggling reference to strequal.c
+
+ Follow-up to 502acba2
+
+Version 7.51.0 (2 Nov 2016)
+
+Daniel Stenberg (2 Nov 2016)
+- THANKS: synced with 7.51.0
+
+- RELEASE-NOTES: 7.51.0
+
+- ftp_done: don't clobber the passed in error code
+
+ Coverity CID 1374359 pointed out the unused result value.
+
+- ftp: remove dead code in ftp_done
+
+ Coverity CID 1374358
+
+Jay Satiro (1 Nov 2016)
+- generate.bat: Include include/curl in libcurl VS projects
+
+ .. because including those headers helps Visual Studio's Intellisense.
+
+- generate.bat: Remove strcase.[ch] from curl tool VS projects
+
+ ..because they're no longer needed in the tool build. strcase is still
+ built by the libcurl project and exports curl_str(n)equal which is used
+ by the curl tool.
+
+ Bug: https://github.com/curl/curl/commit/9363f1a#all_commit_comments
+
+Daniel Stenberg (2 Nov 2016)
+- metalink: simplify the hex parsing function
+
+ ... and now it avoids using the libcurl toupper() function
+
+Michael Kaufmann (1 Nov 2016)
+- file: fix compiler warning
+
+ follow-up to 46133aa5
+
+Dan Fandrich (1 Nov 2016)
+- strcase: fixed Metalink builds by redefining checkprefix()
+
+ ...to use the public function curl_strnequal(). This isn't ideal because
+ it adds extra overhead to any internal calls to checkprefix.
+
+ follow-up to 95bd2b3e
+
+Daniel Stenberg (1 Nov 2016)
+- curl.1: typo
+
+- curl.1: expand on how multiple uses of -o looks
+
+ Suggested-by: Dan Jacobson
+ Issue: https://github.com/curl/curl/issues/1097
+
+- tests/util: get a private strncasecompare clone
+
+ ... since the curlx_* code no longer provides one and we don't link
+ libcurl to these test servers.
+
+- strcase: make the tool use curl_str[n]equal instead
+
+ As they are after all part of the public API. Saves space and reduces
+ complexity. Remove the strcase defines from the curlx_ family.
+
+ Suggested-by: Dan Fandrich
+ Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
+
+Kamil Dudka (31 Oct 2016)
+- gskit, nss: do not include strequal.h
+
+ follow-up to 811a693b80
+
+Dan Fandrich (31 Oct 2016)
+- strcasecompare: include curl.h in strcase.c
+
+ This should fix the "warning: 'curl_strequal' redeclared without
+ dllimport attribute: previous dllimport ignored" message and subsequent
+ link error on Windows because of the missing CURL_EXTERN on the
+ prototype.
+
+Daniel Stenberg (31 Oct 2016)
+- strcase: fix the remaining rawstr users
+
+- msvc builds: s/rawstr/strcase
+
+ Follow-up to 811a693b
+
+Dan Fandrich (31 Oct 2016)
+- strcasecompare: replaced remaining rawstr.h with strcase.h
+
+ This is a followup to commit 811a693b
+
+Marcel Raad (31 Oct 2016)
+- digest_sspi: fix include
+
+ Fix compile break from 811a693b80
+
+Dan Fandrich (31 Oct 2016)
+- libauthretry: use the external function curl_strequal
+
+ The internal version strcasecompare isn't available outside libcurl
+
+Daniel Stenberg (31 Oct 2016)
+- RELEASE-NOTES: synced with d14538d2501ef0da
+
+- configure: raise the default minimum version for macos to 10.8
+
+ follow-up to 4f8d0b6f02aa7043. Since the darwinssl code breaks
+ otherwise. If you build without darwinssl 10.5 works fine.
+
+- unit1301: keep testing curl_strequal
+
+ as that is still part of the API, fix from 8fe4bd084412f30
+
+- ldap: fix include
+
+ Fix bug from 811a693b80
+
+- url: remove unconditional idn2.h include
+
+ Mistake brought by 9c91ec778104a
+
+- curl_strequal: part of public API/ABI, needs to be kept
+
+ These two public functions have been mentioned as deprecated since a
+ very long time but since they are still part of the API and ABI we need
+ to keep them around.
+
+- strcase: s/strequal/strcasecompare
+
+ some more follow-ups to 811a693b80
+
+- ldap: fix strcase use
+
+ follow-up to 811a693b80
+
+- test165: adapted to the libidn2 use and IDNA2008 fix
+
+- cookie: replace use of fgets() with custom version
+
+ ... that will ignore lines that are too long to fit in the buffer.
+
+ CVE-2016-8615
+
+ Bug: https://curl.haxx.se/docs/adv_20161102A.html
+ Reported-by: Cure53
+
+- strcasecompare: all case insensitive string compares ignore locale now
+
+ We had some confusions on when each function was used. We should not act
+ differently on different locales anyway.
+
+- strcasecompare: is the new name for strequal()
+
+ ... to make it less likely that we forget that the function actually
+ does case insentive compares. Also replaced several invokes of the
+ function with a plain strcmp when case sensitivity is not an issue (like
+ comparing with "-").
+
+- ftp: check for previous patch must be case sensitive!
+
+ ... otherwise example.com/PATH and example.com/path would be assumed to
+ be the same and they usually aren't!
+
+- SSH: check md5 fingerprint case sensitively
+
+- connectionexists: use case sensitive user/password comparisons
+
+ CVE-2016-8616
+
+ Bug: https://curl.haxx.se/docs/adv_20161102B.html
+ Reported-by: Cure53
+
+- base64: check for integer overflow on large input
+
+ CVE-2016-8617
+
+ Bug: https://curl.haxx.se/docs/adv_20161102C.html
+ Reported-by: Cure53
+
+- krb5: avoid realloc(0)
+
+ If the requested size is zero, bail out with error instead of doing a
+ realloc() that would cause a double-free: realloc(0) acts as a free()
+ and then there's a second free in the cleanup path.
+
+ CVE-2016-8619
+
+ Bug: https://curl.haxx.se/docs/adv_20161102E.html
+ Reported-by: Cure53
+
+- aprintf: detect wrap-around when growing allocation
+
+ On 32bit systems we could otherwise wrap around after 2GB and allocate 0
+ bytes and crash.
+
+ CVE-2016-8618
+
+ Bug: https://curl.haxx.se/docs/adv_20161102D.html
+ Reported-by: Cure53
+
+- range: reject char globs with missing end like '[L-]'
+
+ ... which previously would lead to out of boundary reads.
+
+ Reported-by: Luật Nguyễn
+
+- glob_next_url: make sure to stay within the given output buffer
+
+- range: prevent negative end number in a glob range
+
+ CVE-2016-8620
+
+ Bug: https://curl.haxx.se/docs/adv_20161102F.html
+ Reported-by: Luật Nguyễn
+
+- parsedate: handle cut off numbers better
+
+ ... and don't read outside of the given buffer!
+
+ CVE-2016-8621
+
+ bug: https://curl.haxx.se/docs/adv_20161102G.html
+ Reported-by: Luật Nguyễn
+
+- escape: avoid using curl_easy_unescape() internally
+
+ Since the internal Curl_urldecode() function has a better API.
+
+- unescape: avoid integer overflow
+
+ CVE-2016-8622
+
+ Bug: https://curl.haxx.se/docs/adv_20161102H.html
+ Reported-by: Cure53
+
+- cookies: getlist() now holds deep copies of all cookies
+
+ Previously it only held references to them, which was reckless as the
+ thread lock was released so the cookies could get modified by other
+ handles that share the same cookie jar over the share interface.
+
+ CVE-2016-8623
+
+ Bug: https://curl.haxx.se/docs/adv_20161102I.html
+ Reported-by: Cure53
+
+- TODO: remove IDNA2008
+
+- idn: switch to libidn2 use and IDNA2008 support
+
+ CVE-2016-8625
+
+ Bug: https://curl.haxx.se/docs/adv_20161102K.html
+ Reported-by: Christian Heimes
+
+- test1246: verify URL parsing with host name ending with '#'
+
+- urlparse: accept '#' as end of host name
+
+ 'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
+ for the '/' document with the rest of the URL being a fragment.
+
+ CVE-2016-8624
+
+ Bug: https://curl.haxx.se/docs/adv_20161102J.html
+ Reported-by: Fernando Muñoz
+
+Jay Satiro (31 Oct 2016)
+- INTERNALS: better markdown (follow-up)
+
+ - Wrap more words with underscores in backticks.
+
+ Follow-up to 13f4913.
+
+Daniel Stenberg (30 Oct 2016)
+- INTERNALS: better markdown
+
+ words with underscore need to be within `these`
+
+ Bug: https://github.com/curl/curl-www/issues/19
+ Reported-by : Jay Satiro
+
+Jay Satiro (30 Oct 2016)
+- mk-ca-bundle.vbs: Fix UTF-8 output
+
+ - Change initial message box to mention delay when downloading/parsing.
+
+ Since there is no progress meter it was somewhat unexpected that after
+ choosing a filename nothing appears to happen, when actually the cert
+ data is in the process of being downloaded and parsed.
+
+ - Warn if OpenSSL is not present.
+
+ - Use a UTF-8 stream to make the ca-bundle data.
+
+ - Save the UTF-8 ca-bundle stream as binary so that no BOM is added.
+
+ ---
+
+ This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
+ ANSI due to corrupt UTF-8 output, now fixed.
+
+ This change completes making the default certificate bundle output of
+ mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
+ should make it easier to review any difference between their output.
+
+ Ref: https://github.com/curl/curl/pull/1012
+
+Daniel Stenberg (28 Oct 2016)
+- BINDINGS: converted to markdown
+
+ To make it render better on the web site, at the price of it becoming
+ slightly less readable as text.
+
+Jay Satiro (27 Oct 2016)
+- CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
+
+ - Clarify that this option is only for HTTP/1.1 pipelining.
+
+ Bug: https://github.com/curl/curl/issues/1059
+ Reported-by: Jeroen Ooms
+
+ Assisted-by: Daniel Stenberg
+
+Daniel Stenberg (27 Oct 2016)
+- KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
+
+ Closes #927
+
+- KNOWN_BUGS: c-ares deviates from stock resolver on http://1346569778
+
+ Closes #893
+
+Michael Osipov (27 Oct 2016)
+- configure.in: Fix test syntax
+
+ Some versions of test allow == for equality, but others (such as the HP-UX
+ version) do not. Use a single = for correctness.
+
+ Error output:
+ checking for monotonic clock_gettime... ./configure[20445]: ==: A test command parameter is not valid.
+
+Daniel Stenberg (27 Oct 2016)
+- SECURITY: minor updates
+
+ - we allow the security push up to 48 hours before the release
+
+ - add a mention about possible pre-notifications
+
+ - lower case the 'curl-security' title
+
+- [Andrei Sedoi brought this change]
+
+ docs: fix req->data in multi-uv example
+
+ Closes #1088
+
+- mbedtls: stop using deprecated include file
+
+ Reported-by: wyattoday
+ Fixes #1087
+
+Kamil Dudka (25 Oct 2016)
+- [Martin Frodl brought this change]
+
+ nss: fix tight loop in non-blocking TLS handhsake over proxy
+
+ ... in case the handshake completes before entering
+ CURLM_STATE_PROTOCONNECT
+
+ Bug: https://bugzilla.redhat.com/1388162
+
+Jay Satiro (25 Oct 2016)
+- mk-ca-bundle: Update the vbscript version
+
+ Bring the VBScript version more in line with the perl version:
+
+ - Change timestamp to UTC.
+
+ - Change URL retrieval to HTTPS-only by default.
+
+ - Comment out the options that disabled SSL cert checking by default.
+
+ - Assume OpenSSL is present, get SHA256. And add a flag to toggle it.
+
+ - Fix cert issuer name output.
+
+ The cert issuer output is now ansi, converted from UTF-8. Prior to this
+ it was corrupt UTF-8. It turns out though we can work with UTF-8 the
+ FSO object that writes ca-bundle can't write UTF-8, so there will have
+ to be some alternative if UTF-8 is needed (like an ADODB.Stream).
+
+ - Disable the certificate text info feature.
+
+ The certificate text info doesn't work properly with any recent OpenSSL.
+
+Daniel Stenberg (24 Oct 2016)
+- TODO: indent code to make it render properly
+
+- TODO: Remove the generated include file
+
+- TODO: add "--retry should resume"
+
+ See #1084
+
+- mk-ca-bundle.1: document -k
+
+ Brought in 1ad2bdcf110266c. Now does HTTPS by default and needs -k to
+ fall back to plain HTTP.
+
+- [Jay Satiro brought this change]
+
+ mk-ca-bundle: Change URL retrieval to HTTPS-only by default
+
+ - Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).
+
+ - New option -k to allow URLs other than HTTPS and enable HTTP fallback.
+
+ Prior to this change the default URL retrieval mode was to fall back to
+ HTTP if HTTPS didn't work.
+
+ Reported-by: Gregory Szorc
+
+ Closes #1012
+
+- RELEASE-NOTES: synced with 50ee3aaf1a9b22d
+
+Dan Fandrich (23 Oct 2016)
+- INSTALL.md: Updated minimum file sizes for 7.50.3
+
+Daniel Stenberg (22 Oct 2016)
+- multi: force connections to get closed in close_all_connections
+
+ Several independent reports on infinite loops hanging in the
+ close_all_connections() function when closing a multi handle, can be
+ fixed by first marking the connection to get closed before calling
+ Curl_disconnect.
+
+ This is more fixing-the-symptom rather than the underlying problem
+ though.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-10/0011.html
+ Bug: https://curl.haxx.se/mail/lib-2016-10/0059.html
+
+ Reported-by: Dan Fandrich, Valentin David, Miloš Ljumović
+
+- [Anders Bakken brought this change]
+
+ curl_multi_remove_handle: fix a double-free
+
+ In short the easy handle needs to be disconnected from its connection at
+ this point since the connection still is serving other easy handles.
+
+ In our app we can reliably reproduce a crash in our http2 stress test
+ that is fixed by this change. I can't easily reproduce the same test in
+ a small example.
+
+ This is the gdb/asan output:
+
+ ==11785==ERROR: AddressSanitizer: heap-use-after-free on address 0xe9f4fb80 at pc 0x09f41f19 bp 0xf27be688 sp 0xf27be67c
+ READ of size 4 at 0xe9f4fb80 thread T13 (RESOURCE_HTTP)
+ #0 0x9f41f18 in curl_multi_remove_handle /path/to/source/3rdparty/curl/lib/multi.c:666
+
+ 0xe9f4fb80 is located 0 bytes inside of 1128-byte region [0xe9f4fb80,0xe9f4ffe8)
+ freed by thread T13 (RESOURCE_HTTP) here:
+ #0 0xf7b1b5c2 in __interceptor_free /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:45
+ #1 0x9f7862d in conn_free /path/to/source/3rdparty/curl/lib/url.c:2808
+ #2 0x9f78c6a in Curl_disconnect /path/to/source/3rdparty/curl/lib/url.c:2876
+ #3 0x9f41b09 in multi_done /path/to/source/3rdparty/curl/lib/multi.c:615
+ #4 0x9f48017 in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1896
+ #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
+ #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
+ #7 0x9c445e0 in ...
+ #8 0x9c4cf1d in ...
+ #9 0xa2be6b5 in ...
+ #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
+
+ previously allocated by thread T13 (RESOURCE_HTTP) here:
+ #0 0xf7b1ba27 in __interceptor_calloc /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:70
+ #1 0x9f7dfa6 in allocate_conn /path/to/source/3rdparty/curl/lib/url.c:3904
+ #2 0x9f88ca0 in create_conn /path/to/source/3rdparty/curl/lib/url.c:5797
+ #3 0x9f8c928 in Curl_connect /path/to/source/3rdparty/curl/lib/url.c:6438
+ #4 0x9f45a8c in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1411
+ #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
+ #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
+ #7 0x9c445e0 in ...
+ #8 0x9c4cf1d in ...
+ #9 0xa2be6b5 in ...
+ #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
+
+ SUMMARY: AddressSanitizer: heap-use-after-free /path/to/source/3rdparty/curl/lib/multi.c:666 in curl_multi_remove_handle
+ Shadow bytes around the buggy address:
+ 0x3d3e9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
+ 0x3d3e9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ =>0x3d3e9f70:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ ==11785==ABORTING
+
+ Thread 14 "RESOURCE_HTTP" received signal SIGABRT, Aborted.
+ [Switching to Thread 0xf27bfb40 (LWP 12324)]
+ 0xf7fd8be9 in __kernel_vsyscall ()
+ (gdb) bt
+ #0 0xf7fd8be9 in __kernel_vsyscall ()
+ #1 0xf4c7ee89 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
+ #2 0xf4c803e7 in __GI_abort () at abort.c:89
+ #3 0xf7b2ef2e in __sanitizer::Abort () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cc:122
+ #4 0xf7b262fa in __sanitizer::Die () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_common.cc:145
+ #5 0xf7b21ab3 in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0xf27be171, __in_chrg=<optimized out>) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:689
+ #6 0xf7b214a5 in __asan::ReportGenericError (pc=166993689, bp=4068206216, sp=4068206204, addr=3925146496, is_write=false, access_size=4, exp=0, fatal=true) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:1074
+ #7 0xf7b21fce in __asan::__asan_report_load4 (addr=3925146496) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_rtl.cc:129
+ #8 0x09f41f19 in curl_multi_remove_handle (multi=0xf3406080, data=0xde582400) at /path/to/source3rdparty/curl/lib/multi.c:666
+ #9 0x09f6b277 in Curl_close (data=0xde582400) at /path/to/source3rdparty/curl/lib/url.c:415
+ #10 0x09f3354e in curl_easy_cleanup (data=0xde582400) at /path/to/source3rdparty/curl/lib/easy.c:860
+ #11 0x09c6de3f in ...
+ #12 0x09c378c5 in ...
+ #13 0x09c48133 in ...
+ #14 0x09c4d092 in ...
+ #15 0x0a2be6b6 in ...
+ #16 0xf7aa5781 in asan_thread_start (arg=0xf2d22938) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #17 0xf5de52b5 in start_thread (arg=0xf27bfb40) at pthread_create.c:333
+ #18 0xf4d3a16e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:114
+
+ Fixes #1083
+
+- testcurl.1: fix the URL to the autobuild summary
+
+- testcurl.1: update URLs
+
+- INSTALL: converted to markdown => INSTALL.md
+
+ Also heavily edited for content. Removed lots of old cruft that we added
+ like 10+ years ago that is likely incorrect by now.
+
+ Also removed INSTALL.devcpp for same reason.
+
+- [Martin Storsjo brought this change]
+
+ configure: Check for other variants of the -m*os*-version-min flags
+
+ In addition to -miphoneos-version-min, the same version can be set
+ using -mios-version-min. And for WatchOS and TvOS, there's
+ -mwatchos-version-min and -mtvos-version-min.
+
+- configure: set min version flags for builds on mac
+
+ This helps building binaries that can work on multiple macOS versions.
+
+ Help-by: Martin Storsjö
+
+ Fixes #1069
+
+- curl_multi_add_handle: set timeouts in closure handles
+
+ The closure handle only ever has default timeouts set. To improve the
+ state somewhat we clone the timeouts from each added handle so that the
+ closure handle always has the same timeouts as the most recently added
+ easy handle.
+
+ Fixes #739
+
+- configure/CURL_CHECK_FUNC_POLL: disable poll completely on mac
+
+ ... so that the same libcurl build easier can run on any version.
+
+ Follow-up to issue #1057
+
+- RELEASE-NOTES: synced with f36f8c14551efc6772
+
+- test14xx: fixed --libcurl output tests again after 8e8afa82cbb
+
+- s/cURL/curl
+
+ The tool was never called cURL, only the project. But even so, we have
+ more and more over time switched to just use lower case.
+
+- polarssl: indented code, removed unused variables
+
+- polarssl: reduce #ifdef madness with a macro
+
+- polarssl: fix unaligned SSL session-id lock
+
+- Curl_polarsslthreadlock_thread_setup: clear array at init
+
+ ... since if it fails to init the entire array and then tries to clean
+ it up, it would attempt to work on an uninitialized pointer.
+
+- curl: set INTERLEAVEDATA too
+
+ As otherwise the callback could be called with a NULL pointer when RTSP
+ data is provided.
+
+- gopher: properly return error for poll failures
+
+- select: switch to macros in uppercase
+
+ Curl_select_ready() was the former API that was replaced with
+ Curl_select_check() a while back and the former arg setup was provided
+ with a define (in order to leave existing code unmodified).
+
+ Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most
+ common shortcuts where only one socket is checked. They're also more
+ visibly macros.
+
+- select: use more proper macro-looking names
+
+ ... so that it becomes more obvious in the code what is what. Also added
+ a typecast for one of the calculations.
+
+- Curl_socket_check: add extra check to avoid integer overflow
+
+- maketgz: make it support "only" generating version info
+
+ ... to allow you to update the local repository with the given version
+ number data.
+
+Jay Satiro (17 Oct 2016)
+- url: skip to-be-closed connections when pipelining (follow-up)
+
+ - Change back behavior so that pipelining is considered possible for
+ connections that have not yet reached the protocol level.
+
+ This is a follow-up to e5f0b1a which had changed the behavior of
+ checking if pipelining is possible to ignore connections that had
+ 'bits.close' set. Connections that have not yet reached the protocol
+ level also have that bit set, and we need to consider pipelining
+ possible on those connections.
+
+Daniel Stenberg (17 Oct 2016)
+- HTTP2: mention the tool's limited support
+
+- RELEASE-NOTES: synced with a1a5cd04877fd6fd
+
+- [David Woodhouse brought this change]
+
+ curl: do not set CURLOPT_SSLENGINEDEFAULT automatically
+
+ There were bugs in the PKCS#11 engine, and fixing them triggers bugs in
+ OpenSSL. Just don't get involved; there's no need to be making the
+ engine methods the default anyway.
+
+ https://github.com/OpenSC/libp11/pull/108
+ https://github.com/openssl/openssl/pull/1639
+
+ Merges #1042
+
+- KNOWN_BUGS: two more existing problems
+
+Marcel Raad (16 Oct 2016)
+- win: fix Universal Windows Platform build
+
+ This fixes a merge error in commit 7f3df80 caused by commit 332e8d6.
+
+ Additionally, this changes Curl_verify_windows_version for Windows App
+ builds to assume to always be running on the target Windows version.
+ There seems to be no way to determine the Windows version from a
+ UWP app. Neither GetVersion(Ex), nor VerifyVersionInfo, nor the
+ Version Helper functions are supported.
+
+ Bug: https://github.com/curl/curl/pull/820#issuecomment-250889878
+ Reported-by: Paul Joyce
+
+ Closes https://github.com/curl/curl/pull/1048
+
+Daniel Stenberg (16 Oct 2016)
+- KNOWN_BUGS: minor formatting edit
+
+Jay Satiro (14 Oct 2016)
+- [Rider Linden brought this change]
+
+ url: skip to-be-closed connections when pipelining
+
+ No longer attempt to use "doomed" to-be-closed connections when
+ pipelining. Prior to this change connections marked for deletion (e.g.
+ timeout) would be erroneously used, resulting in sporadic crashes.
+
+ As originally reported and fixed by Carlo Wood (origin unknown).
+
+ Bug: https://github.com/curl/curl/issues/627
+ Reported-by: Rider Linden
+
+ Closes https://github.com/curl/curl/pull/1075
+ Participation-by: nopjmp@users.noreply.github.com
+
+Daniel Stenberg (13 Oct 2016)
+- vtls: only re-use session-ids using the same scheme
+
+ To make it harder to do cross-protocol mistakes
+
+Jay Satiro (11 Oct 2016)
+- [Torben Dannhauer brought this change]
+
+ dist: add missing cmake modules to the tarball
+
+ Closes https://github.com/curl/curl/pull/1070
+
+Daniel Stenberg (11 Oct 2016)
+- configure: detect the broken poll() in macOS 10.12
+
+ Fixes #1057
+
+- dist: remove PDF and HTML converted docs from the releases
+
+- [Remo E brought this change]
+
+ cmake: add nghttp2 support
+
+ Closes #922
+
+- [Andreas Streichardt brought this change]
+
+ resolve: add error message when resolving using SIGALRM
+
+ Closes #1066
+
+- GIT-INFO: remove the Mac 10.1-specific details
+
+ There shouldn't be many devs out there anymore using such outdated macOS
+ versions. And it removes the dead link.
+
+ Closes #1049
+
+- RELEASE-NOTES: spellfix
+
+- RELEASE-NOTES: synced with 82720490628cb53a
+
+ 5 more fixes, 2 more contributors
+
+- [Tobias Stoeckmann brought this change]
+
+ smb: properly check incoming packet boundaries
+
+ Not all reply messages were properly checked for their lengths, which
+ made it possible to access uninitialized memory (but this does not lead
+ to out of boundary accesses).
+
+ Closes #1052
+
+- test557: verify printf() with 128 and 129 arguments
+
+- mprintf: return error on too many arguments
+
+ 128 arguments should be enough for everyone
+
+- ftp: fix Curl_ftpsendf()
+
+ ... it no longer takes printf() arguments since it was only really taken
+ advantage by one user and it was not written and used in a safe
+ way. Thus the 'f' is removed from the function name and the proto is
+ changed.
+
+ Although the current code wouldn't end up in badness, it was a risk that
+ future changes could end up springf()ing too large data or passing in a
+ format string inadvertently.
+
+- formpost: avoid silent snprintf() truncation
+
+ The previous use of snprintf() could make libcurl silently truncate some
+ input data and not report that back on overly large input, which could
+ make data get sent over the network in a bad format.
+
+ Example:
+
+ $ curl --form 'a=b' -H "Content-Type: $(perl -e 'print "A"x4100')"
+
+- TODO: build: Enable PIE and RELRO by default
+
+- TODO: Support better than MD5 hostkey hash (for ssh)
+
+- [Daniel Gustafsson brought this change]
+
+ tests: Fix a small typo in the tests README (#1060)
+
+ The subdirectory for logs in tests/ is named log/ without an 's'
+ at the end.
+
+- TODO: Introduce --fail-fast to exit on first transfer fail
+
+ See #1054
+
+- TODO: Leave secure cookies alone
+
+- [Rainer Müller brought this change]
+
+ CURLOPT_DEBUGFUNCTION.3: unused argument warning (#1056)
+
+ The 'userp' argument is unused in this example code.
+
+- TODO: TCP Fast Open for windows
+
+- RELEASE-NOTES: synced with 8fd2a754f0de
+
+- CURLOPT_KEEP_SENDING_ON_ERROR.3: mention when it is added
+
+- memdup: use 'void *' as return and source type
+
+- TODO: Add easy argument to formpost functions
+
+- formpost: trying to attach a directory no longer crashes
+
+ The error path would previously add a freed entry to the linked list.
+
+ Reported-by: Toby Peterson
+
+ Fixes #1053
+
+- [Sergei Kuzmin brought this change]
+
+ cookies: same domain handling changed to match browser behavior
+
+ Cokie with the same domain but different tailmatching property are now
+ considered different and do not replace each other. If header contains
+ following lines then two cookies will be set: Set-Cookie: foo=bar;
+ domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033 Set-Cookie: foo=baz;
+ domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033
+
+ This matches Chrome, Opera, Safari, and Firefox behavior. When sending
+ stored tokens to foo.com Chrome, Opera, Firefox store send them in the
+ stored order, while Safari pre-sort the cookies.
+
+ Closes #1050
+
+- [Stephen Brokenshire brought this change]
+
+ FAQ: Fix typos in section 5.14 (#1047)
+
+ Type required for YourClass::func C++ function (using size_t in line
+ with the documentation for CURLOPT_WRITEFUNCTION) and missing second
+ colon when specifying the static function for CURLOPT_WRITEFUNCTION.
+
+- [Sebastian Mundry brought this change]
+
+ KNOWN_BUGS: Fix typos in section 5.8.
+
+ Closes #1046
+
+- [mundry brought this change]
+
+ CONTRIBUTE.md: Fix typo in 'About pull requests' section. (#1045)
+
+- curl.1: --trace supports % for sending to stderr!
+
+- KNOWN_BUGS: 5.8 configure finding libs in wrong directory
+
+Dan Fandrich (24 Sep 2016)
+- configure: Fixed builds with libssh2 in a custom location
+
+ A libssh2 library in the standard system location was being used in
+ preference to the desired one while linking.
+
+Daniel Stenberg (23 Sep 2016)
+- SECURITY: remove the top ascii logo
+
+Michael Kaufmann (22 Sep 2016)
+- New libcurl option to keep sending on error
+
+ Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether
+ sending the request body shall be completed when the server responds
+ early with an error status code.
+
+ This is suitable for manual NTLM authentication.
+
+ Reviewed-by: Jay Satiro
+
+ Closes https://github.com/curl/curl/pull/904
+
+Kamil Dudka (22 Sep 2016)
+- nss: add chacha20-poly1305 cipher suites if supported by NSS
+
+- nss: add cipher suites using SHA384 if supported by NSS
+
+- nss: fix typo in ecdhe_rsa_null cipher suite string
+
+ As it seems to be a rarely used cipher suite (for securely established
+ but _unencrypted_ connections), I believe it is fine not to provide an
+ alias for the misspelled variant.
+
+Jay Satiro (21 Sep 2016)
+- docs: Remove that --proto is just used for initial retrieval
+
+ .. and add that --proto-redir and CURLOPT_REDIR_PROTOCOLS do not
+ override protocols denied by --proto and CURLOPT_PROTOCOLS.
+
+ - Add a test to enforce: --proto deny must override --proto-redir allow
+
+ Closes https://github.com/curl/curl/pull/1031
+
+Daniel Stenberg (21 Sep 2016)
+- dist: add CurlSymbolHiding.cmake to the tarball
+
+ Follow-up to 6140dfcf3e784
+
+ Reported-by: Alexander Sinditskiy
+
+- curl_global_cleanup.3: don't unload the lib with sub threads running
+
+ Discussed in #997
+
+ Assisted-by: Jay Satiro
+
+- MAIL-ETIQUETTE: language
+
+Jay Satiro (20 Sep 2016)
+- easy: Reset all statistical session info in curl_easy_reset
+
+ Bug: https://github.com/curl/curl/issues/1017
+ Reported-by: Jeroen Ooms
+
+Daniel Stenberg (19 Sep 2016)
+- RELEASE-NOTES: synced with 79607eec51055
+
+Jay Satiro (19 Sep 2016)
+- [Daniel Gustafsson brought this change]
+
+ darwinssl: Fix typo in comment
+
+ Closes https://github.com/curl/curl/pull/1028
+
+Daniel Stenberg (19 Sep 2016)
+- [Bernard Spil brought this change]
+
+ libressl: fix version output
+
+ LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L` for all
+ versions returning `LibreSSL/2.0.0` for any LibreSSL version.
+
+ This change provides a local OpenSSL_version_num function replacement
+ returning LIBRESSL_VERSION_NUMBER instead.
+
+ Closes #1029
+
+- [rugk brought this change]
+
+ TODO: Add PINNEDPUBLICKEY - HPKP compatibility, HSTS & HPKP
+
+ Closes #1025
+ Closes #1026
+ Closes #1027
+
+- openssl: don't call ERR_remote_thread_state on >= 1.1.0
+
+ Follow-up fix to d9321562
+
+- openssl: don’t call CRYTPO_cleanup_all_ex_data
+
+ The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called
+ multiple times without crashing - and other libs might call it! We
+ basically cannot call it without risking a crash. The function is a
+ no-op since OpenSSL 1.1.0.
+
+ Not calling this function only risks a small memory leak with OpenSSL <
+ 1.1.0.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html
+ Reported-by: Todd Short
+
+- TODO: Support SSLKEYLOGFILE
+
+Jay Satiro (18 Sep 2016)
+- CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
+
+Nick Zitzmann (18 Sep 2016)
+- darwinssl: disable RC4 cipher-suite support
+
+ RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
+
+- configure: change "iOS/Mac OS X native" to "Apple OS native"
+
+ Since I first wrote that text, Apple introduced tvOS and watchOS, and renamed "Mac OS X" to "macOS." Let's make the text a little more inclusive, since curl can be built for all four operating systems.
+
+Jay Satiro (18 Sep 2016)
+- test2048: fix url
+
+- examples/imap-append: Set size of data to be uploaded
+
+ Prior to this commit this example failed with error
+ 'Cannot APPEND with unknown input file size'.
+
+ Bug: https://github.com/curl/curl/issues/1008
+ Reported-by: lukaszgn@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/1011
+
+Daniel Stenberg (16 Sep 2016)
+- [Tony Kelman brought this change]
+
+ LICENSE-MIXING.md: update with mbedTLS dual licensing
+
+ Recent versions of mbedTLS are available under either Apache 2.0 or GPL
+ 2.0, see https://tls.mbed.org/how-to-get
+
+ Closes #1019
+
+- KNOWN_BUGS: chunked-encoded requests with HTTP/2 is fixed
+
+- http2: debug ouput sent HTTP/2 request headers
+
+- http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
+
+ ... but don't send the actual header over the wire as it isn't accepted.
+ Chunked uploading is still triggered using this method.
+
+ Fixes #1013
+ Fixes #662
+
+- openssl: fix per-thread memory leak usiong 1.0.1 or 1.0.2
+
+ OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
+ so we need to clean it when easy handles are freed, in case the thread
+ will be killed in which the easy handle was used. All OpenSSL code in
+ libcurl should extract the error in association with the error already
+ so clearing this queue here should be harmless at worst.
+
+ Fixes #964
+
+- RELEASE-NOTES: reset and go toward 7.51.0 (again)
+
+Version 7.50.3 (14 Sep 2016)
+
+Daniel Stenberg (14 Sep 2016)
+- THANKS: updated with curl 7.50.3 contributors
+
+- RELEASE-NOTES: curl 7.50.3
+
+- test1605: verify negative input lengths to (un)escape functions
+
+- curl_easy_unescape: deny negative string lengths as input
+
+ CVE-2016-7167
+
+ Bug: https://curl.haxx.se/docs/adv_20160914.html
+
+- curl_easy_escape: deny negative string lengths as input
+
+ CVE-2016-7167
+
+ Bug: https://curl.haxx.se/docs/adv_20160914.html
+
+- curl: make --create-dirs on windows grok both forward and backward slashes
+
+ Reported-by: Ryan Scott
+
+ Fixes #1007
+
+- RELEASE-NOTES: synced with 665694979b6
+
+- [Tony Kelman brought this change]
+
+ mbedtls: switch off NTLM in build if md4 isn't available
+
+ NTLM support with mbedTLS was added in 497e7c9 but requires that mbedTLS
+ is built with the MD4 functions available, which it isn't in default
+ builds. This now adapts if the funtion isn't there and builds libcurl
+ without NTLM support if so.
+
+ Fixes #1004
+
+Jay Satiro (12 Sep 2016)
+- CODE_STYLE: fix long-line guideline
+
+ - Change maximum allowed line length from 80 to 79.
+
+- CODE_STYLE: add column alignment section
+
+ Note that since the added examples are for column alignment I had to
+ encapsulate with ~~~c markdown to preserve their alignment.
+
+Peter Wu (11 Sep 2016)
+- cmake: fix curl-config --static-libs
+
+ The `curl-config --static-libs` command should not output paths like
+ -l/usr/lib/libssl.so, instead print the absolute path without `-l`.
+
+ This also removes the confusing message "Static linking is broken" which
+ was printed because curl-config --static-libs was disfunctional even
+ though the static libcurl.a library works properly.
+
+ Fixes https://github.com/curl/curl/issues/841
+
+Daniel Stenberg (11 Sep 2016)
+- http: refuse to pass on response body with NO_NODY was set
+
+ ... like when a HTTP/0.9 response comes back without any headers at all
+ and just a body this now prevents that body from being sent to the
+ callback etc.
+
+ Adapted test 1144 to verify.
+
+ Fixes #973
+
+ Assisted-by: Ray Satiro
+
+- RELEASE-NOTES: synced with 257bf3ac67eb6
+
+Jakub Zakrzewski (10 Sep 2016)
+- CMake: Don't build unit tests if private symbols are hidden
+
+ This only excludes building unit tests from default build ( 'all' Make
+ target or "Build Solution" in VisualStudio). The projects and Make
+ targets will still be generated and shown in supporting IDEs.
+
+ Fixes https://github.com/curl/curl/issues/981
+ Reported-by: Randy Armstrong
+
+ Closes https://github.com/curl/curl/pull/990
+
+- CMake: Try to (un-)hide private library symbols
+
+ Detect support for compiler symbol visibility flags and apply those
+ according to CURL_HIDDEN_SYMBOLS option.
+ It should work true to the autotools build except it tries to unhide
+ symbols on Windows when requested and prints warning if it fails.
+
+ Ref: https://github.com/curl/curl/issues/981#issuecomment-242665951
+ Reported-by: Daniel Stenberg
+
+Daniel Stenberg (9 Sep 2016)
+- openssl: fix bad memory free (regression)
+
+ ... by partially reverting f975f06033b1. The allocation could be made by
+ OpenSSL so the free must be made with OPENSSL_free() to avoid problems.
+
+ Reported-by: Harold Stuart
+ Fixes #1005
+
+- http2: support > 64bit sized uploads
+
+ ... by making sure we don't count down the "upload left" counter when the
+ uploaded size is unknown and then it can be allowed to continue forever.
+
+ Fixes #996
+
+Jay Satiro (7 Sep 2016)
+- errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
+
+ Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
+ more of a generic "failed to parse" introduce an alias without FTP in
+ the name.
+
+ Closes https://github.com/curl/curl/pull/975
+
+Daniel Stenberg (7 Sep 2016)
+- bump: toward 7.51.0
+
+- HISTORY: remove ascii logo to render nicer on web
+
+- curl: whitelist use of strtok() in non-threaded context
+
+- checksrc: detect strtok() use
+
+ ... as that function slipped through once before.
+
+GitHub (7 Sep 2016)
+- [Viktor Szakats brought this change]
+
+ mk-ca-bundle.pl: use SHA256 instead of SHA1
+
+ This hash is used to verify the original downloaded certificate bundle
+ and also included in the generated bundle's comment header. Also
+ rename related internal symbols to algorithm-agnostic names.
+
+Version 7.50.2 (7 Sep 2016)
+
+Daniel Stenberg (7 Sep 2016)
+- RELEASE-NOTES: curl 7.50.2 release
+
+- THANKS: updated for 7.50.2
+
+Jay Satiro (6 Sep 2016)
+- [Gaurav Malhotra brought this change]
+
+ openssl: fix CURLINFO_SSL_VERIFYRESULT
+
+ CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
+ result when SSL_connect fails because of a certificate verification
+ error.
+
+ This fix saves the result of SSL_get_verify_result so that it is
+ returned by CURLINFO_SSL_VERIFYRESULT.
+
+ Closes https://github.com/curl/curl/pull/995
+
+Daniel Stenberg (6 Sep 2016)
+- [Daniel Gustafsson brought this change]
+
+ darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
+
+ While noErr and errSecSuccess are defined as the same value, the API
+ documentation states that SecPKCS12Import() returns errSecSuccess if
+ there were no errors in importing. Ensure that a future change of the
+ defined value doesn't break (however unlikely) and be consistent with
+ the API docs.
+
+- [Daniel Gustafsson brought this change]
+
+ docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)
+
+- [Marcel Raad brought this change]
+
+ openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
+
+ With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
+ functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
+ replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
+ OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
+ now called OpenSSL_version_num().
+
+ [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
+ [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
+
+ Closes #992
+
+- RELEASE-NOTES: synced with 3d4c0c8b9bc1d
+
+- http2: return EOF when done uploading without known size
+
+ Fixes #982
+
+- http2: skip the content-length parsing, detect unknown size
+
+- http2: minor white space edit
+
+- http2: use named define instead of magic constant in read callback
+
+- [Craig Davison brought this change]
+
+ configure: make the cpp -P detection not clobber CPPFLAGS
+
+ CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF.
+
+ Fixes #958
+
+- [Olivier Brunel brought this change]
+
+ speed caps: not based on average speeds anymore
+
+ Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
+ CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
+ with the cumulative average speed of the entire transfer; While this
+ might work at times with good/constant connections, in other cases it
+ can result to the limits simply being "ignored" for more than "short
+ bursts" (as told in man page).
+
+ Consider a download that goes on much slower than the limit for some
+ time (because bandwidth is used elsewhere, server is slow, whatever the
+ reason), then once things get better, curl would simply ignore the limit
+ up until the average speed (since the beginning of the transfer) reached
+ the limit. This could prove the limit useless to effectively avoid
+ using the entire bandwidth (at least for quite some time).
+
+ So instead, we now use a "moving starting point" as reference, and every
+ time at least as much as the limit as been transferred, we can reset
+ this starting point to the current position. This gets a good limiting
+ effect that applies to the "current speed" with instant reactivity (in
+ case of sudden speed burst).
+
+ Closes #971
+
+- HISTORY.md: the multi socket was put in the wrong year!
+
+- [Mark Hamilton brought this change]
+
+ tool_helpers.c: fix comment typo (#989)
+
+- [Mark Hamilton brought this change]
+
+ libtest/test.h: fix typo (#988)
+
+- CURLMOPT_PIPELINING.3: language
+
+- CURLMOPT_PIPELINING.3: extended and clarified
+
+ Especially in regards to the multiplexing part.
+
+Steve Holme (31 Aug 2016)
+- curl_sspi.c: Updated function description comments
+
+ * Added description to Curl_sspi_free_identity()
+ * Added parameter and return explanations to Curl_sspi_global_init()
+ * Added parameter explaination to Curl_sspi_global_cleanup()
+
+- README: Corrected the supported Visual Studio versions
+
+ Missed from commit 8356022d17.
+
+- KNOWN_BUGS: Move the Visual Studio project shortcomings from local README
+
+- KNOWN_BUGS: Expand 6.4 to include Kerberos V5
+
+ ...and discuss a possible solution.
+
+Daniel Stenberg (30 Aug 2016)
+- connect: fix #ifdefs for debug versions of conn/streamclose() macros
+
+ CURLDEBUG is for the memory debugging
+
+ DEBUGBUILD is for the extra debug stuff
+
+ Pointed-out-by: Steve Holme
+
+- KNOWN_BUGS: mention some cmake "support gaps"
+
+Nick Zitzmann (28 Aug 2016)
+- darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
+
+ In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
+
+Daniel Stenberg (28 Aug 2016)
+- http2: return CURLE_HTTP2_STREAM for unexpected stream close
+
+ Follow-up to c3e906e9cd0f, seems like a more appropriate error code
+
+ Suggested-by: Jay Satiro
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: handle closed streams when uploading
+
+ Fixes #986
+
+- http2: make sure stream errors don't needlessly close the connection
+
+ With HTTP/2 each transfer is made in an indivial logical stream over the
+ connection, making most previous errors that caused the connection to get
+ forced-closed now instead just kill the stream and not the connection.
+
+ Fixes #941
+
+- Curl_verify_windows_version: minor edit to avoid compiler warnings
+
+ ... instead of if() before the switch(), add a default to the switch so
+ that the compilers don't warn on "warning: enumeration value
+ 'PLATFORM_DONT_CARE' not handled in switch" anymore.
+
+Steve Holme (27 Aug 2016)
+- RELEASE-NOTES: Added missing fix from commit 15592143f
+
+Jay Satiro (26 Aug 2016)
+- schannel: Disable ALPN for Wine since it is causing problems
+
+ - Disable ALPN on Wine.
+
+ - Don't pass input secbuffer when ALPN is disabled.
+
+ When ALPN support was added a change was made to pass an input secbuffer
+ to initialize the context. When ALPN is enabled the buffer contains the
+ ALPN information, and when it's disabled the buffer is empty. In either
+ case this input buffer caused problems with Wine and connections would
+ not complete.
+
+ Bug: https://github.com/curl/curl/issues/983
+ Reported-by: Christian Fillion
+
+Kamil Dudka (26 Aug 2016)
+- [Peter Wang brought this change]
+
+ nss: work around race condition in PK11_FindSlotByName()
+
+ Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
+ a multi-threaded environment. The underlying cause is a race condition
+ in nssSlot_IsTokenPresent().
+
+ Bug: https://bugzilla.mozilla.org/1297397
+
+ Closes #985
+
+- nss: refuse previously loaded certificate from file
+
+ ... when we are not asked to use a certificate from file
+
+Daniel Stenberg (26 Aug 2016)
+- ftp_done: remove dead code
+
+- TLS: random file/egd doesn't have to match for conn reuse
+
+- test161: add comment for the exit code
+
+Dan Fandrich (26 Aug 2016)
+- test219: Add http as a required feature
+
+Daniel Stenberg (25 Aug 2016)
+- [Michael Kaufmann brought this change]
+
+ HTTP: stop parsing headers when switching to unknown protocols
+
+ - unknown protocols probably won't send more headers (e.g. WebSocket)
+ - improved comments and moved them to the correct case statements
+
+ Closes #899
+
+- openssl: make build with 1.1.0 again
+
+ synced with OpenSSL git master commit cc06906707
+
+- INTERNALS: fix title
+
+- configure: detect zlib with our pkg-config macros
+
+ ... instead of relying on the pkg-config autoconf macros to be present.
+
+ Fixes #972 (again...)
+
+Jay Satiro (25 Aug 2016)
+- http2: Remove incorrect comments
+
+ .. also remove same from scp
+
+Daniel Stenberg (23 Aug 2016)
+- [Ales Novak brought this change]
+
+ ftp: fix wrong poll on the secondary socket
+
+ When we're uploading using FTP and the server issues a tiny pause
+ between opening the connection to the client's secondary socket, the
+ client's initial poll() times out, which leads to second poll() which
+ does not wait for POLLIN on the secondary socket. So that poll() also
+ has to time out, creating a long (200ms) pause.
+
+ This patch adds the correct flag to the secondary socket, making the
+ second poll() correctly wait for the connection there too.
+
+ Signed-off-by: Ales Novak <alnovak@suse.cz>
+
+ Closes #978
+
+- RELEASE-NOTES: synced with 95ded2c56
+
+- configure: make it work without PKG_CHECK_MODULES
+
+ With commit c2f9b78 we added a new dependency on pkg-config for
+ developers which may be unwanted. This change make the configure script
+ still work as before if pkg-config isn't installed, it'll just use the
+ old zlib detection logic without pkg-config.
+
+ Reported-by: Marc Hörsken
+
+ Fixes #972
+
+Marc Hoersken (21 Aug 2016)
+- Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6"
+
+ This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554.
+
+ As discussed in #835 SOCKS5 supports IPv6 proxies and destinations.
+
+Daniel Stenberg (21 Aug 2016)
+- [Marco Deckel brought this change]
+
+ win: Basic support for Universal Windows Platform apps
+
+ Closes #820
+
+Steve Holme (21 Aug 2016)
+- sasl: Don't use GSSAPI authentication when domain name not specified
+
+ Only choose the GSSAPI authentication mechanism when the user name
+ contains a Windows domain name or the user is a valid UPN.
+
+ Fixes #718
+
+- vauth: Added check for supported SSPI based authentication mechanisms
+
+ Completing commit 00417fd66c and 2708d4259b.
+
+- http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
+
+ From commit 2708d4259b.
+
+Marc Hoersken (20 Aug 2016)
+- socks.c: display the hostname returned by the SOCKS5 proxy server
+
+ Instead of displaying the requested hostname the one returned
+ by the SOCKS5 proxy server is used in case of connection error.
+ The requested hostname is displayed earlier in the connection sequence.
+
+ The upper-value of the port is moved to a temporary variable and
+ replaced with a 0-byte to make sure the hostname is 0-terminated.
+
+Steve Holme (20 Aug 2016)
+- urldata.h: Corrected comment for httpcode which is also populated by SMTP
+
+ As of 7.25.0 and commit 5430007222.
+
+Marc Hoersken (20 Aug 2016)
+- socks.c: use Curl_printable_address in SOCKS5 connection sequence
+
+ Replace custom string formatting with Curl_printable_address.
+ Add additional debug and error output in case of failures.
+
+- socks.c: align SOCKS4 connection sequence with SOCKS5
+
+ Calling sscanf is not required since the raw IPv4 address is
+ available and the protocol can be detected using ai_family.
+
+Steve Holme (20 Aug 2016)
+- http.c: Corrected indentation change from commit 2708d4259b
+
+ Made by Visual Studio's auto-correct feature and missed by me in my own
+ code reviews!
+
+- http: Added calls to Curl_auth_is_<mechansism>_supported()
+
+ Hooked up the HTTP authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
+
+ As per commit 00417fd66c existing functionality is maintained for now.
+
+Marc Hoersken (20 Aug 2016)
+- socks.c: improve verbose output of SOCKS5 connection sequence
+
+- configure.ac: add missing quotes to PKG_CHECK_MODULES
+
+Steve Holme (20 Aug 2016)
+- sasl: Added calls to Curl_auth_is_<mechansism>_supported()
+
+ Hooked up the SASL authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
+
+ For now existing functionality is maintained.
+
+Daniel Stenberg (19 Aug 2016)
+- [Miroslav Franc brought this change]
+
+ spnego_sspi: fix memory leak in case *outlen is zero (#970)
+
+- CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex
+
+Steve Holme (18 Aug 2016)
+- vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
+
+ As Windows SSPI authentication calls fail when a particular mechanism
+ isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
+ and Negotiate to allow both HTTP and SASL authentication the opportunity
+ to query support for a supported mechanism before selecting it.
+
+ For now each function returns TRUE to maintain compatability with the
+ existing code when called.
+
+Daniel Stenberg (18 Aug 2016)
+- test1144: verify HEAD with body-only response
+
+Steve Holme (17 Aug 2016)
+- RELEASE-PROCEDURE: Added some more future release dates
+
+ ...and removed some old ones
+
+Daniel Stenberg (17 Aug 2016)
+- [David Woodhouse brought this change]
+
+ curl: allow "pkcs11:" prefix for client certificates
+
+ RFC7512 provides a standard method to reference certificates in PKCS#11
+ tokens, by means of a URI starting 'pkcs11:'.
+
+ We're working on fixing various applications so that whenever they would
+ have been able to use certificates from a file, users can simply insert
+ a PKCS#11 URI instead and expect it to work. This expectation is now a
+ part of the Fedora packaging guidelines, for example.
+
+ This doesn't work with cURL because of the way that the colon is used
+ to separate the certificate argument from the passphrase. So instead of
+
+ curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
+
+ I instead need to invoke cURL with the colon escaped, like this:
+
+ curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
+
+ This is suboptimal because we want *consistency* — the URI should be
+ usable in place of a filename anywhere, without having strange
+ differences for different applications.
+
+ This patch therefore disables the processing in parse_cert_parameter()
+ when the string starts with 'pkcs11:'. It means you can't pass a
+ passphrase with an unescaped PKCS#11 URI, but there's no need to do so
+ because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
+ the URI itself.
+
+ Also, if users are already using RFC7512 URIs with the colon escaped as
+ in the above example — even providing a passphrase for cURL to handling
+ instead of using a pin-value attribute, that will continue to work
+ because their string will start 'pkcs11\:' and won't match the check.
+
+ What *does* break with this patch is the extremely unlikely case that a
+ user has a file which is in the local directory and literally named
+ just "pkcs11", and they have a passphrase on it. If that ever happened,
+ the user would need to refer to it as './pkcs11:<passphrase>' instead.
+
+- nss: make the global variables static
+
+- openssl: use regular malloc instead of OPENSSL_malloc
+
+ This allows for better memmory debugging and torture tests.
+
+- proxy: fix tests as follow-up to 93b0d907d5
+
+ This fixes tests that were added after 113f04e664b as the tests would
+ fail otherwise.
+
+ We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
+ regressions with old and stupid proxies, but we could possibly switch to
+ using it only for CONNECT or only for NTLM in a future if we want to
+ gradually reduce it.
+
+ Fixes #954
+
+ Reported-by: János Fekete
+
+- Revert "Proxy-Connection: stop sending this header by default"
+
+ This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
+
+- CURLOPT_PROXY.3: unsupported schemes cause errors now
+
+ Follow-up to a96319ebb9 (document the new behavior)
+
+- tests/README: mention nghttpx for HTTP/2 tests
+
+- README.md: add our CII Best Practices badge
+
+- proxy: polished the error message for unsupported schemes
+
+ Follow up to a96319ebb93
+
+- test219: verify unsupported scheme for proxies get rejected
+
+- proxy: reject attempts to use unsupported proxy schemes
+
+ I discovered some people have been using "https://example.com" style
+ strings as proxy and it "works" (curl doesn't complain) because curl
+ ignores unknown schemes and then assumes plain HTTP instead.
+
+ I think this misleads users into believing curl uses HTTPS to proxies
+ when it doesn't. Now curl rejects proxy strings using unsupported
+ schemes instead of just ignoring and defaulting to HTTP.
+
+- RELEASE-NOTES: synced with b7ee5316c2fd5b
+
+Marc Hoersken (14 Aug 2016)
+- socks.c: Correctly calculate position of port in response packet
+
+ Third commit to fix issue #944 regarding SOCKS5 error handling.
+
+ Reported-by: David Kalnischkies
+
+- socks.c: Do not modify and invalidate calculated response length
+
+ Second commit to fix issue #944 regarding SOCKS5 error handling.
+
+ Reported-by: David Kalnischkies
+
+- socks.c: Move error output after reading the whole response packet
+
+ First commit to fix issue #944 regarding SOCKS5 error handling.
+
+ Reported-by: David Kalnischkies
+
+Daniel Stenberg (13 Aug 2016)
+- [Ronnie Mose brought this change]
+
+ MANUAL: Remove invalid link to LDAP documentation (#962)
+
+ The server developer.netscape.com does not resolve into any
+ ip address and can be removed.
+
+Jay Satiro (13 Aug 2016)
+- openssl: accept subjectAltName iPAddress if no dNSName match
+
+ Undo change introduced in d4643d6 which caused iPAddress match to be
+ ignored if dNSName was present but did not match.
+
+ Also, if iPAddress is present but does not match, and dNSName is not
+ present, fail as no-match. Prior to this change in such a case the CN
+ would be checked for a match.
+
+ Bug: https://github.com/curl/curl/issues/959
+ Reported-by: wmsch@users.noreply.github.com
+
+Daniel Stenberg (12 Aug 2016)
+- [Dambaev Alexander brought this change]
+
+ configure.ac: add zlib search with pkg-config
+
+ Closes #956
+
+- rtsp: ignore whitespace in session id
+
+ Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
+ whitespace as well.
+
+ Help-by: Erik Janssen
+
+- HTTP: retry failed HEAD requests too
+
+ Mark's new document about HTTP Retries
+ (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
+ spotted that we don't retry failed HEAD requests which seems totally
+ inconsistent and I can't see any reason for that separate treatment.
+
+ So, no separate treatment for HEAD starting now. A HTTP request sent
+ over a reused connection that gets cut off before a single byte is
+ received will be retried on a fresh connection.
+
+ Made-aware-by: Mark Nottingham
+
+- mk-ca-bundle.1: document -m, added in 1.26
+
+- RELEASE-NOTES: synced with e577c43bb5
+
+- [Erik Janssen brought this change]
+
+ rtsp: accept any RTSP session id
+
+ Makes libcurl work in communication with gstreamer-based RTSP
+ servers. The original code validates the session id to be in accordance
+ with the RFC. I think it is better not to do that:
+
+ - For curl the actual content is a don't care.
+
+ - The clarity of the RFC is debatable, is $ allowed or only as \$, that
+ is imho not clear
+
+ - Gstreamer seems to url-encode the session id but % is not allowed by
+ the RFC
+
+ - less code
+
+ With this patch curl will correctly handle real-life lines like:
+ Session: biTN4Kc.8%2B1w-AF.; timeout=60
+
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
+
+- symbols-in-versions: add CURL_STRICTER
+
+ Added in 5fce88aa8c12564
+
+- [Simon Warta brought this change]
+
+ winbuild: Allow changing C compiler via environment variable CC (#952)
+
+ This makes it possible to use specific compilers or a cache.
+
+ Sample use for clcache:
+ set CC=clcache.bat
+ nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
+
+- LICENSE-MIXING.md: switched to markdown
+
+- docs-make: have markdown files use .md
+
+- curl.h: make CURL_NO_OLDIES define CURL_STRICTER
+
+- HISTORY.md: use markdown extension
+
+- SSLCERTS.md: renamed to markdown extension
+
+- INTERNALS.md: use markdown extension for markdown content
+
+- CONTRIBUTE.md: markdown extension
+
+- CONTRIBUTE: changed to markdown
+
+- CONTRIBUTE: refreshed
+
+- TODO: added an SSH section and two SFTP things to do
+
+- TODO: remove the 1.22 duplicated item
+
+- TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section
+
+- TODO: API for URL parsing/splitting
+
+- TODO: move QUIC to the HTTP section
+
+- [Simon Warta brought this change]
+
+ winbuild: Free name $(CC) in Makefile (#950)
+
+ In the old line number 290, CC and CURL_CC had the same value. After
+ that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
+
+ This gets rid of the CC variable entirely. It is a first step to make it
+ possible to manualyl set a CC variable in order to be able to change the
+ compiler.
+
+- TODO: Use huge HTTP/2 windows
+
+- [Simon Warta brought this change]
+
+ winbuild: Avoid setting redundant CFLAGS to compile commands (#949)
+
+ $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
+ all arguments in CURL_CFLAGS have been added twice.
+
+Jay Satiro (8 Aug 2016)
+- cmake: Enable win32 threaded resolver by default
+
+ - Turn on USE_THREADS_WIN32 in Windows if ares isn't on
+
+ This change is similar to what we already do in the autotools build.
+
+- cmake: Enable win32 large file support by default
+
+ All compilers used by cmake in Windows should support large files.
+
+ - Add test SIZEOF_OFF_T
+ - Remove outdated test SIZEOF_CURL_OFF_T
+ - Turn on USE_WIN32_LARGE_FILES in Windows
+ - Check for 'Largefile' during the features output
+
+Daniel Stenberg (7 Aug 2016)
+- TODO: added several ideas, removed SPDY
+
+- http2: always wait for readable socket
+
+ Since the server can at any time send a HTTP/2 frame to us, we need to
+ wait for the socket to be readable during all transfers so that we can
+ act on incoming frames even when uploading etc.
+
+ Reminded-by: Tatsuhiro Tsujikawa
+
+- RELEASE-NOTES: synced with 7b4bf37a44791
+
+- [Thomas Glanzmann brought this change]
+
+ mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
+
+ In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
+ to 0. This patch also adds a comment how mbedtls must be compiled in
+ order to make debugging work, and explains the possible debug levels.
+
+- CURLOPT_TCP_NODELAY: now enabled by default
+
+ After a few wasted hours hunting down the reason for slowness during a
+ TLS handshake that turned out to be because of TCP_NODELAY not being
+ set, I think we have enough motivation to toggle the default for this
+ option. We now enable TCP_NODELAY by default and allow applications to
+ switch it off.
+
+ This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
+ used to disable it.
+
+ Thanks-to: Tim Rühsen
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
+
+- [Serj Kalichev brought this change]
+
+ TFTP: Fix upload problem with piped input
+
+ When input stream for curl is stdin and input stream is not a file but
+ generated by a script then curl can truncate data transfer to arbitrary
+ size since a partial packet is treated as end of transfer by TFTP.
+
+ Fixes #857
+
+- mk-ca-bundle.pl: -m keeps ca cert meta data in output
+
+ Makes the script pass on comments holding meta data to the output
+ file. Like fingerprinters, issuer, date ranges etc.
+
+ Closes #937
+
+- multi: make Curl_expire() work with 0 ms timeouts
+
+ Previously, passing a timeout of zero to Curl_expire() was a magic code
+ for clearing all timeouts for the handle. That is now instead made with
+ the new Curl_expire_clear() function and thus a 0 timeout is fine to set
+ and will trigger a timeout ASAP.
+
+ This will help removing short delays, in particular notable when doing
+ HTTP/2.
+
+- transfer: return without select when the read loop reached maxcount
+
+ Regression added in 790d6de48515. The was then added to avoid one
+ particular transfer to starve out others. But when aborting due to
+ reading the maxcount, the connection must be marked to be read from
+ again without first doing a select as for some protocols (like SFTP/SCP)
+ the data may already have been read off the socket.
+
+ Reported-by: Dan Donahue
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html
+
+Steve Holme (3 Aug 2016)
+- [Bill Nagel brought this change]
+
+ mbedtls: Added support for NTLM
+
+Daniel Stenberg (3 Aug 2016)
+- [Sergei Nikulov brought this change]
+
+ travis: removed option to rebuild autotool from source
+
+ Fixes #943
+
+- bump: start working toward 7.50.2
+
+Version 7.50.1 (3 Aug 2016)
+
+Daniel Stenberg (3 Aug 2016)
+- THANKS: 7 new contributors from the 7.50.1 release
+
+- RELEASE-NOTES: 7.50.1
+
+- TLS: only reuse connections with the same client cert
+
+ CVE-2016-5420
+ Bug: https://curl.haxx.se/docs/adv_20160803B.html
+
+- TLS: switch off SSL session id when client cert is used
+
+ CVE-2016-5419
+ Bug: https://curl.haxx.se/docs/adv_20160803A.html
+ Reported-by: Bru Rom
+ Contributions-by: Eric Rescorla and Ray Satiro
+
+- curl_multi_cleanup: clear connection pointer for easy handles
+
+ CVE-2016-5421
+ Bug: https://curl.haxx.se/docs/adv_20160803C.html
+ Reported-by: Marcelo Echeverria and Fernando Muñoz
+
+- KNOWN_BUGS: SOCKS proxy not working via IPv6
+
+ Closes #835
+
+- KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
+
+ Closes #768
+
+- KNOWN_BUGS: transfer-encoding: chunked in HTTP/2
+
+ Closes #662
+
+- TODO: Provide cmake config-file
+
+ Closes #885
+
+Patrick Monnerat (2 Aug 2016)
+- os400: define BUILDING_LIBCURL in make script.
+
+Daniel Stenberg (1 Aug 2016)
+- RELEASE-NOTES: synced with aa9f536a18b
+
+Jay Satiro (1 Aug 2016)
+- [Thomas Glanzmann brought this change]
+
+ mbedtls: Fix debug function name
+
+ This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
+ defined.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
+
+Daniel Stenberg (1 Aug 2016)
+- [Sergei Nikulov brought this change]
+
+ travis: fix OSX build by re-installing libtool
+
+ Apparently due to a broken homebrew install
+
+ fixes #934
+ Closes #939
+
+- [Martin Vejnár brought this change]
+
+ win32: fix a potential memory leak in Curl_load_library
+
+ If a call to GetSystemDirectory fails, the `path` pointer that was
+ previously allocated would be leaked. This makes sure that `path` is
+ always freed.
+
+ Closes #938
+
+- include: revert 9adf3c4 and make public types void * again
+
+ Many applications assume the actual contents of the public types and use
+ that do for example forward declarations (saving them from including our
+ public header) which then breaks when we switch from void * to a struct
+ *.
+
+ I'm not convinced we were wrong, but since this practise seems
+ widespread enough I'm willing to (partly) step down.
+
+ Now libcurl uses the struct itself when it is built and it allows
+ applications to use the struct type if CURL_STRICTER is defined at the
+ time of the #include.
+
+ Reported-by: Peter Frühberger
+ Fixes #926
+
+Jay Satiro (28 Jul 2016)
+- [Yonggang Luo brought this change]
+
+ cmake: Fix for schannel support
+
+ The check_library_exists_concat do not check crypt32 library properly.
+ So include it directly.
+
+ Bug: https://github.com/curl/curl/pull/917
+ Reported-by: Yonggang Luo
+
+ Bug: https://github.com/curl/curl/issues/935
+ Reported-by: Alain Danteny
+
+- Revert "travis: Install libtool for OS X builds"
+
+ Didn't work.
+
+ This reverts commit 50723585ed380744358de054e2a55dccee65dfd7.
+
+- travis: Install libtool for OS X builds
+
+ CI is failing due to missing libtoolize, so I'm trying this.
+
+Daniel Stenberg (26 Jul 2016)
+- [Viktor Szakats brought this change]
+
+ TODO: minor typo in last commit
+
+ merged #931
+
+- TODO: Timeout idle connections from the pool
+
+Patrick Monnerat (25 Jul 2016)
+- os400: minimum supported OS version: V6R1M0.
+ Do not log compilation informational messages.
+
+Jay Satiro (24 Jul 2016)
+- tests: Fix for http/2 feature
+
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0070.html
+ Reported-by: Paul Howarth
+
+Steve Holme (23 Jul 2016)
+- README: Mention wolfSSL in the 'Dependencies' section
+
+- vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
+
+ As SPNEGO is only defined when these pre-processor variables are defined
+ there is no need to query them explicitly.
+
+- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
+
+ Typo introduced in commit ad5e9bfd5d.
+
+Daniel Stenberg (22 Jul 2016)
+- SECURITY: mention how to get windows-specific CVEs
+
+ ... and make the distros link a proper link
+
+Dan Fandrich (21 Jul 2016)
+- test558: fix test by stripping file paths from FD lines
+
+Kamil Dudka (21 Jul 2016)
+- tests: distribute the http2-server.pl script, too
+
+- docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too
+
+Daniel Stenberg (21 Jul 2016)
+- bump: start working on 7.50.1
+
+Version 7.50.0 (21 Jul 2016)
+
+Daniel Stenberg (21 Jul 2016)
+- RELEASE-NOTES: version 7.50.0 ready
+
+- THANKS: 13 new contributors from the 7.50.0 release
+
+Jay Satiro (21 Jul 2016)
+- winbuild: fix embedded manifest option
+
+ Embedded manifest option didn't work due to typo.
+
+ Reported-by: Stefan Kanthak
+
+- vauth: Fix memleak by freeing credentials if out of memory
+
+ This is a follow up to the parent commit dcdd4be which fixes one leak
+ but creates another by failing to free the credentials handle if out of
+ memory. Also there's a second location a few lines down where we fail to
+ do same. This commit fixes both of those issues.
+
+Daniel Stenberg (20 Jul 2016)
+- [Saurav Babu brought this change]
+
+ vauth: Fixed memory leak due to function returning without free
+
+ This patch allocates memory to "output_token" only when it is required
+ so that memory is not leaked if function returns.
+
+- test558: updated after ipv6-check move
+
+ Follow-up commit to c50980807c5 to make this test pass.
+
+Jay Satiro (20 Jul 2016)
+- connect: disable TFO on Linux when using SSL
+
+ - Linux TFO + TLS is not implemented yet.
+
+ Bug: https://github.com/curl/curl/issues/907
+
+Daniel Stenberg (19 Jul 2016)
+- ROADMAP: QUIC and TLS 1.3
+
+- RELEASE-NOTES: synced with c50980807c5
+
+Jay Satiro (18 Jul 2016)
+- [Brian Prodoehl brought this change]
+
+ curl_global_init: Check if IPv6 works
+
+ - Curl_ipv6works() is not thread-safe until after the first call, so
+ call it once during global init to avoid a possible race condition.
+
+ Bug: https://github.com/curl/curl/issues/915
+ PR: https://github.com/curl/curl/pull/918
+
+- [Timothy Polich brought this change]
+
+ CURLMOPT_SOCKETFUNCTION.3: fix typo
+
+ Closes https://github.com/curl/curl/pull/914
+
+- [Miroslav Franc brought this change]
+
+ library: Fix memory leaks found during static analysis
+
+ Closes https://github.com/curl/curl/pull/913
+
+- [Viktor Szakats brought this change]
+
+ cookie.c: Fix misleading indentation
+
+ Closes https://github.com/curl/curl/pull/911
+
+- FAQ: Update FTP directory listing section for MLSD command
+
+ Explain how some FTP servers support the machine readable listing
+ format MLSD from RFC 3659 and compare it to LIST.
+
+ Ref: https://github.com/curl/curl/issues/906
+
+Daniel Stenberg (1 Jul 2016)
+- [Sergei Nikulov brought this change]
+
+ Appveyor: Updates for options - CURL_STATICLIB/BUILD_TESTING
+
+ Closes #892
+
+- TODO: 17.4 also brings more HTTP/2 support
+
+- TODO: try next proxy if one doesn't work
+
+ Closes #896
+
+- conn: don't free easy handle data in handler->disconnect
+
+ Reported-by: Gou Lingfeng
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
+
+- test1244: test different proxy ports same URL
+
+- curl_global_init.3: improved formatting of the flags
+
+- curl_global_init.3: expand on the SSL and WIN32 bits purpose
+
+ Reported-by: Richard Gray
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html
+
+- [Michael Kaufmann brought this change]
+
+ cleanup: minor code cleanup in Curl_http_readwrite_headers()
+
+ - the expression of an 'if' was always true
+ - a 'while' contained a condition that was always true
+ - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
+ - fixed a typo
+
+ Closes #889
+
+- SFTP: set a generic error when no SFTP one exists...
+
+ ... as otherwise we could get a 0 which would count as no error and we'd
+ wrongly continue and could end up segfaulting.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
+ Reported-by: 暖和的和暖
+
+- ROADMAP: http2 tests are merged, mention http2 perf
+
+- docs/README.md: to render nicer pages on github
+
+ ... as previously the README.cmake would be picked and put at the bottom
+ of the docs page there and it wasn't very representative!
+
+- README.md: change host name for the svg logo
+
+ rawgit.com asks to use the domain cdn.rawgit.com for production
+
+ See #900
+
+- [Viktor Szakats brought this change]
+
+ README.md: use the SVG logo
+
+- README.md: logo on top!
+
+- KNOWN_BUGS: 3.4 POP3 expects "CRLF.CRLF" eob for some
+
+ Closes #740
+
+- RELEASE-NOTES: synced with d61c80515aa8
+
+- [Michael Osipov brought this change]
+
+ acinclude.m4: improve autodetection of CA bundle on FreeBSD
+
+ The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
+ to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
+ discovery process.
+
+ This change also removes the former FreeBSD path that has been obsolete
+ for 8 years since this FreeBSD ports commit:
+ https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953
+
+ Closes #894
+
+- configure: don't specify .lib for libs on windows
+
+ Another follow up for crypt32.lib linking with winssl
+
+- configure: fix winssl LIBS change typo
+
+ follow-up from 120bf29e
+
+- TODO: "TCP Fast Open" is done, add monitor pool connections
+
+- configure: add crypt32.lib for winssl builds
+
+ Necessary since 6cabd78531f
+
+- Makefile.vc: link with crypt32.lib for winssl builds
+
+ Necessary since 6cabd78531f
+
+ Fixes #853
+
+- [Joel Depooter brought this change]
+
+ VC: Add crypt32.lib to Visual Sudio project template files
+
+ Closes #854
+
+- vc: fix the build for schannel certinfo support
+
+ Broken since 6cabd785, which adds use of the Curl_extract_certinfo
+ function from the x509asn1.c file.
+
+- typedefs: use the full structs in internal code...
+
+ ... and save the typedef'ed names for headers and external APIs.
+
+- internals: rename the SessionHandle struct to Curl_easy
+
+- headers: forward declare CURL, CURLM and CURLSH as structs
+
+ Instead of typedef'ing to void, typedef to their corresponding actual
+ struct names to allow compilers to type-check.
+
+ Assisted-by: Reinhard Max
+
+Jay Satiro (22 Jun 2016)
+- vtls: Only call add/getsession if session id is enabled
+
+ Prior to this change we called Curl_ssl_getsessionid and
+ Curl_ssl_addsessionid regardless of whether session ID reusing was
+ enabled. According to comments that is in case session ID reuse was
+ disabled but then later enabled.
+
+ The old way was not intuitive and probably not something users expected.
+ When a user disables session ID caching I'd guess they don't expect the
+ session ID to be cached anyway in case the caching is later enabled.
+
+Daniel Stenberg (22 Jun 2016)
+- curl.1: the used progress meter suffix is k in lower case
+
+ Closes #883
+
+- [Sergei Nikulov brought this change]
+
+ cmake: now using BUILD_TESTING=ON/OFF
+
+ CMake build now using BUILD_TESTING=ON/OFF (default is OFF) to build
+ tests and enabling CTest integration. Options BUILD_CURL_TESTS and
+ BUILD_DASHBOARD_REPORTS was removed.
+
+ Closes #882
+
+ Reviewed-by: Brad King
+
+- [Michael Kaufmann brought this change]
+
+ cleanup: fix method names in code comments
+
+ Closes #887
+
+Kamil Dudka (21 Jun 2016)
+- curl-compilers.m4: improve detection of GCC's -fvisibility= flag
+
+ Some builds of GCC produce output on both stdout and stderr when --help
+ --verbose is used. The 2>&1 redirection caused them to be arbitrarily
+ interleaved with each other because of stream buffering. Consequently,
+ grep failed to match the fvisibility= string in the mixed output, even
+ though the string was present in GCC's standard output.
+
+ This led to silently disabling symbol hiding in some builds of curl.
+
+Daniel Stenberg (19 Jun 2016)
+- tests: fix the HTTP/2 tests
+
+ The HTTP/2 tests brought with commit bf05606ef1f were using the internal
+ name 'http2' for the HTTP/2 server, while in fact that name was already
+ used for the second instance of the HTTP server. This made tests using
+ the second instance (like test 2050) fail after a HTTP/2 test had run.
+
+ The server is now known as HTTP/2 internally and within the <server>
+ section in test cases. 1700, 1701 and 1702 were updated accordingly.
+
+- openssl: use more 'const' to fix build warnings with 1.1.0 branch
+
+- curl.1: missed 'T' in the progress unit suffixes
+
+- curl.1: mention the unix for the progress meter
+
+Patrick Monnerat (16 Jun 2016)
+- os400: add new definitions to ILE/RPG binding.
+
+Daniel Stenberg (16 Jun 2016)
+- openssl: fix cert check with non-DNS name fields present
+
+ Regression introduced in 5f5b62635 (released in 7.48.0)
+
+ Reported-by: Fabian Ruff
+ Fixes #875
+
+Dan Fandrich (16 Jun 2016)
+- axtls: Use Curl_wait_ms instead of the less-portable usleep
+
+- axtls: Fixed compile after compile 31c521b0
+
+- tests: Added HTTP proxy keywords to tests 1141 & 1142
+
+Jay Satiro (15 Jun 2016)
+- [Sergei Nikulov brought this change]
+
+ cmake: Fix build with winldap
+
+ Bug: https://github.com/curl/curl/pull/874
+ Reported-by: Sergei Nikulov
+
+- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
+
+ When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a
+ zero-byte POST. Prior to this change it was documented as sending data
+ from the read callback.
+
+ This also changes the wording of what happens when empty or NULL so that
+ it's hopefully easier to understand for people whose primary language
+ isn't English.
+
+ Bug: https://github.com/curl/curl/issues/862
+ Reported-by: Askar Safin
+
+- [Michael Wallner brought this change]
+
+ curl_multi_socket_action.3: Fix rewording
+
+ - Remove some erroneous text.
+
+ Closes https://github.com/curl/curl/pull/865
+
+- [Luo Jinghua brought this change]
+
+ resolve: enable protocol family logic for synthesized IPv6
+
+ - Enable protocol family logic for IPv6 resolves even when support
+ for synthesized addresses is enabled.
+
+ This is a follow up to the parent commit that added support for
+ synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family
+ logic needed for IPv6 was inadvertently excluded if support for
+ synthesized addresses was enabled.
+
+ Bug: https://github.com/curl/curl/issues/863
+ Ref: https://github.com/curl/curl/pull/866
+ Ref: https://github.com/curl/curl/pull/867
+
+Daniel Stenberg (7 Jun 2016)
+- [Luo Jinghua brought this change]
+
+ resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
+
+ Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X.
+ If the current network interface doesn’t support IPv4, but supports
+ IPv6, NAT64, and DNS64.
+
+ Closes #866
+ Fixes #863
+
+- tests: two more HTTP/2 tests
+
+ 1701 and 1702
+
+- runtests: don't display logs when http2 server fails to start
+
+- runtests: make stripfile work on stdout as well
+
+ ... and have test 1700 use that to strip out the nghttpx server: headers
+
+- http2-tests: test1700 is the first real HTTP/2 test
+
+ It requires that 'nghttpx' is in the PATH, and it will run the tests
+ using nghttpx as a front-end proxy in front of the standard HTTP/1 test
+ server. This uses HTTP/2 over plain TCP.
+
+ If you like me have nghttpx installed in a custom path, you can run test 1700
+ like this:
+
+ $ PATH=$PATH:$HOME/build-nghttp2/bin/ ./runtests.pl 1700
+
+- RELEASE-NOTES: synced with 34855feeb4c299
+
+Steve Holme (6 Jun 2016)
+- schannel: Disable ALPN on Windows < 8.1
+
+ Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
+ fails on Windows < 8.1 so we need to disable ALPN on these OS versions.
+
+ Inspiration provide by: Daniel Seither
+
+ Closes #848
+ Fixes #840
+
+Jay Satiro (5 Jun 2016)
+- checksrc: Add LoadLibrary to the banned functions list
+
+ LoadLibrary was supplanted by Curl_load_library for security
+ reasons in 6df916d.
+
+- http: Fix HTTP/2 connection reuse
+
+ - Change the parser to not require a minor version for HTTP/2.
+
+ HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2
+ in 8243a95 because the parser still expected a minor version.
+
+ Bug: https://github.com/curl/curl/issues/855
+ Reported-by: Andrew Robbins, Frank Gevaerts
+
+Steve Holme (4 Jun 2016)
+- connect.c: Fixed compilation warning from commit 332e8d6164
+
+ connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
+
+- win32: Used centralised verify windows version function
+
+ Closes #845
+
+- win32: Added verify windows version functionality
+
+- win32: Introduced centralised verify windows version function
+
+Kamil Dudka (3 Jun 2016)
+- tool_urlglob: fix off-by-one error in glob_parse()
+
+ ... causing SIGSEGV while parsing URL with too many globs.
+ Minimal example:
+
+ $ curl $(for i in $(seq 101); do printf '{a}'; done)
+
+ Reported-by: Romain Coltel
+ Bug: https://bugzilla.redhat.com/1340757
+
+Daniel Stenberg (1 Jun 2016)
+- [Benjamin Kircher brought this change]
+
+ libcurl-multi.3: fix small typo
+
+ Closes #850
+
+- [Viktor Szakats brought this change]
+
+ makefile.m32: add crypt32 for winssl builds
+
+ Dependency added by 6cabd78
+
+ Closes #849
+
+- [Ivan Avdeev brought this change]
+
+ vtls: fix ssl session cache race condition
+
+ Sessionid cache management is inseparable from managing individual
+ session lifetimes. E.g. for reference-counted sessions (like those in
+ SChannel and OpenSSL engines) every session addition and removal
+ should be accompanied with refcount increment and decrement
+ respectively. Failing to do so synchronously leads to a race condition
+ that causes symptoms like use-after-free and memory corruption.
+ This commit:
+ - makes existing session cache locking explicit, thus allowing
+ individual engines to manage lock's scope.
+ - fixes OpenSSL and SChannel engines by putting refcount management
+ inside this lock's scope in relevant places.
+ - adds these explicit locking calls to other engines that use
+ sessionid cache to accommodate for this change. Note, however,
+ that it is unknown whether any of these engines could also have
+ this race.
+
+ Bug: https://github.com/curl/curl/issues/815
+ Fixes #815
+ Closes #847
+
+- [Andrew Kurushin brought this change]
+
+ schannel: add CURLOPT_CERTINFO support
+
+ Closes #822
+
+- RELEASE-NOTES: synced with 142ee9fa15002315
+
+- openssl: rename the private SSL_strerror
+
+ ... to make it not look like an OpenSSL function
+
+- [Michael Kaufmann brought this change]
+
+ openssl: Use correct buffer sizes for error messages
+
+ Closes #844
+
+- curl: fix -q [regression]
+
+ This broke in 7.49.0 with commit e200034425a7625
+
+ Fixes #842
+
+- URL parser: allow URLs to use one, two or three slashes
+
+ Mostly in order to support broken web sites that redirect to broken URLs
+ that are accepted by browsers.
+
+ Browsers are typically even more leniant than this as the WHATWG URL
+ spec they should allow an _infinite_ amount. I tested 8000 slashes with
+ Firefox and it just worked.
+
+ Added test case 1141, 1142 and 1143 to verify the new parser.
+
+ Closes #791
+
+- [Renaud Lehoux brought this change]
+
+ cmake: Added missing mbedTLS support
+
+ Closes #837
+
+- [Renaud Lehoux brought this change]
+
+ mbedtls: removed unused variables
+
+ Closes #838
+
+- [Frank Gevaerts brought this change]
+
+ http: add CURLINFO_HTTP_VERSION and %{http_version}
+
+ Adds access to the effectively used http version to both libcurl and
+ curl.
+
+ Closes #799
+
+- bump: start the journey toward 7.50.0
+
+- [Marcel Raad brought this change]
+
+ openssl: fix build with OPENSSL_NO_COMP
+
+ With OPENSSL_NO_COMP defined, there is no function
+ SSL_COMP_free_compression_methods
+
+ Closes #836
+
+- [Gisle Vanem brought this change]
+
+ memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
+
+ Fixes #828
+
+- [Jonathan brought this change]
+
+ README.md: polish
+
+ Closes #834
+
+- RELEASE-NOTES: fix vuln link
+
+Version 7.49.1 (30 May 2016)
+
+Daniel Stenberg (30 May 2016)
+- RELEASE-NOTES: 7.49.1
+
+- [Steve Holme brought this change]
+
+ loadlibrary: Only load system DLLs from the system directory
+
+ Inspiration provided by: Daniel Stenberg and Ray Satiro
+
+ Bug: https://curl.haxx.se/docs/adv_20160530.html
+
+ Ref: Windows DLL hijacking with curl, CVE-2016-4802
+
+- ssh: fix version number check typo
+
+Jay Satiro (29 May 2016)
+- curl_share_setopt.3: Add min ver needed for ssl session lock
+
+ Bug: https://github.com/curl/curl/issues/826
+ Reported-by: Michael Wallner
+
+Daniel Stenberg (29 May 2016)
+- ssh: fix build for libssh2 before 1.2.6
+
+ The statvfs functionality was added to libssh2 in that version, so we
+ switch off that functionality when built with older libraries.
+
+ Fixes #831
+
+- mbedtls: fix includes so snprintf() works
+
+ Regression from the previous *printf() rearrangements, this file missed to
+ include the correct header to make sure snprintf() works universally.
+
+ Reported-by: Moti Avrahami
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
+
+Steve Holme (23 May 2016)
+- checksrc.pl: Added variants of strcat() & strncat() to banned function list
+
+ Added support for checking the tchar, unicode and mbcs variants of
+ strcat() and strncat() in the banned function list.
+
+Daniel Stenberg (23 May 2016)
+- smtp: minor ident (white space) fixes
+
+- THANKS: updated after script fixes
+
+ Now giving credit properly to github user names, fixed some UTF-8 issues
+ and added names discovered when contrithanks was improved.
+
+- THANKS-filter: more name cleanups
+
+- contrithanks.sh: exclude existing names case insensitively
+
+- contrithanks.sh: use same grep pattern and -a flag as contributors.sh
+
+- contributors.sh: better grep pattern, use grep -a
+
+- THANKS-filter: fix more names
+
+- contrithanks.sh: do the same github fix as contributors.sh
+
+ from 1577bfa35ba
+
+Jay Satiro (23 May 2016)
+- contributors: Show GitHub username if real name unknown
+
+ Prior to this change if a GitHub contributor's real name was unknown
+ they would be omitted from the list.
+
+ Bug: https://github.com/curl/curl/issues/824
+
+Daniel Stenberg (21 May 2016)
+- RELEASE-NOTES: synced with 3caaeffbe8ded4
+
+Jay Satiro (20 May 2016)
+- openssl: cleanup must free compression methods
+
+ - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
+
+ Bug: https://github.com/curl/curl/issues/817
+ Reported-by: jveazey@users.noreply.github.com
+
+Daniel Stenberg (20 May 2016)
+- [Gisle Vanem brought this change]
+
+ curl_multibyte: fix compiler error
+
+ While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
+ getting:
+
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
+ to follow 'CURL_EXTERN'
+
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
+ 'curl_domalloc': not in formal parameter list
+
+- THANKS-filter: make Jan-E get proper credit
+
+- [Jan-E brought this change]
+
+ winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
+
+ Closes #818
+
+- [Alexander Traud brought this change]
+
+ libcurl.m4: Avoid obsolete warning
+
+ Closes #821
+
+Jay Satiro (20 May 2016)
+- [Michael Kaufmann brought this change]
+
+ CURLOPT_CONNECT_TO.3: user must not free the list prematurely
+
+ The connect-to list isn't copied so as long as the handle may be used
+ for a transfer the list must be valid.
+
+ Bug: https://github.com/curl/curl/pull/819
+ Reported-by: Michael Kaufmann
+
+Daniel Stenberg (19 May 2016)
+- RELEASE-NOTES: synced with 48114a8634242c
+
+- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
+
+ See OpenSSL commit 21e001747d4a
+
+- http2: use HTTP/2 in the HTTP/1.1-alike header
+
+ ... when generating them, not "2.0" as the protocol is called just
+ HTTP/2 and nothing else.
+
+Jay Satiro (19 May 2016)
+- dist: include curl_multi_socket_all.3
+
+ Closes https://github.com/curl/curl/pull/816
+
+Steve Holme (18 May 2016)
+- bump: Start work on 7.49.1
+
+Daniel Stenberg (18 May 2016)
+- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
+
+ The preprocessor check that sets up the 32bit defines for non-configure
+ builds didn't work properly for MIPS systems as __mips__ is defined for
+ both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
+
+ Reported-by: Tomas Jakobsson
+ Fixes #813
+
+- [Marcel Raad brought this change]
+
+ schannel: fix compile break with MSVC XP toolset
+
+ For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
+ 7.1 is used. In this case, _USING_V110_SDK71_ is defined.
+
+ Closes #812
+
+- dist: include CHECKSRC.md
+
+ Reported-by: Paul Howarth
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html
+
+- test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist
+
+ Reported-by: Ray Satiro
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html
+
+Version 7.49.0 (17 May 2016)
+
+Daniel Stenberg (17 May 2016)
+- THANKS: 24 new names from 7.49.0 release notes
+
+- RELEASE-NOTES: 7.49.0
+
+- mbedtls/polarssl: set "hostname" unconditionally
+
+ ...as otherwise the TLS libs will skip the CN/SAN check and just allow
+ connection to any server. curl previously skipped this function when SNI
+ wasn't used or when connecting to an IP address specified host.
+
+ CVE-2016-3739
+
+ Bug: https://curl.haxx.se/docs/adv_20160518A.html
+ Reported-by: Moti Avrahami
+
+- [Frank Gevaerts brought this change]
+
+ CURLOPT_RESOLVE.3: fix typo
+
+ Closes #811
+
+- docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE
+
+- KNOWN_BUGS: GnuTLS backend skips really long certificate fields
+
+ Closes #762
+
+- CURLOPT_HTTPPOST.3: the data needs to be around while in use
+
+- openssl: get_cert_chain: fix NULL dereference
+
+ CID 1361815: Explicit null dereferenced (FORWARD_NULL)
+
+- openssl: get_cert_chain: avoid NULL dereference
+
+ CID 1361811: Explicit null dereferenced (FORWARD_NULL)
+
+- dprintf_formatf: fix (false?) Coverity warning
+
+ CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when
+ we run over 'workend' but the condition says <= workend and for all I
+ can see it should be safe. Compensating for the warning by adding a byte
+ margin in the buffer.
+
+ Also, removed the extra brace level indentation in the code and made it
+ so that 'workend' is only assigned once within the function.
+
+- RELEASE-NOTES: synced with 2dcb5adc72d6
+
+- THANKS-filter: fixed Jonathan Cardoso
+
+Jay Satiro (15 May 2016)
+- ftp: fix incorrect out-of-memory code in Curl_pretransfer
+
+ - Return value type must match function type.
+
+ s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/
+
+ Caught by Travis CI
+
+Daniel Stenberg (15 May 2016)
+- ftp wildcard: segfault due to init only in multi_perform
+
+ The proper FTP wildcard init is now more properly done in Curl_pretransfer()
+ and the corresponding cleanup in Curl_close().
+
+ The previous place of init/cleanup code made the internal pointer to be NULL
+ when this feature was used with the multi_socket() API, as it was made within
+ the curl_multi_perform() function.
+
+ Reported-by: Jonathan Cardoso Machado
+ Fixes #800
+
+Jay Satiro (13 May 2016)
+- libcurl-tlibcurl-thread: Update OpenSSL links
+
+ Because the old OpenSSL link now redirects to their master documentation
+ (currently 1.1.0), which does not document the required actions for
+ OpenSSL <= 1.0.2.
+
+Daniel Stenberg (13 May 2016)
+- [Viktor Szakats brought this change]
+
+ darwinssl.c: fix OS X codename typo in comment
+
+- RELEASE-NOTES: synced with 68701e51c1f7
+
+ Added 8 bug fixes and 5 more contrbutors
+
+- [Jay Satiro brought this change]
+
+ mprintf: Fix processing of width and prec args
+
+ Prior to this change a width arg could be erroneously output, and also
+ width and precision args could not be used together without crashing.
+
+ "%0*d%s", 2, 9, "foo"
+
+ Before: "092"
+ After: "09foo"
+
+ "%*.*s", 5, 2, "foo"
+
+ Before: crash
+ After: " fo"
+
+ Test 557 is updated to verify this and more
+
+- [Michael Kaufmann brought this change]
+
+ ConnectionExists: follow-up fix for proxy re-use
+
+ Follow-up commit to 5823179
+
+ Closes #648
+
+- [Per Malmberg brought this change]
+
+ darwinssl: fix certificate verification disable on OS X 10.8
+
+ The new way of disabling certificate verification doesn't work on
+ Mountain Lion (OS X 10.8) so we need to use the old way in that version
+ too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2
+ and 10.11.
+
+ Closes #802
+
+- [Cory Benfield brought this change]
+
+ http2: Add space between colon and header value
+
+ curl's representation of HTTP/2 responses involves transforming the
+ response to a format that is similar to HTTP/1.1. Prior to this change,
+ curl would do this by separating header names and values with only a
+ colon, without introducing a space after the colon.
+
+ While this is technically a valid way to represent a HTTP/1.1 header
+ block, it is much more common to see a space following the colon. This
+ change introduces that space, to ensure that incautious tools are safely
+ able to parse the header block.
+
+ This also ensures that the difference between the HTTP/1.1 and HTTP/2
+ response layout is as minimal as possible.
+
+ Bug: https://github.com/curl/curl/issues/797
+
+ Closes #798
+ Fixes #797
+
+Kamil Dudka (12 May 2016)
+- openssl: fix compile-time warning in Curl_ossl_check_cxn()
+
+ ... introduced in curl-7_48_0-293-g2968c83:
+
+ Error: COMPILER_WARNING:
+ lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’
+ lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’
+ may alter its value [-Wconversion]
+
+Jay Satiro (11 May 2016)
+- openssl: stricter connection check function
+
+ - In the case of recv error, limit returning 'connection still in place'
+ to EINPROGRESS, EAGAIN and EWOULDBLOCK.
+
+ This is an improvement on the parent commit which changed the openssl
+ connection check to use recv MSG_PEEK instead of SSL_peek.
+
+ Ref: https://github.com/curl/curl/commit/856baf5#comments
+
+Daniel Stenberg (11 May 2016)
+- [Anders Bakken brought this change]
+
+ TLS: SSL_peek is not a const operation
+
+ Calling SSL_peek can cause bytes to be read from the raw socket which in
+ turn can upset the select machinery that determines whether there's data
+ available on the socket.
+
+ Since Curl_ossl_check_cxn only tries to determine whether the socket is
+ alive and doesn't actually need to see the bytes SSL_peek seems like
+ the wrong function to call.
+
+ We're able to occasionally reproduce a connect timeout due to this
+ bug. What happens is that Curl doesn't know to call SSL_connect again
+ after the peek happens since data is buffered in the SSL buffer and thus
+ select won't fire for this socket.
+
+ Closes #795
+
+Jay Satiro (9 May 2016)
+- [Daniel Stenberg brought this change]
+
+ TLS: move the ALPN/NPN enable bits to the connection
+
+ Only protocols that actually have a protocol registered for ALPN and NPN
+ should try to get that negotiated in the TLS handshake. That is only
+ HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
+ would wrongly be used in all handshakes if libcurl was built with it
+ enabled.
+
+ Reported-by: Jay Satiro
+
+ Fixes #789
+
+Daniel Stenberg (8 May 2016)
+- libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl
+
+- [Antonio Larrosa brought this change]
+
+ connect: fix invalid "Network is unreachable" errors
+
+ Sometimes, in systems with both ipv4 and ipv6 addresses but where the
+ network doesn't support ipv6, Curl_is_connected returns an error
+ (intermittently) even if the ipv4 socket connects successfully.
+
+ This happens because there's a for-loop that iterates on the sockets but
+ the error variable is not resetted when the ipv4 is checked and is ok.
+
+ This patch fixes this problem by setting error to 0 when checking the
+ second socket and not having a result yet.
+
+ Fixes #794
+
+Jay Satiro (5 May 2016)
+- FAQ: refer to thread safety guidelines
+
+Daniel Stenberg (3 May 2016)
+- connections: non-HTTP proxies on different ports aren't reused either
+
+ Reported-by: Oleg Pudeyev and fuchaoqun
+
+ Fixes #648
+
+- http: make sure a blank header overrides accept_decoding
+
+ Reported-by: rcanavan
+ Assisted-by: Isaac Boukris
+ Closes #785
+
+- CHECKSRC.md: clarified, explained the whitelist file
+
+- nroff-scan.pl: verify that references are made with \fI
+
+- docs: unified man page references to use \fI
+
+- TODO: 17.14 --fail without --location should treat 3xx as a failure
+
+ Closes #727
+
+- RELEASE-NOTES: synced with 7987f5cb14d
+
+- [Isaac Boukris brought this change]
+
+ CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
+
+ Mention possible content-length mismatch with sum of bytes reported
+ by write callbacks when auto decoding is enabled.
+
+ See #785
+
+- test1140: run nroff-scan to verify man pages
+
+- nroff-scan.pl: verify the .BR references as well
+
+- CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference
+
+- CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE
+
+- curl_easy_pause.3: fix man page reference
+
+Jay Satiro (1 May 2016)
+- tool_cb_hdr: Fix --remote-header-name with schemeless URL
+
+ - Move the existing scheme check from tool_operate.
+
+ In the case of --remote-header-name we want to parse Content-disposition
+ for a filename, but only if the scheme is http or https. A recent
+ adjustment 0dc4d8e was made to account for schemeless URLs however it's
+ not 100% accurate. To remedy that I've moved the scheme check to the
+ header callback, since at that point the library has already determined
+ the scheme.
+
+ Bug: https://github.com/curl/curl/issues/760
+ Reported-by: Kai Noda
+
+Daniel Stenberg (1 May 2016)
+- tls: make setting pinnedkey option fail if not supported
+
+ to make it obvious to users trying to use the feature with TLS backends
+ not supporting it.
+
+ Discussed in #781
+ Reported-by: Travis Burtrum
+
+- nroff-scan.pl: verifies nroff pages
+
+ ... not used by any test yet but can be used stand-alone.
+
+- opts: fix broken/bad references
+
+- [Michael Kaufmann brought this change]
+
+ docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
+
+ Closes #786
+
+- CURLOPT_ACCEPT_ENCODING.3: clarified
+
+ As discussed in #785
+
+- curl.1: --mail-rcpt can be used multiple times
+
+ Reported-by: mgendre
+ Closes #784
+
+- [Karlson2k brought this change]
+
+ tests: Use 'pathhelp' for paths conversions in secureserver.pl
+
+ Closes #675
+
+- [Karlson2k brought this change]
+
+ tests: Use 'pathhelp' for paths conversions in sshserver.pl
+
+- [Karlson2k brought this change]
+
+ tests: Use 'pathhelp' for current path in runtests.pl
+
+- [Karlson2k brought this change]
+
+ tests: pathhelp.pm to process paths on Msys/Cygwin
+
+- lib: include curl_printf.h as one of the last headers
+
+ curl_printf.h defines printf to curl_mprintf, etc. This can cause
+ problems with external headers which may use
+ __attribute__((format(printf, ...))) markers etc.
+
+ To avoid that they cause problems with system includes, we include
+ curl_printf.h after any system headers. That makes the three last
+ headers to always be, and we keep them in this order:
+
+ curl_printf.h
+ curl_memory.h
+ memdebug.h
+
+ None of them include system headers, they all do funny #defines.
+
+ Reported-by: David Benjamin
+
+ Fixes #743
+
+- memdebug.h: remove inclusion of other headers
+
+ Mostly because they're not needed, because memdebug.h is always included
+ last of all headers so the others already included the correct ones.
+
+ But also, starting now we don't want this to accidentally include any
+ system headers, as the header included _before_ this header may add
+ defines and other fun stuff that we won't want used in system includes.
+
+- [Jay Satiro brought this change]
+
+ curl -J: make it work even without http:// scheme on URL
+
+ It does open up a miniscule risk that one of the other protocols that
+ libcurl could use would send back a Content-Disposition header and then
+ curl would act on it even if not HTTP.
+
+ A future mitigation for this risk would be to allow the callback to ask
+ libcurl which protocol is being used.
+
+ Verified with test 1312
+
+ Closes #760
+
+- manpage-scan.pl: also verify the command line option docs
+
+ This script now also scans src/tool_getparam.c, docs/curl.1 and
+ src/tool_help.c and will warn if any of them lists a command line option
+ not mentioned in one of the other places.
+
+- curl: show the long option version of -q in the -h list
+
+- curl: remove "--socks" as "--socks5" turned 8
+
+ In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated
+ and it has not been documented since. The more explicit socks options
+ (like --socks4 or --socks5) should be used.
+
+- curl.1: document the deprecated --ftp-ssl option
+
+- curl: remove --http-request
+
+ It was mentioned as deprecated already in commit ae1912cb0d4 from
+ 1999. It has not been documented in this millennium.
+
+- curl: mention --ntlm-wb in -h list
+
+- curl: -h output lacked --proxy-header
+
+- curl.1: document --ntlm-wb
+
+- curl.1: document the long format of -q: --disable
+
+- curl.1: mention the deprecated --krb4 option
+
+- curl.1: document --ftp-ssl-reqd
+
+ Even if deprecated, document it so that people will find it as old
+ scripts may still use it.
+
+- curl: use --telnet-option as documented
+
+ The code said "telnet-options" but no documentation ever said so. It
+ worked fine since the code is fine with a unique match of the first
+ part.
+
+- getparam: remove support for --ftpport
+
+ It has been deprecated and undocumented since commit ad5ead8bed7 (Dec
+ 2003). --ftp-port is the proper long option name.
+
+- curl: make --disable work as long form of -q
+
+ To make the aliases list reflect reality.
+
+- aliases: remove trailing space from capath string
+
+- cmdline parse: only single letter options have single-letter strings
+
+ ... moved around options so that parsing the code to find all
+ single-letter options easier.
+
+Jay Satiro (28 Apr 2016)
+- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
+
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html
+ Reported-by: Bru Rom
+
+Daniel Stenberg (28 Apr 2016)
+- curl_easy_getinfo.3: remove superfluous blank lines
+
+- test1139: verifies libcurl option man page presence
+
+ - checks that each option has its own man page present
+
+ - checks that each option is mentioned in its corresponding index man
+ page
+
+- curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION
+
+ ... although it is deprecated.
+
+Jay Satiro (28 Apr 2016)
+- mbedtls: Fix session resume
+
+ This also fixes PolarSSL session resume.
+
+ Prior to this change the TLS session information wasn't properly
+ saved and restored for PolarSSL and mbedTLS.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
+ Reported-by: Thomas Glanzmann
+
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
+ Reported-by: Moti Avrahami
+
+Daniel Stenberg (27 Apr 2016)
+- RELEASE-NOTES: synced with f4298fcc6d2
+
+- [Michael Kaufmann brought this change]
+
+ opts: Fix some syntax errors in example code fragments
+
+ Fixes #779
+
+- openssl: avoid BN_print a NULL bignum
+
+ OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
+ numbers so make sure the function handles this.
+
+ Reported-by: Linus Nordberg
+
+- [Marcel Raad brought this change]
+
+ CONNECT_ONLY: don't close connection on GSS 401/407 reponses
+
+ Previously, connections were closed immediately before the user had a
+ chance to extract the socket when the proxy required Negotiate
+ authentication.
+
+ This regression was brought in with the security fix in commit
+ 79b9d5f1a42578f
+
+ Closes #655
+
+- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
+
+- mbedtls.c: silly spellfix of a comment
+
+- KNOWN_BUGS: 1.10 Strips trailing dot from host name
+
+ Closes #716
+
+- test1322: verify stripping of trailing dot from host name
+
+ While being debated (in #716) and a violation of RFC 7230 section 5.4,
+ this test verifies that the existing functionality works as intended. It
+ strips the dot from the host name and uses the host without dot
+ throughout the internals.
+
+- multi: accidentally used resolved host name instead of proxy
+
+ Regression introduced in 09b5a998
+
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html
+ Reported-by: BoBo
+
+- symbols-in-versions: added new CURLSSLBACKEND_ symbols
+
+- test148: fixed after the --ftp-create-dirs retry change
+
+ follow-up commit to 3c1e84f569 as it made curl try a little harder
+
+- curl.h: clarify curl_sslbackend for openssl clones and renames
+
+- [Karlson2k brought this change]
+
+ url.c: fixed DEBUGASSERT() for WinSock workaround
+
+ If buffer is allocated, but nothing is received during prereceive
+ stage, than number of processed bytes must be zero.
+
+ Closes #778
+
+- KNOWN_BUGS: --interface for ipv6 binds to unusable IP address
+
+ Closes #686 for now.
+
+- TODO: 1.17 Add support for IRIs
+
+ Adding support for IRIs is a mouthful, but is probably interesting at
+ least for areas and countries where the use of such "URLs" are growing
+ popularity.
+
+ Closes #776
+
+- THANKS-filter: Travis Burtrum
+
+- lib1517: checksrc compliance
+
+- [moparisthebest brought this change]
+
+ PolarSSL: Implement public key pinning
+
+Patrick Monnerat (22 Apr 2016)
+- os400: upgrade ILE/RPG binding
+
+- curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string
+
+Daniel Stenberg (22 Apr 2016)
+- contributors.sh: make --releasenotes implied
+
+ It got too annoying to type =)
+
+- RELEASE-NOTES: synced with 3c1e84f5693d8093
+
+- curl: make --ftp-create-dirs retry on failure
+
+ The underlying libcurl option used for this feature is
+ CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir
+ creation, but it was never set to do that by the command line tool.
+
+ Now it does.
+
+ Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html
+ Reported-by: John Wanghui
+ Help-by: Leif W
+
+- [Henrik Gaßmann brought this change]
+
+ winbuild: add mbedtls support
+
+ Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
+ options mutual exclusive.
+
+ Closes #606
+
+- KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables"
+
+ As of commit d9f3b365a3
+
+- [Irfan Adilovic brought this change]
+
+ configure: ac_cv_ -> curl_cv_ for write-only vars
+
+ These configure vars are modified in a curl-specific way but never
+ evaluated or loaded from cache, even though they are designated as
+ _cv_. We could either implement proper AC_CACHE_CHECKs for them, or
+ remove them completely.
+
+ Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and
+ AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after
+ the first configure run with caching.
+
+ `ac_cv_func_strcasecmp` is curious, see #770.
+
+ `eval "ac_cv_func_$func=yes"` can still cause problems as it works in
+ tandem with AC_CHECK_FUNCS and then potentially modifies its result. It
+ would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro,
+ which works the same as AC_CHECK_FUNCS but relies on caching the values
+ of curl_cv_func_* variables, without modifiying ac_cv_func_*.
+
+- [Irfan Adilovic brought this change]
+
+ configure: ac_cv_ -> curl_cv_ for r/w vars
+
+ These configure vars are modified in a curl-specific way and modified by
+ the configure process, but are never loaded from cache, even though they
+ are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
+ them eventually.
+
+- [Irfan Adilovic brought this change]
+
+ configure: ac_cv_func_clock_gettime -> curl_...
+
+ This variable must not be cached in its current form, as any cached
+ information will prevent the next configure run from determining the
+ correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to
+ just `curl_`.
+
+- [Irfan Adilovic brought this change]
+
+ configure: ac_cv_ -> curl_cv_ for all cached vars
+
+ This was automated by:
+
+ sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \
+ ack -o 'ac_cv_.*?\b' | \
+ sort -u | xargs -n1 bash -c \
+ 'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \
+ $(git ls-files)
+
+ This only changed the prefix for 16 variables actually checked with
+ AC_CACHE_CHECK.
+
+- openssl: builds with OpenSSL 1.1.0-pre5
- Daniel Stenberg assisted with polishing a few bits and fixed some minor
- flaws in the original patch.
-
- Another upside of this patch is that we now abuse CURLcodes less with the
- "magic" -1 return codes and instead use CURLE_AGAIN more consistently.
-
-Daniel Stenberg (5 May 2010)
-- Hoi-Ho Chan introduced support for using the PolarSSL library. You control
- this with the new configure option --with-polarssl.
-
-Daniel Stenberg (29 Apr 2010)
-- Ben Greear made telnet a lot better/easier to use by an application:
-
- The main change is to allow input from user-specified methods, when they are
- specified with CURLOPT_READFUNCTION. All calls to fflush(stdout) in
- telnet.c were removed, which makes using 'curl telnet://foo.com' painful
- since prompts and other data are not always returned to the user promptly.
- Use 'curl --no-buffer telnet://foo.com' instead. In general, the user
- should have their CURLOPT_WRITEFUNCTION do a fflush for interactive use.
-
- Also fix assumption that reading from stdin never returns < 0.
- Old code could crash in that case.
-
- Call progress functions in telnet main loop.
-
-Daniel Stenberg (26 Apr 2010)
-- Make use of the libssh2_init/exit functions that libssh2 added in version
- 1.2.5. Using them will improve how libcurl works in threaded situations when
- SCP and SFTP are transfered.
-
-Daniel Stenberg (25 Apr 2010)
-- Based on work by Kamil Dudka, I've introduced the new configure option
- --enable-threaded-resolver. When used, the configure script will check for
- pthreads and if around, it will build libcurl to use pthreads to do name
- resolving in a threaded manner. Note that this is just a fix to offer an
- option that can enable the code that already included. The threader resolver
- code was mostly added on Jan 26 2010.
-
-Daniel Stenberg (24 Apr 2010)
-- Alex Bligh introduced the --proto and -proto-redir options that limit what
- protocols curl accepts for the requests and when following redirects.
-
-Kamil Dudka (24 Apr 2010)
-- Fixed test536 in order to not fail with threaded DNS resolver and tweaked
- comments in certain examples using curl_multi_fdset().
-
-- Fixed SSL handshake timeout underflow in libcurl-NSS, which caused test405
- to hang on a slow machine.
-
-Daniel Stenberg (21 Apr 2010)
-- The -O option caused curl to crash on windows and DOS due to the tool
- writing out of boundary memory.
-
-Yang Tse (20 Apr 2010)
-- Ruslan Gazizov detected that MSVC makefiles were using wsock32.lib instead
- of ws2_32.lib, this generated linking issues on MSVC IPv6 enabled builds
- that were done using those makefiles.
-
-Daniel Stenberg (19 Apr 2010)
-- -J/--remote-header-name didn't strip trailing carriage returns or linefeeds
- properly, so they could be used in the file name.
-
-Daniel Stenberg (16 Apr 2010)
-- Jerome Vouillon made the GnuTLS SSL handshake phase non-blocking.
-
-- The recent overhaul of the SSL recv function made the GnuTLS specific code
- treat a zero returned from gnutls_record_recv() as an error, and this caused
- our HTTPS test cases to fail. We leave it to upper layer code to detect if
- an EOF is a problem or not.
-
-- I reverted the resolver fix from yesterday and instead removed all uses of
- AI_CANONNAME all over libcurl and made the only user of that info (krb5.c)
- use the host name from the URL instead. No reverse resolving is a good
- thing.
-
-- Paul Howarth made configure properly detect GSS "on ancient Linux distros"
- by editing in which order we use headers to detect GSS.
-
-Daniel Stenberg (15 Apr 2010)
-- Rainer Canavan filed bug report #2987196 that identified libcurl doing
- unnecesary reverse name lookups in many cases when built to use IPv4 and
- getaddrinfo(). The logic for ipv6 is now used for ipv4 too.
-
- (http://curl.haxx.se/bug/view.cgi?id=2963679)
-
-Version 7.20.1 (14 April 2010)
-
-Daniel Stenberg (9 Apr 2010)
-- Prefixing the FTP quote commands with an asterisk really only worked for the
- postquote actions. This is now fixed and test case 227 has been extended to
- verify.
-
-Kamil Dudka (4 Apr 2010)
-- Eliminated a race condition in Curl_resolv_timeout().
-
-- Refactorized interface of Curl_ssl_recv()/Curl_ssl_send().
-
-- libcurl-NSS now provides more accurate messages and error codes in case of
- client certificate problem. Either during connection, or transfer phase.
-
-Daniel Stenberg (1 Apr 2010)
-- Matt Wixson found and fixed a bug in the SCP/SFTP area where the code
- treated a 0 return code from libssh2 to be the same as EAGAIN while in
- reality it isn't. The problem caused a hang in SFTP transfers from a
- MessageWay server.
-
-Daniel Stenberg (28 Mar 2010)
-- Ben Greear: If you pass a URL to pop3 that does not contain a message ID as
- part of the URL, it would previously ask for 'INBOX' which just causes the
- pop3 server to return an error.
-
- Now libcurl treats en empty message ID as a request for LIST (list of pop3
- message IDs). User's code could then parse this and download individual
- messages as desired.
-
-Daniel Stenberg (27 Mar 2010)
-- Ben Greear brought a patch that from now on allows all protocols to specify
- name and user within the URL, in the same manner HTTP and FTP have been
- allowed to in the past - although far from all of the libcurl supported
- protocls actually have that feature in their URL definition spec.
-
-Daniel Stenberg (26 Mar 2010)
-- Ben Greear brought code that makes the rate limiting code for the easy
- interface a bit smoother as it introduces sub-second sleeps during it and it
- also takes the buffer sizes into account.
-
-Daniel Stenberg (24 Mar 2010)
-- Bob Richmond: There's an annoying situation where libcurl will read new HTTP
- response data from a socket, then check if it's a timeout if one is set. If
- the last packet received constitutes the end of the response body, libcurl
- still treats it as a timeout condition and reports a message like:
-
- "Operation timed out after 3000 milliseconds with 876 out of 876 bytes
- received"
-
- It should only a timeout if the timer lapsed and we DIDN'T receive the end
- of the response body yet.
+ The RSA, DSA and DH structs are now opaque and require use of new APIs
+
+ Fixes #763
+
+Steve Holme (20 Apr 2016)
+- url.c: Prefer we don't use explicit NULLs in conditions
+
+ Fixed commit fa5fa65a30 to not use NULLs in if condition.
+
+Daniel Stenberg (20 Apr 2016)
+- [Isaac Boukris brought this change]
+
+ NTLM: check for NULL pointer before deferencing
+
+ At ConnectionExists, both check->proxyuser and check->proxypasswd
+ could be NULL, so make sure to check first.
+
+ Fixes #765
+
+- [Karlson2k brought this change]
+
+ tests: added test1517
+
+ ... for checking ability to receive full HTTP response when POST request
+ is used with slow read callback function.
+
+ This test checks for bug #657 and verifies the work-around from
+ 72d5e144fbc6.
+
+ Closes #720
+
+- [Karlson2k brought this change]
+
+ sendf.c: added ability to call recv() before send() as workaround
+
+ WinSock destroys recv() buffer if send() is failed. As result - server
+ response may be lost if server sent it while curl is still sending
+ request. This behavior noticeable on HTTP server short replies if
+ libcurl use several send() for request (usually for POST request).
+ To workaround this problem, libcurl use recv() before every send() and
+ keeps received data in intermediate buffer for further processing.
+
+ Fixes: #657
+ Closes: #668
+
+Kamil Dudka (19 Apr 2016)
+- connect: make sure that rc is initialized in singleipconnect()
+
+ This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13:
+
+ Error: CLANG_WARNING:
+ lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value
+ 1118| }
+ 1119|
+ 1120|-> if(-1 == rc)
+ 1121| error = SOCKERRNO;
+ 1122| }
+
+Daniel Stenberg (19 Apr 2016)
+- make/checksrc: use $srcdir, not $top_srcdir
+
+- src/checksrc.whitelist: removed
+
+- tool_operate: switch to inline checksrc ignore
+
+- lib/checksrc.whitelist: not needed anymore
+
+ ... as checksrc now skips comments
+
+- vtls.h: remove a space before semicolon
+
+ ... that the new checksrc detected
+
+- darwinssl: removed commented out code
+
+- http_chunks: removed checksrc disable
+
+ ... since checksrc now skips comments
+
+- imap: inlined checksrc disable instead of whitelist edit
+
+- checksrc: taught to skip comments
+
+ ... but output non-stripped version of the line, even if that then can
+ make the script identify the wrong position in the line at
+ times. Showing the line stripped (ie without comments) is just too
+ surprising.
-- Christopher Conroy fixed a problem with RTSP and GET_PARAMETER reported
- to us by Massimo Callegari. There's a new test case 572 that verifies this
+- opts/Makefile.am: list all docs file one by one
+
+ ... to make it easier to add lines in patches that won't just break all
+ other patches trying to add lines too.
+
+- curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN
+
+- RELEASE-NOTES: synced with 03de4e4b219
+
+ (since we just merged two major features)
+
+- [Alessandro Ghedini brought this change]
+
+ connect: implement TCP Fast Open for Linux
+
+ Closes #660
+
+- [Alessandro Ghedini brought this change]
+
+ tool: add --tcp-fastopen option
+
+- [Alessandro Ghedini brought this change]
+
+ connect: implement TCP Fast Open for OS X
+
+- [Alessandro Ghedini brought this change]
+
+ url: add CURLOPT_TCP_FASTOPEN option
+
+- checksrc: pass on -D so the whitelists are found correctly
+
+- configure: remove check for libresolve
+
+ 'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
+ but this check is broken and most likely adds nothing useful. Removing
now.
+
+ Reported-by: Irfan Adilovic
+
+ Discussed in #770
+
+- scripts/make: use $(EXEEXT) for executables
+
+ Reported-by: bodop
+
+ Fixes #771
-- The 'ares' subtree has been removed from the source repository. It was
- always a separate project that sort of piggybacked on the curl project since
- the dawn of times and now the time has come for it to go stand on its own
- legs and continue living its own life. All details on c-ares and its new
- source code repository is found at http://c-ares.haxx.se/
-
-Daniel Stenberg (23 Mar 2010)
-- Kenny To filed the bug report #2963679 with patch to fix a problem he
- experienced with doing multi interface HTTP POST over a proxy using
- PROXYTUNNEL. He found a case where it would connect fine but bits.tcpconnect
- was not set correct so libcurl didn't work properly.
-
- (http://curl.haxx.se/bug/view.cgi?id=2963679)
-
-- Akos Pasztory filed debian bug report #572276
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572276 mentioning a problem
- with a resource that returns chunked-encoded _and_ with a Content-Length
- and libcurl failed to properly ignore the latter information.
-
-- Hauke Duden provided an example program that made the multi interface crash.
- His example simply used the multi interface and did first one FTP transfer
- and after completion it used a second easy handle and did another FTP
- transfer on the same FTP server.
-
- This triggered a bug in the "delayed easy handle kill" system that curl
- uses: when an FTP connection is left alive it must keep an easy handle
- around internally - only for the purpose of having an easy handle when it
- later disconnects it. The code assumed that when the easy handle was removed
- and an internal reference was made, that version could be killed later on
- when a new easy handle came using the same connection. This was wrong as
- Hauke's example showed that the removed handle wasn't killed for real until
- later. This caused a double close attempt => segfault.
-
-Daniel Stenberg (22 Mar 2010)
-- Thomas Lopatic fixed the alarm()-based DNS timeout:
-
- Looking at the code of Curl_resolv_timeout() in hostip.c, I think that in
- case of a timeout, the signal handler for SIGALRM never gets removed. I
- think that in my case it gets executed at some point later on when execution
- has long left Curl_resolv_timeout() or even the cURL library.
-
- The code that is jumped to with siglongjmp() simply sets the error message
- to "name lookup timed out" and then returns with CURLRESOLV_ERROR. I guess
- that instead of simply returning without cleaning up, the code should have a
- goto that jumps to the spot right after the call to Curl_resolv().
-
-Kamil Dudka (22 Mar 2010)
-- Douglas Steinwand contributed a patch fixing insufficient initialization in
- Curl_clone_ssl_config()
-
-Daniel Stenberg (21 Mar 2010)
-- Ben Greear improved TFTP: the error code returning and the treatment
- of TSIZE == 0 when uploading.
-
-- We've switched from CVS to git. See http://curl.haxx.se/source.html
-
-Kamil Dudka (19 Mar 2010)
-- Improved Curl_read() to not ignore the error returned from Curl_ssl_recv().
-
-Daniel Stenberg (15 Mar 2010)
-- Constantine Sapuntzakis brought a patch:
-
- The problem mentioned on Dec 10 2009
- (http://curl.haxx.se/bug/view.cgi?id=2905220) was only partially fixed.
- Partially because an easy handle can be associated with many connections in
- the cache (e.g. if there is a redirect during the lifetime of the easy
- handle). The previous patch only cleaned up the first one. The new fix now
- removes the easy handle from all connections, not just the first one.
-
-Daniel Stenberg (6 Mar 2010)
-- Ben Greear brought a patch that fixed the rate limiting logic for TFTP when
- the easy interface was used.
-
-Daniel Stenberg (5 Mar 2010)
-- Daniel Johnson provided fixes for building curl with the clang compiler.
-
-Yang Tse (5 Mar 2010)
-- Constantine Sapuntzakis detected and fixed a double free in builds done
- with threaded resolver enabled (Windows default configuration) that would
- get triggered when a curl handle is closed while doing DNS resolution.
-
-Daniel Stenberg (2 Mar 2010)
-- [Daniel Johnson] I've been trying to build libcurl with clang on Darwin and
- ran into some issues with the GSSAPI tests in configure.ac. The tests first
- try to determine the include dirs and libs and set CPPFLAGS and LIBS
- accordingly. It then checks for the headers and finally sets LIBS a second
- time, causing the libs to be included twice. The first setting of LIBS seems
- redundant and should be left out, since the first part is otherwise just
- about finding headers.
-
- My second issue is that 'krb5-config --libs gssapi' on Darwin is less than
- useless and returns junk that, while it happens to work with gcc, causes
- clang to choke. For example, --libs returns $CFLAGS along with the libs,
- which is really retarded. Simply setting 'LIBS="$LIBS -lgssapi_krb5
- -lresolv"' on Darwin is sufficient.
-
-- Based on patch provided by Jacob Moshenko, the transfer logic now properly
- makes sure that when using sub-second timeouts, there's no final bad 1000ms
- wait. Previously, a sub-second timeout would often make the elapsed time end
- up the time rounded up to the nearest second (e.g. 1s for 200ms timeout)
-
-- Andrei Benea filed bug report #2956698 and pointed out that the
- CURLOPT_CERTINFO feature leaked memory due to a missing OpenSSL function
- call. He provided the patch to fix it too.
-
- http://curl.haxx.se/bug/view.cgi?id=2956698
-
-- Markus Duft pointed out in bug #2961796 that even though Interix has a
- poll() function it doesn't quite work the way we want it so we must disable
- it, and he also provided a patch for it.
-
- http://curl.haxx.se/bug/view.cgi?id=2961796
-
-- Made the pingpong timeout code properly deal with the response timeout AND
- the global timeout if set. Also, as was reported in the bug report #2956437
- by Ryan Chan, the time stamp to use as basis for the per command timeout was
- not set properly in the DONE phase for FTP (and not for SMTP) so I fixed
- that just now. This was a regression compared to 7.19.7 due to the
- conversion of FTP code over to the generic pingpong concepts.
-
- http://curl.haxx.se/bug/view.cgi?id=2956437
-
-Daniel Stenberg (1 Mar 2010)
-- Ben Greear provided an update for TFTP that fixes upload.
-
-- Wesley Miaw reported bug #2958179 which identified a case of looping during
- OpenSSL based SSL handshaking even though the multi interface was used and
- there was no good reason for it.
-
- http://curl.haxx.se/bug/view.cgi?id=2958179
-
-Daniel Stenberg (26 Feb 2010)
-- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
- chunked-encoding trailer.
+- includes: avoid duplicate memory callback typdefs even harder
- http://curl.haxx.se/bug/view.cgi?id=2958474
-
-Daniel Fandrich (25 Feb 2010)
-- Fixed a couple of out of memory leaks and a segfault in the SMTP & IMAP code.
-
-Yang Tse (25 Feb 2010)
-- I fixed bug report #2958074 indicating
- (http://curl.haxx.se/bug/view.cgi?id=2958074) that curl on Windows with
- option --trace-time did not use local time when timestamping trace lines.
- This could also happen on other systems depending on time souurce.
-
-Patrick Monnerat (22 Feb 2010)
-- Proper handling of STARTTLS on SMTP, taking CURLUSESSL_TRY into account.
-- SMTP falls back to RFC821 HELO when EHLO fails (and SSL is not required).
-- Use of true local host name (i.e.: via gethostname()) when available, as
- default argument to SMTP HELO/EHLO.
-- Test case 804 for HELO fallback.
-
-Daniel Stenberg (20 Feb 2010)
-- Fixed the SMTP compliance by making sure RCPT TO addresses are specified
- properly in angle brackets. Recipients provided with CURLOPT_MAIL_RCPT now
- get angle bracket wrapping automatically by libcurl unless the recipient
- starts with an angle bracket as then the app is assumed to deal with that
- properly on its own.
-
-- I made the SMTP code expect a 250 response back from the server after the
- full DATA has been sent, and I modified the test SMTP server to also send
- that response. As usual, the DONE operation that is made after a completed
- transfer is still not doable in a non-blocking way so this waiting for 250
- is unfortunately made blockingly.
-
-Yang Tse (14 Feb 2010)
-- Overhauled test suite getpart() function. Fixing potential out of bounds
- stack and memory overwrites triggered with huge test case definitions.
-
-Daniel Stenberg (13 Feb 2010)
-- Martin Hager reported and fixed a problem with a missing quote in libcurl.m4
-
- (http://curl.haxx.se/bug/view.cgi?id=2951319)
-
-- Tom Donovan fixed the CURL_FORMAT_* defines when building with cmake.
-
- (http://curl.haxx.se/bug/view.cgi?id=2951269)
-
-Daniel Stenberg (12 Feb 2010)
-- Jack Zhang reported a problem with SMTP: we wrongly used multiple addresses
- in the same RCPT TO line, when they should be sent in separate single
- commands. I updated test case 802 to verify this.
-
-- I also fixed a bad use of my_setopt_str() of CURLOPT_MAIL_RCPT in the curl
- tool which made it try to output it as string for the --libcurl feature
- which could lead to crashes.
-
-Yang Tse (11 Feb 2010)
-- Steven M. Schweda fixed VMS builder bad behavior when used in a batch job,
- removed obsolete batch_compile.com and defines.com and updated VMS readme.
-
-Version 7.20.0 (9 February 2010)
-
-Daniel Stenberg (9 Feb 2010)
-- When downloading compressed content over HTTP and the app asked libcurl to
- automatically uncompress it with the CURLOPT_ENCODING option, libcurl could
- wrongly provide the callback with more data than the maximum documented
- amount. An application could thus get tricked into badness if the maximum
- limit was trusted to be enforced by libcurl itself (as it is documented).
-
- This is further detailed and explained in the libcurl security advisory
- 20100209 at
-
- http://curl.haxx.se/docs/adv_20100209.html
-
-Daniel Fandrich (3 Feb 2010)
-- Changed the Watcom makefiles to make them easier to keep in sync with
- Makefile.inc since that can't be included directly.
-
-Yang Tse (2 Feb 2010)
-- Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release,
- symbol will not be available when building with CURL_NO_OLDIES defined. Use
- of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0
-
-Daniel Stenberg (1 Feb 2010)
-- Using the multi_socket API, it turns out at times it seemed to "forget"
- connections (which caused a hang). It turned out to be an existing (7.19.7)
- bug in libcurl (that's been around for a long time) and it happened like
- this:
-
- The app calls curl_multi_add_handle() to add a new easy handle, libcurl will
- then set it to timeout in 1 millisecond so libcurl will tell the app about
- it.
-
- The app's timeout fires off that there's a timeout, the app calls libcurl as
- we so often document it:
-
- do {
- res = curl_multi_socket_action(... TIMEOUT ...);
- } while(CURLM_CALL_MULTI_PERFORM == res);
-
- And this is the problem number one:
-
- When curl_multi_socket_action() is called with no specific handle, but only
- a timeout-action, it will *only* perform actions within libcurl that are
- marked to run at this time. In this case, the request would go from INIT to
- CONNECT and return CURLM_CALL_MULTI_PERFORM. When the app then calls libcurl
- again, there's no timer set for this handle so it remains in the CONNECT
- state. The CONNECT state is a transitional state in libcurl so it reports no
- sockets there, and thus libcurl never tells the app anything more about that
- easy handle/connection.
-
- libcurl _does_ set a 1ms timeout for the handle at the end of
- multi_runsingle() if it returns CURLM_CALL_MULTI_PERFORM, but since the loop
- is instant the new job is not ready to run at that point (and there's no
- code that makes libcurl call the app to update the timout for this new
- timeout). It will simply rely on that some other timeout will trigger later
- on or that something else will update the timeout callback. This makes the
- bug fairly hard to repeat.
-
- The fix made to adress this issue:
-
- We introduce a loop in lib/multi.c around all calls to multi_runsingle() and
- simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added
- benefit that this goes in line with my long-term wishes to get rid of the
- CURLM_CALL_MULTI_PERFORM all together from the public API.
-
- The downside of this fix, is that the counter we return in 'running_handles'
- in several of our public functions then gets a slightly new and possibly
- confusing behavior during times:
-
- If an app adds a handle that fails to connect (very quickly) it may just
- as well never appear as a 'running_handle' with this fix. Previously it
- would first bump the counter only to get it decreased again at next call.
- Even I have used that change in handle counter to signal "end of a
- transfer". The only *good* way to find the end of a individual transfer
- is calling curl_multi_info_read() to see if it returns one.
-
- Of course, if the app previously did the looping before it checked the
- counter, it really shouldn't be any new effect.
-
-Yang Tse (26 Jan 2010)
-- Constantine Sapuntzakis' and Joshua Kwan's work done in the last four months
- relative to the asynchronous DNS lookups, along with with some integration
- adjustments I have done are finally committed to CVS.
-
- Currently these enhancements will benefit builds done using c-ares on any
- platform as well as Windows builds using the default threaded resolver.
-
- This release does not make generally available POSIX threaded DNS lookups
- yet. There is no configure option to enable this feature yet. It is possible
- to experimantally try this feature running configure with compiler flags that
- make simultaneous definition of preprocessor symbols USE_THREADS_POSIX and
- HAVE_PTHREAD_H, as well as whatever reentrancy compiler flags and linker ones
- are required to link and properly use pthread_* functions on each platform.
-
-Daniel Stenberg (26 Jan 2010)
-- Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the
- proxy that cannot be resolved when using c-ares. This matches the behaviour
- when not using c-ares.
-
-Björn Stenberg (23 Jan 2010)
-- Added a new flag: -J/--remote-header-name. This option tells the
- -O/--remote-name option to use the server-specified Content-Disposition
- filename instead of extracting a filename from the URL.
-
-Daniel Stenberg (21 Jan 2010)
-- Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new
- libcurl options for controlling what to get and how to receive posssibly
- interleaved RTP data.
-
-Daniel Stenberg (20 Jan 2010)
-- As was pointed out on the http-state mailing list, the order of cookies in a
- HTTP Cookie: header _needs_ to be sorted on the path length in the cases
- where two cookies using the same name are set more than once using
- (overlapping) paths. Realizing this, identically named cookies must be
- sorted correctly. But detecting only identically named cookies and take care
- of them individually is harder than just to blindly and unconditionally sort
- all cookies based on their path lengths. All major browsers also already do
- this, so this makes our behavior one step closer to them in the cookie area.
-
- Test case 8 was the only one that broke due to this change and I updated it
- accordingly.
-
-Daniel Stenberg (19 Jan 2010)
-- David McCreedy brought a fix and a new test case (129) to make libcurl work
- again when downloading files over FTP using ASCII and it turns out that the
- final size of the file is not the same as the initial size the server
- reported. This is very common since servers don't take the newline
- conversions into account.
-
-Kamil Dudka (14 Jan 2010)
-- Suppressed side effect of OpenSSL configure checks, which prevented NSS from
- being properly detected under certain circumstances. It had been caused by
- strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config
- distinguishes among empty and non-existent environment variable in that case.
-
-Daniel Stenberg (12 Jan 2010)
-- Gil Weber reported a peculiar flaw with the multi interface when doing SFTP
- transfers: curl_multi_fdset() would return -1 and not set and file
- descriptors several times during a transfer of a single file. It turned out
- to be due to two different flaws now fixed. Gil's excellent recipe helped me
- nail this.
-
-Daniel Stenberg (11 Jan 2010)
-- Made sure that the progress callback is repeatedly called at a regular
- interval even during very slow connects.
-
-- The tests/runtests.pl script now checks to see if the test case that runs is
- present in the tests/data/Makefile.am and outputs a notice message on the
- screen if not. Each test file has to be included in that Makefile.am to get
- included in release archives and forgetting to add files there is a common
- mistake. This is an attempt to make it harder to forget.
-
-Daniel Stenberg (9 Jan 2010)
-- Johan van Selst found and fixed a OpenSSL session ref count leak:
-
- ossl_connect_step3() increments an SSL session handle reference counter on
- each call. When sessions are re-used this reference counter may be
- incremented many times, but it will be decremented only once when done (by
- Curl_ossl_session_free()); and the internal OpenSSL data will not be freed
- if this reference count remains positive. When a session is re-used the
- reference counter should be corrected by explicitly calling
- SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid
- introducing a memory leak.
-
- (http://curl.haxx.se/bug/view.cgi?id=2926284)
-
-Daniel Stenberg (7 Jan 2010)
-- Make sure the progress callback is called repeatedly even during very slow
- name resolves when c-ares is used for resolving.
-
-Claes Jakobsson (6 Jan 2010)
-- Julien Chaffraix fixed so that the fragment part in an URL is not sent
- to the server anymore.
-
-Kamil Dudka (3 Jan 2010)
-- Julien Chaffraix eliminated a duplicated initialization in singlesocket().
-
-Daniel Stenberg (2 Jan 2010)
-- Make curl support --ssl and --ssl-reqd instead of the previous FTP-specific
- versions --ftp-ssl and --ftp-ssl-reqd as these options are now used to
- control SSL/TLS for IMAP, POP3 and SMTP as well in addition to FTP. The old
- option names are still working but the new ones are the ones listed and
- documented.
-
-Daniel Stenberg (1 Jan 2010)
-- Ingmar Runge enhanced libcurl's FTP engine to support the PRET command. This
- command is a special "hack" used by the drftpd server, but even though it is
- a custom extension I've deemed it fine to add to libcurl since this server
- seems to survive and people keep using it and want libcurl to support
- it. The new libcurl option is named CURLOPT_FTP_USE_PRET, and it is also
- usable from the curl tool with --ftp-pret. Using this option on a server
- that doesn't support this command will make libcurl fail.
-
- I added test cases 1107 and 1108 to verify the functionality.
-
- The PRET command is documented at
- http://www.drftpd.org/index.php/Distributed_PASV
-
-Yang Tse (30 Dec 2009)
-- Steven M. Schweda improved VMS build system, and Craig A. Berry helped
- with the patch and testing.
-
-Daniel Stenberg (26 Dec 2009)
-- Renato Botelho and Peter Pentchev brought a patch that makes the libcurl
- headers work correctly even on FreeBSD systems before v8.
-
- (http://curl.haxx.se/bug/view.cgi?id=2916915)
-
-Daniel Stenberg (17 Dec 2009)
-- David Byron fixed Curl_ossl_cleanup to actually call ENGINE_cleanup when
- available.
-
-- Follow-up fix for the proxy fix I did for Jon Nelson's bug. It turned out I
- was a bit too quick and broke test case 1101 with that change. The order of
- some of the setups is sensitive. I now changed it slightly again to make
- sure we do them in this order:
-
- 1 - parse URL and figure out what protocol is used in the URL
- 2 - prepend protocol:// to URL if missing
- 3 - parse name+password off URL, which needs to know what protocol is used
- (since only some allows for name+password in the URL)
- 4 - figure out if a proxy should be used set by an option
- 5 - if no proxy option, check proxy environment variables
- 6 - run the protocol-specific setup function, which needs to have the proxy
- already set
-
-Daniel Stenberg (15 Dec 2009)
-- Jon Nelson found a regression that turned out to be a flaw in how libcurl
- detects and uses proxies based on the environment variables. If the proxy
- was given as an explicit option it worked, but due to the setup order
- mistake proxies would not be used fine for a few protocols when picked up
- from '[protocol]_proxy'. Obviously this broke after 7.19.4. I now also added
- test case 1106 that verifies this functionality.
-
- (http://curl.haxx.se/bug/view.cgi?id=2913886)
-
-Daniel Stenberg (12 Dec 2009)
-- IMAP, POP3 and SMTP support and their TLS versions (including IMAPS, POP3S
- and SMTPS) are now supported. The current state may not yet be solid, but
- the foundation is in place and the test suite has some initial support for
- these protocols. Work will now persue to make them nice libcurl citizens
- until release.
-
- The work with supporting these new protocols was sponsored by
- networking4all.com - thanks!
-
-Daniel Stenberg (10 Dec 2009)
-- Siegfried Gyuricsko found out that the curl manual said --retry would retry
- on FTP errors in the transient 5xx range. Transient FTP errors are in the
- 4xx range. The code itself only tried on 5xx errors that occured _at login_.
- Now the retry code retries on all FTP transfer failures that ended with a
- 4xx response.
-
- (http://curl.haxx.se/bug/view.cgi?id=2911279)
-
-- Constantine Sapuntzakis figured out a case which would lead to libcurl
- accessing alredy freed memory and thus crash when using HTTPS (with
- OpenSSL), multi interface and the CURLOPT_DEBUGFUNCTION and a certain order
- of cleaning things up. I fixed it.
-
- (http://curl.haxx.se/bug/view.cgi?id=2905220)
-
-Daniel Stenberg (7 Dec 2009)
-- Martin Storsjo made libcurl use the Expect: 100-continue header for posts
- with unknown size. Previously it was only used for posts with a known size
- larger than 1024 bytes.
-
-Daniel Stenberg (1 Dec 2009)
-- If the Expect: 100-continue header has been set by the application through
- curl_easy_setopt with CURLOPT_HTTPHEADER, the library should set
- data->state.expect100header accordingly - the current code (in 7.19.7 at
- least) doesn't handle this properly. Martin Storsjo provided the fix!
-
-Yang Tse (28 Nov 2009)
-- Added Diffie-Hellman parameters to several test harness certificate files in
- PEM format. Required by several stunnel versions used by our test harness.
-
-Daniel Stenberg (28 Nov 2009)
-- Markus Koetter provided a polished and updated version of Chad Monroe's TFTP
- rework patch that now integrates TFTP properly into libcurl so that it can
- be used non-blocking with the multi interface and more. BLKSIZE also works.
-
- The --tftp-blksize option was added to allow setting the TFTP BLKSIZE from
- the command line.
-
-Daniel Stenberg (26 Nov 2009)
-- Extended and fixed the change I did on Dec 11 for the the progress
- meter/callback during FTP command/response sequences. It turned out it was
- really lame before and now the progress meter SHOULD get called at least
- once per second.
-
-Daniel Stenberg (23 Nov 2009)
-- Bjorn Augustsson reported a bug which made curl not report any problems even
- though it failed to write a very small download to disk (done in a single
- fwrite call). It turned out to be because fwrite() returned success, but
- there was insufficient error-checking for the fclose() call which tricked
- curl to believe things were fine.
-
-Yang Tse (23 Nov 2009)
-- David Byron modified Makefile.dist vc8 and vc9 targets in order to allow
- finer granularity control when generating src and lib makefiles.
-
-Yang Tse (22 Nov 2009)
-- I modified configure to force removal of the curlbuild.h file included in
- distribution tarballs for use by non-configure systems. As intended, this
- would get overwriten when doing in-tree builds. But VPATH builds would end
- having two curlbuild.h files, one in the source tree and another in the
- build tree. With the modification I introduced 5 Nov 2009 this could become
- an issue when running libcurl's test suite.
-
-Daniel Stenberg (20 Nov 2009)
-- Constantine Sapuntzakis identified a write after close, as the sockets were
- closed by libcurl before the SSL lib were shutdown and they may write to its
- socket. Detected to at least happen with OpenSSL builds.
-
-- Jad Chamcham pointed out a bug with connection re-use. If a connection had
- CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the
- same proxy with the tunnel option disabled would still wrongly re-use that
- previous connection and the outcome would only be badness.
-
-Yang Tse (18 Nov 2009)
-- I modified the memory tracking system to make it intolerant with zero sized
- malloc(), calloc() and realloc() function calls.
-
-Daniel Stenberg (17 Nov 2009)
-- Constantine Sapuntzakis provided another fix for the DNS cache that could
- end up with entries that wouldn't time-out:
-
- 1. Set up a first web server that redirects (307) to a http://server:port
- that's down
- 2. Have curl connect to the first web server using curl multi
-
- After the curl_easy_cleanup call, there will be curl dns entries hanging
- around with in_use != 0.
-
- (http://curl.haxx.se/bug/view.cgi?id=2891591)
-
-- Marc Kleine-Budde fixed: curl saved the LDFLAGS set during configure into
- its pkg-config file. So -Wl stuff ended up in the .pc file, which is really
- bad, and breaks if there are multiple -Wl in our LDFLAGS (which are in
- PTXdist). bug #2893592 (http://curl.haxx.se/bug/view.cgi?id=2893592)
-
-Kamil Dudka (15 Nov 2009)
-- David Byron improved the configure script to use pkg-config to find OpenSSL
- (and in particular the list of required libraries) even if a path is given
- as argument to --with-ssl
-
-Yang Tse (15 Nov 2009)
-- I removed enable-thread / disable-thread configure option. These were only
- placebo options. The library is always built as thread safe as possible on
- every system.
-
-Claes Jakobsson (14 Nov 2009)
-- curl-config now accepts '--configure' to see what arguments was
- passed to the configure script when building curl.
-
-Daniel Stenberg (14 Nov 2009)
-- Claes Jakobsson restored the configure functionality to detect NSS when
- --with-nss is set but not "yes".
-
- I think we can still improve that to check for pkg-config in that path etc,
- but at least this patch brings back the same functionality we had before.
-
-- Camille Moncelier added support for the file type SSL_FILETYPE_ENGINE for
- the client certificate. It also disable the key name test as some engines
- can select a private key/cert automatically (When there is only one key
- and/or certificate on the hardware device used by the engine)
-
-Yang Tse (14 Nov 2009)
-- Constantine Sapuntzakis provided the fix that ensures that an SSL connection
- won't be reused unless protection level for peer and host verification match.
-
- I refactored how preprocessor symbol _THREAD_SAFE definition is done.
-
-Kamil Dudka (12 Nov 2009)
-- Kevin Baughman provided a fix preventing libcurl-NSS from crash on doubly
- closed NSPR descriptor. The issue was hard to find, reported several times
- before and always closed unresolved. More info at the RH bug:
- https://bugzilla.redhat.com/534176
-
-- libcurl-NSS now tries to reconnect with TLS disabled in case it detects
- a broken TLS server. However it does not happen if SSL version is selected
- manually. The approach was originally taken from PSM. Kaspar Brand helped me
- to complete the patch. Original bug reports:
- https://bugzilla.redhat.com/525496
- https://bugzilla.redhat.com/527771
-
-Yang Tse (12 Nov 2009)
-- I modified configure script to make the getaddrinfo function check also
- verify if the function is thread safe.
-
-Yang Tse (11 Nov 2009)
-- Marco Maggi reported that compilation failed when configured --with-gssapi
- and GNU GSS installed due to a missing mutual exclusion of header files in
- the Kerberos 5 code path. He also verified that my patch worked for him.
-
-Daniel Stenberg (11 Nov 2009)
-- Constantine Sapuntzakis posted bug #2891595
- (http://curl.haxx.se/bug/view.cgi?id=2891595) which identified how an entry
- in the DNS cache would linger too long if the request that added it was in
- use that long. He also provided the patch that now makes libcurl capable of
- still doing a request while the DNS hash entry may get timed out.
-
-- Christian Schmitz noticed that the progress meter/callback was not properly
- used during the FTP connection phase (after the actual TCP connect), while
- it of course should be. I also made the speed check get called correctly so
- that really slow servers will trigger that properly too.
-
-Kamil Dudka (5 Nov 2009)
-- Dropped misleading timeouts in libcurl-NSS and made sure the SSL socket works
- in non-blocking mode.
-
-Yang Tse (5 Nov 2009)
-- I removed leading 'curl' path on the 'curlbuild.h' include statement in
- curl.h, adjusting auto-makefiles include path, to enhance portability to
- OS's without an orthogonal directory tree structure such as OS/400.
-
-Daniel Stenberg (4 Nov 2009)
-- I fixed several problems with the transfer progress meter. It showed the
- wrong percentage for small files, most notable for <1000 bytes and could
- easily end up showing more than 100% at the end. It also didn't show any
- percentage, transfer size or estimated transfer times when transferring
- less than 100 bytes.
-
-Version 7.19.7 (4 November 2009)
-
-Daniel Stenberg (2 Nov 2009)
-- As reported independent by both Stan van de Burgt and Didier Brisebourg,
- CURLINFO_SIZE_DOWNLOAD (the -w variable size_download) didn't work when
- getting data from ldap!
-
-Daniel Stenberg (31 Oct 2009)
-- Gabriel Kuri reported a problem with CURLINFO_CONTENT_LENGTH_DOWNLOAD if the
- download was 0 bytes, as libcurl would then return the size as unknown (-1)
- and not 0. I wrote a fix and test case 566 to verify it.
-
-Daniel Stenberg (30 Oct 2009)
-- Liza Alenchery mentioned a problem with re-used SCP connection when a bad
- auth is used, as it caused a crash. I failed to repeat the issue, but still
- made a change that now forces the TCP connection used for a freed SCP
- session to get closed and not be re-used.
-
-- "Tom" posted a bug report that mentioned how libcurl did wrong when doing a
- POST using a read callback, with Digest authentication and
- "Transfer-Encoding: chunked" enforced. I would then cause the first request
- to be wrongly sent and then basically hang until the server closed the
- connection. I fixed the problem and added test case 565 to verify it.
-
-Daniel Stenberg (25 Oct 2009)
-- Dima Barsky made the curl cookie parser accept cookies even with blank or
- unparsable expiry dates and then treat them as session cookies - previously
- libcurl would reject cookies with a date format it couldn't parse. Research
- shows that the major browser treat such cookies as session cookies. I
- modified test 8 and 31 to verify this.
-
-Daniel Stenberg (21 Oct 2009)
-- Attempt to use pkg-config for finding out libssh2 installation details
- during configure.
-
-- A patch in bug report #2883177 (http://curl.haxx.se/bug/view.cgi?id=2883177)
- by Johan van Selst introduced the --crlfile option to curl, which makes curl
- tell libcurl about a file with CRL (certificate revocation list) data to
- read.
-
-Daniel Stenberg (18 Oct 2009)
-- Ray Dassen provided a patch in Debian's bug tracker (bug number #551461)
- that now makes curl_getdate(3) actually handles RFC 822 formatted dates that
- use the "single letter military timezones".
- http://www.rfc-ref.org/RFC-TEXTS/822/chapter5.html has the details.
-
-- Fixed memory leak in the SCP/SFTP code as it never freed the knownhosts
- data!
-
-- John Dennis filed bug report #2873666
- (http://curl.haxx.se/bug/view.cgi?id=2873666) which identified a problem
- which made libcurl loop infinitely when given incorrect credentials when
- using HTTP GSS negotiate authentication. He also provided a small and simple
- patch for it.
-
-- Kevin Baughman found a double close() problem with libcurl-NSS, as when
- libcurl called NSS to close the SSL "session" it also closed the actual
- socket.
-
-Yang Tse (17 Oct 2009)
-- Bug report #2866724 indicated
- (http://curl.haxx.se/bug/view.cgi?id=2866724) that curl on Windows failed
- when writing files whose file names originally contained characters which
- are not valid for file names on Windows. Dan Fandrich provided an initial
- patch and another revised one to fix this issue.
-
-Daniel Stenberg (1 Oct 2009)
-- Tom Mueller correctly reported in bug report #2870221
- (http://curl.haxx.se/bug/view.cgi?id=2870221) that libcurl returned an
- incorrect return code from the internal trynextip() function which caused
- him grief. This is a regression that was introduced in 7.19.1 and I find it
- strange it hasn't hit us harder, but I won't persue into figuring out
- exactly why.
-
-- Constantine Sapuntzakis: The current implementation will always set
- SO_SNDBUF to CURL_WRITE_SIZE even if the SO_SNDBUF starts out larger. The
- patch doesn't do a setsockopt if SO_SNDBUF is already greater than
- CURL_WRITE_SIZE. This should help folks who have set up their computer with
- large send buffers.
-
-Daniel Stenberg (27 Sep 2009)
-- I introduced a maximum limit for received HTTP headers. It is controlled by
- the define CURL_MAX_HTTP_HEADER which is even exposed in the public header
- file to allow for users to fairly easy rebuild libcurl with a modified
- limit. The rationale for a fixed limit is that libcurl is realloc()ing a
- buffer to be able to put a full header into it, so that it can call the
- header callback with the entire header, but that also risk getting it into
- trouble if a server by mistake or willingly sends a header that is more or
- less without an end. The limit is set to 100K.
-
-Daniel Stenberg (26 Sep 2009)
-- John P. McCaskey posted a bug report that showed how libcurl did wrong when
- saving received cookies with no given path, if the path in the request had a
- query part. That is means a question mark (?) and characters on the right
- side of that. I wrote test case 1105 and fixed this problem.
-
-Kamil Dudka (26 Sep 2009)
-- Implemented a protocol independent way to specify blocking direction, used by
- transfer.c for blocking. It is currently used only by SCP and SFTP protocols.
- This enhancement resolves an issue with 100% CPU usage during SFTP upload,
- reported by Vourhey.
-
-Daniel Stenberg (25 Sep 2009)
-- Chris Mumford filed bug report #2861587
- (http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used
- the OpenSSL function X509_load_crl_file() wrongly and failed if it would
- load a CRL file with more than one certificate within. This is now fixed.
-
-Daniel Stenberg (16 Sep 2009)
-- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
- powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
- field in the certficate it had to match and so even if non-DNS and non-IP
- entry was present it caused the verification to fail.
-
-Daniel Fandrich (15 Sep 2009)
-- Moved the libssh2 checks after the SSL library checks. This helps when
- statically linking since libssh2 needs the SSL library link flags to be
- set up already to satisfy its dependencies. This wouldn't be necessary if
- the libssh2 configure check was changed to use pkg-config since the
- --static flag would add the dependencies automatically.
-
-Yang Tse (14 Sep 2009)
-- Revert Joshua Kwan's patch committed 11 Sep 2009.
-
- Some systems poll function sets POLLHUP in revents without setting
- POLLIN, and sets POLLERR without setting POLLIN and POLLOUT. In some
- libcurl code execution paths this could trigger busy wait loops with
- high CPU usage until a timeout condition aborted the loop.
-
- The reverted patch addressed the above issue for a very specific case,
- when awaiting c-ares to resolve. A libcurl-wide fix for Curl_poll now
- superceeds this one.
-
-Guenter Knauf (11 Sep 2009)
-- Joshua Kwan provided a patch to pass POLLERR / POLLHUP back to c-ares.
- This fixes a loop problem with high CPU usage.
-
-Daniel Stenberg (10 Sep 2009)
-- Claes Jakobsson fixed a problem with cookie expiry dates at exctly the epoch
- start second "Thu Jan 1 00:00:00 GMT 1970" as the date parser then returns 0
- which internally then is treated as a session cookie. That particular date
- is now made to get the value of 1.
-
-Daniel Stenberg (2 Sep 2009)
-- Daniel Johnson found a flaw in the code converting sftp-errors to libcurl
- errors.
-
-Daniel Stenberg (1 Sep 2009)
-- Peter Sylvester made a debug feature for Curl_resolv() that now will force
- libcurl to resolve 'localhost' whatever name you use in the URL *if* you set
- the --interface option to (exactly) "LocalHost". This will enable us to
- write tests for custom hosts names but still use a local host server.
-
-- configure now tries to use pkg-config for a number of sub-dependencies even
- when cross-compiling. The key to success is then you properly setup
- PKG_CONFIG_PATH before invoking configure.
-
- I also improved how NSS is detected by trying nss-config if pkg-config isn't
- present, and as a last resort just use the lib name and force the user to
- setup the LIBS/LDFLAGS/CFLAGS etc properly. The previous last resort would
- add a range of various libs that would almost never be quite correct.
-
-Daniel Stenberg (31 Aug 2009)
-- When using the multi interface with FTP and you asked for NOBODY, you did no
- QUOTE commands and the request used the same path as the connection had
- already changed to, it would decide that no commands would be necessary for
- the "DO" action and that was not handled properly but libcurl would instead
- hang.
-
-Kamil Dudka (28 Aug 2009)
-- Improved error message for not matching certificate subject name in
- libcurl-NSS. Originally reported at:
- https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
-
-Patrick Monnerat (24 Aug 2009)
-- Introduced a SYST-based test to properly set-up name format when dealing
- with the OS/400 FTP server.
-
-- Fixed an ftp_readresp() bug preventing detection of failing control socket
- and causing FTP client to loop forever.
-
-Daniel Stenberg (24 Aug 2009)
-- Marc de Bruin pointed out that configure --with-gnutls=PATH didn't work
- properly and provided a fix. http://curl.haxx.se/bug/view.cgi?id=2843008
-
-- Eric Wong introduced support for the new option -T. (dot) that makes curl
- read stdin in a non-blocking fashion. This also brings back -T- (minus) to
- the previous blocking behavior since it could break stuff for people at
- times.
-
-Michal Marek (21 Aug 2009)
-- With CURLOPT_PROXY_TRANSFER_MODE, avoid sending invalid URLs like
- ftp://example.com;type=i if the user specified ftp://example.com without the
- slash.
-
-Daniel Stenberg (21 Aug 2009)
-- Andre Guibert de Bruet pointed out a missing return code check for a
- strdup() that could lead to segfault if it returned NULL. I extended his
- suggest patch to now have Curl_retry_request() return a regular return code
- and better check that.
-
-- Lots of good work by Krister Johansen, mostly related to pipelining:
-
- Fix SIGSEGV on free'd easy_conn when pipe unexpectedly breaks
- Fix data corruption issue with re-connected transfers
- Fix use after free if we're completed but easy_conn not NULL
-
-Kamil Dudka (13 Aug 2009)
-- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
- verbose error messages. Originally reported at:
- https://bugzilla.redhat.com/show_bug.cgi?id=516056
-
-Daniel Stenberg (12 Aug 2009)
-- Karl Moerder fixed the Makefile.vc* makefiles to include the new file
- nonblock.c so that they work fine again
-
-- I expanded test 517 with a bunch of more dates that originate from the
- Chrome browser test suite. It turns out most of them get parsed the same
- way.
+- checksrc/makefile.am: use $top_srcdir to find source files
+
+ ... to properly support out of source tree builds.
+
+- RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5
+
+- opts: fix option references missing (section)
+
+- [Michael Kaufmann brought this change]
+
+ news: CURLOPT_CONNECT_TO and --connect-to
+
+ Makes curl connect to the given host+port instead of the host+port found
+ in the URL.
+
+- makefile.vc6: use d suffix on debug object
+
+ To allow both release and debug builds in parallel.
+
+ Reported-by: Rod Widdowson
+
+ Fixes #769
-Version 7.19.6 (12 August 2009)
-
-Daniel Stenberg (12 Aug 2009)
-- Carsten Lange reported a bug and provided a patch for TFTP upload and the
- sending of the TSIZE option. I don't like fixing bugs just hours before
- a release, but since it was broken and the patch fixes this for him I decided
- to get it in anyway.
-
-Daniel Stenberg (11 Aug 2009)
-- Peter Sylvester made the HTTPS test server use specific certificates for
- each test, so that the test suite can now be used to actually test the
- verification of cert names etc. This made an error show up in the OpenSSL-
- specific code where it would attempt to match the CN field even if a
- subjectAltName exists that doesn't match. This is now fixed and verified
- in test 311.
-
-- Benbuck Nason posted the bug report #2835196
- (http://curl.haxx.se/bug/view.cgi?id=2835196), fixing a few compiler
- warnings when mixing ints and bools.
-
-Daniel Fandrich (10 Aug 2009)
-- Fixed a memory leak in the FTP code and an off-by-one heap buffer overflow.
-
-Daniel Fandrich (9 Aug 2009)
-- Fixed some memory leaks in the command-line tool that caused most of the
- torture tests to fail.
-
-Daniel Stenberg (2 Aug 2009)
-- Curt Bogmine reported a problem with SNI enabled on a particular server. We
- should introduce an option to disable SNI, but as we're in feature freeze
- now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
- shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
- Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
- option for SNI, or are we simply not using it?
-
-Daniel Stenberg (1 Aug 2009)
-- Scott Cantor posted the bug report #2829955
- (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
- verification flaw found and exploited by Moxie Marlinspike. The presentation
- he did at Black Hat is available here:
- https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
-
- Apparently at least one CA allowed a subjectAltName or CN that contain a
- zero byte, and thus clients that assumed they would never have zero bytes
- were exploited to OK a certificate that didn't actually match the site. Like
- if the name in the cert was "example.com\0theatualsite.com", libcurl would
- happily verify that cert for example.com.
-
- libcurl now better uses the length of the extracted name, not using the zero
- termination for getting the string length.
-
- This fixing only made and needed in OpenSSL interfacing code.
-
-- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (present
- only in some OpenSSL installs - like on Windows) isn't thread-safe and we
- agreed that moving it to the global_init() function is a decent way to deal
- with this situation.
-
-- Alexander Beedie provided the patch for a noproxy problem: If I have set
- CURLOPT_NOPROXY to "*", or to a host that should not use a proxy, I actually
- could still end up using a proxy if a proxy environment variable was set.
-
-Daniel Stenberg (27 Jul 2009)
-- All the quote options (CURLOPT_QUOTE, CURLOPT_POSTQUOTE and
- CURLOPT_PREQUOTE) now accept a preceeding asterisk before the command to
- send when using FTP, as a sign that libcurl shall simply ignore the response
- from the server instead of treating it as an error. Not treating a 400+ FTP
- response code as an error means that failed commands will not abort the
- chain of commands, nor will they cause the connection to get disconnected.
-
-Daniel Stenberg (26 Jul 2009)
-- Johan van Selst posted bug report #2825989
- (http://curl.haxx.se/bug/view.cgi?id=2825989) pointing out that
- OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm, and
- provided the solution too: to use OpenSSL_add_all_algorithms() in addition
- to the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in
- OpenSSL 0.9.5
-
-Daniel Stenberg (23 Jul 2009)
-- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA.
- They introduce known_host support for SSH keys to libcurl. See docs for
- details. Note that this feature depends on a new enough libssh2 version, to
- be supported in libssh2 1.2 and later (or current git repo at this time).
-
-Michal Marek (22 Jul 2009)
-- David Binderman found a memory and fd leak in lib/gtls.c:load_file()
- (https://bugzilla.novell.com/523919). When looking at the code, I found that
- also the ptr pointer can leak.
-
-Kamil Dudka (20 Jul 2009)
-- Claes Jakobsson improved the support for client certificates handling in
- NSS-powered libcurl. Now the client certificates can be selected
- automatically by a NSS built-in hook. Additionally pre-login to all PKCS11
- slots is no more performed. It used to cause problems with HW tokens.
-
-- Fixed reference counting for NSS client certificates. Now the PEM reader
- module should be always properly unloaded on Curl_nss_cleanup(). If the
- unload fails though, libcurl will try to reuse the already loaded instance.
-
-Daniel Fandrich (15 Jul 2009)
-- Added nonblock.c to the non-automake makefiles (note that the dependencies
- in the Watcom makefiles aren't quite correct).
-
-Michal Marek (15 Jul 2009)
-- Changed the description of CURLINFO_OS_ERRNO to make it clear that the
- errno is not reset on success.
-
-Guenter Knauf (14 Jul 2009)
-- renamed generated config.h to curl_config.h to avoid any future clashes
- with config.h from other projects.
-
-Daniel Stenberg (9 Jul 2009)
-- Eric Wong introduced curlx_nonblock() that the curl tool now (re-)uses for
- setting a file descriptor non-blocking. Used by the functionality Eric
- himself brough on June 15th.
-
-Daniel Stenberg (8 Jul 2009)
-- Constantine Sapuntzakis posted bug report #2813123
- (http://curl.haxx.se/bug/view.cgi?id=2813123) and an a patch that fixes the
- problem:
-
- Url A is accessed using auth. Url A redirects to Url B (on a different
- server0. Url B reuses a persistent connection. Url B has auth, even though
- it's on a different server.
-
- Note: if Url B does not reuse a persistent connection, auth is not sent.
-
- reason:
-
- data->state.first_host is not initialized becuase Curl_http_connect is not
- called when a connection is reused.
-
- Solution:
-
- move initialization of data->state.first_host to Curl_http. No code before
- Curl_http uses data->state.first_host anyway.
-
-Guenter Knauf (4 Jul 2009)
-- Markus Koetter provided a patch to avoid getnameinfo() usage which broke a
- couple of both IPv4 and IPv6 autobuilds.
-
-Daniel Stenberg (29 Jun 2009)
-- Markus Koetter made CURLOPT_FTPPORT (and curl's -P/--ftpport) support a port
- range if given colon-separated after the host name/address part. Like
- "192.168.0.1:2000-10000"
-
-- Modified the separators used for CURLOPT_CERTINFO in multi-part outputs. I
- don't know how they got wrong in the first place, but using this output
- format makes it possible to quite easily separate the string into an array
- of multiple items.
-
-Daniel Fandrich (16 June 2009)
-- Added a few more compiler warning options for gcc.
-
-Daniel Stenberg (16 Jun 2009)
-- Reuven Wachtfogel made curl -o - properly produce a binary output on windows
- (no newline translations). Use -B/--use-ascii if you rather get the ascii
- approach.
-
-Michal Marek (16 Jun 2009)
-- When doing non-anonymous ftp via http proxies and the password is not
- provided in the url, add it there (squid needs this).
-
-Daniel Stenberg (15 Jun 2009)
-- Eric Wong's patch:
-
- This allows curl(1) to be used as a client-side tunnel for arbitrary stream
- protocols by abusing chunked transfer encoding in both the HTTP request and
- HTTP response. This requires server support for sending a response while a
- request is still being read, of course.
-
- If attempting to read from stdin returns EAGAIN, then we pause our sender.
- This leaves curl to attempt to read from the socket while reading from stdin
- (and thus sending) is paused.
-
- This change was needed to allow successfully tunneling the git protocol over
- HTTP (--no-buffer is needed, as well).
-
-Patrick Monnerat (15 Jun 2009)
-- Replaced use of standard C library rand()/srand() by our own pseudo-random
- number generator.
-
-Yang Tse (11 Jun 2009)
-- I adapted testcurl script to allow building test harness programs when
- cross-compiling for a *-*-mingw* host.
-
-Daniel Stenberg (10 Jun 2009)
-- Fabian Keil ran clang on the (lib)curl code, found a bunch of warnings and
- contributed a range of patches to fix them.
-
-Yang Tse (10 Jun 2009)
-- I introduced configure script option --enable-curldebug which now allows
- the decoupled enabling or disabling of the curl debug memory tracking
- feature from the --enable-debug option which no longer controls this.
-
- curl --version will list 'Debug' feature for debug enabled builds, and
- will list 'TrackMemory' feature for curl debug memory tracking capable
- builds. These features are independent and can be controlled when running
- the configure script. When --enable-debug is given both features will be
- enabled, unless some restriction prevents memory tracking from being used.
-
- Internally, definition of preprocessor symbol DEBUGBUILD restricts code
- which is only compiled for debug enabled builds. And symbol CURLDEBUG is
- used to differentiate code which is _only_ used for memory tracking.
-
-Yang Tse (9 Jun 2009)
-- Daniel Steinberg pointed out that Curl_FormInit() in formdata.c was not
- initializing the fread callback pointer and this triggered a compiler
- warning, also provided a friendly suggestion on how to fix it.
-
-Daniel Stenberg (8 Jun 2009)
-- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
- issue with client certs that caused issues like segfaults.
- http://curl.haxx.se/mail/lib-2009-05/0316.html
-
-- Triggered by bug report #2798852 and the patch in there, I fixed configure
- to detect gnutls build options with pkg-config only and not libgnutls-config
- anymore since GnuTLS has stopped distributing that tool. If an explicit path
- is given to configure, we will instead guess on how to link and use that
- lib. I did not use the patch from the bug report.
-
-Yang Tse (8 Jun 2009)
-- Igor Novoseltsev adjusted Makefile.vxworks to get sources and headers
- included from Makefile.inc, and provided docs\INSTALL VxWorks section.
-
-- I removed buildconf.bat from release and daily snapshot archives. This
- file is only for CVS tree checkout builds.
-
-Daniel Stenberg (8 Jun 2009)
-- Eric Wong fixed --no-buffer to actually switch off output buffering. Been
- broken since 7.19.0
-
-Bill Hoffman (6 Jun 2009)
-- Added some cmake docs and fixed socklen_t in the build.
-
-Yang Tse (5 Jun 2009)
-- John E. Malmberg provided VMS specific patch: "This fixes an existing bug
- in urlglob.c where it was not converting the Curl Unix exit code to a VMS
- DCL compatible exit code. This fix required the enhancement described next.
- This also adds an enhancement to main.c so that when curl is run under a
- Unix shell like Bash on VMS, it will return the standard Unix exit codes
- and messages." And another patch for docs/examples.
-
- I introduced os-specific.c and os-specific.h for use in curl tool code
- and adjusted John E. Malmberg's patch placement to use these new files
- as an effort to prevent main.c from growing ad infinitum. Code already
- existing in main.c which is OS specific should be moved into these files.
-
-Daniel Stenberg (4 June 2009)
-- Setting the Content-Length: header from your app when you do a POST or PUT
- is almost always a VERY BAD IDEA. Yet there are still apps out there doing
- this, and now recently it triggered a bug/side-effect in libcurl as when
- libcurl sends a POST or PUT with NTLM, it sends an empty post first when it
- knows it will just get a 401/407 back. If the app then replaced the
- Content-Length header, it caused the server to wait for input that libcurl
- wouldn't send. Aaron Oneal reported this problem in bug report #2799008
- (http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
-
-Yang Tse (4 Jun 2009)
-- Igor Novoseltsev provided patches and information, that after some
- adjustments to better fit curl's way of doing things, have resulted
- in the posibility of building libcurl for VxWorks.
-
-Daniel Fandrich (2 June 2009)
-- Checked in a Google Android make file. To use it, you must first
- create a config.h file by running configure in the Android environment,
- which doesn't seem to be easy to do. If no easy way can be found, a
- static config-android.h may need to be created and checked in to the
- libcurl source tree.
-
-Daniel Stenberg (1 June 2009)
-- Claes Jakobsson fixed the configure script to better find and use NSS
- without pkg-config.
-
-Yang Tse (1 Jun 2009)
-- John E. Malmberg provided a VMS specific clean-up for curl.h, and pointed
- out that the configure script was failing to detect the timeval struct on
- VMS when building with _XOPEN_SOURCE_EXTENDED undefined due to definition
- taking place in socket.h instead of time.h. I have adjusted configure
- script to also include this header when checking struct timeval.
-
-Daniel Stenberg (27 May 2009)
-- Frank McGeough provided a small OpenSSL #include fix to make libcurl compile
- fine with Nokia 5th edition 1.0 SDK for Symbian.
-
-- Andre Guibert de Bruet found a call to a OpenSSL function that didn't check
- for a failure properly.
-
-- Mike Crowe pointed out that setting CURLOPT_USERPWD to NULL used to clear
- the auth credentials back in 7.19.0 and earlier while now you have to set ""
- to get the same effect. His patch brings back the ability to use NULL.
-
-- Claes Jakobsson fixed libcurl-NSS to build fine even without the
- PK11_CreateGenericObject() function.
-
-Daniel Stenberg (25 May 2009)
-- bug report #2796358 (http://curl.haxx.se/bug/view.cgi?id=2796358) pointed
- out that the cookie parser would leak memory when it parses cookies that are
- received with domain, path etc set multiple times in the same header. While
- such a cookie is questionable, they occur in the wild and libcurl no longer
- leaks memory for them. I added such a header to test case 8.
-
-Daniel Fandrich (22 May 2009)
-- Removed some obsolete digest code that caused a valgrind error in test 551.
-
-Daniel Fandrich (20 May 2009)
-- Added "non-existing host" test keywords to make it easy to skip those
- tests on machines that have broken DNS configurations (such as
- those configured to use OpenDNS).
-
-Daniel Stenberg (19 May 2009)
-- Kamil Dudka brought the patch from the Redhat bug entry
- https://bugzilla.redhat.com/show_bug.cgi?id=427966 which was libcurl closing
- a bad file descriptor when closing down the FTP data connection. Caolan
- McNamara seems to be the original author of it.
-
-Version 7.19.5 (18 May 2009)
-
-Daniel Stenberg (17 May 2009)
-- James Bursa posted a patch to the mailing list that fixed a problem with
- no_proxy which made it not skip the proxy if the URL entered contained a
- user name. I added test case 1101 to verify.
-
-Daniel Stenberg (11 May 2009)
-- Balint Szilakszi reported a memory leak when libcurl did gzip decompression
- of streams that had some parts (legitimately) missing. We now provide and use
- a proper cleanup function for the content encoding submodule.
- http://curl.haxx.se/mail/lib-2009-05/0092.html
-
-- Kamil Dudka provided a fix for libcurl-NSS reported by Michael Cronenworth
- at https://bugzilla.redhat.com/show_bug.cgi?id=453612#c12
-
- If an incorrect password is given while loading a private key, libcurl ends
- up in an infinite loop consuming memory. The bug is critical.
-
-- I fixed the problem with doing NTLM, POST and then following a 302 redirect,
- as reported by Ebenezer Ikonne (on curl-users) and Laurent Rabret (on
- curl-library). The transfer was mistakenly marked to get more data to send
- but since it didn't actually have that, it just hung there...
-
-Daniel Stenberg (10 May 2009)
-- Andre Guibert de Bruet correctly pointed out an over-alloc with one wasted
- byte in the digest code.
-
-Yang Tse (9 May 2009)
-- Removed DOS and TPF package's subdirectory Makefile.am, it was only used
- to include some files in the distribution tarball serving no other purpose.
- Files from the DOS and TPF subdirectories are now included in the EXTRA_DIST
- of the Makefile in the parent subdirectory.
-
-Yang Tse (8 May 2009)
-- Changed host name literal in several tests to one under the haxx.se domain.
-
-- Renamed vc6 workspace and project files to avoid filename clash when used
- for conversion to later VS versions.
-
-Daniel Stenberg (8 May 2009)
-- Constantine Sapuntzakis fixed bug report #2784055
- (http://curl.haxx.se/bug/view.cgi?id=2784055) identifying a problem to
- connect to SOCKS proxies when using the multi interface. It turned out to
- almost not work at all previously. We need to wait for the TCP connect to
- be properly verified before doing the SOCKS magic.
-
- There's still a flaw in the FTP code for this.
-
-Daniel Stenberg (7 May 2009)
-- Made the SO_SNDBUF setting for the data connection socket for ftp uploads as
- well. See change 28 Apr 2009.
-
-Yang Tse (7 May 2009)
-- Fixed an issue affecting FTP transfers, introduced with the transfer.c
- patch committed May 4.
-
-Daniel Stenberg (7 May 2009)
-- Man page *roff problems fixed thanks to input from Colin Watson. Problems
- reported in the Debian package.
-
-- Vijay G filed bug report #2723236
- (http://curl.haxx.se/bug/view.cgi?id=2723236) identifying a problem with
- libcurl's TFTP code and its lack of dealing with the OACK packet.
-
-Yang Tse (5 May 2009)
-- Fixed the --ftp-port address of test #251 to the CLIENTIP address, and
- reverted the change affecting test suite harness committed 4 May.
-
-Daniel Stenberg (5 May 2009)
-- Inspired by Michael Smith's session id fix for OpenSSL, I did the
- corresponding fix in the GnuTLS code: make sure to store the new session id
- in case the previous re-used one is rejected.
-
-Daniel Stenberg (4 May 2009)
-- Michael Smith posted bug report #2786255
- (http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how
- libcurl did not deal with SSL session ids properly if the server rejected a
- re-use of one. Starting now, it will forget the rejected one and remember
- the new. This change was for OpenSSL only, it is likely that other SSL lib
- code needs similar fixes.
-
-Yang Tse (4 May 2009)
-- Applied David McCreedy's "transfer.c fixes for CURL_DO_LINEEND_CONV and
- non-ASCII platform HTTP requests" patch addressing two HTTP PUT problems:
- 1) On non-ASCII platforms not all of the protocol portions of the PUT are
- being translated to ASCII. 2) On all platforms the line endings of part of
- the protocol portions are mangled from CRLF to CRCRLF if data->set.crlf or
- data->set.prefer_ascii are set (depending on CURL_DO_LINEEND_CONV).
-
-- Applied David McCreedy's patch to fix test suite harness to allow test FTP
- server and client on different machines, providing FTP client address when
- running the FTP test server.
-
-Daniel Fandrich (3 May 2009)
-- Added and disabled test case 563 which shows KNOWN_BUGS #59. The bug
- report failed to mention that a proxy must be used to reproduce it.
-
-Yang Tse (2 May 2009)
-- Use a build-time configured curl_socklen_t data type instead of socklen_t.
-
-Yang Tse (1 May 2009)
-- Applied David McCreedy's patches "TPF-platform specific changes to various
- files" and "http.c fix to Curl_proxyCONNECT for non-ASCII platforms", the
- former with minor edits.
-
-Daniel Stenberg (30 Apr 2009)
-- I was going to fix issue #59 in KNOWN_BUGS
-
- If the CURLOPT_PORT option is used on an FTP URL like
- "ftp://example.com/file;type=A" the ";type=A" is stripped off.
-
- I added test case 562 to verify, only to find out that I couldn't repeat
- this bug so I hereby consider it not a bug anymore!
-
-Daniel Stenberg (29 Apr 2009)
-- Based on bug report #2723219 (http://curl.haxx.se/bug/view.cgi?id=2723219)
- I've now made TFTP "connections" not being kept for re-use within libcurl.
- TFTP is UDP-based so the benefit was really low (if even existing) to begin
- with so instead of tracking down to fix this problem we instead removed the
- re-use. I also enabled test case 1099 that I wrote a few days ago to verify
- that this change fixes the reported problem.
-
-Daniel Stenberg (28 Apr 2009)
-- Constantine Sapuntzakis filed bug report #2783090
- (http://curl.haxx.se/bug/view.cgi?id=2783090) pointing out that on windows
- we need to grow the SO_SNDBUF buffer somewhat to get really good upload
- speeds. http://support.microsoft.com/kb/823764 has the details. Friends
- confirmed that simply adding 32 to CURL_MAX_WRITE_SIZE is enough.
-
-- Bug report #2709004 (http://curl.haxx.se/bug/view.cgi?id=2709004) by Tim
- Chen pointed out how curl couldn't upload with resume when reading from a
- pipe.
-
- This ended up with the introduction of a new return code for the
- CURLOPT_SEEKFUNCTION callback that basically says that the seek failed but
- that libcurl may try to resolve the situation anyway. In our case this means
- libcurl will attempt to instead read that much data from the stream instead
- of seeking and that way curl can now upload with resume when data is read
- from a stream!
-
-Daniel Stenberg (26 Apr 2009)
-- Bug report #2779733 (http://curl.haxx.se/bug/view.cgi?id=2779733) by Sven
- Wegener pointed out that CURLINFO_APPCONNECT_TIME didn't work with the multi
- interface and provided a patch that fixed the problem!
-
-Daniel Stenberg (24 Apr 2009)
-- Kamil Dudka fixed another NSS-related leak when client certs were used.
-
-- Bug report #2779245 (http://curl.haxx.se/bug/view.cgi?id=2779245) by Rainer
- Koenig pointed out that the man page didn't tell that the *_proxy
- environment variables can be specified lower case or UPPER CASE and the
- lower case takes precedence,
-
-Daniel Fandrich (21 Apr 2009)
-- Added new libcurl source files to Amiga, RiscOS and VC6 build files.
-
-Yang Tse (21 Apr 2009)
-- Moved potential inclusion of system's malloc.h and memory.h header files to
- setup_once.h. Inclusion of each header file is based on the definition of
- NEED_MALLOC_H and NEED_MEMORY_H respectively.
-
- Renamed libcurl's memory.h to curl_memory.h
-
-Daniel Stenberg (20 Apr 2009)
-- Leanic Lefever reported a crash and did some detailed research on why and
- how it occurs (http://curl.haxx.se/mail/lib-2009-04/0289.html). The
- conclusion was that if an error is detected and Curl_done() is called for
- the connection, ftp_done() could at times return another error code that
- then would take precedence and that new code confused existing logic that
- works for the first error code (CURLE_SEND_ERROR) only.
-
-- Gisle Vanem noticed that --libtool would produce bogus strings at times for
- OBJECTPOINT options. Now we've introduced a new function - my_setopt_str -
- within the app for setting plain string options to avoid the risk of this
- mistake happening.
-
-Daniel Stenberg (17 Apr 2009)
-- Pramod Sharma reported and tracked down a bug when doing FTP over a HTTP
- proxy. libcurl would then wrongly close the connection after each
- request. In his case it had the weird side-effect that it killed NTLM auth
- for the proxy causing an inifinite loop!
-
- I added test case 1098 to verify this fix. The test case does however not
- properly verify that the transfers are done persistently - as I couldn't
- think of a clever way to achieve it right now - but you need to read the
- stderr output after a test run to see that it truly did the right thing.
-
-Daniel Stenberg (13 Apr 2009)
-- bug report #2727981 (http://curl.haxx.se/bug/view.cgi?id=2727981) by Martin
- Storsjö pointed out how setting CURLOPT_NOBODY to 0 could be downright
- confusing as it set the method to either GET or HEAD. The example he showed
- looked like:
-
- curl_easy_setopt(curl, CURLOPT_PUT, 1);
- curl_easy_setopt(curl, CURLOPT_NOBODY, 0);
-
- The new way doesn't alter the method until the request is about to start. If
- CURLOPT_NOBODY is then 1 the HTTP request will be HEAD. If CURLOPT_NOBODY is
- 0 and the request happens to have been set to HEAD, it will then instead be
- set to GET. I believe this will be less surprising to users, and hopefully
- not hit any existing users badly.
-
-- Toshio Kuratomi reported a memory leak problem with libcurl+NSS that turned
- out to be leaking cacerts. Kamil Dudka helped me complete the fix. The issue
- is found in Redhat's bug tracker:
- https://bugzilla.redhat.com/show_bug.cgi?id=453612
-
- There are still memory leaks present, but they seem to have other reasons.
-
-Daniel Fandrich (11 Apr 2009)
-- Added new libcurl source files to Symbian OS build files.
-- Improved Symbian support for SSL.
-
-Yang Tse (10 Apr 2009)
-- Daniel Johnson improved the MacOSX-Framework shell script to now perform all
- the steps required to build a Mac OS X four way fat ppc/i386/ppc64/x86_64
- libcurl.framework. Four way fat framework requires OS X 10.5 SDK or later.
-
-Yang Tse (8 Apr 2009)
-- Removed Sun compilers preprocessor block from curlbuild.h.dist, this also
- removes it from the curlbuild.h file originally distributed by the cURL
- project as this file is intended for systems not capable of running the
- configure script. For those who have been building curl out of the source
- code curl distribution tarball provided by curl.haxx.se the change implies
- nothing. Previous change in this area committed 2 Apr becomes irrelevant.
-
-Daniel Stenberg (6 Apr 2009)
-- I clarified in the docs that CURLOPT_SEEKFUNCTION should return 0 on success
- and 1 on fatal errors. Previously it only mentioned non-zero on fatal
- errors. This is a slight change in meaning, but it follows what we've done
- elsewhere before and it opens up for LOTS of more useful return codes
- whenever we can think of them...
-
-Yang Tse (2 Apr 2009)
-- Fix curl_off_t definition for builds done using Sun compilers and a
- non-configured libcurl. In this case curl_off_t data type was gated
- to the off_t data type which depends on the _FILE_OFFSET_BITS. This
- configuration is exactly the unwanted configuration for our curl_off_t
- data type which must not depend on such setting. This breaks ABI for
- libcurl libraries built with Sun compilers which were built without
- having run the configure script with _FILE_OFFSET_BITS different than
- 64 and using the ILP32 data model.
-
-Daniel Stenberg (1 Apr 2009)
-- Andre Guibert de Bruet fixed a NULL pointer use in an infof() call if a
- strdup() call failed.
-
-Daniel Fandrich (31 Mar 2009)
-- Properly return an error code in curl_easy_recv (reported by Jim Freeman).
-
-Daniel Stenberg (18 Mar 2009)
-- Kamil Dudka brought a patch that enables 6 additional crypto algorithms when
- NSS is used. These ciphers were added in NSS 3.4 and require to be enabled
- explicitly.
-
-Daniel Stenberg (13 Mar 2009)
-- Use libssh2_version() to present the libssh2 version in case the libssh2
- library is found to support it.
-
-Yang Tse (12 Mar 2009)
-- Added missing Curl_read() return code checking in TELNET transfers.
-
-- Pierre Brico found and fixed TELNET transfers not being aborted upon
- a write callback failure.
-
-Daniel Stenberg (11 Mar 2009)
-- Kamil Dudka made the curl tool properly call curl_global_init() before any
- other libcurl function.
-
-Yang Tse (11 Mar 2009)
-- Added missing TELNET timeout support for Windows builds. This issue was
- reported by Pierre Brico.
-
-Daniel Stenberg (9 Mar 2009)
-- Frank Hempel found out a bug and provided the fix:
-
- curl_easy_duphandle did not necessarily duplicate the CURLOPT_COOKIEFILE
- option. It only enabled the cookie engine in the destination handle if
- data->cookies is not NULL (where data is the source handle). In case of a
- newly initialized handle which just had the cookie support enabled by a
- curl_easy_setopt(handle, CURL_COOKIEFILE, "")-call, handle->cookies was
- still NULL because the setopt-call only appends the value to
- data->change.cookielist, hence duplicating this handle would not have the
- cookie engine switched on.
-
- We also concluded that the slist-functionality would be suitable for being
- put in its own module rather than simply hanging out in lib/sendf.c so I
- created lib/slist.[ch] for them.
-
-- Andreas Farber made the 'buildconf' script check for the presence of m4
- scripts to make it detect a bad checkout earlier. People with older
- checkouts who don't do cvs update with the -d option won't get the new dirs
- and then will get funny outputs that can be a bit hard to understand and
- fix.
-
-Daniel Stenberg (8 Mar 2009)
-- Andre Guibert de Bruet found and fixed a code segment in ssluse.c where the
- allocation of the memory BIO was not being properly checked.
-
-- Andre Guibert de Bruet fixed the gnutls-using code: There are a few places
- in the gnutls code where we were checking for negative values for errors,
- when the man pages state that GNUTLS_E_SUCCESS is returned on success and
- other values indicate error conditions.
-
-- Bill Egert pointed out (http://curl.haxx.se/bug/view.cgi?id=2671602) that
- curl didn't use sprintf() in a way that is documented to work in POSIX but
- since we use our own printf() code (from libcurl) that shouldn't be a
- problem. Nonetheless I modified the code to not rely on such particular
- features and to not cause further raised eyebrowse with no good reason.
-
-Daniel Fandrich (5 Mar 2009)
-- Expanded the security section of the libcurl-tutorial man page to cover
- more issues for authors to consider when writing robust libcurl-using
- applications.
-
-Yang Tse (5 Mar 2009)
-- Fixed NTLM authentication memory leak on SSPI enabled Windows builds. This
- issue was noticed by Chris Deidun.
-
-Daniel Fandrich (4 Mar 2009)
-- Fixed a problem with m4 quoting in the OpenSSL configure check reported
- by Daniel Johnson.
-
-Daniel Stenberg (3 Mar 2009)
-- David James brought a patch that make libcurl close (all) dead connections
- whenever you attempt to open a new connection.
-
- 1. After cleaning up a dead connection, "continue" instead of
- returning FALSE. This ensures that we clean up all dead connections,
- rather than just cleaning up the first dead connection.
- 2. Move up the cleanup for dead connections so that it occurs for
- all connections, rather than just the connections which have the same
- preferences as our current new connection.
-
-Version 7.19.4 (3 March 2009)
-
-Daniel Stenberg (3 Mar 2009)
-- David Kierznowski notified us about a security flaw
- (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
- which previous libcurl versions (by design) can be tricked to access an
- arbitrary local/different file instead of a remote one when
- CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
- together this the addition of two new setopt options for controlling this
- new behavior:
-
- o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
- follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
- excludes the FILE and SCP protocols and thus you nee to explicitly allow
- them in your app if you really want that behavior.
-
- o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
- using the primary URL option. This is useful if you want to allow a user or
- other outsiders control what URL to pass to libcurl and yet not allow all
- protocols libcurl may have been built to support.
-
-Daniel Stenberg (27 Feb 2009)
-- Senthil Raja Velu reported a problem when CURLOPT_INTERFACE and
- CURLOPT_LOCALPORT were used together (the local port bind failed), and
- Markus Koetter provided the fix!
-
-Daniel Stenberg (25 Feb 2009)
-- As Daniel Fandrich figured out, we must do the GnuTLS initing in the
- curl_global_init() function to properly maintain the performing functions
- thread-safe. We've previously (28 April 2007) moved the init to a later time
- just to avoid it to fail very early when libgcrypt dislikes the situation,
- but that move was bad and the fix should rather be in libgcrypt or
- elsewhere.
-
-Daniel Stenberg (24 Feb 2009)
-- Brian J. Murrell found out that Negotiate proxy authentication didn't work.
- It happened because the code used the struct for server-based auth all the
- time for both proxy and server auth which of course was wrong.
-
-Daniel Stenberg (23 Feb 2009)
-- After a bug reported by James Cheng I've made curl_easy_getinfo() for
- CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD return
- -1 if the sizes aren't know. Previously these returned 0, make it impossible
- to detect the difference between actually zero and unknown.
-
-Yang Tse (23 Feb 2009)
-- Daniel Johnson provided a shell script that will perform all the steps needed
- to build a Mac OS X fat ppc/i386 or ppc64/x86_64 libcurl.framework
-
-Daniel Stenberg (23 Feb 2009)
-- I renamed everything in the windows builds files that used the name 'curllib'
- to the proper 'libcurl' as clearly this caused confusion.
-
-Yang Tse (20 Feb 2009)
-- Do not halt compilation when using VS2008 to build a Windows 2000 target.
-
-Daniel Stenberg (20 Feb 2009)
-- Linus Nielsen Feltzing reported and helped me repeat and fix a problem with
- FTP with the multi interface: when a transfer fails, like when aborted by a
- write callback, the control connection was wrongly closed and thus not
- re-used properly.
-
- This change is also an attempt to cleanup the code somewhat in this area, as
- now the FTP code attempts to keep (better) track on pending responses
- necessary to get read in ftp_done().
-
-Daniel Stenberg (19 Feb 2009)
-- Patrik Thunstrom reported a problem and helped me repeat it. It turned out
- libcurl did a superfluous 1000ms wait when doing SFTP downloads!
-
- We read data with libssh2 while doing the "DO" operation for SFTP and then
- when we were about to start getting data for the actual file part, the
- "TRANSFER" part, we waited for socket action (in 1000ms) before doing a
- libssh2-read. But in this case libssh2 had already read and buffered the
- data so we ended up always just waiting 1000ms before we get working on the
- data!
-
-Patrick Monnerat (18 Feb 2009)
-- FTP downloads (i.e.: RETR) ending with code 550 now return error
- CURLE_REMOTE_FILE_NOT_FOUND instead of CURLE_FTP_COULDNT_RETR_FILE.
-
-Daniel Stenberg (17 Feb 2009)
-- Kamil Dudka made NSS-powered builds compile and run again!
-
-- A second follow-up change by Andre Guibert de Bruet to fix a related memory
- leak like that fixed on the 14th. When zlib returns failure, we need to
- cleanup properly before returning error.
-
-- CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 in addition to 1 for
- plain FTP connections, and it will then allow MKD to fail once and retry the
- CWD afterwards. This is especially useful if you're doing many simultanoes
- connections against the same server and they all have this option enabled,
- as then CWD may first fail but then another connection does MKD before this
- connection and thus MKD fails but trying CWD works! The numbers can
- (should?) now be set with the convenience enums now called
- CURLFTP_CREATE_DIR and CURLFTP_CREATE_DIR_RETRY.
-
- Tests has proven that if you're making an application that uploads a set of
- files to an ftp server, you will get a noticable gain in speed if you're
- using multiple connections and this option will be then be very useful.
-
-Daniel Stenberg (14 Feb 2009)
-- Andre Guibert de Bruet found and fixed a memory leak in the content encoding
- code, which could happen on libz errors.
-
-Daniel Fandrich (12 Feb 2009)
-- Added support for Digest and NTLM authentication using GnuTLS.
-
-Daniel Stenberg (11 Feb 2009)
-- CURLINFO_CONDITION_UNMET was added to allow an application to get to know if
- the condition in the previous request was unmet. This is typically a time
- condition set with CURLOPT_TIMECONDITION and was previously not possible to
- reliably figure out. From bug report #2565128
- (http://curl.haxx.se/bug/view.cgi?id=2565128) filed by Jocelyn Jaubert.
-
-Daniel Fandrich (4 Feb 2009)
-- Don't add the standard /usr/lib or /usr/include paths to LDFLAGS and CPPFLAGS
- (respectively) when --with-ssl=/usr is used (patch based on FreeBSD).
-
-- Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
- This couldn't ever overflow in curl, but might if the code were used
- elsewhere or under different conditions.
-
-Daniel Stenberg (3 Feb 2009)
-- Hidemoto Nakada provided a small fix that makes it possible to get the
- CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with
- CURLOPT_NOBODY set true.
-
-Daniel Stenberg (2 Feb 2009)
-- Patrick Scott found a rather large memory leak when using the multi
- interface and setting CURLMOPT_MAXCONNECTS to something less than the number
- of handles you add to the multi handle. All the connections that didn't fit
- in the cache would not be properly disconnected nor freed!
-
-- Craig A West brought us: libcurl now defaults to do CONNECT with HTTP
- version 1.1 instead of 1.0 like before. This change also introduces the new
- proxy type for libcurl called 'CURLPROXY_HTTP_1_0' that then allows apps to
- switch (back) to CONNECT 1.0 requests. The curl tool also got a --proxy1.0
- option that works exactly like --proxy but sets CURLPROXY_HTTP_1_0.
-
- I updated all test cases cases that use CONNECT and I tried to do some using
- --proxy1.0 and some updated to do CONNECT 1.1 to get both versions run.
-
-Daniel Stenberg (31 Jan 2009)
-- When building with c-ares 1.6.1 (not yet released) or later and IPv6 support
- enabled, we can now take advantage of its brand new AF_UNSPEC support in
- ares_gethostbyname(). This makes test case 241 finally run fine for me with
- this setup since it now parses the "::1 ip6-localhost" line fine in my
- /etc/hosts file!
-
-Daniel Stenberg (30 Jan 2009)
-- Scott Cantor filed bug report #2550061
- (http://curl.haxx.se/bug/view.cgi?id=2550061) mentioning that I failed to
- properly make sure that the VC9 makefiles got included in the latest
- release. I've now fixed the release script and verified it so next release
- will hopefully include them properly!
-
-Daniel Fandrich (30 Jan 2009)
-- Fixed --disable-proxy for FTP and SOCKS. Thanks to Daniel Egger for
- reporting.
-
-Yang Tse (29 Jan 2009)
-- Introduced curl_sspi.c and curl_sspi.h for the implementation of functions
- Curl_sspi_global_init() and Curl_sspi_global_cleanup() which previously were
- named Curl_ntlm_global_init() and Curl_ntlm_global_cleanup() in http_ntlm.c
- Also adjusted socks_sspi.c to remove the link-time dependency on the Windows
- SSPI library using it now in the same way as it was done in http_ntlm.c.
-
-Daniel Stenberg (28 Jan 2009)
-- Markus Moeller introduced two new options to libcurl:
- CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl
- to do GSS-style authentication with SOCKS5 proxies. The curl tool got the
- options called --socks5-gssapi-service and --socks5-gssapi-nec to enable
- these.
-
-Daniel Stenberg (26 Jan 2009)
-- Chad Monroe provided the new CURLOPT_TFTP_BLKSIZE option that allows an app
- to set desired block size to use for TFTP transfers instead of the default
- 512 bytes.
-
-- The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
- disable "rfc4507bis session ticket support". rfc4507bis was later turned
- into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077
-
- The enabled extension concerns the session management. I wonder how often
- libcurl stops a connection and then resumes a TLS session. also, sending the
- session data is some overhead. .I suggest that you just use your proposed
- patch (which explicitly disables TICKET).
-
- If someone writes an application with libcurl and openssl who wants to
- enable the feature, one can do this in the SSL callback.
-
- Sharad Gupta brought this to my attention. Peter Sylvester helped me decide
- on the proper action.
-
-- Alexey Borzov filed bug report #2535504
- (http://curl.haxx.se/bug/view.cgi?id=2535504) pointing out that realms with
- quoted quotation marks in HTTP Digest headers didn't work. I've now added
- test case 1095 that verifies my fix.
-
-- Craig A West brought CURLOPT_NOPROXY and the corresponding --noproxy option.
- They basically offer the same thing the NO_PROXY environment variable only
- offered previously: list a set of host names that shall not use the proxy
- even if one is specified.
-
-Daniel Fandrich (20 Jan 2009)
-- Call setlocale() for libtest tests to test the effects of locale-induced
- libc changes on libcurl.
-
-- Fixed a couple more locale-dependent toupper conversions, mainly for
- clarity. This does fix one problem that causes ;type=i FTP URLs
- to fail in the Turkish locale when CURLOPT_PROXY_TRANSFER_MODE is
- used (test case 561)
-
-- Added tests 561 and 1091 through 1094 to test various combinations
- of ;type= and ;mode= URLs that could potentially fail in the Turkish
- locale.
-
-Daniel Stenberg (20 Jan 2009)
-- Lisa Xu pointed out that the ssh.obj file was missing from the
- lib/Makefile.vc6 file (and thus from the vc8 and vc9 ones too).
-
-Version 7.19.3 (19 January 2009)
-
-Daniel Stenberg (16 Jan 2009)
-- Andrew de los Reyes fixed curlbuild.h for "generic" gcc builds on PPC, both
- 32 bit and 64 bit.
-
-Daniel Stenberg (15 Jan 2009)
-- Tim Ansell fixed a compiler warning in lib/cookie.c
-
-Daniel Stenberg (14 Jan 2009)
-- Grant Erickson fixed timeouts for TFTP such that specifying a
- connect-timeout, a max-time or both options work correctly and as expected
- by passing the correct boolean value to Curl_timeleft via the
- 'duringconnect' parameter.
-
- With this small change, curl TFTP now behaves as expected (and likely as
- originally-designed):
-
- 1) For non-existent or unreachable dotted IP addresses:
-
- a) With no options, follows the default curl 300s timeout...
- b) With --connect-timeout only, follows that value...
- c) With --max-time only, follows that value...
- d) With both --connect-timeout and --max-time, follows the smaller value...
-
- and times out with a "curl: (7) Couldn't connect to server" error.
-
- 2) For transfers to/from a valid host:
-
- a) With no options, follows default curl 300s timeout for the
- first XRQ/DATA/ACK transaction and the default TFTP 3600s
- timeout for the remainder of the transfer...
-
- b) With --connect-time only, follows that value for the
- first XRQ/DATA/ACK transaction and the default TFTP 3600s
- timeout for the remainder of the transfer...
-
- c) With --max-time only, follows that value for the first
- XRQ/DATA/ACK transaction and for the remainder of the
- transfer...
-
- d) With both --connect-timeout and --max-time, follows the former
- for the first XRQ/DATA/ACK transaction and the latter for the
- remainder of the transfer...
-
- and times out with a "curl: (28) Timeout was reached" error as
- appropriate.
-
-Daniel Stenberg (13 Jan 2009)
-- Michael Wallner fixed a NULL pointer deref when calling
- curl_easy_setup(curl, CURLOPT_COOKIELIST, "SESS") on a CURL handle with no
- cookies data.
-
-- Stefan Teleman brought a patch to fix the default curlbuild.h file for the
- SunPro compilers.
-
-Daniel Stenberg (12 Jan 2009)
-- Based on bug report #2498665 (http://curl.haxx.se/bug/view.cgi?id=2498665)
- by Daniel Black, I've now added magic to the configure script that makes it
- use pkg-config to detect gnutls details as well if the existing method
- (using libgnutls-config) fails. While doing this, I cleaned up and unified
- the pkg-config usage when detecting openssl and nss as well.
-
-Daniel Stenberg (11 Jan 2009)
-- Karl Moerder brought the patch that creates vc9 Makefiles, and I made
- 'maketgz' now use the actual makefile targets to do the VC8 and VC9
- makefiles.
-
-Daniel Stenberg (10 Jan 2009)
-- Emil Romanus fixed:
-
- When using the multi interface over HTTP and the server returns a Location
- header, the running easy handle will get stuck in the CURLM_STATE_PERFORM
- state, leaving the external event loop stuck waiting for data from the
- ingoing socket (when using the curl_multi_socket_action stuff). While this
- bug was pretty hard to find, it seems to require only a one-line fix. The
- break statement on line 1374 in multi.c caused the function to skip the call
- to multistate().
-
- How to reproduce this bug? Well, that's another question. evhiperfifo.c in
- the examples directory chokes on this bug only _sometimes_, probably
- depending on how fast the URLs are added. One way of testing the bug out is
- writing to hiper.fifo from more than one source at the same time.
-
-Daniel Fandrich (7 Jan 2009)
-- Unified much of the SessionHandle initialization done in Curl_open() and
- curl_easy_reset() by creating Curl_init_userdefined(). This had the side
- effect of fixing curl_easy_reset() so it now also resets
- CURLOPT_FTP_FILEMETHOD and CURLOPT_SSL_SESSIONID_CACHE
-
-Daniel Stenberg (7 Jan 2009)
-- Rob Crittenden did once again provide an NSS update:
-
- I have to jump through a few hoops now with the NSS library initialization
- since another part of an application may have already initialized NSS by the
- time Curl gets invoked. This patch is more careful to only shutdown the NSS
- library if Curl did the initialization.
-
- It also adds in a bit of code to set the default ciphers if the app that
- call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
- ciphers. One might argue that this lets other application developers get
- lazy and/or they aren't using the NSS API correctly, and you'd be right.
- But still, this will avoid terribly difficult-to-trace crashes and is
- generally helpful.
-
-Daniel Stenberg (1 Jan 2009)
-- 'reconf' is removed since we rather have users use 'buildconf'
-
-Daniel Stenberg (31 Dec 2008)
-- Bas Mevissen reported http://curl.haxx.se/bug/view.cgi?id=2479030 pointing
- out that 'reconf' didn't properly point out the m4 subdirectory when running
- aclocal.
-
-Daniel Stenberg (29 Dec 2008)
- - Phil Lisiecki filed bug report #2413067
- (http://curl.haxx.se/bug/view.cgi?id=2413067) that identified a problem that
- would cause libcurl to mark a DNS cache entry "in use" eternally if the
- subsequence TCP connect failed. It would thus never get pruned and refreshed
- as it should've been.
-
- Phil provided his own patch to this problem that while it seemed to work
- wasn't complete and thus I wrote my own fix to the problem.
-
-Daniel Stenberg (28 Dec 2008)
-- Peter Korsgaard fixed building libcurl with "configure --with-ssl
- --disable-verbose".
-
-- Anthony Bryan fixed more language and spelling flaws in man pages.
-
-Daniel Stenberg (22 Dec 2008)
-- Given a recent enough libssh2, libcurl can now seek/resume with SFTP even
- on file indexes beyond 2 or 4GB.
-
-- Anthony Bryan provided a set of patches that cleaned up manual language,
- corrected spellings and more.
-
-Daniel Stenberg (20 Dec 2008)
-- Igor Novoseltsev fixed a bad situation for the multi_socket() API when doing
- pipelining, as libcurl could then easily get confused and A) work on the
- handle that was not "first in queue" on a pipeline, or even B) tell the app
- to REMOVE a socket while it was in use by a second handle in a pipeline. Both
- errors caused hanging or stalling applications.
-
-Daniel Stenberg (19 Dec 2008)
-- curl_multi_timeout() could return a timeout value of 0 even though nothing
- was actually ready to get done, as the internal time resolution is higher
- than the returned millisecond timer. Therefore it could cause applications
- running on fast processors to do short bursts of busy-loops.
- curl_multi_timeout() will now only return 0 if the timeout is actually
- alreay triggered.
-
-- Using the libssh2 0.19 function libssh2_session_block_directions(), libcurl
- now has an improved ability to do right when the multi interface (both
- "regular" and multi_socket) is used for SCP and SFTP transfers. This should
- result in (much) less busy-loop situations and thus less CPU usage with no
- speed loss.
-
-Daniel Stenberg (17 Dec 2008)
-- SCP and SFTP with the multi interface had the same flaw: the 'DONE'
- operation didn't complete properly if the EAGAIN equivalent was returned but
- libcurl would simply continue with a half-completed close operation
- performed. This ruined persistent connection re-use and cause some
- SSH-protocol errors in general. The correction is unfortunately adding a
- blocking function - doing it entirely non-blocking should be considered for
- a better fix.
-
-Gisle Vanem (16 Dec 2008)
-- Added the possibility to use the Watt-32 tcp/ip stack under Windows.
- The change simply involved adding a USE_WATT32 section in the
- config-win32.h files (under ./lib and ./src). This section disables
- the use of any Winsock headers.
-
-Daniel Stenberg (16 Dec 2008)
-- libssh2_sftp_last_error() was wrongly used at some places in libcurl which
- made libcurl sometimes not properly abort problematic SFTP transfers.
-
-Daniel Stenberg (12 Dec 2008)
-- More work with Igor Novoseltsev to first fix the remaining stuff for
- removing easy handles from multi handles when the easy handle is/was within
- a HTTP pipeline. His bug report #2351653
- (http://curl.haxx.se/bug/view.cgi?id=2351653) was also related and was
- eventually fixed by a patch by Igor himself.
-
-Yang Tse (12 Dec 2008)
-- Patrick Monnerat fixed a build regression, introduced in 7.19.2, affecting
- OS/400 compilations with IPv6 enabled.
-
-Daniel Stenberg (12 Dec 2008)
-- Mark Karpeles filed bug report #2416182 titled "crash in ConnectionExists
- when using duphandle+curl_mutli"
- (http://curl.haxx.se/bug/view.cgi?id=2416182) which showed that
- curl_easy_duphandle() wrongly also copied the pointer to the connection
- cache, which was plain wrong and caused a segfault if the handle would be
- used in a different multi handle than the handle it was duplicated from.
-
-Daniel Stenberg (11 Dec 2008)
-- Keshav Krity found out that libcurl failed to deal with dotted IPv6
- addresses if they were very long (>39 letters) due to a too strict address
- validity parser. It now accepts addresses up to 45 bytes long.
-
-Daniel Stenberg (11 Dec 2008)
-- Internet Explorer had a broken HTTP digest authentication before v7 and
- there are servers "out there" that relies on the client doing this broken
- Digest authentication. Apache even comes with an option to work with such
- broken clients.
-
- The difference is only for URLs that contain a query-part (a '?'-letter and
- text to the right of it).
-
- libcurl now supports this quirk, and you enable it by setting the
- CURLAUTH_DIGEST_IE bit in the bitmask you pass to the CURLOPT_HTTPAUTH or
- CURLOPT_PROXYAUTH options. They are thus individually controlled to server
- and proxy.
-
- (note that there's no way to activate this with the curl tool yet)
-
-Daniel Fandrich (9 Dec 2008)
-- Added test cases 1089 and 1090 to test --write-out after a redirect to
- test a report that the size didn't work, but these test cases pass.
-
-- Documented CURLOPT_CONNECT_ONLY as being useful only on HTTP URLs.
-
-Daniel Stenberg (9 Dec 2008)
-- Ken Hirsch simplified how libcurl does FTPS: now it doesn't assume any
- particular state for the control connection like it did before for implicit
- FTPS (libcurl assumed such control connections to be encrypted while some
- FTPS servers such as FileZilla assumes such connections to be clear
- mode). Use the CURLOPT_USE_SSL option to set your desired level.
-
-Daniel Stenberg (8 Dec 2008)
-- Fred Machado posted about a weird FTP problem on the curl-users list and when
- researching it, it turned out he got a 550 response back from a SIZE command
- and then I fell over the text in RFC3659 that says:
-
- The presence of the 550 error response to a SIZE command MUST NOT be taken
- by the client as an indication that the file cannot be transferred in the
- current MODE and TYPE.
-
- In other words: the change I did on September 30th 2008 and that has been
- included in the last two releases were a regression and a bad idea. We MUST
- NOT take a 550 response from SIZE as a hint that the file doesn't exist.
-
-- Christian Krause filed bug #2221237
- (http://curl.haxx.se/bug/view.cgi?id=2221237) that identified an infinite
- loop during GSS authentication given some specific conditions. With his
- patience and great feedback I managed to narrow down the problem and
- eventually fix it although I can't test any of this myself!
-
-Daniel Fandrich (3 Dec 2008)
-- Fixed the getifaddrs version of Curl_if2ip to work on systems without IPv6
- support (e.g. Minix)
-
-Daniel Stenberg (3 Dec 2008)
-- Igor Novoseltsev filed bug #2351645
- (http://curl.haxx.se/bug/view.cgi?id=2351645) that identified a problem with
- the multi interface that occured if you removed an easy handle while in
- progress and the handle was used in a HTTP pipeline.
-
-- Pawel Kierski pointed out a mistake in the cookie code that could lead to a
- bad fclose() after a fatal error had occured.
- (http://curl.haxx.se/bug/view.cgi?id=2382219)
-
-Daniel Fandrich (25 Nov 2008)
-- If a HTTP request is Basic and num is already >=1000, the HTTP test
- server adds 1 to num to get the data section to return. This allows
- testing authentication negotiations using the Basic authentication
- method.
-
-- Added tests 1087 and 1088 to test Basic authentication on a redirect
- with and without --location-trusted
-
-Daniel Stenberg (24 Nov 2008)
-- Based on a patch by Vlad Grachov, libcurl now uses a new libssh2 0.19
- function when built to support SCP and SFTP that helps the library to know
- in which direction a particular libssh2 operation would return EAGAIN so
- that libcurl knows what socket conditions to wait for before trying the
- function call again. Previously (and still when using libssh2 0.18 or
- earlier), libcurl will busy-loop in this situation when the easy interface
- is used!
-
-Daniel Fandrich (20 Nov 2008)
-- Automatically detect OpenBSD's CA cert bundle.
-
-Daniel Stenberg (19 Nov 2008)
-- I removed the default use of "Pragma: no-cache" from libcurl when a proxy is
- used. It has been used since forever but it was never a good idea to use
- unless explicitly asked for.
-
-- Josef Wolf's extension that allows a $TESTDIR/gdbinit$testnum file that when
- you use runtests.pl -g, will be sourced by gdb to allow additional fancy or
- whatever you see fit
-
-- Christian Krause reported and fixed a memory leak that would occur with HTTP
- GSS/kerberos authentication (http://curl.haxx.se/bug/view.cgi?id=2284386)
-
-- Andreas Wurf and Markus Koetter helped me analyze a problem that Andreas got
- when uploading files to a single FTP server using multiple easy handle
- handles with the multi interface. Occasionally a handle would stall in
- mysterious ways.
-
- The problem turned out to be a side-effect of the ConnectionExists()
- function's eagerness to re-use a handle for HTTP pipelining so it would
- select it even if already being in use, due to an inadequate check for its
- chances of being used for pipelnining.
-
-Daniel Fandrich (17 Nov 2008)
-- Added more compiler warning options for gcc 4.3
-
-Yang Tse (17 Nov 2008)
-- Fix a remaining problem in the inet_pton() runtime configure check. And
- fix internal Curl_inet_pton() failures to reject certain malformed literals.
-
-- Make configure script check if ioctl with the SIOCGIFADDR command can be
- used, and define HAVE_IOCTL_SIOCGIFADDR if appropriate.
-
-Daniel Stenberg (16 Nov 2008)
-- Christian Krause fixed a build failure when building with gss support
- enabled and FTP disabled.
-
-- Added check for NULL returns from strdup() in src/main.c and lib/formdata.c
- - reported by Jim Meyering also prevent buffer overflow on MSDOS when you do
- for example -O on a url with a file name part longer than PATH_MAX letters
-
-- lib/nss.c fixes based on the report by Jim Meyering: I went over and added
- checks for return codes for all calls to malloc and strdup that were
- missing. I also changed a few malloc(13) to use arrays on the stack and a
- few malloc(PATH_MAX) to instead use aprintf() to lower memory use.
-
-- I fixed a memory leak in Curl_nss_connect() when CURLOPT_ISSUERCERT is
- in use.
-
-Daniel Fandrich (14 Nov 2008)
-- Added .xml as one of the few common file extensions known by the multipart
- form generator.
-
-- Added some #ifdefs around header files and change the EAGAIN test to
- fix compilation on Cell (reported by Jeff Curley).
-
-Yang Tse (14 Nov 2008)
-- Fixed several configure script issues affecting checks for inet_ntoa_r(),
- inet_ntop(), inet_pton(), getifaddrs(), fcntl() and getaddrinfo().
-
-Yang Tse (13 Nov 2008)
-- Refactored configure script detection of functions used to set sockets into
- non-blocking mode, and decouple function detection from function capability.
+Jay Satiro (12 Apr 2016)
+- http2: Use size_t type for data drain count
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
+
+- http2: Improve header parsing
+
+ - Error if a header line is larger than supported.
+
+ - Warn if cumulative header line length may be larger than supported.
+
+ - Allow spaces when parsing the path component.
+
+ - Make sure each header line ends in \r\n. This fixes an out of bounds.
+
+ - Disallow header continuation lines until we decide what to do.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
+
+- http2: Add Curl_http2_strerror for HTTP/2 error codes
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Don't increment drain when one header field is received
+
+ Sicne we write header field in temporary location, not in the memory
+ that upper layer provides, incrementing drain should not happen.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Ensure that http2_handle_stream_close is called
+
+ This commit ensures that streams which was closed in on_stream_close
+ callback gets passed to http2_handle_stream_close. Previously, this
+ might not happen. To achieve this, we increment drain property to
+ forcibly call recv function for that stream.
+
+ To more accurately check that we have no pending event before shutting
+ down HTTP/2 session, we sum up drain property into
+ http_conn.drain_total. We only shutdown session if that value is 0.
+
+ With this commit, when stream was closed before reading response
+ header fields, error code CURLE_HTTP2_STREAM is returned even if
+ HTTP/2 level error is NO_ERROR. This signals the upper layer that
+ stream was closed by error just like TCP connection close in HTTP/1.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Process paused data first before tear down http2 session
+
+ This commit ensures that data from network are processed before HTTP/2
+ session is terminated. This is achieved by pausing nghttp2 whenever
+ different stream than current easy handle receives data.
+
+ This commit also fixes the bug that sometimes processing hangs when
+ multiple HTTP/2 streams are multiplexed.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Check session closure early in http2_recv
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Add handling stream level error
+
+ Previously, when a stream was closed with other than NGHTTP2_NO_ERROR
+ by RST_STREAM, underlying TCP connection was dropped. This is
+ undesirable since there may be other streams multiplexed and they are
+ very much fine. This change introduce new error code
+ CURLE_HTTP2_STREAM, which indicates stream error that only affects the
+ relevant stream, and connection should be kept open. The existing
+ CURLE_HTTP2 means connection error in general.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
+
+Daniel Stenberg (11 Apr 2016)
+- http2: drain the socket better...
+
+ ... but ignore EAGAIN if the stream has ended so that we don't end up in
+ a loop. This is a follow-up to c8ab613 in order to avoid the problem
+ d261652 was made to fix.
+
+ Reported-by: Jay Satiro
+ Clues-provided-by: Tatsuhiro Tsujikawa
+
+ Discussed in #750
+
+- KNOWN_BUGS: added info for "Hangs with PolarSSL"
+
+- KNOWN_BUGS: 1.9 HTTP/2 frames while in the connection pool kill reuse
+
+ Closes #750
+
+- build: include scripts/ in the dist
+
+Steve Holme (9 Apr 2016)
+- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
+
+ As these two options provide identical functionality, the former for
+ SOCK5 proxies and the latter for HTTP proxies, merged the two options
+ together.
+
+ As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
+ 7.49.0.
+
+- urldata: Use bool for socks5_gssapi_nec as it is a flag
+
+ This value is set to TRUE or FALSE so should be a bool and not a long.
+
+- url: Ternary operator code style changes
+
+- CODE_STYLE: Added ternary operator example to 'Space around operators'
+
+ Following conversation on the libcurl mailing list.
+
+- sasl: Fixed compilation errors from commit 9d89a0387
+
+ ...when GSS-API or Windows SSPI are not used.
+
+- url: Corrected comments following 9d89a0387
+
+- docs: Added clarification following commit 9d89a0387
+
+- Makefile: Fixed echo of checksrc check
+
+- checksrc: Fix issue with the autobuilds not picking up the whitelist
+
+- checksrc: Added missing vauth and vtls directories
+
+- ftp/imap/pop3/smtp: Allow the service name to be overridden
+
+ Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
+ authentication in FTP, IMAP, POP3 and SMTP.
+
+- http_negotiate: Calculate service name and proxy service name locally
+
+ Calculate the service name and proxy service names locally, rather than
+ in url.c which will allow for us to support overriding the service name
+ for other protocols such as FTP, IMAP, POP3 and SMTP.
+
+- ROADMAP: Updated following the move of the authentication code
+
+Patrick Monnerat (8 Apr 2016)
+- KNOWN_BUGS: openldap hangs. TODO: binary SASL.
+
+Daniel Stenberg (8 Apr 2016)
+- KNOWN_BUGS: 5.6 Improper use of Autoconf cache variables
+
+ Closes #603
+
+- KNOWN_BUGS: 11.2 error buffer not set...
+
+ Closes #544
+
+- KNOWN_BUGS: 11.1 Curl leaks .onion hostnames in DNS
+
+ Closes #543
+
+- KNOWN_BUGS: 1.8 DNS timing is wrong for HTTP redirects
+
+ Closes #522
+
+- TODO: HTTP/2 "prior knowledge" is implemented!
+
+- [Damien Vielpeau brought this change]
+
+ mbedtls: fix MBEDTLS_DEBUG builds
+
+- mbedtls: implement and provide *_data_pending()
+
+ ... as otherwise we might get stuck thinking there's no more data to
+ handle.
+
+ Reported-by: Damien Vielpeau
+
+ Fixes #737
+
+- mbedtls: follow-up for the previous commit
+
+- mbedtls.c: name space pollution fix, Use 'Curl_'
+
+- mbedtls.c: changed private prefix to mbed_
+
+ mbedtls_ is the prefix used by the mbedTLS library itself so we should
+ avoid using that for our private functions.
+
+- mbedtls.h: fix compiler warnings
+
+- Revert "winbuild: trying to set some files eol=crlf for git"
+
+ This reverts commit 9c08b4f1e7eced5a4d3782a3e0daa484c9d77d21.
+
+ Didn't help. Caused problems.
+
+ Fixes #756
+
+- curl.1: use example.com more
+
+ Make (most) example snippets use the example.com domain instead of the
+ random ones picked and used before. Some of those were probably
+ legitimate sites and some not. example.com is designed for this purpose.
+
+- [Michael Kaufmann brought this change]
+
+ HTTP2: Add a space character after the status code
+
+ The space character after the status code is mandatory, even if the
+ reason phrase is empty (see RFC 7230 section 3.1.2)
+
+ Closes #755
+
+- [Viktor Szakats brought this change]
+
+ URLs: change http to https in many places
+
+ Closes #754
+
+- winbuild: trying to set some files eol=crlf for git
+
+ Thinking it might help to apply patches etc with git.
+- [Theodore Dubois brought this change]
+
+ curl.1: change example for -F
+
+ It's a bad idea to send your passwords anywhere, especially over HTTP.
+ Modified example to send a picture instead.
+
+ Fixes #752
+
+- KNOWN_BUGS: reorganized and cleaned up
+
+ Now sorted into categories and organized in the same style we do the
+ TODO document. It will make each issue linked properly on the
+ https://curl.haxx.se/docs/knownbugs.html web page.
+
+ The sections should make it easier to find issues and issues related to
+ areas of the reader's specific interest.
+
+Jay Satiro (6 Apr 2016)
+- KNOWN_BUGS: #95 curl in Windows can't handle Unicode arguments
+
+Steve Holme (6 Apr 2016)
+- KNOWN_BUGS: Use https://curl.haxx.se URL for github based issues
+
+- CHECKSRC.md: Corrected some typos
+
+- RELEASE-NOTES: Corrected last updated
+
+ Included a summary of the checksrc.bat updates and combined two krb5
+ changes as they should have been implemented at the same time.
+
+- vauth: Corrected a number of typos in comments
+
+ Reported-by: Michael Osipov
+
+Jay Satiro (5 Apr 2016)
+- KNOWN_BUGS: #94 IMAP custom requests use the LIST handler
+
+ Bug: https://github.com/curl/curl/issues/536
+ Reported-by: eXeC64@users.noreply.github.com
+
+Daniel Stenberg (5 Apr 2016)
+- KNOWN_BUGS: remove 68, 70 and 72.
+
+ Due to their age (we don't fully know if they actually remain) and lack
+ of detail - very few people will bother to find out what they're about
+ or work on them. If people truly still suffer from any of these, I
+ assume they will be reported again and then we'll deal with them.
+
+ 72. "Pausing pipeline problems."
+ https://curl.haxx.se/mail/lib-2009-07/0214.html
+
+ 70. Problem re-using easy handle after call to curl_multi_remove_handle
+ https://curl.haxx.se/mail/lib-2009-07/0249.html
+
+ 68. "More questions about ares behavior".
+ https://curl.haxx.se/mail/lib-2009-08/0012.html
+
+- KNOWN_BUGS: remove 92 and 88, fixed
+
+- http2: fix connection reuse when PING comes after last DATA
+
+ It turns out the google GFE HTTP/2 servers send a PING frame immediately
+ after a stream ends and its last DATA has been received by curl. So if
+ we don't drain that from the socket, it makes the socket readable in
+ subsequent checks and libcurl then (wrongly) assumes the connection is
+ dead when trying to reuse the connection.
+
+ Reported-by: Joonas Kuorilehto
+
+ Discussed in #750
+
+- multi: remove trailing space in debug output
+
+- RELEASE-NOTES: synced with 86e97b642fb
+
+- CHECKSRC.md: mention cmdline options, fix the bullet list
+
+- docs/CHECKSRC.md: initial version
+
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Added support for the examples
+
+Daniel Stenberg (3 Apr 2016)
+- lib/src: fix the checksrc invoke
+
+ ... now works correctly when invoke from the root makefile