Changelog
-Version 7.40.0 (7 Jan 2015)
+Version 7.53.1 (24 Feb 2017)
-Daniel Stenberg (7 Jan 2015)
-- RELEASE-NOTES: version 7.40.0
+Daniel Stenberg (24 Feb 2017)
+- release: 7.53.1
-- darwinssl: fix session ID keys to only reuse identical sessions
+- Revert "tests: use consistent environment variables for setting charset"
- ...to avoid a session ID getting cached without certificate checking and
- then after a subsequent _enabling_ of the check libcurl could still
- re-use the session done without cert checks.
+ This reverts commit ecd1d020abdae3c3ce3643ddab3106501e62e7c0.
- Bug: http://curl.haxx.se/docs/adv_20150108A.html
- Reported-by: Marc Hesse
+ That commit caused test failures on my Debian Linux machine for all
+ changed test cases. We need to reconsider how that should get done.
-- tests: make sure CRLFs can't be used in URLs passed to proxy
+Dan Fandrich (23 Feb 2017)
+- tests: use consistent environment variables for setting charset
- Bug: http://curl.haxx.se/docs/adv_20150108B.html
+ Character set in POSIX is set by the locale defined (in decreasing order
+ of precedence) by the LC_ALL, LC_CTYPE and LANG environment variables (I
+ believe CHARSET is only historic). LC_ALL is cleared to ensure that
+ LC_CTYPE takes effect, but LC_ALL is not used to set the locale to
+ ensure that other parts of the locale aren't overriden, if set. Since
+ there doesn't seem to be a cross-platform way of specifying a UTF-8
+ locale, and not all systems may support UTF-8, a <precheck> is used
+ (where relevant) to skip the test if UTF-8 isn't in use. Test 1035 was
+ also converted to UTF-8 for consistency, as the actual character set
+ used there is irrelevant to the test.
-- url-parsing: reject CRLFs within URLs
+Jay Satiro (23 Feb 2017)
+- url: Default the CA proxy bundle location to CURL_CA_BUNDLE
- Bug: http://curl.haxx.se/docs/adv_20150108B.html
- Reported-by: Andrey Labunets
-
-Steve Holme (7 Jan 2015)
-- ldap: Convert attribute output to UTF-8 when Unicode
+ If the compile-time CURL_CA_BUNDLE location is defined use it as the
+ default value for the proxy CA bundle location, which is the same as
+ what we already do for the regular CA bundle location.
+
+ Ref: https://github.com/curl/curl/pull/1257
-- ldap: Convert DN output to UTF-8 when Unicode
+Daniel Stenberg (23 Feb 2017)
+- [Sergii Pylypenko brought this change]
-Daniel Stenberg (7 Jan 2015)
-- hostip: remove 'stale' argument from Curl_fetch_addr proto
+ rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header
- Also, remove the log output of the resolved name is NOT in the cache in
- the spirit of only telling when something is actually happening.
+ Closes #1285
-Steve Holme (7 Jan 2015)
-- ldap/imap: Fixed spelling mistake in comments and variable names
+- TODO: "OPTIONS *"
- Reported-by: Michael Osipov
+ Closes #1280
-Daniel Stenberg (7 Jan 2015)
-- RELEASE-NOTES: updated with ./contributors.sh output
+- RELEASE-NOTES: synced with 443e5b03a7d441
-Dan Fandrich (5 Jan 2015)
-- curl_multibyte.h: Eliminated some trailing whitespace
+- THANKS-filter: shachaf
-Steve Holme (4 Jan 2015)
-- RELEASE-NOTES: Synced with ea93252ef1
+- [İsmail Dönmez brought this change]
-- ldap: Fixed Unicode usage for all Win32 builds
+ tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
- Otherwise, the fixes in the previous commits would only be applicable
- to IDN and SSPI based builds and not others such as OpenSSL with LDAP
- enabled.
+ Closes #1283
+ Fixes #1277
-- ldap: Fixed memory leak from commit efb64fdf80
-
-- ldap: Fix memory leak from commit 3a805c5cc1
-
-- ldap: Fixed attribute variable warnings when Unicode is enabled
+- bump: 7.53.1 coming up
- Use 'TCHAR *' for local attribute variable rather than 'char *'.
+ synced with df665f4df0f7a352
-- ldap: Fixed DN variable warnings when Unicode is enabled
+- formdata: check for EOF when reading from stdin
- Use 'TCHAR *' for local DN variable rather than 'char *'.
-
-- ldap: Remove the unescape_elements() function
+ Reported-by: shachaf@users.noreply.github.com
- Due to the recent modifications this function is no longer used.
+ Fixes #1281
-- ldap.c: Fixed compilation warning
+Jay Satiro (22 Feb 2017)
+- docs: gitignore curl.1
- ldap.c:98: warning: extra tokens at end of #endif directive
+ curl.1 is generated by the cmdline-opts script since 4c49b83.
-- ldap: Fixed support for Unicode filter in Win32 search call
+Daniel Stenberg (22 Feb 2017)
+- TODO: HTTP Digest using SHA-256
-- ldap.c: Fixed compilation warning
-
- ldap.c:802: warning: comparison between signed and unsigned integer
- expressions
+- TODO: brotli is deployed widely now
-- ldap: Fixed support for Unicode attributes in Win32 search call
+Jay Satiro (21 Feb 2017)
+- [Viktor Szakats brought this change]
-- ldap: Fixed memory leak from commit efb64fdf80
+ urldata: include curl_sspi.h when Windows SSPI is enabled
- The unescapped DN was not freed after a successful character conversion.
-
-- ldap.c: Fixed compilation error
+ f77dabe broke builds in Windows using Windows SSPI but not Windows SSL.
- ldap.c:738: error: macro "LDAP_TRACE" passed 2 arguments, but takes
- just 1
+ Bug: https://github.com/curl/curl/issues/1276
+ Reported-by: jveazey@users.noreply.github.com
-- ldap.c: Fixed compilation warning
+- url: Improve CURLOPT_PROXY_CAPATH error handling
- ldap.c:89: warning: extra tokens at end of #endif directive
-
-- ldap: Fixed support for Unicode DN in Win32 search call
+ - Change CURLOPT_PROXY_CAPATH to return CURLE_NOT_BUILT_IN if the option
+ is not supported, which is the same as what we already do for
+ CURLOPT_CAPATH.
+
+ - Change the curl tool to handle CURLOPT_PROXY_CAPATH error
+ CURLE_NOT_BUILT_IN as a warning instead of as an error, which is the
+ same as what we already do for CURLOPT_CAPATH.
+
+ - Fix CAPATH docs to show that CURLE_NOT_BUILT_IN is returned when the
+ respective CAPATH option is not supported by the SSL library.
+
+ Ref: https://github.com/curl/curl/pull/1257
-- ldap: Fixed Unicode user and password in Win32 bind calls
+- cyassl: fix typo
-- ldap: Fixed Unicode host name in Win32 initialisation calls
+Version 7.53.0 (22 Feb 2017)
-- ldap: Use host.dispname for infof() connection failure messages
-
- As host.name may be encoded use dispname for infof() failure messages.
+Daniel Stenberg (22 Feb 2017)
+- release: 7.53.0
-- ldap: Prefer 'CURLcode result' for curl result codes
+- cookie: fix declaration of 'dup' shadows a global declaration
-- ldap: Pass write length in all Curl_client_write() calls
+- TLS: make SSL_VERIFYSTATUS work again
- As we get the length for the DN and attribute variables, and we know
- the length for the line terminator, pass the length values rather than
- zero as this will save Curl_client_write() from having to perform an
- additional strlen() call.
-
-- ldap: Fixed attribute memory leaks on failed client write
+ The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
+ and thus even if the status couldn't be verified, the connection would
+ be allowed and the user would not be told about the failed verification.
+
+ Regression since cb4e2be7c6d42ca
- Fixed memory leaks from commit 086ad79970 as was noted in the commit
- comments.
+ CVE-2017-2629
+ Bug: https://curl.haxx.se/docs/adv_20170222.html
+
+ Reported-by: Marcus Hoffmann
-- ldap: Fixed DN memory leaks on failed client write
+Jay Satiro (21 Feb 2017)
+- digest_sspi: Handle 'stale=TRUE' directive in HTTP digest
+
+ - If the server has provided another challenge use it as the replacement
+ input token if stale=TRUE. Otherwise previous credentials have failed
+ so return CURLE_LOGIN_DENIED.
+
+ Prior to this change the stale directive was ignored and if another
+ challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING.
+
+ Ref: https://tools.ietf.org/html/rfc2617#page-10
- Fixed memory leaks from commit 086ad79970 as was noted in the commit
- comments.
+ Bug: https://github.com/curl/curl/issues/928
+ Reported-by: tarek112@users.noreply.github.com
-- curl_ntlm_core.c: Fixed compilation warning from commit 1cb17b2a5d
+Daniel Stenberg (20 Feb 2017)
+- smb: use getpid replacement for windows UWP builds
- curl_ntlm_core.c:146: warning: passing 'DES_cblock' (aka 'unsigned char
- [8]') to parameter of type 'char *' converts
- between pointers to integer types with different
- sign
+ Source: https://github.com/Microsoft/vcpkg/blob/7676b8780db1e1e591c4fc7eba4f96f73c428cb4/ports/curl/0002_fix_uwp.patch
-- ntlm: Use extend_key_56_to_64() for all cryptography engines
+- TODO: CURLOPT_RESOLVE for any port number
- Rather than duplicate the code in setup_des_key() for OpenSSL and in
- extend_key_56_to_64() for non-OpenSSL based crypto engines, as it is
- the same, use extend_key_56_to_64() for all engines.
+ Closes #1264
-- RELEASE-NOTES: Synced with 34f0bd110f
+- RELEASE-NOTES: synced with af30f1152d43dcdb
-- curl_ntlm_core.c: Fixed compilation warning
-
- curl_ntlm_core.c:458: warning: 'ascii_uppercase_to_unicode_le' defined
- but not used
+- [Jean Gressmann brought this change]
-- endian: Fixed bit-shift in 64-bit integer read functions
+ sftp: improved checks for create dir failures
- From commit 43792592ca and 4bb5a351b2.
+ Since negative values are errors and not only -1. This makes SFTP upload
+ with --create-dirs work (again).
- Reported-by: Michael Osipov
+ Closes #1269
-- smb: Use endian functions for reading NBT and message size values
+Jay Satiro (20 Feb 2017)
+- [Max Khon brought this change]
-- endian: Added big endian read functions
+ digest_sspi: Fix nonce-count generation in HTTP digest
+
+ - on the first invocation: keep security context returned by
+ InitializeSecurityContext()
+
+ - on subsequent invocations: use MakeSignature() instead of
+ InitializeSecurityContext() to generate HTTP digest response
+
+ Bug: https://github.com/curl/curl/issues/870
+ Reported-by: Andreas Roth
+
+ Closes https://github.com/curl/curl/pull/1251
-- endian: Added 64-bit integer read function
+- examples/multi-uv: checksrc compliance
-- COPYING: Bumped copyright year to 2015
+Michael Kaufmann (19 Feb 2017)
+- string formatting: fix 4 printf-style format strings
-- version: Bump copyright year to 2015
+Dan Fandrich (18 Feb 2017)
+- tests: removed the obsolete name parameter
-- smb.c: Fixed compilation warnings
+Michael Kaufmann (18 Feb 2017)
+- speed caps: update the timeouts if the speed is too low/high
- smb.c:780: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
- smb.c:781: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
- smb.c:804: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
-
-- smb: Use endian functions for reading length and offset values
+ Follow-up to 4b86113
+
+ Fixes https://github.com/curl/curl/issues/793
+ Fixes https://github.com/curl/curl/issues/942
-- endian: Added 16-bit integer write function
+- docs: fix timeout handling in multi-uv example
-- endian: Fixed Linux compilation issues
+- proxy: fix hostname resolution and IDN conversion
- Having files named endian.[c|h] seemed to cause issues under Linux so
- renamed them both to have the curl_ prefix in the filenames.
+ Properly resolve, convert and log the proxy host names.
+ Support the "--connect-to" feature for SOCKS proxies and for passive FTP
+ data transfers.
+
+ Follow-up to cb4e2be
+
+ Reported-by: Jay Satiro
+ Fixes https://github.com/curl/curl/issues/1248
-- [Julien Nabet brought this change]
+Jay Satiro (17 Feb 2017)
+- [Isaac Boukris brought this change]
- lib1900.c: Fixed cppcheck error
+ http: fix missing 'Content-Length: 0' while negotiating auth
+
+ - While negotiating auth during PUT/POST if a user-specified
+ Content-Length header is set send 'Content-Length: 0'.
+
+ This is what we do already in HTTPREQ_POST_FORM and what we did in the
+ HTTPREQ_POST case (regression since afd288b).
- lib1900.c:182: (style) Array index 'handlenum' is used before limits
- check
+ Prior to this change no Content-Length header would be sent in such a
+ case.
- Bug: https://github.com/bagder/curl/pull/133
+ Bug: https://curl.haxx.se/mail/lib-2017-02/0006.html
+ Reported-by: Dominik Hölzl
+
+ Closes https://github.com/curl/curl/pull/1242
-- endian: Added standard function descriptions
+Daniel Stenberg (16 Feb 2017)
+- [Simon Warta brought this change]
-- endian: Renamed functions for curl API naming convention
+ winbuild: add note on auto-detection of MACHINE in Makefile.vc
+
+ Closes #1265
-- endian: Moved write functions to new module
+- RELEASE-PROCEDURE: update the upcoming release calendar
-- endian: Moved read functions to new module
+- TODO: consider file name from the redirected URL with -O ?
+
+ It isn't easily solved, but with some thinking someone could probably
+ come up with a working approach?
+
+ Closes #1241
-- endian: Introduced endian module
+Jay Satiro (15 Feb 2017)
+- tool_urlglob: Allow a glob range with the same start and stop
- To allow the little endian functions, currently used in two of the NTLM
- source files, to be used by other modules such as the SMB module.
+ For example allow ranges like [1-1] and [a-a] etc.
+
+ Regression since 5ca96cb.
+
+ Bug: https://github.com/curl/curl/issues/1238
+ Reported-by: R. Dennis Steed
-- sepheaders.c: Applied curl oding standards
+Daniel Stenberg (15 Feb 2017)
+- axtls: adapt to API changes
+
+ Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS
+ < 2.1.0 (the older API)
+
+ ... and fix the session_id mixup brought in 04b4ee549
+
+ Fixes #1220
-- [Julien Nabet brought this change]
+- RELEASE-NOTES: synced with 690935390c29c
- sepheaders.c: Fixed resource leak on failure
+- [Nick Draffen brought this change]
-- vtls: Use '(void) arg' for unused parameters
+ curl: fix typo in time condition warning message
- Prefer void for unused parameters, rather than assigning an argument to
- itself as a) unintelligent compilers won't optimize it out, b) it can't
- be used for const parameters, c) it will cause compilation warnings for
- clang with -Wself-assign and d) is inconsistent with other areas of the
- curl source code.
-
-- smb.c: Fixed compilation warning
+ The warning message had a typo. The argument long form is --time-cond
+ not --timecond
- smb.c:586: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
+ Closes #1263
-- [Bill Nagel brought this change]
+- smb: code indent
- smb: Use the connection's upload buffer
+Jay Satiro (14 Feb 2017)
+- configure: Allow disabling pthreads, fall back on Win32 threads
- Use the connection's upload buffer instead of allocating our own send
- buffer.
-
-- RELEASE-NOTES: Synced with 1933f9d33c
+ When the threaded resolver option is specified for configure the default
+ thread library is pthreads. This change makes it possible to
+ --disable-pthreads and then configure can fall back on Win32 threads for
+ native Windows builds.
+
+ Closes https://github.com/curl/curl/pull/1260
-- schannel: Moved the ISC return flag definitions to the SSPI module
+Daniel Stenberg (13 Feb 2017)
+- http2: fix memory-leak when denying push streams
- Moved our Initialize Security Context return attribute definitions to
- the SSPI module, as a) these can be used by other SSPI based providers
- and b) the ISC required attributes are defined there.
+ Reported-by: zelinchen@users.noreply.github.com
+ Fixes #1229
-- [Bill Nagel brought this change]
+Jay Satiro (11 Feb 2017)
+- tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT
+
+ When CURLE_SSL_CACERT occurs the tool shows a lengthy error message to
+ the user explaining possible solutions such as --cacert and --insecure.
+
+ This change appends to that message similar options --proxy-cacert and
+ --proxy-insecure when there's a specified HTTPS proxy.
+
+ Closes https://github.com/curl/curl/issues/1258
- smb: Close the connection after a failed client write
+Daniel Stenberg (10 Feb 2017)
+- cmdline-opts/page-footer: ftp.sunet.se is no longer an FTP mirror
-- darwinssl: Fixed compilation warning
+- URL: only accept ";options" in SMTP/POP3/IMAP URL schemes
- vtls.c:683:43: warning: unused parameter 'data'
+ Fixes #1252
-- sockfilt.c: Fixed compilation warnings
+Jay Satiro (9 Feb 2017)
+- cmdline-opts/socks*: Mention --preproxy in --socks* opts
- sockfilt.c:288: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:291: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:323: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:326: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
-
-- test1509: Fixed compilation warning
+ - Document in --socks* opts they're still mutually exclusive of --proxy.
- lib1509.c:93:18: warning: conversion to 'long int' from 'size_t' may
- alter its value
-
-- test556: Fixed compilation warning
+ Partial revert of 423a93c; I had misinterpreted the SOCKS proxy +
+ HTTP/HTTPS proxy combination.
- lib556.c:90: warning: conversion to 'unsigned int' from 'size_t' may
- alter its value
+ - Document in --socks* opts that --preproxy can be used to specify a
+ SOCKS proxy at the same time --proxy is used with an HTTP/HTTPS proxy.
-- sasl_gssapi: Fixed use of dummy username with real username
+Daniel Stenberg (9 Feb 2017)
+- CURLOPT_SSL_VERIFYPEER.3: also the https proxy version
-- vtls: Fixed compilation warning and an ignored return code
+Kamil Dudka (9 Feb 2017)
+- nss: make FTPS work with --proxytunnel
- curl_schannel.h:123: warning: right-hand operand of comma expression
- has no effect
+ If the NSS code was in the middle of a non-blocking handshake and it
+ was asked to finish the handshake in blocking mode, it unexpectedly
+ continued in the non-blocking mode, which caused a FTPS connection
+ over CONNECT to fail with "(81) Socket not ready for send/recv".
- Some instances of the curlssl_close_all() function were declared with a
- void return type whilst others as int. The schannel version returned
- CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the
- return code was ignored by the calling function Curl_ssl_close_all().
+ Bug: https://bugzilla.redhat.com/1420327
+
+Daniel Stenberg (9 Feb 2017)
+- examples/multithread.c: link to our multi-thread docs
- For the time being and to keep the internal API consistent, changed all
- declarations to use a void return type.
+ ... instead of the OpenSSL mutex page.
+
+- http_proxy: avoid freeing static memory
- To reduce code we might want to consider removing the unimplemented
- versions and use a void #define like schannel does.
+ Follow up to 7fe81ec298e0: make sure 'host' is either NULL or malloced.
-Daniel Stenberg (28 Dec 2014)
-- TODO: 2.3 Better support for same name resolves
+- [Cameron MacMinn brought this change]
-Steve Holme (28 Dec 2014)
-- test1520: Fixed initial teething problems
+ http_proxy: Fix tiny memory leak upon edge case connecting to proxy
- * Missing initialisation of upload status caused a seg fault
- * Missing data termination caused corrupt data to be uploaded
- * Data verification should be performed in <upload> element
- * Added missing recipient list cleanup
+ Fixes #1255
-- test1520: Fixed compilation errors
+Michael Kaufmann (8 Feb 2017)
+- polarssl, mbedtls: Fix detection of pending data
+
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html
-- tests: Added test for bug #1456
+Dan Fandrich (7 Feb 2017)
+- test1139: Added the --manual keyword since the manual is required
-- checksrc.bat: Fixed a problem opening files with spaces in the filename
+Daniel Stenberg (7 Feb 2017)
+- RELEASE-NOTES: synced with 102454459dd688c
-- openldap: Prefer use of 'CURLcode result'
+- THANKS-filter: polish some recent contributors
-- openldap: Use 'LDAPMessage *msg' for messages
+- http2: reset push header counter fixes crash
- This frees up the 'result' variable for CURLcode based result codes.
-
-- nss: Don't ignore Curl_extract_certinfo() OOM failure
+ When removing an easy handler from a multi before it completed its
+ transfer, and it had pushed streams, it would segfault due to the pushed
+ counted not being cleared.
+
+ Fixed-by: zelinchen@users.noreply.github.com
+ Fixes #1249
-- nss: Don't ignore Curl_ssl_init_certinfo() OOM failure
+- [Markus Westerlind brought this change]
-- nss: Use 'CURLcode result' for curl result codes
+ transfer: only retry nobody-requests for HTTP
- ...and don't use CURLE_OK in failure/success comparisons.
-
-- getinfo: Code style policing
+ Using sftp to delete a file with CURLOPT_NOBODY set with a reused
+ connection would fail as curl expected to get some data. Thus it would
+ retry the command again which fails as the file has already been
+ deleted.
+
+ Fixes #1243
-- getinfo: Use 'CURLcode result' for curl result codes
+Jay Satiro (7 Feb 2017)
+- [Daniel Gustafsson brought this change]
-- darwinssl: Use 'CURLcode result' for curl result codes
+ telnet: Fix typos
+
+ Ref: https://github.com/curl/curl/pull/1245
-- polarssl: Use 'CURLcode result' for curl result codes
+- [Daniel Gustafsson brought this change]
-- docs: Updated following the addition of SASL GSSAPI via GSS-API libraries
+ test552: Fix typos
- As this feature has been implemented for 7.40.0.
+ Closes https://github.com/curl/curl/pull/1245
-- asiohiper.cpp: No need to initialise members of ConnInfo
-
- ...as calloc() automatically clears the area of memory with zeros.
+- [Daniel Gustafsson brought this change]
-- asiohiper.cpp: Updated for curl coding standards
+ darwinssl: Avoid parsing certificates when not in verbose mode
- ...with the exception of the start of block statement curly brackets.
-
-- code/docs: Use correct case for IPv4 and IPv6
+ The information extracted from the server certificates in step 3 is only
+ used when in verbose mode, and there is no error handling or validation
+ performed as that has already been done. Only run the certificate
+ information extraction when in verbose mode and libcurl was built with
+ verbose strings.
- For consistency, as we seem to have a bit of a mixed bag, changed all
- instances of ipv4 and ipv6 in comments and documentations to use the
- correct case.
+ Closes https://github.com/curl/curl/pull/1246
-- runtests: Fixed detection of Unix Sockets feature
-
- ...following change in curl --version output.
+- [JDepooter brought this change]
-- code/docs: Use Unix rather than UNIX to avoid use of the trademark
+ schannel: Remove incorrect SNI disabled message
- Use Unix when generically writing about Unix based systems as UNIX is
- the trademark and should only be used in a particular product's name.
-
-- ip2ip.c: Fixed compilation warning when IPv6 Scope ID not supported
+ - Remove the SNI disabled when host verification disabled message
+ since that is incorrect.
- if2ip.c:119: warning: unused parameter 'remote_scope_id'
+ - Show a message for legacy versions of Windows <= XP that connections
+ may fail since those versions of WinSSL lack SNI, algorithms, etc.
- ...and some minor code style policing in the same function.
+ Bug: https://github.com/curl/curl/pull/1240
-- vtls: Don't set cert info count until memory allocation is successful
-
- Otherwise Curl_ssl_init_certinfo() can fail and set the num_of_certs
- member variable to the requested count, which could then be used
- incorrectly as libcurl closes down.
+Daniel Stenberg (7 Feb 2017)
+- CHANGES: spell fix, use correct path to script
-- vtls: Use CURLcode for Curl_ssl_init_certinfo() return type
+- CHANGES.0: removed
- The return type for this function was 0 on success and 1 on error. This
- was then examined by the calling functions and, in most cases, used to
- return CURLE_OUT_OF_MEMORY.
-
- Instead use CURLcode for the return type and return the out of memory
- error directly, propagating it up the call stack.
+ This is the previously manually edited changelog, not touched since Aug
+ 2015. Still present in git for those who wants it.
+
+Dan Fandrich (6 Feb 2017)
+- cmdline-opts: Fixed build and test in out of source tree builds
-- configure: Use camel case for UNIX sockets feature output
+Viktor Szakats (6 Feb 2017)
+- use *.sourceforge.io and misc URL updates
- To match the curl --version output.
+ Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/
+ Closes: https://github.com/curl/curl/pull/1247
-Marc Hoersken (26 Dec 2014)
-- sockfilt.c: Reduce the number of individual memory allocations
+Jay Satiro (6 Feb 2017)
+- docs: Add more HTTPS proxy documentation
- Merge multiple internal arrays into one, even if some variables
- will not not be used. They are all created with the number of
- file descriptors as their size.
+ - Document HTTPS proxy type.
- Also fix possible thread handle leak in CloseHandle-loop.
-
-- sockfilt.c: Replace 100ms sleep with thread throttle
+ - Document --write-out %{proxy_ssl_verify_result}.
- Improves performance of test cases 574 and 575 by 50%.
+ - Document SOCKS proxy + HTTP/HTTPS proxy combination.
- A value of zero causes the thread to relinquish the remainder
- of its time slice to any other thread of equal priority that is
- ready to run. If there are no other threads of equal priority
- ready to run, the function returns immediately, and the thread
- continues execution.
+ HTTPS proxy support was added in 7.52.0 for OpenSSL, GnuTLS and NSS.
- http://msdn.microsoft.com/library/windows/desktop/ms686307.aspx
+ Ref: https://github.com/curl/curl/commit/cb4e2be
-Steve Holme (25 Dec 2014)
-- tool_help: Use camel case for UNIX sockets feature output
+- OS400: Fix symbols
- In line with the other features listed in the --version output,
- capitalise the UNIX socket feature.
-
-- vtls: Use bool for Curl_ssl_getsessionid() return type
+ - s/CURLOPT_SOCKS_PROXY/CURLOPT_PRE_PROXY
+ Follow-up to 7907a2b and 845522c.
- The return type of this function is a boolean value, and even uses a
- bool internally, so use bool in the function declaration as well as
- the variables that store the return value, to avoid any confusion.
-
-- schannel: Minor code style policing for casts
+ - Fix incorrect id for CURLOPT_PROXY_PINNEDPUBLICKEY.
+
+ - Add id for CURLOPT_ABSTRACT_UNIX_SOCKET.
+
+ Bug: https://github.com/curl/curl/issues/1237
+ Reported-by: jonrumsey@users.noreply.github.com
-- schannel: Prefer 'CURLcode result' for curl result codes
+- [Sean Burford brought this change]
-- cyassl: Prefer 'CURLcode result' for curl result codes
+ cmake: Support curl --xattr when built with cmake
+
+ - Test for and set HAVE_FSETXATTR when support for extended file
+ attributes is present.
+
+ Closes https://github.com/curl/curl/pull/1176
-- tool_xattr: Use 'CURLcode result' for curl result codes
+- [Adam Langley brought this change]
-- curl_ntlm_core.c: Fixed compilation warnings
+ openssl: Don't use certificate after transferring ownership
- curl_ntlm_core.c:301: warning: pointer targets in passing argument 2 of
- 'CryptImportKey' differ in signedness
- curl_ntlm_core.c:310: warning: passing argument 6 of 'CryptEncrypt' from
- incompatible pointer type
- curl_ntlm_core.c:540: warning: passing argument 4 of 'CryptGetHashParam'
- from incompatible pointer type
-
-- RELEASE-NOTES: Synced with 8830df8b66
+ SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
+ while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
+ it's best to call SSL_CTX_add_client_CA before
+ SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
+ argument.
+
+ Closes https://github.com/curl/curl/pull/1236
-- gtls: Use preferred 'CURLcode result'
+Daniel Stenberg (29 Jan 2017)
+- [Antoine Aubert brought this change]
-- openldap: Use standard naming for setup connection function
+ mbedtls: implement CTR-DRBG and HAVEGE random generators
- Renamed ldap_setup() to ldap_setup_connection() to follow more widely
- used function naming.
+ closes #1227
-- rtmp: Use standard naming for setup connection function
+- docs: we no longer ship HTML versions of man pages
- Renamed rtmp_setup() to rtmp_setup_connection() to follow more widely
- used function naming.
+ ... refer to the web site for the web versions.
+
+- [railsnewbie257 brought this change]
-- smb: Use standard naming for setup connection function
+ docs: proofread README.netware README.win32
- Renamed smb_setup() to smb_setup_connection() to follow more widely
- used function naming.
+ Closes #1231
-- config-win32.h: Fixed line length > 79 columns
+- RELEASE-NOTES; synced with ab08d82648
-- openssl: Prefer we don't use NULL in comparisons
+Michael Kaufmann (28 Jan 2017)
+- mbedtls: disable TLS session tickets
+
+ SSL session reuse with TLS session tickets is not supported yet.
+ Use SSL session IDs instead.
+
+ See https://github.com/curl/curl/issues/1109
-- build: Removed WIN32 definition from the Visual Studio projects
+- gnutls: disable TLS session tickets
- As this pre-processor definition is defined in curl_setup.h there is no
- need to include it in the Visual Studio project files.
+ SSL session reuse with TLS session tickets is not supported yet.
+ Use SSL session IDs instead.
+
+ Fixes https://github.com/curl/curl/issues/1109
-- build: Removed WIN64 definition from the libcurl Visual Studio projects
+- polarssl: fix hangs
- Removed the WIN64 pre-processor definition from the libcurl project
- files as:
+ This bugfix is similar to commit c111178bd4.
+
+Daniel Stenberg (27 Jan 2017)
+- cookies: do not assume a valid domain has a dot
- * WIN64 is not used in our source code
- * The curl projects files don't define it
- * It isn't required by or used in the platform SDK
- * For backwards compatability curl_setup.h defines WIN32
- * The compiler automatically defines _WIN64 for x64 builds
+ This repairs cookies for localhost.
- Historically Visual Studio projects have defined WIN32, in addition to
- the compiler defined _WIN32 definition, and I had incorrectly changed
- that to WIN64 for the x64 libcurl builds but not in the curl projects.
+ Non-PSL builds will now only accept "localhost" without dots, while PSL
+ builds okeys everything not listed as PSL.
- As such, it is questionable whether this should be defined or not. For
- more information see the following cache of a discussion that took
- place on the microsoft.public.vc.mfc newsgroup:
+ Added test 1258 to verify.
- http://www.tech-archive.net/Archive/VC/microsoft.public.vc.mfc/2008-06/msg00074.html
+ This was a regression brought in a76825a5efa6b4
-- openssl.c Fix for compilation errors with older versions of OpenSSL
+- TODO: remove "Support TLS v1.3"
- openssl.c:1408: error: 'TLS1_1_VERSION' undeclared
- openssl.c:1411: error: 'TLS1_2_VERSION' undeclared
+ Support is trickling in already.
-Daniel Stenberg (22 Dec 2014)
-- [John Malmberg brought this change]
+- [railsnewbie257 brought this change]
- Fix comment edit in vms/backup_gnv_curl_src.com
+ INTERNALS.md: language improvements
- packages/vms/backup_gnv_curl_src.com: Originally copied from Bash port.
+ Closes #1226
-- curl: show size of inhibited data when using -v
+- telnet: fix windows compiler warnings
- To offer some more info and yet it doesn't use more lines.
-
-- openssl: fix SSL/TLS versions in verbose output
-
-- openssl: make it compile against openssl 1.1.0-DEV master branch
-
-Marc Hoersken (22 Dec 2014)
-- sshserver.pl: clarify and streamline variable names
-
-Daniel Stenberg (21 Dec 2014)
-- openssl: warn for SRP set if SSLv3 is used, not for TLS version
+ Thumbs-up-by: Jay Satiro
- ... as it requires TLS and it was was left to warn on the default from
- when default was SSL...
+ Closes #1225
-- smb: use memcpy() instead of strncpy()
+- VC: remove the makefile.vc6 build infra
- ... as it never copies the trailing zero anyway and always just the four
- bytes so let's not mislead anyone into thinking it is actually treated
- as a string.
+ The winbuild/ build files is now the single MSVC makefile build choice.
- Coverity CID: 1260214
+ Closes #1215
-- [John E. Malmberg brought this change]
+- [Jay Satiro brought this change]
- VMS: Updates for 0740-0D1220
-
- lib/setup-vms.h : VAX HP OpenSSL port is ancient, needs help.
- More defines to set symbols to uppercase.
-
- src/tool_main.c : Fix parameter to vms_special_exit() call.
-
- packages/vms/ :
- backup_gnv_curl_src.com : Fix the error message to have the correct package.
+ cmdline-opts/gen.pl: Open input files in CRLF mode
- build_curl-config_script.com : Rewrite to be more accurate.
+ On Windows it's possible to have input files with CRLF line endings and
+ a perl that defaults to LF line endings (eg msysgit). Currently that
+ results in generator output of mixed line endings of CR, LF and CRLF.
- build_libcurl_pc.com : Use tool_version.h now.
-
- build_vms.com : Fix to handle lib/vtls directory.
+ This change fixes that issue in the most succinct way by opening the
+ files in :crlf text mode even when the perl being used does not default
+ to that mode. (On operating systems that don't have a separate text mode
+ it's essentially a no-op.) The output continues to be in the perl's
+ native line ending.
+
+- docs/curl.1: generate from the cmdline-opts script
+
+- vtls: source indentation fix
+
+- contri*.sh: cut off parentheses from names too
+
+- RELEASE-NOTES: synced with 01ab7c30bba6f
+
+- vtls: fix PolarSSL non-blocking handling
- curl_gnv_build_steps.txt : Updated build procedure documentation.
+ A regression brought in cb4e2be
- generate_config_vms_h_curl.com :
- * VAX does not support 64 bit ints, so no NTLM support for now.
- * VAX HP SSL port is ancient, needs some help.
- * Disable NGHTTP2 for now, not ported to VMS.
- * Disable UNIX_SOCKETS, not available on VMS yet.
- * HP GSSAPI port does not have gss_nt_service_name.
+ Reported-by: Michael Kaufmann
+ Bug: https://github.com/curl/curl/issues/1174#issuecomment-274018791
+
+- [Antoine Aubert brought this change]
+
+ vtls: fix mbedtls multi non blocking handshake.
- gnv_link_curl.com : Update for new curl structure.
+ When using multi, mbedtls handshake is in non blocking mode. vtls must
+ set wait for read/write flags for the socket.
- pcsi_product_gnv_curl.com : Set up to optionally do a complete build.
+ Closes #1223
-Marc Hoersken (21 Dec 2014)
-- sockfilt.c: use non-Ex functions that are available before WinXP
-
- It was initially reported by Guenter that GetFileSizeEx
- requires (_WIN32_WINNT >= 0x0500) to be true.
+- [Richy Kim brought this change]
-- tests: use Cygwin-style paths in SSH, SSHD and SFTP config files
+ CURLOPT_BUFFERSIZE: support enlarging receive buffer
- Second patch to enable Windows support using Cygwin-based OpenSSH.
+ Replace use of fixed macro BUFSIZE to define the size of the receive
+ buffer. Reappropriate CURLOPT_BUFFERSIZE to include enlarging receive
+ buffer size. Upon setting, resize buffer if larger than the current
+ default size up to a MAX_BUFSIZE (512KB). This can benefit protocols
+ like SFTP.
- Tested with CopSSH 5.0.0 free edition using an msys shell on Windows 7.
+ Closes #1222
-- tests: support spaces in paths to SSH, SSHD and SFTP binaries
+- sws: use SOCKERRNO, not errno
- First patch to enable Windows support using Cygwin-based OpenSSH.
+ Reported-by: Gisle Vanem
-Steve Holme (20 Dec 2014)
-- non-ascii: Reduce variable usage
+Michael Kaufmann (19 Jan 2017)
+- KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
- Removed 'next' variable in Curl_convert_form(). Rather than setting it
- from 'form->next' and using that to set 'form' after the conversion
- just use 'form = form->next' instead.
+ This has been implemented with commit 9ad034e.
-- non-ascii: Prefer while loop rather than a do loop
+Viktor Szakats (19 Jan 2017)
+- *.rc: escape non-ASCII/non-UTF-8 character for clarity
- This also removes the need to check that the 'form' argument is valid.
+ Closes https://github.com/curl/curl/pull/1217
-- non-ascii: Reduce variable scope
+Kamil Dudka (19 Jan 2017)
+- docs: non-blocking SSL handshake is now supported with NSS
- As 'result' isn't used out side the conversion callback code and
- previously caused variable shadowing in the libiconv based code.
-
-- non-ascii: We prefer 'CURLcode result'
+ Implemented since curl-7_36_0-130-g8868a22
- This also fixes a variable shadowing issue when HAVE_ICONV is defined
- as rc was declared for the result code of libiconv based functions.
+ Reported-by: Fahim Chandurwala
-Marc Hoersken (19 Dec 2014)
-- secureserver.pl: clean up formatting of config and fix verbose output
+Michael Kaufmann (18 Jan 2017)
+- CURLOPT_CONNECT_TO: Fix compile warnings
- Verbose output was not matching the actual configuration file,
- because FIPS and Windows conditions were ignored.
+ Fix compile warnings that appeared only when curl has been configured
+ with '--disable-verbose'.
-- secureserver.pl: update Windows detection and fix path conversion
+Daniel Stenberg (18 Jan 2017)
+- usercertinmem.c: improve the short description
-- secureserver.pl: make OpenSSL CApath and cert absolute path values
+- parseurl: move back buffer to function scope
- Recent stunnel versions (5.08) seem to have trouble with relative
- paths on Windows. This turns the relative paths into absolute ones.
-
-Patrick Monnerat (18 Dec 2014)
-- if2ip: dummy scope parameter for Curl_if2ip() call in SIOCGIFADDR-enabled code.
-
-- [Kyle J. McKay brought this change]
-
- parseurlandfillconn(): fix improper non-numeric scope_id stripping.
- Fixes SF bug 1149: http://sourceforge.net/p/curl/bugs/1449/
-
-- IPV6: address scope != scope id
- There was a confusion between these: this commit tries to disambiguate them.
- - Scope can be computed from the address itself.
- - Scope id is scope dependent: it is currently defined as 1-based local
- interface index for link-local scoped addresses, and as a site index(?) for
- (obsolete) site-local addresses. Linux only supports it for link-local
- addresses.
- The URL parser properly parses a scope id as an interface index, but stores it
- in a field named "scope": confusion. The field has been renamed into "scope_id".
- Curl_if2ip() used the scope id as it was a scope. This caused failures
- to bind to an interface.
- Scope is now computed from the addresses and Curl_if2ip() matches them.
- If redundantly specified in the URL, scope id is check for mismatch with
- the interface index.
+ Regression since 1d4202ad, which moved the buffer into a more narrow
+ scope, but the data in that buffer was used outside of that more narrow
+ scope.
- This commit should fix SF bug #1451.
-
-- connect: singleipconnect(): properly try other address families after failure
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0093.html
-Daniel Stenberg (16 Dec 2014)
-- SFTP: work-around servers that return zero size on STAT
+Jay Satiro (17 Jan 2017)
+- openssl: Fix random generation
- Bug: http://curl.haxx.se/mail/lib-2014-12/0103.html
- Pathed-by: Marc Renault
+ - Fix logic error in Curl_ossl_random.
+
+ Broken a few days ago in 807698d.
-- glob_next_url: make the loop count upwards
+Daniel Stenberg (17 Jan 2017)
+- TODO: share OpenSSL contexts
+
+ By supporting this, subsequent connects would load a lot less data from
+ disk.
- As the former contruct apparently caused a compiler warning, mentioned
- in d8efde07e556c.
+ Closes #1110
-- tool_operate: we prefer 'CURLcode result'
+- bump: next release will be 7.53.0
-- tool_urlglob: unify return codes to use CURLcode
-
- There was a mix of GlobCode, CURLcode and ints and they were mostly
- passing around CURLcode errors. This change makes the functions use only
- CURLcode and removes the GlobCode type completely.
+Kamil Dudka (15 Jan 2017)
+- nss: use the correct lock in nss_find_slot_by_name()
-- tool_urlglob.c: partly reverse dc19789444
+Alessandro Ghedini (15 Jan 2017)
+- http2: disable server push if not requested
- The loop in glob_next_url() needs to be done backwards to maintain the
- logic. dc19789444 caused test 1235 to fail.
+ Ref: https://github.com/curl/curl/pull/1160
-- KNOWN_BUGS: the SFTP code doesn't support CURLINFO_FILETIME
+Daniel Stenberg (14 Jan 2017)
+- [railsnewbie257 brought this change]
-- [Jay Satiro brought this change]
+ docs: improved language in README.md HISTORY.md CONTRIBUTE.md
+
+ Closes #1211
- opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
+Alessandro Ghedini (14 Jan 2017)
+- http: print correct HTTP string in verbose output when using HTTP/2
- Change CURLOPT_TIMEOUT doc to warn that if CURLOPT_TIMEOUT and
- CURLOPT_TIMEOUT_MS are both set whichever one is set last is the one
- that will be used.
+ Before:
+ ```
+ % src/curl https://sigsegv.ninja/ -v --http2
+ ...
+ > GET / HTTP/1.1
+ > Host: sigsegv.ninja
+ > User-Agent: curl/7.52.2-DEV
+ > Accept: */*
+ >
+ ...
+ ```
- Prior to this change that behavior was only noted in the
- CURLOPT_TIMEOUT_MS doc.
+ After:
+ ```
+ % src/curl https://sigsegv.ninja/ -v --http2
+ ...
+ > GET / HTTP/2
+ > Host: sigsegv.ninja
+ > User-Agent: curl/7.52.2-DEV
+ > Accept: */*
+ >
+ ```
-Nick Zitzmann (15 Dec 2014)
-- darwinssl: fix incorrect usage of aprintf()
+Daniel Stenberg (14 Jan 2017)
+- TODO: send only part of --data
- Commit b13923f changed an snprintf() to use aprintf(), but the API usage
- wasn't correct, and was causing a crash to occur. This fixes it.
+ Closes #1200
-Steve Holme (14 Dec 2014)
-- copyright: Updated the copyright year following recent updates
+- TODO: implemened "--fail-fast to exit on first transfer fail"
+
+ Even though it is called --fail-early
-Daniel Stenberg (14 Dec 2014)
-- tool_urlglob.c: reverse two loops
+- TODO: Chunked transfer multipart formpost
- By counting from 0 and up instead of backwards like before, we remove
- the need for the "funny" check of the unsigned variable when decreased
- passed zero. Easier to read and less risk for compiler warnings.
+ Closes #1139
-Marc Hoersken (14 Dec 2014)
-- tool_urlglob.c: Added braces to clarify the conditions
+- TODO: Improve formpost API, not just add an easy argument
-- tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
+- addrinfo: fix compiler warning on offsetof() use
- The >= 0 is actually not required, since i underflows and
- the for-loop is stopped using the < condition, but this
- makes the VS2012 compiler and code analysis happy.
-
-- tool_binmode.c: Explicitly ignore the return code of setmode
+ curl_addrinfo.c:519:20: error: conversion to ‘curl_socklen_t {aka
+ unsigned int}’ from ‘long unsigned int’ may alter its value
+ [-Werror=conversion]
- Fixes code analysis warning C6031:
- return value ignored: <function> could return unexpected value
+ Follow-up to 1d786faee1046f
-- lib: Fixed multiple code analysis warnings if SAL are available
-
- warning C28252: Inconsistent annotation for function:
- parameter has another annotation on this instance
+- THANKS-filter: Jiri Malak
-Steve Holme (14 Dec 2014)
-- smb.c: Fixed code analysis warning
-
- smb.c:320: warning C6297: Arithmetic overflow: 32-bit value is shifted,
- then cast to 64-bit value. Result may not be an expected
- value
+- RELEASE-NOTES: synced with a7c73ae309c
-Marc Hoersken (14 Dec 2014)
-- tool_util.c: Use GetTickCount64 if it is available
+Peter Wu (13 Jan 2017)
+- [Isaac Boukris brought this change]
-Steve Holme (14 Dec 2014)
-- smb: Use HAVE_PROCESS_H for process.h inclusion
+ unix_socket: add support for abstract unix domain socket
- Rather than testing against _WIN32 use the preferred HAVE_PROCESS_H
- pre-processor define when including process.h.
-
-Daniel Stenberg (14 Dec 2014)
-- darwinssl: aprintf() to allocate the session key
+ In addition to unix domain sockets, Linux also supports an
+ abstract namespace which is independent of the filesystem.
- ... to avoid using a fixed memory size that risks being too large or too
- small.
-
-Marc Hoersken (14 Dec 2014)
-- curl_schannel: Improvements to memory re-allocation strategy
+ In order to support it, add new CURLOPT_ABSTRACT_UNIX_SOCKET
+ option which uses the same storage as CURLOPT_UNIX_SOCKET_PATH
+ internally, along with a flag to specify abstract socket.
- - do not grow memory by doubling its size
- - do not leak previously allocated memory if reallocation fails
- - replace while-loop with a single check to make sure
- that the requested amount of data fits into the buffer
+ On non-supporting platforms, the abstract address will be
+ interpreted as an empty string and fail gracefully.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1450
- Reported-by: Warren Menzer
-
-Steve Holme (14 Dec 2014)
-- asyn-ares: We prefer use of 'CURLcode result'
+ Also add new --abstract-unix-socket tool parameter.
+
+ Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+ Reported-by: Chungtsun Li (typeless)
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Peter Wu
+ Closes #1197
+ Fixes #1061
-Marc Hoersken (14 Dec 2014)
-- curl_schannel.c: Data may be available before connection shutdown
+Daniel Stenberg (13 Jan 2017)
+- write-out.d: 'time_total' is not always shown with ms precision
+
+ We have higher resolution since 7.52.0
-Steve Holme (14 Dec 2014)
-- http2: Use 'CURLcode result' for curl result codes
+- next.d: --trace and --trace-ascii are also global
-- asyn-thread: We prefer 'CURLcode result'
+- [Isaac Boukris brought this change]
-- smb: Fixed unnecessary initialisation of struct member variables
+ curl: reset the easy handle at --next
- There is no need to set the 'state' and 'result' member variables to
- SMB_REQUESTING (0) and CURLE_OK (0) after the allocation via calloc()
- as calloc() initialises the contents to zero.
+ So that only "global" options (verbose mostly) survive into the next
+ transfer, and the others have to be set again unless default is fine.
-- ntlm: Fixed return code for bad type-2 Target Info
-
- Use CURLE_BAD_CONTENT_ENCODING for bad type-2 Target Info security
- buffers just like we do for bad decodes.
+- [Frank Gevaerts brought this change]
-- ntlm: Remove unnecessary casts in readshort_le()
+ docs: Add note about libcurl copying strings to CURLOPT_* manpages
- I don't think both of my fix ups from yesterday were needed to fix the
- compilation warning, so remove the one that I think is unnecessary and
- let the next Android autobuild prove/disprove it.
+ Closes #1169
-- curl_ntlm_msgs.c: Another attempt to fix compilation warning
-
- curl_ntlm_msgs.c:170: warning: conversion to 'short unsigned int' from
- 'int' may alter its value
+- [Frank Gevaerts brought this change]
-Guenter Knauf (13 Dec 2014)
-- synctime.c: added own user-agent string.
+ CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char*
-Steve Holme (13 Dec 2014)
-- smb.c: Fixed line longer than 79 columns
+- IDN: Use TR46 non-transitional
+
+ Assisted-by: Tim Rühsen
-- curl_ntlm_msgs.c: Fixed compilation warning from commit 783b5c3b11
+- IDN: revert use of the transitional option
- curl_ntlm_msgs.c:169: warning: conversion to 'short unsigned int' from
- 'int' may alter its value
+ It made the german ß get converted to ss, IDNA2003 style, and we can't
+ have that for the .de TLD - a primary reason for our switch to IDNA2008.
+
+ Test 165 verifies.
-Guenter Knauf (13 Dec 2014)
-- mk-ca-bundle.pl: restored forced run again.
+- [Tim Rühsen brought this change]
-- synctime.c: removed another timeserver URL.
+ IDN: Fix compile time detection of linidn2 TR46
- worldtimeserver.com seems also no longer available.
-
-- synctime.c: fixed timeserver URLs.
+ Follow-up to f30cbcac1
- For getting the date header its not necessary to access special
- pages or even CGI scripts - all pages including the main index
- reply with the date header, therefore shortened URLs to domain.
- Removed worldtime.com; added pool.ntp.org.
+ Closes #1207
-Steve Holme (13 Dec 2014)
-- ftp.c: Fixed compilation warning when no verbose string support
-
- ftp.c:819: warning: unused parameter 'lineno'
+- [ERAMOTO Masaya brought this change]
-- smb: Added state change functions to assist with debugging
+ url: --noproxy option overrides NO_PROXY environment variable
- For debugging purposes, and as per other protocols within curl, added
- state change functions rather than changing the states directly.
-
-- ntlm: Use short integer when decoding 16-bit values
+ Under condition using http_proxy env var, noproxy list was the
+ combination of --noproxy option and NO_PROXY env var previously. Since
+ this commit, --noproxy option overrides NO_PROXY environment variable
+ even if use http_proxy env var.
+
+ Closes #1140
-- RELEASE-NOTES: Synced with 6291a16b20
+- [ERAMOTO Masaya brought this change]
-- smtp.c: Fixed compilation warnings
+ url: Refactor detect_proxy()
- smtp.c:2357 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
- smtp.c:2375 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
- smtp.c:2386 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
+ If defined CURL_DISABLE_HTTP, detect_proxy() returned NULL. If not
+ defined CURL_DISABLE_HTTP, detect_proxy() checked noproxy list.
- Used array index notation instead.
+ Thus refactor to set proxy to NULL instead of calling detect_proxy() if
+ define CURL_DISABLE_HTTP, and refactor to call detect_proxy() if not
+ define CURL_DISABLE_HTTP and the host is not in the noproxy list.
-- smb: Disable SMB when 64-bit integers are not supported
-
- This fixes compilation issues with compilers that don't support 64-bit
- integers through long long or __int64.
+- [ERAMOTO Masaya brought this change]
-- ntlm: Disable NTLM v2 when 64-bit integers are not supported
+ url: Fix NO_PROXY env var to work properly with --proxy option.
- This fixes compilation issues with compilers that don't support 64-bit
- integers through long long or __int64 which was introduced in commit
- 07b66cbfa4.
+ The combination of --noproxy option and http_proxy env var works well
+ both for proxied hosts and non-proxied hosts.
+
+ However, when combining NO_PROXY env var with --proxy option,
+ non-proxied hosts are not reachable while proxied host is OK.
+
+ This patch allows us to access non-proxied hosts even if using NO_PROXY
+ env var with --proxy option.
-- ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
+- [Tim Rühsen brought this change]
+
+ IDN: Use TR46 'transitional' for toASCII translations
+
+ References: http://unicode.org/faq/idn.html
+ http://unicode.org/reports/tr46
- Previously USE_NTLM2SESSION would only be defined automatically when
- USE_NTRESPONSES wasn't already defined. Separated the two definitions
- so that the user can manually set USE_NTRESPONSES themselves but
- USE_NTLM2SESSION is defined automatically if they don't define it.
+ Closes #1206
-- smtp.c: Fixed line longer than 79 columns
+- [railsnewbie257 brought this change]
-- config-win32.h: Don't enable Windows Crypt API if using OpenSSL
+ docs: FAQ MAIL-ETIQUETTE language fixes
- As the OpenSSL and NSS Crypto engines are prefered by the core NTLM
- routines, to the Windows Crypt API, don't define USE_WIN32_CRYPT
- automatically when either OpenSSL or NSS are in use - doing so would
- disable NTLM2Session responses in NTLM type-3 messages.
+ Closes #1194
-- smtp: Fixed inappropriate free of the scratch buffer
+- [Marcus Hoffmann brought this change]
+
+ gnutls: check for alpn and ocsp in configure
+
+ Check for presence of gnutls_alpn_* and gnutls_ocsp_* functions during
+ configure instead of relying on the version number. GnuTLS has options
+ to turn these features off and we ca just work with with such builds
+ like we work with older versions.
- If the scratch buffer was allocated in a previous call to
- Curl_smtp_escape_eob(), a new buffer not allocated in the subsequent
- call and no action taken by that call, then an attempt would be made to
- try and free the buffer which, by now, would be part of the data->state
- structure.
+ Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com>
- This bug was introduced in commit 4bd860a001.
+ Closes #1204
-- smtp: Fixed dot stuffing when EOL characters were at end of input buffers
+Jay Satiro (12 Jan 2017)
+- url: Fix parsing for when 'file' is the default protocol
- Fixed a problem with the CRLF. detection when multiple buffers were
- used to upload an email to libcurl and the line ending character(s)
- appeared at the end of each buffer. This meant any lines which started
- with . would not be escaped into .. and could be interpreted as the end
- of transmission string instead.
+ Follow-up to 3463408.
- This only affected libcurl based applications that used a read function
- and wasn't reproducible with the curl command-line tool.
+ Prior to 3463408 file:// hostnames were silently stripped.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1456
- Assisted-by: Patrick Monnerat
-
-Daniel Stenberg (11 Dec 2014)
-- telnet: fix "cast increases required alignment of target type"
-
-- ntlm_wb_response: fix "statement not reached"
+ Prior to this commit it did not work when a schemeless url was used with
+ file as the default protocol.
- ... and I could use a break instead of a goto to end the loop.
+ Ref: https://curl.haxx.se/mail/lib-2016-11/0081.html
+ Closes https://github.com/curl/curl/pull/1124
- Bug: http://curl.haxx.se/mail/lib-2014-12/0089.html
- Reported-by: Tor Arntsen
-
-Steve Holme (10 Dec 2014)
-- RELEASE-NOTES: Synced with 1cc5194337
+ Also fix for drive letters:
- Added some bug fixes that I had missed in previous synchronisations.
-
-Daniel Stenberg (10 Dec 2014)
-- Curl_unix2addr: avoid using the variable name 'sun'
+ - Support --proto-default file c:/foo/bar.txt
- I suspect this causes compile failures on Solaris:
+ - Support file://c:/foo/bar.txt
- Bug: http://curl.haxx.se/mail/lib-2014-12/0081.html
-
-Steve Holme (10 Dec 2014)
-- url.c: Fixed compilation warning when USE_NTLM is not defined
+ - Fail when a file:// drive letter is detected and not MSDOS/Windows.
- url.c:3078: warning: variable 'credentialsMatch' set but not used
+ Bug: https://github.com/curl/curl/issues/1187
+ Reported-by: Anatol Belski
+ Assisted-by: Anatol Belski
-- parsedate.c: Fixed compilation warning
+Daniel Stenberg (12 Jan 2017)
+- rand: make it work without TLS backing
- parsedate.c:548: warning: 'parsed' may be used uninitialized in this
- function
+ Regression introduced in commit f682156a4fc6c4
- As curl_getdate() returns -1 when parsedate() fails we can initialise
- parsed to -1.
+ Reported-by: John Kohl
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html
-Daniel Stenberg (10 Dec 2014)
-- TODO: Cache negative name resolves
+Jay Satiro (12 Jan 2017)
+- STARTTLS: Don't print response character in denied messages
- Worth exploring
-
-- ldap: check Curl_client_write() return codes
+ Both IMAP and POP3 response characters are used internally, but when
+ appended to the STARTTLS denial message likely could confuse the user.
- There might be one or two memory leaks left in the error paths.
+ Closes https://github.com/curl/curl/pull/1203
-- ldap: rename variables to comply to curl standards
-
-Dan Fandrich (10 Dec 2014)
-- sws.c: Fixed 'rc' may be used uninitialized warning
-
-- cookies: Improved OOM handling in cookies
+- smtp: Fix STARTTLS denied error message
- This fixes the test 506 torture test. The internal cookie API really
- ought to be improved to separate cookie parsing errors (which may be
- ignored) with OOM errors (which should be fatal).
+ - Format the numeric denial code as an integer instead of a character.
-Guenter Knauf (9 Dec 2014)
-- synctime.c: fixed user-agent setting.
+Daniel Stenberg (11 Jan 2017)
+- http2_send: avoid unsigned integer wrap around
- Some websites meanwhile refuse to reply to requests from ancient
- browsers like IE6, therefore I've comment out this setting, but
- also fixed the string to now fake IE8 if someone enables it.
-
-Daniel Stenberg (9 Dec 2014)
-- smb: fix unused return code warning
-
-Patrick Monnerat (9 Dec 2014)
-- Curl_client_write() & al.: chop long data, convert data only once.
+ ... when checking for a too large request.
-Guenter Knauf (9 Dec 2014)
-- VC build: added sspi define for winssl-zlib builds.
+Jay Satiro (9 Jan 2017)
+- [Jiri Malak brought this change]
-Daniel Stenberg (9 Dec 2014)
-- schannel_recv: return the correct code
+ cmake: Fix passing _WINSOCKAPI_ macro to compiler
- Bug: http://curl.haxx.se/bug/view.cgi?id=1462
- Reported-by: Tae Hyoung Ahn
-
-- http2: avoid logging neg "failure" if h2 was not requested
-
-- openldap: do not ignore Curl_client_write() return codes
-
-- compile: warn on unused return code from Curl_client_write()
-
-Patrick Monnerat (8 Dec 2014)
-- SMB: Fix a data size mismatch that broke SMB on big-endian platforms
+ Define _WINSOCKAPI_ blank rather than to 1 in order to match the value
+ used by Microsoft's winsock header files.
+
+ Closes https://github.com/curl/curl/pull/1195
-Steve Holme (7 Dec 2014)
-- smb: Fixed Windows autoconf builds following commit eb88d778e7
+Daniel Stenberg (9 Jan 2017)
+- sws: retry send() on EWOULDBLOCK
- As Windows based autoconf builds don't yet define USE_WIN32_CRYPTO
- either explicitly through --enable-win32-cypto or automatically on
- _WIN32 based platforms, subsequent builds broke with the following
- error message:
+ Fixes spurious test 1060 and 1061 failures on OpenBSD, Solaris and more.
- "Can't compile NTLM support without a crypto library."
-
-- RELEASE-NOTES: Synced with 526603ff05
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0009.html
+ Reported-by: Christian Weisgerber
-- [Bill Nagel brought this change]
+- RELEASE-NOTES: synced with a41e8592d6b3e58
- smb: Build with SSPI enabled
+- examples: make the C++ examples follow our code style too
- Build SMB/CIFS protocol support when SSPI is enabled.
+ At least mostly, not counting // comments.
-- [Bill Nagel brought this change]
+- [Aulddays brought this change]
- ntlm: Use Windows Crypt API
+ asiohiper: improved socket handling
- Allow the use of the Windows Crypt API for NTLMv1 functions.
-
-Dan Fandrich (7 Dec 2014)
-- cookie.c: Refactored cleanup code to simplify
+ libcurl requires CURLMOPT_SOCKETFUNCTION to KEEP watching socket events
+ and notify back. Modify event_cb() to continue watching events when
+ fired.
- Also, fixed the outdated comments on the cookie API.
+ Fixes #1191
+ Closes #1192
+ Fixed-by: Mingliang Zhu
-- get_url_file_name: Fixed crash on OOM on debug build
-
- This caused a null-pointer dereference which caused a few dozen
- torture tests to fail.
+- [Jiří Malák brought this change]
-Steve Holme (6 Dec 2014)
-- sws.c: Fixed compilation warning
+ lib506: fix build for Open Watcom
- sws.c:2191 warning: 'rc' may be used uninitialized in this function
-
-- ftp.c: Fixed compilation warnings when proxy support disabled
+ Rename symbol lock to locks to not clash with OW CRTL function name.
- ftp.c:1827 warning: unused parameter 'newhost'
- ftp.c:1827 warning: unused parameter 'newport'
+ Closes #1196
-- smb: Fixed a problem with large file transfers
-
- Fixed an issue with the message size calculation where the raw bytes
- from the buffer were interpreted as signed values rather than unsigned
- values.
+- ROADMAP: 2017 cleanup
- Reported-by: Gisle Vanem
- Assisted-by: Bill Nagel
-
-- smb: Moved the URL decoding into a separate function
+ Removed items already fixed, clarified a few others.
-- smb: Fixed URL encoded URLs not working
+- COPYING: update the generic copyright year range
-- Makefile.inc: Added our standard header and updated file formatting
-
-- Makefile.inc: Updated file formatting
+- docs/silent: mention --show-error in --silent description
- Aligned continuation character and used space as the separator
- character as per other makefile files.
+ Reported in #1190
+ Reported-by: Dan Jacobson
-- curl_md4.h: Updated copyright year following recent edit
+- docs/page-header: mention how to disable the progress meter
- ...and minor layout adjustment.
-
-Patrick Monnerat (5 Dec 2014)
-- SMB: Fix big endian problems. Make it OS/400 aware.
+ curl.1 is regenerated
+
+ Fixes #1190
-- OS400: enable NTLM authentication
+Dan Fandrich (7 Jan 2017)
+- wolfssl: display negotiated SSL version and cipher
-Steve Holme (5 Dec 2014)
-- multi.c: Fixed compilation warning
-
- multi.c:2695: warning: declaration of `exp' shadows a global declaration
+- wolfssl: support setting cipher list
-Guenter Knauf (5 Dec 2014)
-- build: updated dependencies in makefiles.
+Patrick Monnerat (6 Jan 2017)
+- CIPHERS.md: document GSKit ciphers
-Steve Holme (5 Dec 2014)
-- sasl: Corrected formatting of function descriptions
+Jay Satiro (5 Jan 2017)
+- [peterpih brought this change]
-- sasl_gssapi: Added missing function description
+ TheArtOfHttpScripting: grammar
-- RELEASE-NOTES: Provided better descriptions
+Nick Zitzmann (3 Jan 2017)
+- darwinssl: --insecure overrides --cacert if both settings are in use
- As it is often difficult to choose the best description for a single
- feature when it spans many commits, updated the descriptions for the
- recent SMB/CIFS protocol and GSS-API additions.
+ Fixes #1184
-- sasl_sspi: Corrected some typos
+Jay Satiro (2 Jan 2017)
+- docs/libcurl: TCP_KEEPALIVE start and interval default to 60
+
+ Since the TCP keep-alive options were added in 705f0f7 the start and
+ interval default values have been 60, but that wasn't documented.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0000.html
+ Reported-by: Praveen Pvs
-- sasl_sspi: Don't use hard coded sizes in Kerberos V5 security data
+Daniel Stenberg (29 Dec 2016)
+- curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
- Don't use a hard coded size of 4 for the security layer and buffer size
- in Curl_sasl_create_gssapi_security_message(), instead, use sizeof() as
- we have done in the sasl_gssapi module.
+ This error code was once introduced when some library was dynamically
+ loaded and a funciton within said library couldn't be found.
-- sasl_sspi: Free the Kerberos V5 challenge as soon as we're done with it
+- content_encoding: change return code on a failure
- Reduced the amount of free's required for the decoded challenge message
- in Curl_sasl_create_gssapi_security_message() as a result of coding it
- differently in the sasl_gssapi module.
+ Failure to decompress is now a write error instead of the weird
+ "function not found".
-- gssapi: Corrected typo in comments
+- page-footer: error 36 is protocol agnostic!
-- sasl_gssapi: Added body to Curl_sasl_create_gssapi_security_message()
+Jay Satiro (28 Dec 2016)
+- tool_operate: Fix --remote-time incorrect times on Windows
+
+ - Use Windows API SetFileTime to set the file time instead of utime.
+
+ Avoid utime on Windows if possible because it may apply a daylight
+ saving time offset to our UTC file time.
+
+ Bug: https://curl.haxx.se/mail/archive-2016-11/0033.html
+ Reported-by: Tim
+
+ Closes https://github.com/curl/curl/pull/1121
-Daniel Stenberg (4 Dec 2014)
-- [Stefan Bühler brought this change]
+Daniel Stenberg (29 Dec 2016)
+- [Max Khon brought this change]
- http_perhapsrewind: don't abort CONNECT requests
+ digest_sspi: copy terminating NUL as well
- ...they never have a body
+ Curl_auth_decode_digest_http_message(): copy terminating NUL as later
+ Curl_override_sspi_http_realm() expects a NUL-terminated string.
+
+ Fixes #1180
+
+- curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
+
+ Mentioned in #1013
-- [Stefan Bühler brought this change]
+- [Kyselgov E.N brought this change]
- HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request
+ cmake: use crypt32.lib when building with OpenSSL on windows
- Sending NTLM/Negotiate header again after successful authentication
- breaks the connection with certain Proxies and request types (POST to MS
- Forefront).
+ Reviewed-by: Peter Wu
+ Closes #1149
+ Fixes #1147
-- [Stefan Bühler brought this change]
+- [Chris Araman brought this change]
- HTTP: don't abort connections with pending Negotiate authentication
+ darwinssl: fix CFArrayRef leak
- ... similarly to how NTLM works as Negotiate is in fact often NTLM with
- another name.
+ Reviewed-by: Nick Zitzmann
+ Closes #1173
-- [Stefan Bühler brought this change]
+- [Chris Araman brought this change]
- fix gdb libtool invocation path
+ darwinssl: fix iOS build
+
+ Reviewed-by: Nick Zitzmann
+ Fixes #1172
-Steve Holme (4 Dec 2014)
-- sasl_gssapi: Fixed missing include from commit d3cca934ee
+- curl: remove superfluous include file
+
+ The <netinet/tcp.h> is a leftover from the past when TCP socket options
+ were set in this file. This include causes build issues on AIX 4.3.
+
+ Reported-by: Kim Minjoong
+
+ Closes #1178
-Daniel Stenberg (4 Dec 2014)
-- [Jay Satiro brought this change]
+- RELEASE-NOTES: synced with a7b38c9dc98481e
- examples: remove sony.com from 10-at-a-time
+- vtls: s/SSLEAY/OPENSSL
- Prior to this change the 10-at-a-time example showed CURLE_RECV_ERROR
- for the sony website because it ends the connection when the request is
- missing a user agent.
+ Fixed an old leftover use of the USE_SSLEAY define which would make a
+ socket get removed from the applications sockets to monitor when the
+ multi_socket API was used, leading to timeouts.
+
+ Bug: #1174
-Steve Holme (4 Dec 2014)
-- sasl_gssapi: Fixed missing decoding debug failure message
+- docs/ciphers: link to our own new page about ciphers
+
+ ... as the former ones always go stale!
-- sasl_gssapi: Fixed honouring of no mutual authentication
+- cmdline-opts/page-footer: add three more exit codes
+
+ ... and regenerated curl.1
-- sasl_sspi: Added more Kerberos V5 decoding debug failure messages
+- formdata: use NULL, not 0, when returning pointers
-Daniel Stenberg (4 Dec 2014)
-- [Anthon Pang brought this change]
+- ftp: failure to resolve proxy should return that error code
- docs: Fix FAILONERROR typos
+- configure: accept --with-libidn2 instead
- It returns error for >= 400 HTTP responses.
+ ... which the help text already implied since we switched to libidn2
+ from libidn in commit 9c91ec778104ae3b back in October 2016.
- Bug: https://github.com/bagder/curl/pull/129
+ Reported-by: Christian Weisgerber
+ Bug: https://curl.haxx.se/mail/lib-2016-12/0110.html
-- [Peter Wu brought this change]
+- test1282: verify the ftp-gss check
- tool: fix CURLOPT_UNIX_SOCKET_PATH in --libcurl output
+- ftp-gss: check for init before use
- Mark CURLOPT_UNIX_SOCKET_PATH as string to ensure that it ends up as
- option in the file generated by --libcurl.
+ To avoid dereferencing a NULL pointer.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
+ Reported-by: Daniel Romero
- opts: fix CURLOPT_UNIX_SOCKET_PATH formatting
+Jay Satiro (24 Dec 2016)
+- build-wolfssl: Sync config with wolfSSL 3.10
- Add .nf and .fi such that the code gets wrapped in a pre on the web.
- Fixed grammar, fixed formatting of the "See also" items.
+ wolfSSL configure script relevant changes from 3.9 to 3.10:
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-Patrick Monnerat (4 Dec 2014)
-- OS400: enable Unix sockets.
+ - DES3 no longer enabled by default
+ - Shamir no longer enabled by default
+ - Extended master secret enabled by default
+ - RSA and ECC timing protections enabled by default
+
+ For backwards compatibility I enabled DES3 and ECC shamir config options
+ (ie no change from 3.9), and the other changes are included.
-Daniel Stenberg (3 Dec 2014)
-- RELEASE-NOTES: synced with b216427e73b5e9
+- cyassl: use time_t instead of long for timeout
-- opts: added CURLOPT_UNIX_SOCKET_PATH to Makefile.am
+Daniel Stenberg (23 Dec 2016)
+- bump: toward next release
-- updateconninfo: clear destination struct before getsockname()
+- http: remove "Curl_http_done: called premature" message
- Otherwise we may read uninitialized bytes later in the unix-domain
- sockets case.
+ ... it only confuses people.
-- curl.1: added --unix-socket
+- openssl-random: check return code when asking for random
+
+ and fail appropriately if it returns error
-- [Peter Wu brought this change]
+- gnutls-random: check return code for failed random
- tool: add --unix-socket option
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+Version 7.52.1 (22 Dec 2016)
-- [Peter Wu brought this change]
+Daniel Stenberg (22 Dec 2016)
+- RELEASE-NOTES: curl 7.52.1
- libcurl: add UNIX domain sockets support
-
- The ability to do HTTP requests over a UNIX domain socket has been
- requested before, in Apr 2008 [0][1] and Sep 2010 [2]. While a
- discussion happened, no patch seems to get through. I decided to give it
- a go since I need to test a nginx HTTP server which listens on a UNIX
- domain socket.
-
- One patch [3] seems to make it possible to use the
- CURLOPT_OPENSOCKETFUNCTION function to gain a UNIX domain socket.
- Another person wrote a Go program which can do HTTP over a UNIX socket
- for Docker[4] which uses a special URL scheme (though the name contains
- cURL, it has no relation to the cURL library).
-
- This patch considers support for UNIX domain sockets at the same level
- as HTTP proxies / IPv6, it acts as an intermediate socket provider and
- not as a separate protocol. Since this feature affects network
- operations, a new feature flag was added ("unix-sockets") with a
- corresponding CURL_VERSION_UNIX_SOCKETS macro.
-
- A new CURLOPT_UNIX_SOCKET_PATH option is added and documented. This
- option enables UNIX domain sockets support for all requests on the
- handle (replacing IP sockets and skipping proxies).
+- lib557.c: use a shorter MAXIMIZE representation
- A new configure option (--enable-unix-sockets) and CMake option
- (ENABLE_UNIX_SOCKETS) can disable this optional feature. Note that I
- deliberately did not mark this feature as advanced, this is a
- feature/component that should easily be available.
+ Since several compilers had problems with the previous one
- [0]: http://curl.haxx.se/mail/lib-2008-04/0279.html
- [1]: http://daniel.haxx.se/blog/2008/04/14/http-over-unix-domain-sockets/
- [2]: http://sourceforge.net/p/curl/feature-requests/53/
- [3]: http://curl.haxx.se/mail/lib-2008-04/0361.html
- [4]: https://github.com/Soulou/curl-unix-socket
+ Reported-by: Ray Satiro
+ Bug: https://curl.haxx.se/mail/lib-2016-12/0098.html
+
+- runtests: remove the valgrind parser
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Old legacy parsing that 1) hid problems for us and 2) probably isn't
+ needed anymore.
-- [Peter Wu brought this change]
+- [Kamil Dudka brought this change]
- tests: add two HTTP over UNIX socket tests
-
- test1435: a simple test that checks whether a HTTP request can be
- performed over the UNIX socket. The hostname/port are interpreted
- by sws and should be ignored by cURL.
+ randit: store the value in the buffer
+
+- tests/Makefile: run checksrc on debug builds
- test1436: test for the ability to do two requests to the same host,
- interleaved with one to a different hostname.
+ ... just like we already do in src/ and lib/
+
+- lib557: move the "enable LONGLINE" to allow more long lines
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ This file is riddled with them...
-- [Peter Wu brought this change]
+- bump: toward next release
- tests: add HTTP UNIX socket server testing support
+Marcel Raad (21 Dec 2016)
+- lib: fix MSVC compiler warnings
- The variable `$ipvnum` can now contain "unix" besides the integers 4
- and 6 since the variable. Functions which receive this parameter
- have their `$port` parameter renamed to `$port_or_path` to support a
- path to the UNIX domain socket (as a "port" is only meaningful for TCP).
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Visual C++ complained:
+ warning C4267: '=': conversion from 'size_t' to 'long', possible loss of data
+ warning C4701: potentially uninitialized local variable 'path' used
-- [Peter Wu brought this change]
+Version 7.52.0 (20 Dec 2016)
- sws: try to remove socket and retry bind
-
- If sws is killed it might leave a stale socket file on the filesystem
- which would cause an EADDRINUSE error. After this patch, it is checked
- whether the socket is really stale and if so, the socket file gets
- removed and another bind is executed.
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+Daniel Stenberg (20 Dec 2016)
+- THANKS: 13 new contributors from 7.52.0
-- [Peter Wu brought this change]
+- RELEASE-NOTES: 7.52.0
- sws: add UNIX domain socket support
-
- This extends sws with a --unix-socket option which causes the port to
- be ignored (as the server now listens on the path specified by
- --unix-socket). This feature will be available in the following patch
- that enables checking for UNIX domain socket support.
+- ssh: inhibit coverity warning with (void)
- Proxy support (CONNECT) is not considered nor tested. It does not make
- sense anyway, first connecting through a TCP proxy, then let that TCP
- proxy connect to a UNIX socket.
+ CID 1397391 (#1 of 1): Unchecked return value (CHECKED_RETURN)
+
+- Curl_recv_has_postponed_data: silence compiler warnings
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Follow-up to d00f2a8f2
-- [Peter Wu brought this change]
+Jay Satiro (19 Dec 2016)
+- tests: checksrc compliance
- sws: restrict TCP_NODELAY to IP sockets
+- http_proxy: Fix proxy CONNECT hang on pending data
- TCP_NODELAY does not make sense for Unix sockets, so enable it only if
- the socket is using IP.
+ - Check for pending data before waiting on the socket.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-Dan Fandrich (3 Dec 2014)
-- [Dave Reisner brought this change]
+ Bug: https://github.com/curl/curl/issues/1156
+ Reported-by: Adam Langley
- curl.1: fix trivial typo
+Daniel Stenberg (19 Dec 2016)
+- cmdline-opts/tlsv1.d: rephrased
-Steve Holme (3 Dec 2014)
-- sasl_gssapi: Added body to Curl_sasl_create_gssapi_user_message()
+- [Dan McNulty brought this change]
-- sasl_gssapi: Added body to Curl_sasl_gssapi_cleanup()
-
-- sasl_gssapi: Added Curl_sasl_build_gssapi_spn() function
+ schannel: fix wildcard cert name validation on Win CE
- Added helper function for returning a GSS-API compatible SPN.
+ Fixes a few issues in manual wildcard cert name validation in
+ schannel support code for Win32 CE:
+ - when comparing the wildcard name to the hostname, the wildcard
+ character was removed from the cert name and the hostname
+ was checked to see if it ended with the modified cert name.
+ This allowed cert names like *.com to match the connection
+ hostname. This violates recommendations from RFC 6125.
+ - when the wildcard name in the certificate is longer than the
+ connection hostname, a buffer overread of the connection
+ hostname buffer would occur during the comparison of the
+ certificate name and the connection hostname.
-Daniel Stenberg (3 Dec 2014)
-- NSS: enable the CAPATH option
+- printf: fix floating point buffer overflow issues
- Bug: http://curl.haxx.se/bug/view.cgi?id=1457
- Patch-by: Tomasz Kojm
-
-Steve Holme (3 Dec 2014)
-- sasl_gssapi: Enable USE_KERBEROS5 for GSS-API based builds
+ ... and add a bunch of floating point printf tests
-- sasl_gssapi: Added GSS-API based Kerberos V5 variables
+- config-amigaos.h: (embarrassed) made the line shorter
-- sws.c: Fixed compilation warning when IPv6 is disabled
-
- sws.c:69: warning: comma at end of enumerator list
+- config-amigaos.h: fix bug report email reference
-- sasl_gssapi: Made log_gss_error() a common GSS-API function
-
- Made log_gss_error() a common function so that it can be used in both
- the http_negotiate code as well as the curl_sasl_gssapi code.
+- RELEASE-NOTES: synced with 4517158abfeba
-- sasl_gssapi: Introduced GSS-API based SASL module
-
- Added the initial version of curl_sasl_gssapi.c and updated the project
- files in preparation for adding GSS-API based Kerberos V5 support.
+- CIPHERS.md: backtick the names to show underscores fine
-- smb: Don't try to connect with empty credentials
+- form-string.d: fix format mistake
- On some platforms curl would crash if no credentials were used. As such
- added detection of such a use case to prevent this from happening.
+ and regenerated curl.1
Reported-by: Gisle Vanem
-- smb.c: Coding policing of pointer usage
-
-- configure: Fixed inclusion of SMB when no crypto engines available
+Michael Kaufmann (18 Dec 2016)
+- openssl: simplify expression in Curl_ossl_version
-Guenter Knauf (1 Dec 2014)
-- build: in Makefile.m32 simplified autodetection.
-
-Daniel Stenberg (30 Nov 2014)
-- [Peter Wu brought this change]
-
- sws: move away from IPv4/IPv4-only assumption
+- curl_easy_recv: Improve documentation and example program
- Instead of depending the socket domain type on use_ipv6, specify the
- domain type (AF_INET / AF_INET6) as variable. An enum is used here with
- switch to avoid compiler warnings in connect_to, complaining that rc
- is possibly undefined (which is not possible as socket_domain is
- always set).
+ Follow-up to 82245ea: Fix the example program sendrecv.c (handle
+ CURLE_AGAIN, handle incomplete send). Improve the documentation
+ for curl_easy_recv() and curl_easy_send().
- Besides abstracting the socket type, make the debugging messages be
- independent on IP (introduce location_str which points to "port XXXXX").
- Rename "ipv_inuse" to "socket_type" and tighten the scope (main).
+ Reviewed-by: Frank Meier
+ Assisted-by: Jay Satiro
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ See https://github.com/curl/curl/pull/1134
-- [Peter Wu brought this change]
+- [Isaac Boukris brought this change]
- lib/connect: restrict IP/TCP options to said sockets
+ Curl_getconnectinfo: avoid checking if the connection is closed
- This patch prepares for adding UNIX domain sockets support.
+ It doesn't benefit us much as the connection could get closed at
+ any time, and also by checking we lose the ability to determine
+ if the socket was closed by reading zero bytes.
- TCP_NODELAY and TCP_KEEPALIVE are specific to TCP/IP sockets, so do not
- apply these to other socket types. bindlocal only works for IP sockets
- (independent of TCP/UDP), so filter that out too for other types.
+ Reported-by: Michael Kaufmann
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes https://github.com/curl/curl/pull/1134
-- smb.c: use size_t as input argument types for msg sizes
+Daniel Stenberg (18 Dec 2016)
+- CIPHERS.md: attempt to document TLS cipher names
- This fixes warnings about conversions to int
+ As the official docs seems really hard to keep track of and link to over
+ time
-Steve Holme (30 Nov 2014)
-- version: The next release will become 7.40.0
+- curl.1: generated after 6cce4dbf830
-- [Bill Nagel brought this change]
+- cmdline-opts/post30X.d: fix the RFC references
- docs: Updated for the SMB protocol
+- curl.1: regenerated
- This patch updates the documentation for the SMB/CIFS protocol.
+ Fixed trailing whitespace and numerous formatting glitches
-- curl tool: Exclude SMB from the protocol redirect
-
- As local files could be accessed through \\localhost\c$.
+- cmdline-opts: formatting fixes
-- [Bill Nagel brought this change]
+- curl_easy_setopt.3: removed CURLOPT_SOCKS_PROXYTYPE
- curl tool: Enable support for the SMB protocol
-
- This patch enables SMB/CIFS support in the curl command-line tool.
+- tool_getparam.c: make comments use the up-to-date option names
-- smb.c: Fixed compilation warnings
+- manpage-scan.pl: allow deprecated options to get removed from curl.1
- smb.c:398: warning: comparison of integers of different signs:
- 'ssize_t' (aka 'long') and 'unsigned long'
- smb.c:443: warning: comparison of integers of different signs:
- 'ssize_t' (aka 'long') and 'unsigned long'
+ --krb4, --ftp-ssl and --ftp-ssl-reqd no longer need to be documented in the
+ man page
-- libcurl: Exclude SMB from the protocol redirect
-
- As local files could be accessed through \\localhost\c$.
+- cmdline-opts/gen.pl: trim off trailing spaces
-- [Bill Nagel brought this change]
+- cmdline-opts/proxy-tlsuser.d: remove trailing .d
- libcurl: Enable support for the SMB protocol
-
- This patch enables SMB/CIFS support in libcurl.
+- curl_easy_setopt.3: CURLOPT_PRE_PROXY instead of CURLOPT_SOCKS_PROXY
-- smb.c: Fixed compilation warnings
-
- smb.c:322: warning: conversion to 'short unsigned int' from 'unsigned
- int' may alter its value
- smb.c:323: warning: conversion to 'short unsigned int' from 'unsigned
- int' may alter its value
- smb.c:482: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
- smb.c:521: warning: conversion to 'unsigned int' from 'curl_off_t' may
- alter its value
- smb.c:549: warning: conversion to 'unsigned int' from 'curl_off_t' may
- alter its value
- smb.c:550: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
+- symbols: removed two, added one
-- smb.c: Renamed SMB command message variables to avoid compiler warnings
-
- smb.c:489: warning: declaration of 'close' shadows a global declaration
- smb.c:511: warning: declaration of 'read' shadows a global declaration
- smb.c:528: warning: declaration of 'write' shadows a global declaration
+- cmdline-opts: include the man page split up files in the dist
-- smb.c: Fixed compilation warnings
+- curl.1: generated with gen.pl
- smb.c:212: warning: unused parameter 'done'
- smb.c:380: warning: ISO C does not allow extra ';' outside of a function
- smb.c:812: warning: unused parameter 'premature'
- smb.c:822: warning: unused parameter 'dead'
-
-- smb.c: Fixed compilation warnings
+ This is the first time we replace the manually edited curt.1 with the
+ generated one created by gen.pl and the individual option documentation
+ pages.
- smb.c:311: warning: conversion from 'unsigned __int64' to 'u_short',
- possible loss of data
- smb.c:425: warning: conversion from '__int64' to 'unsigned short',
- possible loss of data
- smb.c:452: warning: conversion from '__int64' to 'unsigned short',
- possible loss of data
-
-- smb.c: Fixed compilation warnings
+ Do not edit this file, edit the individual pages and regenerate this
+ output.
- smb.c:162: error: comma at end of enumerator list
- smb.c:469: warning: conversion from 'size_t' to 'unsigned short',
- possible loss of data
- smb.c:517: warning: conversion from 'curl_off_t' to 'unsigned int',
- possible loss of data
- smb.c:545: warning: conversion from 'curl_off_t' to 'unsigned int',
- possible loss of data
+ This file will be generated by the build system soon and then removed
+ from git.
-- [Bill Nagel brought this change]
+- cmdline-opts: added some missing info
- smb: Added initial SMB functionality
-
- Initial implementation of the SMB/CIFS protocol.
+- CURLINFO_SSL_VERIFYRESULT.3: language
-- [Bill Nagel brought this change]
+- HTTPS-PROXY docs: update/polish
- smb: Added SMB handler interfaces
+- cmdline-opts/page-header: mention it is generated
- Added the SMB and SMBS handler interface structures and associated
- functions required for SMB/CIFS operation.
+ ... to avoid people from trying to edit the pending curl.1 version that
+ gets generated by gen.pl
-- transfer: Code style policing
+- preproxy: renamed what was added as SOCKS_PROXY
- Prefer ! rather than NULL in if statements, added comments and updated
- function spacing, argument spacing and line spacing to be more readble.
-
-- transfer: Fixed existing scratch buffer being checked for NULL twice
+ CURLOPT_SOCKS_PROXY -> CURLOPT_PRE_PROXY
- If the scratch buffer already existed when the CRLF conversion was
- performed then the buffer pointer would be checked twice for NULL. This
- second check is only necessary if the call to malloc() was performed by
- the first check.
+ Added the corresponding --preroxy command line option. Sets a SOCKS
+ proxy to connect to _before_ connecting to a HTTP(S) proxy.
-- smtp: Fixed dot stuffing being performed when no new data read
+- curl: normal socks proxies still use CURLOPT_PROXY
- Whilst I had moved the dot stuffing code from being performed before
- CRLF conversion takes place to after it, in commit 4bd860a001, I had
- moved it outside the 'when something read' block of code when meant
- it could perform the dot stuffing twice on partial send if nread
- happened to contain the right values. It also meant the function could
- potentially read past the end of buffer. This was highlighted by the
- following warning:
+ ... the newly introduced CURLOPT_SOCKS_PROXY is special and should be
+ asked for specially. (Needs new code.)
- warning: `nread' might be used uninitialized in this function
+ Unified proxy type to a single variable in the config struct.
-Daniel Stenberg (29 Nov 2014)
-- smb.h: fixed picky compiler warning
+- CURLOPT_SOCKS_PROXYTYPE: removed
- smb.h:30:16: error: comma at end of enumerator list [-Werror=pedantic]
-
-Steve Holme (29 Nov 2014)
-- tests: Disable test 1013 until SMB is fully added
+ This was added as part of the SOCKS+HTTPS proxy merge but there's no
+ need to support this as we prefer to have the protocol specified as a
+ prefix instead.
-- [Bill Nagel brought this change]
+- curl_multi_socket.3: fix typo
- smb: Added SMB protocol and port definitions
+- checksrc: warn for assignments within if() expressions
- Added the necessary protocol and port definitions in order to support
- SMB/CIFS.
-
-- [Bill Nagel brought this change]
+ ... they're already frowned upon in our source code style guide, this
+ now enforces the rule harder.
- smb: Added internal SMB definitions and structures
+- checksrc: stricter no-space-before-paren enforcement
- Added the internal definitions and structures necessary for SMB/CIFS
- support.
+ In order to make the code style more uniform everywhere
-- [Bill Nagel brought this change]
+- ISSUE_TEMPLATE: try mentioning known bugs/todo in new issue template
- smb: Added SMB connection structure
-
- Added the connection structure that will be required in urldata.h for
- SMB/CIFS based connections.
+- RELEASE-NOTES: synced with 71a55534fa6
-- [Bill Nagel brought this change]
+- [Adam Langley brought this change]
- smb: Added initial source files for SMB
+ openssl: don't use OpenSSL's ERR_PACK.
- Added the initial source files and updated the relevant project files in
- order to support SMB/CIFS.
+ ERR_PACK is an internal detail of OpenSSL. Also, when using it, a
+ function name must be specified which is overly specific: the test will
+ break whenever OpenSSL internally change things so that a different
+ function creates the error.
+
+ Closes #1157
-- [Bill Nagel brought this change]
+Dan Fandrich (5 Dec 2016)
+- test2032: Mark test as flaky
- smb: Added configuration options for SMB
+Jay Satiro (3 Dec 2016)
+- [Jeremy Pearson brought this change]
+
+ libcurl-multi.3: typo
- Added --enable-smb and --disable-smb configuration options for the
- upcoming SMB/CIFS protocol support.
+ Closes https://github.com/curl/curl/pull/1153
-Daniel Stenberg (28 Nov 2014)
-- [Peter Wu brought this change]
+Dan Fandrich (2 Dec 2016)
+- test1281: added http as a required feature
- runtests.pl: fix startup of IPv6 servers
-
- Commit curl-7_23_1-143-g8218064 changed the parameter of
- responsive_http_server to accept types other than IPv6 (converting
- from a boolean to a string), but only considered the lower-case "ipv6"
- and not the "IPv6" variant. This caused all servers to start in IPv4
- mode instead.
+Daniel Stenberg (2 Dec 2016)
+- curl: support zero-length argument strings in config files
- This patch converts the remaining cases to "ipv6". While not strictly
- necessary for the run*server variants, these got also converted for
- consistency and to prevent future errors.
+ ... like 'user-agent = ""'
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Adjusted test 71 to verify.
-- [Peter Wu brought this change]
+- http_proxy: simplify CONNECT response reading
+
+ Since it now reads responses one byte a time, a loop could be removed
+ and it is no longer limited to get the whole response within 16K, it is
+ now instead only limited to 16K maximum header line lengths.
- runtests.pl: fix warning message, remove duplicate value
+- tests: fix CONNECT test cases to be more strict
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ ... as they broke with the cleaned up CONNECT handling
-Steve Holme (27 Nov 2014)
-- http.c: Fixed compilation warnings from features being disabled
+- CONNECT: read responses one byte at a time
- warning: unused variable 'data'
- warning: variable 'addcookies' set but not used
+ ... so that it doesn't read data that is actually coming from the
+ remote. 2xx responses have no body from the proxy, that data is from the
+ peer.
- ...and some very minor coding style policing.
+ Fixes #1132
-- RELEASE-NOTES: Synced with c5399c827d
+- CONNECT: reject TE or CL in 2xx responses
+
+ A server MUST NOT send any Transfer-Encoding or Content-Length header
+ fields in a 2xx (Successful) response to CONNECT. (RFC 7231 section
+ 4.3.6)
+
+ Also fixes the three test cases that did this.
-- tests: Added SMTP with --crlf test case
+- URL parser: reject non-numerical port numbers
+
+ Test 1281 added to verify
-- docs: Updated for commit 4bd860a001 and SMTP Unix line ending conversion
+Dan Fandrich (30 Nov 2016)
+- runtests: made Servers: output be more consistent by removing OFF
-- smtp: Fixed const'ness of nread parameter in Curl_smtp_escape_eob()
-
- ...and some comment typos!
+- cyassl: fixed typo introduced in 4f8b1774
-- smtp: Added support for the conversion of Unix newlines during mail send
+Michael Kaufmann (30 Nov 2016)
+- CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries properly
- Added support for the automatic conversion of Unix newlines to CRLF
- during mail uploads.
+ If a port number in a "connect-to" entry does not match, skip this
+ entry instead of connecting to port 0.
- Feature: http://curl.haxx.se/bug/view.cgi?id=1456
-
-- CURLOPT_CRLF.3: Fixed inclusion of SMTP in listed protocols
-
-Daniel Stenberg (25 Nov 2014)
-- curl*3: added small examples
+ If a port number in a "connect-to" entry matches, use this entry
+ and look no further.
- and some minor edits
-
-- libcurl.3: fix formatting
+ Reported-by: Jay Satiro
+ Assisted-by: Jay Satiro, Daniel Stenberg
- refer to functions with the man page section properly
+ Closes #1148
-- man pages: SEE ALSO curl_multi_wait
+Daniel Stenberg (29 Nov 2016)
+- BUGS: describe bug handling process
-- curl_multi_wait.3: clarify numfds being used if not NULL
+- RELEASE-NOTES: synced with 19613fb3
-- multi-single.c: switch to use curl_multi_wait
+Jay Satiro (28 Nov 2016)
+- http2: check nghttp2_session_set_local_window_size exists
- Makes the example much easier and straight-forward!
+ The function only exists since nghttp2 1.12.0.
+
+ Bug: https://github.com/curl/curl/commit/a4d8888#commitcomment-19985676
+ Reported-by: Michael Kaufmann
-- testcurl: bump the version of this script!
+Daniel Stenberg (28 Nov 2016)
+- [Anders Bakken brought this change]
-- testcurl: skip reading the setup file if given enough cmdline info
+ http2: Fix crashes when parent stream gets aborted
- This makes it much easier to run multiple tests in the same directory,
- just altering the command lines used.
+ Closes #1125
-- select.c: fix compilation for VxWorks
+- cmdline-docs: more options converted and fixed
- Reported-by: Brian
- Bug: http://curl.haxx.se/bug/view.cgi?id=1455
+ Now all options are in the new system.
-Patrick Monnerat (24 Nov 2014)
-- [moparisthebest brought this change]
+- gen: include footer in mainpage output
- SSL: Add PEM format support for public key pinning
+Jay Satiro (28 Nov 2016)
+- lib1536: checksrc compliance
-Kamil Dudka (24 Nov 2014)
-- Revert "repository: ignore patch files generated by git"
+Daniel Stenberg (28 Nov 2016)
+- cmdline-opts: more command line options documented
- This reverts commit 217024a687ce86eb6d2317822ed81c7e5abc4b61.
-
- Bug: https://github.com/bagder/curl/commit/217024a6#commitcomment-8693738
+ Moved over to the new format
-Steve Holme (23 Nov 2014)
-- multi.c: Fixed compilation warnings when no verbose string support
+- curl: remove --proxy-ssl* options
- warning: variable 'connection_id' set but not used
- warning: unused parameter 'lineno'
-
-- RELEASE-NOTES: Synced with 1450712e76
+ There's mostly likely no need to allow setting SSLv2/3 version for HTTPS
+ proxy. Those protocols are insecure by design and deprecated.
-- sasl: Tidied up some parameter comments
+- CURLOPT_PROXY_*.3: polished some proxy option man pages
-- sasl: Reduced the need for two sets of NTLM functions
-
-- ntlm: Moved NSS initialisation to base decode function
-
-- http_ntlm: Fixed additional NSS initialisation call when decoding type-2
+Patrick Monnerat (26 Nov 2016)
+- os400: support CURLOPT_PROXY_PINNEDPUBLICKEY
- After commit 48d19acb7c the HTTP code would call Curl_nss_force_init()
- twice when decoding a NTLM type-2 message, once directly and the other
- through the call to Curl_sasl_decode_ntlm_type2_message().
+ Also define it in ILE/RPG binding.
-- ntlm: Fixed static'ness of local decode function
+Daniel Stenberg (26 Nov 2016)
+- [Okhin Vasilij brought this change]
-- ntlm: Corrected some parameter names and comments
+ curl_version_info: add CURL_VERSION_HTTPS_PROXY
+
+ Closes #1142
-- runtests.pl: Re-aligned feature support comments
+- [Frank Gevaerts brought this change]
-- runtests.pl: Use Kerberos and SPNEGO as proxies for the crypto feature
+ tests: Add some testcases for recent new features.
- In addition to NTLM, use Kerberos and SPNEGO as proxies to the crypto
- feature.
+ Add missing tests for CURLINFO_SCHEME, CURLINFO_PROTOCOL, %{scheme},
+ and %{http_version}
- ...and converted tab characters, from commit 4b4e8a5853, to spaces.
+ closes #1143
-- runtests.pl: Added support for SPNEGO
+- [Frank Gevaerts brought this change]
-- runtests.pl: Added Kerberos detection
+ curl_easy_reset: clear info for CULRINFO_PROTOCOL and CURLINFO_SCHEME
-- runtests.pl: Added GSS-API detection
+- CURLOPT_PROXY_CAINFO.3: clarify proxy use
-- FILEFORMAT: Added SSPI, GSS-API and Kerberos to the features list
+- CURLOPT_PROXY_CRLFILE.3: clarify https proxy and availability
-- FILEFORMAT: Added test requires feature not present information
+- curl_easy_setopt.3: add CURLOPT_PROXY_PINNEDPUBLICKEY
- Such as !SSPI as we do for the NTLM and Digest tests.
+ Follow-up to 4f8b17743d7c55a
-Daniel Stenberg (20 Nov 2014)
-- http.c: log if it notices HTTP 1.1 after a upgrade to http2
+- docs: include all opts man pages in dist
+
+ Sorted the lists too.
+
+ ... and include the new ones in the PDF and HTML generation targets
-- test1801: first real http2 test case
+- [Thomas Glanzmann brought this change]
-- sws: initial tiny steps toward http2 support
+ HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY
-- FILEFORMAT: mention the new upgrade support
+- [Thomas Glanzmann brought this change]
-- test1800: first plain-text http2 test case
-
- Verifies the upgrade request, but gets a plain 1.1 response
+ url: proxy: Use 443 as default port for https proxies
-- [Tatsuhiro Tsujikawa brought this change]
+- TODO: removed "HTTPS proxy"
- http: Disable pipelining for HTTP/2 and upgraded connections
-
- This commit disables pipelining for HTTP/2 or upgraded connections. For
- HTTP/2, we do not support multiplexing. In general, requests cannot be
- pipelined in an upgraded connection, since it is now different protocol.
+- [Jan-E brought this change]
-- [Brad Harder brought this change]
+ winbuild: add config option ENABLE_NGHTTP2
+
+ Closes #1141
- CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option
+Jay Satiro (24 Nov 2016)
+- tool_urlglob: Improve sanity check in glob_range
+
+ Prior to this change we depended on errno if strtol could not perform a
+ conversion. POSIX says EINVAL *may* be set. Some implementations like
+ Microsoft's will not set it if there's no conversion.
+
+ Ref: https://github.com/curl/curl/commit/ee4f7660#commitcomment-19658189
-Steve Holme (19 Nov 2014)
-- multi-uv.c: Updated for curl coding standards
+- tool_help: Change description for --retry-connrefused
+
+ Ref: https://github.com/curl/curl/pull/1064#issuecomment-260052409
-- conncache: Fixed specifiers in infof() for long and size_t variables
+Patrick Monnerat (25 Nov 2016)
+- os400: sync ILE/RPG binding
-- [Peter Wu brought this change]
+Jay Satiro (24 Nov 2016)
+- test1135: Fix curl_easy_duphandle prototype for code style
+
+ Follow-up to dbadaeb which changed the style.
- cmake: add Kerberos to the supported features
+- x509asn1: Restore the parameter check in Curl_getASN1Element
- Updated following commit eda919f and a4b7f71.
+ - Restore the removed parts of the parameter check.
- Acked-by: Brad King <brad.king@kitware.com>
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Follow-up to 945f60e which altered the parameter check.
+
+Daniel Stenberg (25 Nov 2016)
+- RELEASE-NOTES: update option counters
-- [Peter Wu brought this change]
+- [Frank Gevaerts brought this change]
- cmake: fix NTLM detection when CURL_DISABLE_HTTP defined
+ add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
+
+ Adds access to the effectively used protocol/scheme to both libcurl and
+ curl, both in string and numeric (CURLPROTO_*) form.
- Updated following changes in commit f0d860d.
+ Note that the string form will be uppercase, as it is just the internal
+ string.
- Acked-by: Brad King <brad.king@kitware.com>
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ As these strings are declared internally as const, and all other strings
+ returned by curl_easy_getinfo() are de-facto const as well, string
+ handling in getinfo.c got const-ified.
+
+ Closes #1137
-Daniel Stenberg (19 Nov 2014)
-- RELEASE-NOTES: synced with cb13fad733e
+- RELEASE-NOTES: synced with 63198a4750aeb
-- [Jay Satiro brought this change]
+- curl.1: the new --proxy options ship in 7.52.0
- examples: Wait recommended 100ms when no file descriptors are ready
+- checksrc: move open braces to comply with function declaration style
+
+- checksrc: detect wrongly placed open braces in func declarations
+
+- checksrc: white space edits to comply to stricter checksrc
+
+- checksrc: verify ASTERISKNOSPACE
- Prior to this change when no file descriptors were ready on platforms
- other than Windows the multi examples would sleep whatever was in
- timeout, which may or may not have been less than the minimum
- recommended value [1] of 100ms.
+ Detects (char*) and 'char*foo' uses.
+
+- checksrc: code style: use 'char *name' style
+
+- checksrc: add ASTERISKSPACE
- [1]: http://curl.haxx.se/libcurl/c/curl_multi_fdset.html
+ Verifies a 'char *name' style, with no space after the asterisk.
-- [Waldek Kozba brought this change]
+- openssl: remove dead code
+
+ Coverity CID 1394666
- multi-uv.c: close the file handle after download
+- [Okhin Vasilij brought this change]
-- [Jon Spencer brought this change]
+ HTTPS-proxy: fixed mbedtls and polishing
- multi: inform about closed sockets before they are closed
+- darwinssl: adopted to the HTTPS proxy changes
- When the connection code decides to close a socket it informs the multi
- system via the Curl_multi_closed function. The multi system may, in
- turn, invoke the CURLMOPT_SOCKETFUNCTION function with
- CURL_POLL_REMOVE. This happens after the socket has already been
- closed. Reorder the code so that CURL_POLL_REMOVE is called before the
- socket is closed.
+ It builds and runs all test cases. No adaptations for actual HTTPS proxy
+ support has been made.
-Guenter Knauf (19 Nov 2014)
-- build: in Makefile.m32 moved target autodetection.
+- gtls: fix indent to silence compiler warning
- Moved target autodetection block after defining CC macro.
+ vtls/gtls.c: In function ‘Curl_gtls_data_pending’:
+ vtls/gtls.c:1429:3: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
+ if(conn->proxy_ssl[connindex].session &&
+ ^~
+ vtls/gtls.c:1433:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
+ return res;
-- build: in Makefile.m32 simplify platform flags.
+- [Thomas Glanzmann brought this change]
-- build: in Makefile.m32 try to detect 64bit target.
+ mbedtls: Fix compile errors
-Daniel Stenberg (19 Nov 2014)
-- [Brad King brought this change]
+- [Alex Rousskov brought this change]
- CMake: Simplify if() conditions on check result variables
+ proxy: Support HTTPS proxy and SOCKS+HTTP(s)
- Remove use of an old hack that takes advantage of the auto-dereference
- behavior of the if() command to detect if a variable is defined. The
- hack has the form:
+ * HTTPS proxies:
- if("${VAR} MATCHES "^${VAR}$")
+ An HTTPS proxy receives all transactions over an SSL/TLS connection.
+ Once a secure connection with the proxy is established, the user agent
+ uses the proxy as usual, including sending CONNECT requests to instruct
+ the proxy to establish a [usually secure] TCP tunnel with an origin
+ server. HTTPS proxies protect nearly all aspects of user-proxy
+ communications as opposed to HTTP proxies that receive all requests
+ (including CONNECT requests) in vulnerable clear text.
- where "${VAR}" is a macro argument reference. Use if(DEFINED) instead.
- This also avoids warnings for CMake Policy CMP0054 in CMake 3.1.
-
-- TODO-RELEASE: removed
-
-- [Carlo Wood brought this change]
-
- debug: added new connection cache output, plus fixups
+ With HTTPS proxies, it is possible to have two concurrent _nested_
+ SSL/TLS sessions: the "outer" one between the user agent and the proxy
+ and the "inner" one between the user agent and the origin server
+ (through the proxy). This change adds supports for such nested sessions
+ as well.
- Debug output 'typo' fix.
+ A secure connection with a proxy requires its own set of the usual SSL
+ options (their actual descriptions differ and need polishing, see TODO):
- Don't print an extra "0x" in
- * Pipe broke: handle 0x0x2546d88, url = /
+ --proxy-cacert FILE CA certificate to verify peer against
+ --proxy-capath DIR CA directory to verify peer against
+ --proxy-cert CERT[:PASSWD] Client certificate file and password
+ --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG)
+ --proxy-ciphers LIST SSL ciphers to use
+ --proxy-crlfile FILE Get a CRL list in PEM format from the file
+ --proxy-insecure Allow connections to proxies with bad certs
+ --proxy-key KEY Private key file name
+ --proxy-key-type TYPE Private key file type (DER/PEM/ENG)
+ --proxy-pass PASS Pass phrase for the private key
+ --proxy-ssl-allow-beast Allow security flaw to improve interop
+ --proxy-sslv2 Use SSLv2
+ --proxy-sslv3 Use SSLv3
+ --proxy-tlsv1 Use TLSv1
+ --proxy-tlsuser USER TLS username
+ --proxy-tlspassword STRING TLS password
+ --proxy-tlsauthtype STRING TLS authentication type (default SRP)
- Add debug output.
- Print the number of connections in the connection cache when
- adding one, and not only when one is removed.
+ All --proxy-foo options are independent from their --foo counterparts,
+ except --proxy-crlfile which defaults to --crlfile and --proxy-capath
+ which defaults to --capath.
- Fix typos in comments.
-
-- multi: move the ending condition into the loop as well
+ Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
+ similar to the existing %{ssl_verify_result} variable.
- ... as it was before I changed the loop in commit e04ccbd50. It caused
- test 2030 and 2032 to fail.
-
-Steve Holme (18 Nov 2014)
-- multi: Prefer we don't use CURLE_OK and NULL in comparisons
-
-Daniel Stenberg (18 Nov 2014)
-- multi_runsingle: use 'result' for local CURLcode storage
+ Supported backends: OpenSSL, GnuTLS, and NSS.
- ... and assign data->result only at the end. Makes the code more compact
- (easier to read) and more similar to other code.
-
-- multi_runsingle: rename result to rc
+ * A SOCKS proxy + HTTP/HTTPS proxy combination:
- save 'result' for CURLcode types
-
-- multi: make multi_runsingle loop internally
+ If both --socks* and --proxy options are given, Curl first connects to
+ the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
+ proxy.
- simplifies the use of this function at little cost.
+ TODO: Update documentation for the new APIs and --proxy-* options.
+ Look for "Added in 7.XXX" marks.
-- [Carlo Wood brought this change]
+Patrick Monnerat (24 Nov 2016)
+- Declare endian read functions argument as a const pointer.
+ This is done for all functions of the form Curl_read[136][624]_[lb]e.
- multi: when leaving for timeout, close accordingly
-
- Fixes the problem when a transfer in a pipeline times out.
+- Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.
+ See CRL-01-006.
-Guenter Knauf (18 Nov 2014)
-- build: in Makefile.m32 add -m32 flag for 32bit.
+Jay Satiro (22 Nov 2016)
+- url: Fix conn reuse for local ports and interfaces
+
+ - Fix connection reuse for when the proposed new conn 'needle' has a
+ specified local port but does not have a specified device interface.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-11/0137.html
+ Reported-by: bjt3[at]hotmail.com
-- mk-ca-bundle.vbs: update copyright year.
+Daniel Stenberg (21 Nov 2016)
+- rand: pass in number of randoms as an unsigned argument
-- build: in Makefile.m32 pass -F flag to windres.
+Jay Satiro (20 Nov 2016)
+- rand: Fix potentially uninitialized result warning
-Steve Holme (17 Nov 2014)
-- config-win32: Fixed build targets for the VS2012+ Windows XP toolset
+Marcel Raad (19 Nov 2016)
+- vtls: fix build warnings
- Even though commit 23e70e1cc6 mentioned the v110_xp toolset, I had
- forgotten to include the relevant pre-processor definitions.
-
-- sasl_sspi: Removed note about the NTLM functions being a wrapper
-
-- connect.c: Fixed compilation warning when no verbose string support
+ Fix warnings about conversions from long to time_t in openssl.c and
+ schannel.c.
- warning: unused parameter 'reason'
+ Follow-up to de4de4e3c7c
-- easy.c: Fixed compilation warning when no verbose string support
-
- warning: unused parameter 'easy'
+Daniel Stenberg (18 Nov 2016)
+- [Marcel Raad brought this change]
-- win32: Updated some legacy APIs to use the newer extended versions
+ lib: fix compiler warnings after de4de4e3c7c
- Updated the usage of some legacy APIs, that are preventing curl from
- compiling for Windows Store and Windows Phone build targets.
+ Visual C++ now complains about implicitly casting time_t (64-bit) to
+ long (32-bit). Fix this by changing some variables from long to time_t,
+ or explicitly casting to long where the public interface would be
+ affected.
- Suggested-by: Stefan Neis
- Feature: http://sourceforge.net/p/curl/feature-requests/82/
+ Closes #1131
+
+Peter Wu (17 Nov 2016)
+- [Isaac Boukris brought this change]
-- config-win32: Introduce build targets for VS2012+
+ Don't mix unix domain sockets with regular ones
- Visual Studio 2012 introduced support for Windows Store apps as well as
- supporting Windows Phone 8. Introduced build targets that allow more
- modern APIs to be used as certain legacy ones are not available on these
- new platforms.
+ When reusing a connection, make sure the unix domain
+ socket option matches.
-- sasl_sspi: Fixed compilation warnings when no verbose string support
+Jay Satiro (17 Nov 2016)
+- tests: Fix HTTP2-Settings header for huge window size
+
+ Follow-up to a4d8888. Changing the window size in that commit resulted
+ in a different HTTP2-Settings upgrade header, causing test 1800 to fail.
-- sasl_sspi: Added base64 decoding debug failure messages
+- http2: Use huge HTTP/2 windows
+
+ - Improve performance by using a huge HTTP/2 window size.
- Just like in the NTLM code, added infof() failure messages for
- DIGEST-MD5 and GSSAPI authentication when base64 decoding fails.
+ Bug: https://github.com/curl/curl/issues/1102
+ Reported-by: afrind@users.noreply.github.com
+ Assisted-by: Tatsuhiro Tsujikawa
-- ntlm: Moved the SSPI based Type-3 message generation into the SASL module
+Daniel Stenberg (16 Nov 2016)
+- cmdline-docs: more conversion
-- ntlm: Moved the SSPI based Type-2 message decoding into the SASL module
+- gen: support 'protos'
+
+ and warn on unrecognized lines
-- ntlm: Moved the SSPI based Type-1 message generation into the SASL module
+- gen: support 'single' to make an individual page man page
-- [Michael Osipov brought this change]
+- cmdline-docs: more options converted over
- kerberos: Use symbol qualified with _KERBEROS5
+- gen: support 'redirect'
- For consistency renamed USE_KRB5 to USE_KERBEROS5.
+ ... and warn for too long --help lines
-Daniel Stenberg (15 Nov 2014)
-- [Jay Satiro brought this change]
+- cmdline/gen: replace options in texts better
- examples: Don't call select() to sleep on windows
+Jay Satiro (16 Nov 2016)
+- http2: Fix address sanitizer memcpy warning
- Windows does not support using select() for sleeping without a dummy
- socket. Instead use Windows' Sleep() and sleep for 100ms which is the
- minimum suggested value in the curl_multi_fdset() doc.
+ - In Curl_http2_switched don't call memcpy when src is NULL.
- Prior to this change the multi examples would exit prematurely since
- select() would error instead of sleeping when called without an fd.
+ Curl_http2_switched can be called like:
- Reported-by: Johan Lantz
- Bug: http://curl.haxx.se/mail/lib-2014-11/0221.html
-
-- [Tatsuhiro Tsujikawa brought this change]
-
- http2: Don't send Upgrade headers when we already do HTTP/2
-
-Steve Holme (15 Nov 2014)
-- sasl: Corrected Curl_sasl_build_spn() function description
+ Curl_http2_switched(conn, NULL, 0);
- There was a mismatch in function parameter names.
-
-- tool: Removed krb4 from the supported features
+ .. and prior to this change memcpy was then called like:
- Although libcurl would never return CURL_VERSION_KERBEROS4 after 7.33,
- so would not be output with --version, removed krb4 from the supported
- features output.
+ memcpy(dest, NULL, 0)
+
+ .. causing address sanitizer to warn:
+
+ http2.c:2057:3: runtime error: null pointer passed as argument 2, which
+ is declared to never be null
-- [Michael Osipov brought this change]
+- tool_help: Clarify --dump-header only writes received headers
- tool: Use Kerberos for supported features
+- curl.1: Clarify --dump-header only writes received headers
-- urldata: Don't define sec_complete when no GSS-API support present
-
- This variable is only used with HAVE_GSSAPI is defined by the FTP code
- so let's place the definition with the other GSS-API based variables.
+Daniel Stenberg (15 Nov 2016)
+- [Alex Chan brought this change]
-- [Michael Osipov brought this change]
+ docs: Spelling fixes
- docs: Use consistent naming for Kerberos
+Kamil Dudka (15 Nov 2016)
+- docs: the next release will be 7.52.0
-- TODO: Lets support QOP options in GSSAPI authentication
+Daniel Stenberg (15 Nov 2016)
+- cmdline-opts: support generating the --help output
-- sasl_sspi: Corrected a couple of comment typos
+- [David Schweikert brought this change]
-- sasl: Moved Curl_sasl_gssapi_cleanup() definition into header file
+ darwinssl: fix SSL client certificate not found on MacOS Sierra
- Rather than define the function as extern in the source files that use
- it, moved the function declaration into the SASL header file just like
- the Digest and NTLM clean-up functions.
+ Reviewed-by: Nick Zitzmann
- Additionally, added a function description comment block.
-
-- sasl_sspi: Added missing RFC reference for HTTP Digest authentication
-
-- ntlm: Clean-up and standardisation of base64 decoding
-
-- ntlm: We prefer 'CURLcode result'
+ Closes #1105
-Daniel Stenberg (13 Nov 2014)
-- [Brad King brought this change]
+- curl: add --fail-early to help output
+
+ Fixes test 1139 failures
+
+ Follow-up to f82bbe01c8835
- CMake: Restore order-dependent library checks
+- glob: fix [a-c] globbing regression
- Revert commit 2257deb502 (Cmake: Avoid cycle directory dependencies,
- 2014-08-22) and add a comment explaining the purpose of the original
- code.
+ Brought in ee4f76606cf
- The check_library_exists_concat macro is intended to be called multiple
- times on a sequence of possibly dependent libraries. Later libraries
- may depend on earlier libraries when they are static. They cannot be
- safely linked in reverse order on some platforms.
+ Added test case 1280 to verify
- Signed-off-by: Brad King <brad.king@kitware.com>
+ Reported-by: Dave Reisner
+
+ Bug: https://github.com/curl/curl/commit/ee4f76606cfa4ee068bf28edd37c8dae7e8db317#commitcomment-19823146
-- [Brad King brought this change]
+- curl: add --fail-early
+
+ Exit with an error on the first transfer error instead of continuing to
+ do the rest of the URLs.
+
+ Discussion: https://curl.haxx.se/mail/archive-2016-11/0038.html
- CMake: Restore order-dependent header checks
+- Curl_rand: fixed and moved to rand.c
- Revert commit 1269df2e3b (Cmake: Don't check for all headers each
- time, 2014-08-15) and add a comment explaining the purpose of the
- original code.
+ Now Curl_rand() is made to fail if it cannot get the necessary random
+ level.
- The check_include_file_concat macro is intended to be called multiple
- times on a sequence of possibly dependent headers. Later headers
- may depend on earlier headers to provide declarations. They cannot
- be safely included independently on some platforms.
+ Changed the proto of Curl_rand() slightly to provide a number of ints at
+ once.
- For example, many POSIX APIs document including sys/types.h before some
- other headers. Also on some OS X versions sys/socket.h must be included
- before net/if.h or the check for the latter will fail.
+ Moved out from vtls, since it isn't a TLS function and vtls provides
+ Curl_ssl_random() for this to use.
- Signed-off-by: Brad King <brad.king@kitware.com>
+ Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
-- [Peter Wu brought this change]
+- cmdline-opts: first test version of a new man page generator kit
+
+ See MANPAGE.md for the description of how this works. Each command line
+ option is now described in a separate .d file.
- test22: expand a backtick command
+- time_t fix: follow-up to de4de4e3c7c
- This is the only user of the backtick operator in the command. As the
- commands will soon not be executed by a shell anymore (but by perl),
- replace the command with its output.
+ Blah, I accidentally wrote size_t instead of time_t for two variables.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reported-by: Dave Reisner
-- RELEASE-NOTES: synced with 2ee3c63b13
+- timeval: prefer time_t to hold seconds instead of long
+
+ ... as long is still 32bit on modern 64bit windows machines, while
+ time_t is generally 64bit.
-- http2: fix switched macro when http2 is not enabled
+Dan Fandrich (12 Nov 2016)
+- tests: fixed variable might be clobbered warning
+
+ This stops the compiler from potentially making invalid assumptions
+ about the immutability of sdp and sap across the longjmp boundary.
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (12 Nov 2016)
+- RELEASE-NOTES: synced with 346340808c
- http2: Deal with HTTP/2 data inside response header buffer
+- URL-parser: for file://[host]/ URLs, the [host] must be localhost
- Previously if HTTP/2 traffic is appended to HTTP Upgrade response header
- (thus they are in the same buffer), the trailing HTTP/2 traffic is not
- processed and lost. The appended data is most likely SETTINGS frame.
- If it is lost, nghttp2 library complains server does not obey the HTTP/2
- protocol and issues GOAWAY frame and curl eventually drops connection.
- This commit fixes this problem and now trailing data is processed.
-
-Steve Holme (11 Nov 2014)
-- configure: Fixed inclusion of krb5 when CURL_DISABLE_CRYPTO_AUTH is defined
+ Previously, the [host] part was just ignored which made libcurl accept
+ strange URLs misleading users. like "file://etc/passwd" which might've
+ looked like it refers to "/etc/passwd" but is just "/passwd" since the
+ "etc" is an ignored host name.
- Commit fe0f8967bf fixed a problem with krb5 not being defined as a
- supported feature when HAVE_GSSAPI is defined, however, it should
- only be included if CURL_DISABLE_CRYPTO_AUTH is not set, like when
- SPNEGO is listed as a feature.
+ Reported-by: Mike Crowe
+ Assisted-by: Kamil Dudka
+
+- test558: adapt to 0649433da
+
+- openssl: make sure to fail in the unlikely event that PRNG seeding fails
-Daniel Stenberg (10 Nov 2014)
-- multi: removed Curl_multi_set_easy_connection
+- openssl: avoid unnecessary seeding if already done
- It isn't used anywhere!
+ 1.1.0+ does more of this by itself so we can avoid extra processing this
+ way.
+
+- openssl: RAND_status always exists in OpenSSL >= 0.9.7
- Reported-by: Carlo Wood
+ and remove RAND_screen from configure since nothing is using that
+ function
-- [Peter Wu brought this change]
+- Curl_pgrsUpdate: use dedicated function for time passed
- symbol-scan.pl: do not require autotools
+- realloc: use Curl_saferealloc to avoid common mistakes
- Makes test1119 pass when building with cmake.
+ Discussed: https://curl.haxx.se/mail/lib-2016-11/0087.html
+
+- [Daniel Hwang brought this change]
+
+ curl: Add --retry-connrefused
- configurehelp.pm is generated by configure (autotools). As cmake does
- not provide a separate variable for the C preprocessor, default to cpp.
- Before commit ef24ecde68a5f577a7f0f423a767620f09a0ab16 ("symbol-scan:
- use configure script knowledge about how to run the C preprocessor"),
- this tool would also use 'cpp'.
+ to consider ECONNREFUSED as a transient error.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #1064
-- [Peter Wu brought this change]
+- openssl: raise the max_version to 1.3 if asked for
+
+ Now I've managed to negotiate TLS 1.3 with https://enabled.tls13.com/ when
+ using boringssl.
- cmake: add ENABLE_THREADED_RESOLVER, rename ARES
+Jay Satiro (9 Nov 2016)
+- vtls: Fail on unrecognized param for CURLOPT_SSLVERSION
- Fix detection of the AsynchDNS feature which not just depends on
- pthreads support, but also on whether USE_POSIX_THREADS is set or not.
- Caught by test 1014.
+ - Fix GnuTLS code for CURL_SSLVERSION_TLSv1_2 that broke when the
+ TLS 1.3 support was added in 6ad3add.
- This patch adds a new ENABLE_THREADED_RESOLVER option (corresponding to
- --enable-threaded-resolver of autotools) which also needs a check for
- HAVE_PTHREAD_H.
+ - Homogenize across code for all backends the error message when TLS 1.3
+ is not available to "<backend>: TLS 1.3 is not yet supported".
- For symmetry with autotools, CURL_USE_ARES is renamed to ENABLE_ARES
- (--enable-ares). Checks that test for the availability actually use
- USE_ARES instead as that is the result of whether a-res is available or
- not (in practice this does not matter as CARES is marked as required
- package, but nevertheless it is better to write the intent).
+ - Return an error when a user-specified ssl version is unrecognized.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ ---
+
+ Prior to this change our code for some of the backends used the
+ 'default' label in the switch statement (ie ver unrecognized) for
+ ssl.version and treated it the same as CURL_SSLVERSION_DEFAULT.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-11/0048.html
+ Reported-by: Kamil Dudka
-- [Peter Wu brought this change]
+Daniel Stenberg (9 Nov 2016)
+- [Isaac Boukris brought this change]
- cmake: build libhostname for test suite
+ SPNEGO: Fix memory leak when authentication fails
- Used by some test cases via LD_PRELOAD in order to fake the host name.
+ If SPNEGO fails, cleanup the negotiate handle right away.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Fixes #1115
+
+ Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+ Reported-by: ashman-p
+
+- CODE_STYLE.md: link to INTERNALS.md correctly
-- [Peter Wu brought this change]
+- bump: next version will be 7.52.0
- cmake: fix HAVE_GETHOSTNAME definition
+- RELEASE-NOTES: synced with dfcdaaba371e9a3
+
+- examples/fileupload.c: fclose the file as well
+
+- printf: fix ".*f" handling
- Otherwise Curl_gethostname always fails. Windows has gethostname
- since Vista according to
- http://msdn.microsoft.com/en-us/library/ms738527%28VS.85%29.aspx, but
- accordings to byte_bucket's VC 2005 documentation, it is available even
- in Windows 95. (possibly after installing a Platform SDK, the
- Windows Server 2003 SP1 Platform SDK should be sufficient).
+ It would always use precision 1 instead of reading it from the argument
+ list as intended.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reported-by: Ray Satiro
+
+ Bug: #1113
-- [Peter Wu brought this change]
+- curl_formadd.3: *_FILECONTENT and *_FILE need the file to be kept
+
+ Reported-by: Frank Gevaerts
- tests: fix libhostname visibility
+Kamil Dudka (7 Nov 2016)
+- nss: silence warning 'SSL_NEXT_PROTO_EARLY_VALUE not handled in switch'
- I noticed that a patched cmake build would pass tests with a fake local
- hostname, but the autotools build skips them:
+ ... with nss-3.26.0 and newer
- got unexpected host name back, LD_PRELOAD failed
+ Reported-by: Daniel Stenberg
+
+Daniel Stenberg (7 Nov 2016)
+- openssl: initial TLS 1.3 adaptions
- It turns out that -fvisibility=hidden hides the symbol, and since the
- tests are not part of libcurl, it fails too. Just remove the LIBCURL
- guard.
+ BoringSSL supports TLSv1.3 already, but these changes don't seem to be anough
+ to get it working.
+
+- ssh: check md5 fingerprints case insensitively (regression)
- Broken since cURL 7.30 (commit 83a42ee20ea7fc25abb61c0b7ef56ebe712d7093,
- "curl.h: stricter CURL_EXTERN linkage decorations logic").
+ Revert the change from ce8d09483eea but use the new function
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reported-by: Kamil Dudka
+ Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146
-- [Peter Wu brought this change]
+Kamil Dudka (7 Nov 2016)
+- curl: introduce the --tlsv1.3 option to force TLS 1.3
+
+ Fully implemented with the NSS backend only for now.
+
+ Reviewed-by: Ray Satiro
- tests: fix memleak in server/resolve.c
+- vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
- This makes LeakSanitizer happy.
+ Fully implemented with the NSS backend only for now.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reviewed-by: Ray Satiro
-- configure: assume krb5 when gss-api works
+- nss: map CURL_SSLVERSION_DEFAULT to NSS default
+
+ ... but make sure we use at least TLSv1.0 according to libcurl API
- To please test 1014 while we work out if this is truly the a correct
- assumption.
+ Reported-by: Cure53
+ Reviewed-by: Ray Satiro
-Steve Holme (9 Nov 2014)
-- vtls.h: Fixed compiler warning when compiled without SSL
+Daniel Stenberg (7 Nov 2016)
+- s/cURL/curl
- vtls.c:185:46: warning: unused parameter 'data'
+ We're mostly saying just "curl" in lower case these days so here's a big
+ cleanup to adapt to this reality. A few instances are left as the
+ project could still formally be considered called cURL.
-- RELEASE-NOTES: Synced with 2fbf23875f
+Jay Satiro (7 Nov 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-- ntlm: Added separate SSPI based functions
+ http2: Don't send header fields prohibited by HTTP/2 spec
- In preparation for moving the NTLM message code into the SASL module,
- and separating the native code from the SSPI code, added functions that
- simply call the functions in curl_ntlm_msg.c.
-
-- http_ntlm: Use the SASL functions instead
+ Previously, we just ignored "Connection" header field. But HTTP/2
+ specification actually prohibits few more header fields. This commit
+ ignores all of them so that we don't send these bad header fields.
- In preparation for moving the NTLM message code into the SASL module
- use the SASL functions in the HTTP code instead.
-
-Daniel Stenberg (9 Nov 2014)
-- libssh2: detect features based on version, not configure checks
+ Bug: https://curl.haxx.se/mail/archive-2016-10/0033.html
+ Reported-by: Ricki Hirner
- ... so that non-configure builds get the correct functions too based on
- the libssh2 version used.
+ Closes https://github.com/curl/curl/pull/1092
-- [Nobuhiro Ban brought this change]
+Daniel Stenberg (7 Nov 2016)
+- curl.1: explain the SMTP data expected for -T
+
+ Fixes #1107
+
+ Reported-by: Adam Piggott
- SSH: use the port number as well for known_known checks
+Peter Wu (6 Nov 2016)
+- cmake: disable poll for macOS
- ... if the libssh2 version is new enough.
+ Mirrors the autotools behavior introduced with curl-7_50_3-83-ga34c7ce.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1448
+ Fixes #1089
-Steve Holme (9 Nov 2014)
-- INSTALL: Updated pre-processor references to the old VC6 project files
+Jay Satiro (5 Nov 2016)
+- easy: Initialize info variables on easy init and duphandle
+
+ - Call Curl_initinfo on init and duphandle.
- Reworked the two sections that discuss modifying the Visual Studio pre-
- processor settings, and vc6libcurl.dsw/vc6libcurl.dsp, to remove the
- project files references as they have been superseded by a more thorough
- set of project files for VC6 through VC12, but to also give the correct
- reference to this setting in later versions of Visual Studio.
+ Prior to this change the statistical and informational variables were
+ simply zeroed by calloc on easy init and duphandle. While zero is the
+ correct default value for almost all info variables, there is one where
+ it isn't (filetime initializes to -1).
+
+ Bug: https://github.com/curl/curl/issues/1103
+ Reported-by: Neal Poole
+
+Daniel Stenberg (5 Nov 2016)
+- [Mauro Rappa brought this change]
-- INSTALL: Added email protocols to the "Disabling in Win32 builds" section
+ curl -w: added more decimal digits to timing counters
+
+ Now showing microsecond resolution.
+
+ Closes #1106
-- configure: Fixed NTLM missing from features when CURL_DISABLE_HTTP defined
+Jakub Zakrzewski (4 Nov 2016)
+- dist: add CMakeLists.txt to the tarball
-- build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined
+Daniel Stenberg (4 Nov 2016)
+- mbedtls: fix build with mbedtls versions < 2.4.0
- USE_NTLM would only be defined if: HTTP support was enabled, NTLM and
- cryptography weren't disabled, and either a supporting cryptography
- library or Windows SSPI was being compiled against.
+ Regression added in 62a8095e714
- This means it was not possible to build libcurl without HTTP support
- and use NTLM for other protocols such as IMAP, POP3 and SMTP. Rather
- than introduce a new SASL pre-processor definition, removed the HTTP
- prerequisite just like USE_SPNEGO and USE_KRB5.
+ Reported-by: Tony Kelman
- Note: Winbind support still needs to be dependent on CURL_DISABLE_HTTP
- as it is only available to HTTP at present.
+ Discussed in #1087
+
+- configure: verify that compiler groks -Werror=partial-availability
+
+ Reported-by: bemoody
- This bug dates back to August 2011 when I started to add support for
- NTLM to SMTP.
+ Fixes #1104
-- ntlm: Removed an unnecessary free of native Target Info
+- docs: shorten and simplify the top comment in multi-uv.c
- Due to commit 40ee1ba0dc the free in Curl_ntlm_decode_type2_target() is
- longer required.
+ and change URL to use https
-- ntlm: Moved the native Target Info clean-up from HTTP specific function
+- [Andrei Sedoi brought this change]
-- ntlm: Moved SSPI clean-up code into SASL module
+ docs: handle CURL_POLL_INOUT in multi-uv example
-- Makefile.dist: Added support for WinIDN
+- [Andrei Sedoi brought this change]
-- Makefile.vc6: Added support for WinIDN
+ docs: multi-uv: don't use CURLMsg after cleanup
-- Makefile.dist: Added some missing SSPI configurations
+- [Andrei Sedoi brought this change]
-- Makefile.dist: Separated the groups of SSL configurations from each other
+ docs: remove unused variables in multi-uv example
-- Makefile.dist: Grouped the x64 configurations next to their x86 counterparts
+- bump: start working on 7.51.1
-- curl.h: Tidy up of CURL_VERSION_* flags
+- winbuild: remove strcase.obj from curl build
- As the list has gotten a little messy and hard to read, especially with
- the introduction of deprecated items, aligned the values and comments
- into clean columns and reworked some of the comments in the process.
-
-- curl_tool: Added krb5 to the supported features
+ Reported-by: Bruce Stephens
+
+ Fixes #1098
-- configure: Added krb5 to the supported features
+Dan Fandrich (2 Nov 2016)
+- msvc: removed a straggling reference to strequal.c
+
+ Follow-up to 502acba2
-- version info: Added Kerberos V5 to the supported features
+Version 7.51.0 (2 Nov 2016)
-Guenter Knauf (7 Nov 2014)
-- mk-ca-bundle.vbs: switch to new certdata.txt url.
+Daniel Stenberg (2 Nov 2016)
+- THANKS: synced with 7.51.0
-Steve Holme (7 Nov 2014)
-- RELEASE-NOTES: Synced with dcad09e125
+- RELEASE-NOTES: 7.51.0
-- http_digest: Fixed some memory leaks introduced in commit 6f8d8131b1
+- ftp_done: don't clobber the passed in error code
- Fixed a couple of memory leaks as a result of moving code that used to
- populate allocuserpwd and relied on it's clean up.
-
-- docs: Updated following the addition of SSPI based HTTP digest auth
+ Coverity CID 1374359 pointed out the unused result value.
-- sasl_sspi: Tidy up of the existing digest code
+- ftp: remove dead code in ftp_done
- Following the addition of SSPI support for HTTP digest, synchronised
- elements of the email digest code with that of the new HTTP code.
+ Coverity CID 1374358
-- http_digest: Post SSPI support tidy up
+Jay Satiro (1 Nov 2016)
+- generate.bat: Include include/curl in libcurl VS projects
- Post tidy up to ensure commonality of code style and variable names.
+ .. because including those headers helps Visual Studio's Intellisense.
-Dan Fandrich (6 Nov 2014)
-- test552: Don't run HTTP digest tests for SSPI based builds
+- generate.bat: Remove strcase.[ch] from curl tool VS projects
- Technical difficulties prevented this from going into the
- previous commit.
-
-Steve Holme (6 Nov 2014)
-- tests: Don't run HTTP digest tests for SSPI based builds
+ ..because they're no longer needed in the tool build. strcase is still
+ built by the libcurl project and exports curl_str(n)equal which is used
+ by the curl tool.
- Added !SSPI to the features list of the HTTP digest tests, as SSPI
- based builds now use the Windows SSPI messaging API rather than the
- internal functions, and we can't control the random numbers that get
- used as part of the digest.
-
-Daniel Stenberg (6 Nov 2014)
-- curl.1: show zone index use in a URL
+ Bug: https://github.com/curl/curl/commit/9363f1a#all_commit_comments
-Steve Holme (6 Nov 2014)
-- http_digest: Fixed auth retry loop when SSPI based authentication fails
-
-- http_digest: Reworked the SSPI based input token storage
+Daniel Stenberg (2 Nov 2016)
+- metalink: simplify the hex parsing function
- Reworked the input token (challenge message) storage as what is passed
- to the buf and desc in the response generation are typically blobs of
- data rather than strings, so this is more in keeping with other areas
- of the SSPI code, such as the NTLM message functions.
+ ... and now it avoids using the libcurl toupper() function
-- sasl_sspi: Fixed compilation warning from commit 2d2a62e3d9
+Michael Kaufmann (1 Nov 2016)
+- file: fix compiler warning
- Added void reference to unused 'data' parameter back to fix compilation
- warning.
-
-- sspi: Align definition values to even columns as we use 2 char spacing
+ follow-up to 46133aa5
-- sspi: Fixed missing definition of ISC_REQ_USE_HTTP_STYLE
+Dan Fandrich (1 Nov 2016)
+- strcase: fixed Metalink builds by redefining checkprefix()
- Some versions of Microsoft's sspi.h don't define this.
-
-- sasl: Removed non-SSPI Digest functions and defines from SSPI based builds
+ ...to use the public function curl_strnequal(). This isn't ideal because
+ it adds extra overhead to any internal calls to checkprefix.
- Introduced in commit 7e6d51a73c these functions and definitions are only
- required by the internal challenge-response functions now.
-
-- sasl_sspi: Added HTTP digest response generation code
+ follow-up to 95bd2b3e
-- http_digest: Added SSPI based challenge decoding code
+Daniel Stenberg (1 Nov 2016)
+- curl.1: typo
-- http_digest: Added SSPI based clean-up code
+- curl.1: expand on how multiple uses of -o looks
+
+ Suggested-by: Dan Jacobson
+ Issue: https://github.com/curl/curl/issues/1097
-- http_digest: Added SSPI based authentication functions
+- tests/util: get a private strncasecompare clone
- This temporarily breaks HTTP digest authentication in SSPI based builds,
- causing CURLE_NOT_BUILT_IN to be returned. A follow up commit will
- resume normal operation.
+ ... since the curlx_* code no longer provides one and we don't link
+ libcurl to these test servers.
-- http_digest: Added required SSPI based variables to digest structure
+- strcase: make the tool use curl_str[n]equal instead
+
+ As they are after all part of the public API. Saves space and reduces
+ complexity. Remove the strcase defines from the curlx_ family.
+
+ Suggested-by: Dan Fandrich
+ Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
-Daniel Stenberg (6 Nov 2014)
-- [Frank Gevaerts brought this change]
+Kamil Dudka (31 Oct 2016)
+- gskit, nss: do not include strequal.h
+
+ follow-up to 811a693b80
- contributors.sh: --releasenotes reads in names from RELEASE-NOTES
+Dan Fandrich (31 Oct 2016)
+- strcasecompare: include curl.h in strcase.c
- This is very handy when updating the RELEASE-NOTES as then we sometimes
- have names added manually in the existing list and we use this script to
- update the set.
+ This should fix the "warning: 'curl_strequal' redeclared without
+ dllimport attribute: previous dllimport ignored" message and subsequent
+ link error on Windows because of the missing CURL_EXTERN on the
+ prototype.
-- RELEASE-NOTES: synced with 68542e72a9
+Daniel Stenberg (31 Oct 2016)
+- strcase: fix the remaining rawstr users
-- curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY
+- msvc builds: s/rawstr/strcase
- Reported-by: Christian Hägele
- Bug: http://curl.haxx.se/mail/lib-2014-11/0078.html
+ Follow-up to 811a693b
-Steve Holme (5 Nov 2014)
-- build: Fixed Visual Studio project file generation of strdup.[c|h]
+Dan Fandrich (31 Oct 2016)
+- strcasecompare: replaced remaining rawstr.h with strcase.h
- As the curl command-line tool now includes it's own version of strdup(),
- for platforms that don't have it, fixed up the git respository Visual
- Studio project file generator to not include the version from lib in the
- tool project files, rather than having both lib\strdup.[c|h] and
- src\tool_strdup.[c|h] present.
+ This is a followup to commit 811a693b
-Daniel Stenberg (5 Nov 2014)
-- tool_strdup.c: include the tool strdup.h
+Marcel Raad (31 Oct 2016)
+- digest_sspi: fix include
- ... not the lib/ one that the tool no longer uses!
-
-- THANKS-filter: added another Michał Górny version we've used
+ Fix compile break from 811a693b80
-- contributors.sh: split lists using " and "
+Dan Fandrich (31 Oct 2016)
+- libauthretry: use the external function curl_strequal
- ... and require the space after the filtering to make the filter able to
- remove names.
+ The internal version strcasecompare isn't available outside libcurl
-Steve Holme (5 Nov 2014)
-- http_digest: Fixed memory leaks from commit 6f8d8131b1
+Daniel Stenberg (31 Oct 2016)
+- RELEASE-NOTES: synced with d14538d2501ef0da
-- sasl: Fixed compilation warning from commit 25264131e2
-
- Added forward declaration of digestdata to overcome the following
- compilation warning:
-
- warning: 'struct digestdata' declared inside parameter list
+- configure: raise the default minimum version for macos to 10.8
- Additionally made the ntlmdata forward declaration dependent on
- USE_NTLM similar to how digestdata and kerberosdata are.
+ follow-up to 4f8d0b6f02aa7043. Since the darwinssl code breaks
+ otherwise. If you build without darwinssl 10.5 works fine.
-- sasl: Fixed HTTP digest challenges with spaces between auth parameters
+- unit1301: keep testing curl_strequal
- Broken as part of the rework, in commit 7e6d51a73c, to assist with the
- addition of HTTP digest via Windows SSPI.
+ as that is still part of the API, fix from 8fe4bd084412f30
-- http_digest: Fixed compilation errors from commit 6f8d8131b1
+- ldap: fix include
- error: invalid operands to binary
- warning: pointer targets in assignment differ in signedness
+ Fix bug from 811a693b80
-- http_digest: Moved response generation into SASL module
+- url: remove unconditional idn2.h include
+
+ Mistake brought by 9c91ec778104a
-- http_digest: Moved challenge decoding into SASL module
+- curl_strequal: part of public API/ABI, needs to be kept
+
+ These two public functions have been mentioned as deprecated since a
+ very long time but since they are still part of the API and ABI we need
+ to keep them around.
-- http_digest: Moved clean-up function into SASL module
+- strcase: s/strequal/strcasecompare
+
+ some more follow-ups to 811a693b80
-- http_digest: Moved algorithm definitions to SASL module
+- ldap: fix strcase use
+
+ follow-up to 811a693b80
-- [Gisle Vanem brought this change]
+- test165: adapted to the libidn2 use and IDNA2008 fix
- ssh: Fixed build on platforms where R_OK is not defined
+- cookie: replace use of fgets() with custom version
- Bug: http://curl.haxx.se/mail/lib-2014-11/0035.html
- Reported-by: Jan Ehrhardt
-
-- strdup: Removed irrelevant comment
+ ... that will ignore lines that are too long to fit in the buffer.
- ...as Curl_memdup() duplicates an area of fix size memory, that may be
- binary, and not a null terminated string.
-
-- url.c: Fixed compilation warning
+ CVE-2016-8615
- conversion from 'curl_off_t' to 'size_t', possible loss of data
+ Bug: https://curl.haxx.se/docs/adv_20161102A.html
+ Reported-by: Cure53
-- http_digest: Use CURLcode instead of CURLdigest
+- strcasecompare: all case insensitive string compares ignore locale now
- To provide consistent behaviour between the various HTTP authentication
- functions use CURLcode based error codes for Curl_input_digest()
- especially as the calling code doesn't use the specific error code just
- that it failed.
+ We had some confusions on when each function was used. We should not act
+ differently on different locales anyway.
-Daniel Stenberg (5 Nov 2014)
-- contributors.sh: filter common alternative name spellings
+- strcasecompare: is the new name for strequal()
- docs/THANKS-filter is a new filter file for converting contributor names
- we get or have recorded in alternative formats to the one we already use
- in THANKS. To help us show individual contributors using a single
- presentation of their names.
+ ... to make it less likely that we forget that the function actually
+ does case insentive compares. Also replaced several invokes of the
+ function with a plain strcmp when case sensitivity is not an issue (like
+ comparing with "-").
-- THANKS: added missing contributor from 2012
+- ftp: check for previous patch must be case sensitive!
+
+ ... otherwise example.com/PATH and example.com/path would be assumed to
+ be the same and they usually aren't!
-- [Frank Gevaerts brought this change]
+- SSH: check md5 fingerprint case sensitively
- Remove duplicate names.
+- connectionexists: use case sensitive user/password comparisons
+
+ CVE-2016-8616
- The removed names also appear as:
- Andrés García, François Charlier, Gökhan Şengün, Michał Górny, Sébastien
- Willemijns, Christopher Conroy, John E. Malmberg, Luca Altea, Peter Su,
- S. Moonesamy, Samuel Listopad, Yasuharu Yamada, Karl Moerder
+ Bug: https://curl.haxx.se/docs/adv_20161102B.html
+ Reported-by: Cure53
-Steve Holme (5 Nov 2014)
-- sspi: Define authentication package name constants
+- base64: check for integer overflow on large input
- These were previously hard coded, and whilst defined in security.h,
- they may or may not be present in old header files given that these
- defines were never used in the original code.
+ CVE-2016-8617
- Not only that, but there appears to be some ambiguity between the ANSI
- and UNICODE NTLM definition name in security.h.
+ Bug: https://curl.haxx.se/docs/adv_20161102C.html
+ Reported-by: Cure53
-Patrick Monnerat (5 Nov 2014)
-- Adjust OS400-specific support to last release
-
-Daniel Stenberg (5 Nov 2014)
-- THANKS: added two missing names and removed a duplicate
+- krb5: avoid realloc(0)
- ./contributors.sh found these extra ones that somehow had fallen
- through the cracks and never gotten added here.
+ If the requested size is zero, bail out with error instead of doing a
+ realloc() that would cause a double-free: realloc(0) acts as a free()
+ and then there's a second free in the cleanup path.
- Reported-by: Frank Gevaerts
-
-- bump: towards next release
-
-- THANKS: added names from 7.39.0 release notes
-
-Version 7.39.0 (5 Nov 2014)
-
-Daniel Stenberg (5 Nov 2014)
-- RELEASE-NOTES: 7.39.0 release (commit b3875606925)
+ CVE-2016-8619
+
+ Bug: https://curl.haxx.se/docs/adv_20161102E.html
+ Reported-by: Cure53
-- curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
+- aprintf: detect wrap-around when growing allocation
- When duplicating a handle, the data to post was duplicated using
- strdup() when it could be binary and contain zeroes and it was not even
- zero terminated! This caused read out of bounds crashes/segfaults.
+ On 32bit systems we could otherwise wrap around after 2GB and allocate 0
+ bytes and crash.
- Since the lib/strdup.c file no longer is easily shared with the curl
- tool with this change, it now uses its own version instead.
+ CVE-2016-8618
- Bug: http://curl.haxx.se/docs/adv_20141105.html
- CVE: CVE-2014-3707
- Reported-By: Symeon Paraschoudis
+ Bug: https://curl.haxx.se/docs/adv_20161102D.html
+ Reported-by: Cure53
-- lib544.c: use duphandle for test 545
+- range: reject char globs with missing end like '[L-]'
- To verify that curl_easy_duphandle() works fine on a handle that has
- gotten data stored with *_COPYPOSTFIELDS.
-
-- tests: add new feature 'SSLpinning'
+ ... which previously would lead to out of boundary reads.
- ... and make test 2034 and 2035 require it, and have it set when built
- with OpenSSL or GnuTLS.
+ Reported-by: Luật Nguyễn
-- buildconf: update copyright year
+- glob_next_url: make sure to stay within the given output buffer
-Steve Holme (4 Nov 2014)
-- INSTALL: Consistent spacing in section headings, paragraphs and examples
-
-Daniel Stenberg (4 Nov 2014)
-- buildconf: stop checking for libtool
+- range: prevent negative end number in a glob range
- As we only use libtoolize, only check for that!
-
-Steve Holme (4 Nov 2014)
-- INSTALL: Corrected MIT Kerberos and Heimdal package names
-
-- README: Corrected inconsistent use of --help
+ CVE-2016-8620
+
+ Bug: https://curl.haxx.se/docs/adv_20161102F.html
+ Reported-by: Luật Nguyễn
-- INSTALL: Use GSS-API rather than GSSAPI
+- parsedate: handle cut off numbers better
- As implementations are refereed to GSS-API libraries as per the RFC and
- GSSAPI typically refers to the SASL authentication mechanism.
+ ... and don't read outside of the given buffer!
- ...and minor rewording on the same paragraph.
-
-- README: Added note about using Visual Studio projects out of git repository
+ CVE-2016-8621
+
+ bug: https://curl.haxx.se/docs/adv_20161102G.html
+ Reported-by: Luật Nguyễn
-Daniel Stenberg (4 Nov 2014)
-- [K. R. Walker brought this change]
+- escape: avoid using curl_easy_unescape() internally
+
+ Since the internal Curl_urldecode() function has a better API.
- cmake: fix ZLIB_INCLUDE_DIRS use
+- unescape: avoid integer overflow
- CMake 2.8's FindZLIB.cmake documents ZLIB_INCLUDE_DIRS, see
- http://www.cmake.org/cmake/help/v2.8.0/cmake.html#module:FindZLIB
+ CVE-2016-8622
- Bug: https://github.com/bagder/curl/pull/123
-
-- [Jay Satiro brought this change]
+ Bug: https://curl.haxx.se/docs/adv_20161102H.html
+ Reported-by: Cure53
- SSL: PolarSSL default min SSL version TLS 1.0
+- cookies: getlist() now holds deep copies of all cookies
- - Prior to this change no SSL minimum version was set by default at
- runtime for PolarSSL. Therefore in most cases PolarSSL would probably
- have defaulted to a minimum version of SSLv3 which is no longer secure.
-
-- opts-Makefile: put more man pages into dist and make hmtl+pdf
-
-- curl_multi_setopt.3: refer to stand-alone pages
+ Previously it only held references to them, which was reckless as the
+ thread lock was released so the cookies could get modified by other
+ handles that share the same cookie jar over the share interface.
- ... instead of duplicating info.
-
-- opts: more multi options as stand-alone man pages
-
-- Makefile.am: two cmake files are gone
+ CVE-2016-8623
- 8cb010144 removed the CurlCheckCSourceCompiles.cmake and
- CurlCheckCSourceRuns.cmake files
-
-- opts: made stand-alone man-pages for several multi options
+ Bug: https://curl.haxx.se/docs/adv_20161102I.html
+ Reported-by: Cure53
-- [Carlo Wood brought this change]
+- TODO: remove IDNA2008
- Curl_single_getsock: fix hold/pause sock handling
+- idn: switch to libidn2 use and IDNA2008 support
- The previous condition that checked if the socket was marked as readable
- when also adding a writable one, was incorrect and didn't take the pause
- bits properly into account.
+ CVE-2016-8625
+
+ Bug: https://curl.haxx.se/docs/adv_20161102K.html
+ Reported-by: Christian Heimes
-- [Peter Wu brought this change]
+- test1246: verify URL parsing with host name ending with '#'
- cmake: fix struct sockaddr_storage check
-
- CHECK_TYPE_SIZE_PREINCLUDE is an internal, undocumented variable which
- was removed in cmake 2.8.1. According to the MSDN docs[1], inclusion
- of winsock2.h is sufficient. WIN32_LEAN_AND_MEAN does not really seem
- to affect the tests, so remove it too[2].
+- urlparse: accept '#' as end of host name
- For the non-windows case, remove inet headers as POSIX only requires
- sys/socket.h.
+ 'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
+ for the '/' document with the rest of the URL being a fragment.
- [1]: http://msdn.microsoft.com/en-us/library/windows/desktop/ms740504%28v=vs.85%29.aspx
- [2]: http://stackoverflow.com/questions/11040133/what-does-defining-win32-lean-and-mean-exclude-exactly
+ CVE-2016-8624
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Bug: https://curl.haxx.se/docs/adv_20161102J.html
+ Reported-by: Fernando Muñoz
-- [Peter Wu brought this change]
-
- cmake: clean OtherTests, fixing -Werror
-
- There were several -Wunused warnings and one duplicate macro definition.
- The EXTRA_DEFINES variable of the CurlCheckCSources macro was being
- abused ("__unused1\n#undef inline\n#define __unused2", seriously?) to
- insert extra C code. Avoid this broken abstraction and use cmake's
- check_c_source_compiles directly (works fine with CMake 2.8, maybe
- even cmake 2.6).
+Jay Satiro (31 Oct 2016)
+- INTERNALS: better markdown (follow-up)
- After cleaning up all related variables (EXTRA_DEFINES,
- HEADER_INCLUDES, auxiliary headers_hack), also remove a duplicate
- add_headers_include macro and remove duplicate header additions before
- the struct timeval check.
+ - Wrap more words with underscores in backticks.
- Oh, and now the code is converted to use CheckCSourceRuns and
- CheckCSourceCompiles, the two curl-specific helpers can be removed.
- Unfortunately, the cmake output is now slightly more verbose. Before:
+ Follow-up to 13f4913.
+
+Daniel Stenberg (30 Oct 2016)
+- INTERNALS: better markdown
- Performing Test int send(int, const void *, size_t, int) (curl_cv_func_send_test)
- Performing Test int send(int, const void *, size_t, int) (curl_cv_func_send_test) - Failed
+ words with underscore need to be within `these`
- Since check_c_source_compiles prints the varname, now you see:
+ Bug: https://github.com/curl/curl-www/issues/19
+ Reported-by : Jay Satiro
+
+Jay Satiro (30 Oct 2016)
+- mk-ca-bundle.vbs: Fix UTF-8 output
- Performing Test curl_cv_func_send_test
- Performing Test curl_cv_func_send_test - Failed
- Tested: int send(int, const void *, size_t, int)
+ - Change initial message box to mention delay when downloading/parsing.
- Compared cmake output with each other using vimdiff, no functional
- differences were found. Tested with GCC 4.9.1 and Clang 3.5.0.
+ Since there is no progress meter it was somewhat unexpected that after
+ choosing a filename nothing appears to happen, when actually the cert
+ data is in the process of being downloaded and parsed.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
-
- cmake: fix gethostby{addr,name}_r in CurlTests
+ - Warn if OpenSSL is not present.
- This patch cleans up the automatically-generated (?) code and fixes one
- case that will always fail due to syntax error.
+ - Use a UTF-8 stream to make the ca-bundle data.
- HAVE_GETHOSTBYADDR_R_5_REENTRANT always failed because of a trailing
- character ("int length;q"). Several parameter type and unused variable
- warnings popped up. This causes a detection failure with -Werror.
+ - Save the UTF-8 ca-bundle stream as binary so that no BOM is added.
- Observe that the REENTRANT cases are exactly the same as their
- non-REENTRANT cases except for a `_REENTRANT` macro definition.
- Merge all these pieces and build one big main function with different
- cases, but reusing variables where logical.
+ ---
- For the cases where the parameters where NULL, I looked at
- lib/hostip4.c to get an idea of the parameters types.
+ This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
+ ANSI due to corrupt UTF-8 output, now fixed.
- void-cast variables such as 'rc' to avoid -Wuninitialized errors.
+ This change completes making the default certificate bundle output of
+ mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
+ should make it easier to review any difference between their output.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Ref: https://github.com/curl/curl/pull/1012
-- [Peter Wu brought this change]
+Daniel Stenberg (28 Oct 2016)
+- BINDINGS: converted to markdown
+
+ To make it render better on the web site, at the price of it becoming
+ slightly less readable as text.
- cmake: drop _BSD_SOURCE macro usage
+Jay Satiro (27 Oct 2016)
+- CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
- autotools does not use features.h nor _BSD_SOURCE. As this macro
- triggers warnings since glibc 2.20, remove it. It should not have
- functional differences.
+ - Clarify that this option is only for HTTP/1.1 pipelining.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-Steve Holme (2 Nov 2014)
-- RELEASE-NOTES: Synced with d71ea7c01e
+ Bug: https://github.com/curl/curl/issues/1059
+ Reported-by: Jeroen Ooms
- Additionally, updated "GSSAPI" to "GSS-API" for a Cmake related change
- as GSSAPI can be confused with the authentication mechanism rather than
- a GSS-API implementation library such as MIT or Heimdal.
+ Assisted-by: Daniel Stenberg
-- build: Added WinIDN build configuration options
+Daniel Stenberg (27 Oct 2016)
+- KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
- Added support for WinIDN build configurations to the VC6 project files.
+ Closes #927
-- build: Added WinIDN build configuration options
+- KNOWN_BUGS: c-ares deviates from stock resolver on http://1346569778
- Added support for WinIDN build configurations to the VC7 and VC7.1
- project files.
+ Closes #893
-- build: Fixed the pre-processor separator in Visual Studio project files
+Michael Osipov (27 Oct 2016)
+- configure.in: Fix test syntax
- A left over from the VC6 project files, so mainly cosmetic in Visual
- Studio .NET as it can handle both comma and semi-colon characters for
- separating multiple pre-processor definitions.
+ Some versions of test allow == for equality, but others (such as the HP-UX
+ version) do not. Use a single = for correctness.
- However, the IDE uses semi-colons if the value is edited, and as such,
- this may cause problems in future for anyone updating the files or
- merging patches.
-
- Used the Visual Studio IDE to correct the separator character.
+ Error output:
+ checking for monotonic clock_gettime... ./configure[20445]: ==: A test command parameter is not valid.
-- build: Added optional specific version generation of VC project files
+Daniel Stenberg (27 Oct 2016)
+- SECURITY: minor updates
- ..when working from the git repository. This is particularly useful
- for single development environments where the project files for all
- supported versions of Visual Studio may not be required.
-
-- [Jay Satiro brought this change]
-
- build-openssl.bat: Fix x64 release build
+ - we allow the security push up to 48 hours before the release
- Prior to this change if x64 release was specified a failed attempt was
- made to build x86 release instead.
-
-- CURLOPT_XOAUTH2_BEARER.3: Corrected the OAuth version number
-
-- CURLOPT_SASL_IR.3: Added supported mechanism information
+ - add a mention about possible pre-notifications
- ...and removed duplication of what protocols are supported from the
- description text.
+ - lower case the 'curl-security' title
-- opts: Use common wording for MAIL related names
+- [Andrei Sedoi brought this change]
-- opts: Use common wording for TLS user/password option names
+ docs: fix req->data in multi-uv example
- ...and revised the proxy wording a little as well.
+ Closes #1088
-- CURLOPT_MAXCONNECTS.3: Reworked the description to be less confusing
+- mbedtls: stop using deprecated include file
- ...and corrected a related typo in curl_easy_setopt.3.
+ Reported-by: wyattoday
+ Fixes #1087
-Guenter Knauf (2 Nov 2014)
-- RELEASE-NOTES: removed obsolete entry; fixed entry.
+Kamil Dudka (25 Oct 2016)
+- [Martin Frodl brought this change]
-Steve Holme (2 Nov 2014)
-- RELEASE-NOTES: Synced with e7da67f5d3
-
-- docs: Added mention of Kerberos for CURL_VERSION_SSPI
+ nss: fix tight loop in non-blocking TLS handhsake over proxy
- As this has been present for SOCKSv5 proxy since v7.19.4 and for IMAP,
- POP3 and SMTP authentication since v7.38.0.
-
-- CURL_VERSION_KERBEROS4: Mark as deprecated
+ ... in case the handshake completes before entering
+ CURLM_STATE_PROTOCONNECT
- Support for Kerberos V4 was removed in v7.33.0.
+ Bug: https://bugzilla.redhat.com/1388162
-- sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
+Jay Satiro (25 Oct 2016)
+- mk-ca-bundle: Update the vbscript version
- Typically the USE_WINDOWS_SSPI definition would not be used when the
- CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build
- configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication
- data structures and functions would incorrectly be used when they
- shouldn't be.
+ Bring the VBScript version more in line with the perl version:
- Introduced a new USE_KRB5 definition that takes into account the use of
- CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do.
-
-- openssl: Use 'CURLcode result'
+ - Change timestamp to UTC.
- More CURLcode fixes.
-
-Daniel Stenberg (1 Nov 2014)
-- resume: consider a resume from [content-length] to be OK
+ - Change URL retrieval to HTTPS-only by default.
- Basically since servers often then don't respond well to this and
- instead send the full contents and then libcurl would instead error out
- with the assumption that the server doesn't support resume. As the data
- is then already transfered, this is now considered fine.
+ - Comment out the options that disabled SSL cert checking by default.
- Test case 1434 added to verify this. Test case 1042 slightly modified.
+ - Assume OpenSSL is present, get SHA256. And add a flag to toggle it.
- Reported-by: hugo
- Bug: http://curl.haxx.se/bug/view.cgi?id=1443
-
-Steve Holme (1 Nov 2014)
-- openssl: Use 'CURLcode result'
+ - Fix cert issuer name output.
- More standardisation of CURLcode usage and coding style.
-
-- openssl: Use 'CURLcode result'
+ The cert issuer output is now ansi, converted from UTF-8. Prior to this
+ it was corrupt UTF-8. It turns out though we can work with UTF-8 the
+ FSO object that writes ca-bundle can't write UTF-8, so there will have
+ to be some alternative if UTF-8 is needed (like an ADODB.Stream).
- ...and some minor code style changes.
+ - Disable the certificate text info feature.
+
+ The certificate text info doesn't work properly with any recent OpenSSL.
-- ftplistparser: We prefer 'CURLcode result'
+Daniel Stenberg (24 Oct 2016)
+- TODO: indent code to make it render properly
-- opts: Use common wording for user/password option names
+- TODO: Remove the generated include file
-- CURLOPT_CONNECT_ONLY.3: Removed "This option is implemented for..." text
+- TODO: add "--retry should resume"
- As this is covered by the PROTOCOLS section and saves having to update
- two parts of the document with the same information in future.
+ See #1084
-- CURLOPT_GSSAPI_DELEGATION.3: Use GSS-API rather than GSSAPI
+- mk-ca-bundle.1: document -k
- As implementations are refereed to GSS-API libraries as per the RFC and
- GSSAPI typically refers to an authentication mechanism.
+ Brought in 1ad2bdcf110266c. Now does HTTPS by default and needs -k to
+ fall back to plain HTTP.
+
+- [Jay Satiro brought this change]
-- CURLOPT_CONNECT_ONLY.3: Fixed incomplete protocol list
+ mk-ca-bundle: Change URL retrieval to HTTPS-only by default
+
+ - Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).
+
+ - New option -k to allow URLs other than HTTPS and enable HTTP fallback.
+
+ Prior to this change the default URL retrieval mode was to fall back to
+ HTTP if HTTPS didn't work.
+
+ Reported-by: Gregory Szorc
+
+ Closes #1012
+
+- RELEASE-NOTES: synced with 50ee3aaf1a9b22d
+
+Dan Fandrich (23 Oct 2016)
+- INSTALL.md: Updated minimum file sizes for 7.50.3
+
+Daniel Stenberg (22 Oct 2016)
+- multi: force connections to get closed in close_all_connections
+
+ Several independent reports on infinite loops hanging in the
+ close_all_connections() function when closing a multi handle, can be
+ fixed by first marking the connection to get closed before calling
+ Curl_disconnect.
+
+ This is more fixing-the-symptom rather than the underlying problem
+ though.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-10/0011.html
+ Bug: https://curl.haxx.se/mail/lib-2016-10/0059.html
+
+ Reported-by: Dan Fandrich, Valentin David, Miloš Ljumović
+
+- [Anders Bakken brought this change]
+
+ curl_multi_remove_handle: fix a double-free
+
+ In short the easy handle needs to be disconnected from its connection at
+ this point since the connection still is serving other easy handles.
+
+ In our app we can reliably reproduce a crash in our http2 stress test
+ that is fixed by this change. I can't easily reproduce the same test in
+ a small example.
+
+ This is the gdb/asan output:
+
+ ==11785==ERROR: AddressSanitizer: heap-use-after-free on address 0xe9f4fb80 at pc 0x09f41f19 bp 0xf27be688 sp 0xf27be67c
+ READ of size 4 at 0xe9f4fb80 thread T13 (RESOURCE_HTTP)
+ #0 0x9f41f18 in curl_multi_remove_handle /path/to/source/3rdparty/curl/lib/multi.c:666
+
+ 0xe9f4fb80 is located 0 bytes inside of 1128-byte region [0xe9f4fb80,0xe9f4ffe8)
+ freed by thread T13 (RESOURCE_HTTP) here:
+ #0 0xf7b1b5c2 in __interceptor_free /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:45
+ #1 0x9f7862d in conn_free /path/to/source/3rdparty/curl/lib/url.c:2808
+ #2 0x9f78c6a in Curl_disconnect /path/to/source/3rdparty/curl/lib/url.c:2876
+ #3 0x9f41b09 in multi_done /path/to/source/3rdparty/curl/lib/multi.c:615
+ #4 0x9f48017 in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1896
+ #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
+ #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
+ #7 0x9c445e0 in ...
+ #8 0x9c4cf1d in ...
+ #9 0xa2be6b5 in ...
+ #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
+
+ previously allocated by thread T13 (RESOURCE_HTTP) here:
+ #0 0xf7b1ba27 in __interceptor_calloc /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:70
+ #1 0x9f7dfa6 in allocate_conn /path/to/source/3rdparty/curl/lib/url.c:3904
+ #2 0x9f88ca0 in create_conn /path/to/source/3rdparty/curl/lib/url.c:5797
+ #3 0x9f8c928 in Curl_connect /path/to/source/3rdparty/curl/lib/url.c:6438
+ #4 0x9f45a8c in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1411
+ #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
+ #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
+ #7 0x9c445e0 in ...
+ #8 0x9c4cf1d in ...
+ #9 0xa2be6b5 in ...
+ #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
+
+ SUMMARY: AddressSanitizer: heap-use-after-free /path/to/source/3rdparty/curl/lib/multi.c:666 in curl_multi_remove_handle
+ Shadow bytes around the buggy address:
+ 0x3d3e9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
+ 0x3d3e9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ =>0x3d3e9f70:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ ==11785==ABORTING
+
+ Thread 14 "RESOURCE_HTTP" received signal SIGABRT, Aborted.
+ [Switching to Thread 0xf27bfb40 (LWP 12324)]
+ 0xf7fd8be9 in __kernel_vsyscall ()
+ (gdb) bt
+ #0 0xf7fd8be9 in __kernel_vsyscall ()
+ #1 0xf4c7ee89 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
+ #2 0xf4c803e7 in __GI_abort () at abort.c:89
+ #3 0xf7b2ef2e in __sanitizer::Abort () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cc:122
+ #4 0xf7b262fa in __sanitizer::Die () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_common.cc:145
+ #5 0xf7b21ab3 in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0xf27be171, __in_chrg=<optimized out>) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:689
+ #6 0xf7b214a5 in __asan::ReportGenericError (pc=166993689, bp=4068206216, sp=4068206204, addr=3925146496, is_write=false, access_size=4, exp=0, fatal=true) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:1074
+ #7 0xf7b21fce in __asan::__asan_report_load4 (addr=3925146496) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_rtl.cc:129
+ #8 0x09f41f19 in curl_multi_remove_handle (multi=0xf3406080, data=0xde582400) at /path/to/source3rdparty/curl/lib/multi.c:666
+ #9 0x09f6b277 in Curl_close (data=0xde582400) at /path/to/source3rdparty/curl/lib/url.c:415
+ #10 0x09f3354e in curl_easy_cleanup (data=0xde582400) at /path/to/source3rdparty/curl/lib/easy.c:860
+ #11 0x09c6de3f in ...
+ #12 0x09c378c5 in ...
+ #13 0x09c48133 in ...
+ #14 0x09c4d092 in ...
+ #15 0x0a2be6b6 in ...
+ #16 0xf7aa5781 in asan_thread_start (arg=0xf2d22938) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #17 0xf5de52b5 in start_thread (arg=0xf27bfb40) at pthread_create.c:333
+ #18 0xf4d3a16e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:114
+
+ Fixes #1083
+
+- testcurl.1: fix the URL to the autobuild summary
+
+- testcurl.1: update URLs
+
+- INSTALL: converted to markdown => INSTALL.md
+
+ Also heavily edited for content. Removed lots of old cruft that we added
+ like 10+ years ago that is likely incorrect by now.
+
+ Also removed INSTALL.devcpp for same reason.
+
+- [Martin Storsjo brought this change]
+
+ configure: Check for other variants of the -m*os*-version-min flags
- Added missing IMAP to the protocol list.
+ In addition to -miphoneos-version-min, the same version can be set
+ using -mios-version-min. And for WatchOS and TvOS, there's
+ -mwatchos-version-min and -mtvos-version-min.
-- code cleanup: Use 'CURLcode result'
+- configure: set min version flags for builds on mac
+
+ This helps building binaries that can work on multiple macOS versions.
+
+ Help-by: Martin Storsjö
+
+ Fixes #1069
-- curl_easy_setopt.3: Fixed lots of typos
+- curl_multi_add_handle: set timeouts in closure handles
+
+ The closure handle only ever has default timeouts set. To improve the
+ state somewhat we clone the timeouts from each added handle so that the
+ closure handle always has the same timeouts as the most recently added
+ easy handle.
+
+ Fixes #739
-- curl_easy_setopt.3: Moved CURLOPT_DIRLISTONLY into PROTOCOL OPTIONS
+- configure/CURL_CHECK_FUNC_POLL: disable poll completely on mac
- ...as this option affects more that just FTP.
+ ... so that the same libcurl build easier can run on any version.
+
+ Follow-up to issue #1057
-Guenter Knauf (30 Oct 2014)
-- build: added Watcom support to build with WinSSL.
+- RELEASE-NOTES: synced with f36f8c14551efc6772
-Daniel Stenberg (30 Oct 2014)
-- CURLOPT_PINNEDPUBLICKEY.3: added details
+- test14xx: fixed --libcurl output tests again after 8e8afa82cbb
-Steve Holme (30 Oct 2014)
-- CURLOPT_CUSTOMREQUEST.3: Fixed incomplete protocol list
+- s/cURL/curl
- Whilst the description included information about SMTP, the protocol
- list only showed "TTP, FTP, IMAP, POP3".
+ The tool was never called cURL, only the project. But even so, we have
+ more and more over time switched to just use lower case.
-- CURLOPT_DIRLISTONLY.3: Added information about the usage in POP3
+- polarssl: indented code, removed unused variables
-Daniel Stenberg (29 Oct 2014)
-- openssl: enable NPN separately from ALPN
-
- ... and allow building with nghttp2 but completely without NPN and ALPN,
- as nghttp2 can still be used for plain-text HTTP.
-
- Reported-by: Lucas Pardue
+- polarssl: reduce #ifdef madness with a macro
+
+- polarssl: fix unaligned SSL session-id lock
-- configure.ac: remove checks for OpenSSL NPN/ALPN funcs again
+- Curl_polarsslthreadlock_thread_setup: clear array at init
- ... since the conditional in the code are now based on OpenSSL versions
- instead to better support non-configure builds.
+ ... since if it fails to init the entire array and then tries to clean
+ it up, it would attempt to work on an uninitialized pointer.
-- opts: added some "SEE ALSO" references
+- curl: set INTERLEAVEDATA too
+
+ As otherwise the callback could be called with a NULL pointer when RTSP
+ data is provided.
-Steve Holme (29 Oct 2014)
-- RELEASE-NOTES: Synced with 32913182dc
+- gopher: properly return error for poll failures
-- vtls.c: Fixed compilation warning
+- select: switch to macros in uppercase
- conversion from 'size_t' to 'unsigned int', possible loss of data
-
-- sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
+ Curl_select_ready() was the former API that was replaced with
+ Curl_select_check() a while back and the former arg setup was provided
+ with a define (in order to leave existing code unmodified).
- Return a more appropriate error, rather than CURLE_OUT_OF_MEMORY when
- acquiring the credentials handle fails. This is then consistent with
- the code prior to commit f7e24683c4 when log-in credentials were empty.
+ Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most
+ common shortcuts where only one socket is checked. They're also more
+ visibly macros.
-- sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
+- select: use more proper macro-looking names
- Fixed the ability to use the current log-in credentials with DIGEST-MD5.
- I had previously disabled this functionality in commit 607883f13c as I
- couldn't get this to work under Windows 8, however, from testing HTTP
- Digest authentication through Windows SSPI and then further testing of
- this code I have found it works in Windows 7.
-
- Some further investigation is required to see what the differences are
- between Windows 7 and 8, but for now enable this functionality as the
- code will return an error when AcquireCredentialsHandle() fails.
+ ... so that it becomes more obvious in the code what is what. Also added
+ a typecast for one of the calculations.
+
+- Curl_socket_check: add extra check to avoid integer overflow
-Kamil Dudka (29 Oct 2014)
-- transfer: drop the code handling the ssl_connect_retry flag
+- maketgz: make it support "only" generating version info
- Its last use has been removed by the previous commit.
+ ... to allow you to update the local repository with the given version
+ number data.
-- nss: drop the code for libcurl-level downgrade to SSLv3
+Jay Satiro (17 Oct 2016)
+- url: skip to-be-closed connections when pipelining (follow-up)
- This code was already deactivated by commit
- ec783dc142129d3860e542b443caaa78a6172d56.
+ - Change back behavior so that pipelining is considered possible for
+ connections that have not yet reached the protocol level.
+
+ This is a follow-up to e5f0b1a which had changed the behavior of
+ checking if pipelining is possible to ignore connections that had
+ 'bits.close' set. Connections that have not yet reached the protocol
+ level also have that bit set, and we need to consider pipelining
+ possible on those connections.
-- openssl: fix a line length warning
+Daniel Stenberg (17 Oct 2016)
+- HTTP2: mention the tool's limited support
-Guenter Knauf (29 Oct 2014)
-- Added NetWare support to build with nghttp2.
+- RELEASE-NOTES: synced with a1a5cd04877fd6fd
-- Fixed error message since we require ALPN support.
+- [David Woodhouse brought this change]
-- Check for ALPN via OpenSSL version number.
+ curl: do not set CURLOPT_SSLENGINEDEFAULT automatically
- This check works also with to non-configure platforms.
+ There were bugs in the PKCS#11 engine, and fixing them triggers bugs in
+ OpenSSL. Just don't get involved; there's no need to be making the
+ engine methods the default anyway.
+
+ https://github.com/OpenSC/libp11/pull/108
+ https://github.com/openssl/openssl/pull/1639
+
+ Merges #1042
-Steve Holme (28 Oct 2014)
-- sasl_sspi: Fixed typo in comment
+- KNOWN_BUGS: two more existing problems
-- code cleanup: We prefer 'CURLcode result'
+Marcel Raad (16 Oct 2016)
+- win: fix Universal Windows Platform build
+
+ This fixes a merge error in commit 7f3df80 caused by commit 332e8d6.
+
+ Additionally, this changes Curl_verify_windows_version for Windows App
+ builds to assume to always be running on the target Windows version.
+ There seems to be no way to determine the Windows version from a
+ UWP app. Neither GetVersion(Ex), nor VerifyVersionInfo, nor the
+ Version Helper functions are supported.
+
+ Bug: https://github.com/curl/curl/pull/820#issuecomment-250889878
+ Reported-by: Paul Joyce
+
+ Closes https://github.com/curl/curl/pull/1048
-Daniel Stenberg (28 Oct 2014)
-- TODO: consider supporting STAT
+Daniel Stenberg (16 Oct 2016)
+- KNOWN_BUGS: minor formatting edit
-- mk-ca-bundle: spell fix "version"
+Jay Satiro (14 Oct 2016)
+- [Rider Linden brought this change]
-- HTTP: return larger than 3 digit response codes too
+ url: skip to-be-closed connections when pipelining
- HTTP 1.1 is clearly specified to only allow three digit response codes,
- and libcurl used sscanf("%3d") for that purpose. This made libcurl
- support smaller numbers but not larger. It does now, but we will not
- make any specific promises nor document this further since it is going
- outside of what HTTP is.
+ No longer attempt to use "doomed" to-be-closed connections when
+ pipelining. Prior to this change connections marked for deletion (e.g.
+ timeout) would be erroneously used, resulting in sporadic crashes.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1441
- Reported-by: Balaji
-
-- src/: remove version.h.dist from gitignore
+ As originally reported and fixed by Carlo Wood (origin unknown).
+
+ Bug: https://github.com/curl/curl/issues/627
+ Reported-by: Rider Linden
- It has not been used since commit f7bfdbab in 2011
+ Closes https://github.com/curl/curl/pull/1075
+ Participation-by: nopjmp@users.noreply.github.com
-Steve Holme (26 Oct 2014)
-- ntlm: We prefer 'CURLcode result'
+Daniel Stenberg (13 Oct 2016)
+- vtls: only re-use session-ids using the same scheme
- Continuing commit 0eb3d15ccb more return code variable name changes.
+ To make it harder to do cross-protocol mistakes
-Guenter Knauf (26 Oct 2014)
-- Cosmetics: lowercase non-special subroutine names.
+Jay Satiro (11 Oct 2016)
+- [Torben Dannhauer brought this change]
-Steve Holme (26 Oct 2014)
-- RELEASE-NOTES: Synced with 07ac29a058
+ dist: add missing cmake modules to the tarball
+
+ Closes https://github.com/curl/curl/pull/1070
-- http_negotiate: We prefer 'CURLcode result'
+Daniel Stenberg (11 Oct 2016)
+- configure: detect the broken poll() in macOS 10.12
- Continuing commit 0eb3d15ccb more return code variable name changes.
+ Fixes #1057
-- http_negotiate: Fixed missing check for USE_SPNEGO
+- dist: remove PDF and HTML converted docs from the releases
-- sspi: Synchronization of cleanup code between auth mechanisms
+- [Remo E brought this change]
-- sspi: Renamed max token length variables
+ cmake: add nghttp2 support
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
+ Closes #922
+
+- [Andreas Streichardt brought this change]
-- sspi: Renamed expiry time stamp variables
+ resolve: add error message when resolving using SIGALRM
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
+ Closes #1066
-- sspi: Only call CompleteAuthToken() when complete is needed
+- GIT-INFO: remove the Mac 10.1-specific details
- Don't call CompleteAuthToken() after InitializeSecurityContext() has
- returned SEC_I_CONTINUE_NEEDED as this return code only indicates the
- function should be called again after receiving a response back from
- the server.
+ There shouldn't be many devs out there anymore using such outdated macOS
+ versions. And it removes the dead link.
- This only affected the Digest and NTLM authentication code.
+ Closes #1049
-Dan Fandrich (26 Oct 2014)
-- Added the "flaky" keyword to a number of tests
-
- Each shows evidence of flakiness on at least one platform on
- the autobuilds. Users can use this keyword to skip these tests
- if desired.
+- RELEASE-NOTES: spellfix
-Steve Holme (26 Oct 2014)
-- ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
+- RELEASE-NOTES: synced with 82720490628cb53a
- For consistency with other areas of the NTLM code propagate all errors
- from Curl_ntlm_core_mk_nt_hash() up the call stack rather than just
- CURLE_OUT_OF_MEMORY.
+ 5 more fixes, 2 more contributors
-- ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
+- [Tobias Stoeckmann brought this change]
-- ntlm: Use 'CURLcode result'
+ smb: properly check incoming packet boundaries
+
+ Not all reply messages were properly checked for their lengths, which
+ made it possible to access uninitialized memory (but this does not lead
+ to out of boundary accesses).
- Continuing commit 0eb3d15ccb more return code variable name changes.
+ Closes #1052
-- ntlm: Only define ntlm data structure when USE_NTLM is defined
+- test557: verify printf() with 128 and 129 arguments
-- ntlm: Changed handles to be dynamic like other SSPI handles
+- mprintf: return error on too many arguments
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
+ 128 arguments should be enough for everyone
-- ntlm: Renamed handle variables to match other SSPI structures
+- ftp: fix Curl_ftpsendf()
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
-
-- ntlm: Renamed SSPI based input token variables
+ ... it no longer takes printf() arguments since it was only really taken
+ advantage by one user and it was not written and used in a safe
+ way. Thus the 'f' is removed from the function name and the proto is
+ changed.
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
+ Although the current code wouldn't end up in badness, it was a risk that
+ future changes could end up springf()ing too large data or passing in a
+ format string inadvertently.
-- ntlm: We prefer 'CURLcode result'
+- formpost: avoid silent snprintf() truncation
- Continuing commit 0eb3d15ccb more return code variable name changes.
-
-- build: Added WinIDN build configuration options
+ The previous use of snprintf() could make libcurl silently truncate some
+ input data and not report that back on overly large input, which could
+ make data get sent over the network in a bad format.
- Added support for WinIDN build configurations to the VC8 and VC9
- project files.
-
-Nick Zitzmann (24 Oct 2014)
-- darwinssl: detect possible future removal of SSLv3 from the framework
+ Example:
- If Apple ever drops SSLv3 support from the Security framework, we'll fail with an error if the user insists on using SSLv3.
+ $ curl --form 'a=b' -H "Content-Type: $(perl -e 'print "A"x4100')"
-Patrick Monnerat (24 Oct 2014)
-- gskit.c: remove SSLv3 from SSL default.
+- TODO: build: Enable PIE and RELRO by default
-- gskit.c: use 'CURLcode result'
+- TODO: Support better than MD5 hostkey hash (for ssh)
-Daniel Stenberg (24 Oct 2014)
-- [Jay Satiro brought this change]
+- [Daniel Gustafsson brought this change]
- SSL: Remove SSLv3 from SSL default due to POODLE attack
+ tests: Fix a small typo in the tests README (#1060)
- - Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss,
- openssl effectively making the default TLS 1.x. axTLS is not affected
- since it supports only TLS, and gnutls is not affected since it already
- defaults to TLS 1.x.
+ The subdirectory for logs in tests/ is named log/ without an 's'
+ at the end.
+
+- TODO: Introduce --fail-fast to exit on first transfer fail
- - Update CURLOPT_SSLVERSION doc
+ See #1054
-- pipelining: only output "is not blacklisted" in debug builds
+- TODO: Leave secure cookies alone
-- *.3: add/extend "SEE ALSO" sections
+- [Rainer Müller brought this change]
-- curl_easy_pause.3: minor wording edit
+ CURLOPT_DEBUGFUNCTION.3: unused argument warning (#1056)
+
+ The 'userp' argument is unused in this example code.
-- curl_getdate.3: provide a "SEE ALSO" section
+- TODO: TCP Fast Open for windows
-- curl_global_init.3: minor formatting fix, add version info
+- RELEASE-NOTES: synced with 8fd2a754f0de
-- url.c: use 'CURLcode result'
+- CURLOPT_KEEP_SENDING_ON_ERROR.3: mention when it is added
-- code cleanup: we prefer 'CURLcode result'
-
- ... for the local variable name in functions holding the return
- code. Using the same name universally makes code easier to read and
- follow.
-
- Also, unify code for checking for CURLcode errors with:
+- memdup: use 'void *' as return and source type
+
+- TODO: Add easy argument to formpost functions
+
+- formpost: trying to attach a directory no longer crashes
- if(result) or if(!result)
+ The error path would previously add a freed entry to the linked list.
- instead of
+ Reported-by: Toby Peterson
- if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
+ Fixes #1053
-- Curl_add_timecondition: skip superfluous varible assignment
-
- Detected by cppcheck.
+- [Sergei Kuzmin brought this change]
-- Curl_pp_flushsend: skip superfluous assignment
+ cookies: same domain handling changed to match browser behavior
- Detected by cppcheck.
-
-- Curl_pp_readresp: remove superfluous assignment
+ Cokie with the same domain but different tailmatching property are now
+ considered different and do not replace each other. If header contains
+ following lines then two cookies will be set: Set-Cookie: foo=bar;
+ domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033 Set-Cookie: foo=baz;
+ domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033
- Variable already assigned a few lines up.
+ This matches Chrome, Opera, Safari, and Firefox behavior. When sending
+ stored tokens to foo.com Chrome, Opera, Firefox store send them in the
+ stored order, while Safari pre-sort the cookies.
- Detected by cppcheck.
+ Closes #1050
-- Curl_proxyCONNECT: remove superfluous statement
-
- The variable is already assigned, skip the duplicate assignment.
+- [Stephen Brokenshire brought this change]
+
+ FAQ: Fix typos in section 5.14 (#1047)
- Pointed out by cppcheck.
+ Type required for YourClass::func C++ function (using size_t in line
+ with the documentation for CURLOPT_WRITEFUNCTION) and missing second
+ colon when specifying the static function for CURLOPT_WRITEFUNCTION.
-Guenter Knauf (24 Oct 2014)
-- Added MinGW support to build with nghttp2.
+- [Sebastian Mundry brought this change]
-- Added VC ssh2 target to main Makefile.
+ KNOWN_BUGS: Fix typos in section 5.8.
+
+ Closes #1046
-- Some cosmetics and simplifies.
+- [mundry brought this change]
-- Remove dependency on openssl and cut.
-
- Prefer usage of Perl modules for sha1 calculation since there
- might be systems where openssl is not installed or not in path.
- If openssl is used for sha1 calculation then dont rely on cut
- since it is usually not available on other systems than Linux.
+ CONTRIBUTE.md: Fix typo in 'About pull requests' section. (#1045)
-Daniel Stenberg (23 Oct 2014)
-- RELEASE-NOTES: synced with e116d0a62
+- curl.1: --trace supports % for sending to stderr!
-- CURLOPT_RESOLVE.3: add an example
+- KNOWN_BUGS: 5.8 configure finding libs in wrong directory
-- gnutls: removed dead code
+Dan Fandrich (24 Sep 2016)
+- configure: Fixed builds with libssh2 in a custom location
- Bug: http://curl.haxx.se/bug/view.cgi?id=1437
- Reported-by: Julien
+ A libssh2 library in the standard system location was being used in
+ preference to the desired one while linking.
+
+Daniel Stenberg (23 Sep 2016)
+- SECURITY: remove the top ascii logo
-- Curl_rand: Uninitialized variable: r
+Michael Kaufmann (22 Sep 2016)
+- New libcurl option to keep sending on error
- This is not actually used uninitialized but we silence warnings.
+ Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether
+ sending the request body shall be completed when the server responds
+ early with an error status code.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1437
- Reported-by: Julien
-
-- opts: provide more and updated examples
-
-- CURLOPT_RANGE.3: works for SFTP as well
+ This is suitable for manual NTLM authentication.
- ... and added a small example
-
-- curl.1: edited for clarity
-
-- CURLOPT_SSLVERSION.3: provide an example
-
-- docs/libcurl/ABI: more markdown friendly
+ Reviewed-by: Jay Satiro
+
+ Closes https://github.com/curl/curl/pull/904
-- docs: edited lots of libcurl docs for clarity
+Kamil Dudka (22 Sep 2016)
+- nss: add chacha20-poly1305 cipher suites if supported by NSS
-- opts: added examples
+- nss: add cipher suites using SHA384 if supported by NSS
-- HISTORY: two glimpses in 2014
+- nss: fix typo in ecdhe_rsa_null cipher suite string
+
+ As it seems to be a rarely used cipher suite (for securely established
+ but _unencrypted_ connections), I believe it is fine not to provide an
+ alias for the misspelled variant.
-Kamil Dudka (20 Oct 2014)
-- nss: reset SSL handshake state machine
+Jay Satiro (21 Sep 2016)
+- docs: Remove that --proto is just used for initial retrieval
- ... when the handshake succeeds
+ .. and add that --proto-redir and CURLOPT_REDIR_PROTOCOLS do not
+ override protocols denied by --proto and CURLOPT_PROTOCOLS.
- This fixes a connection failure when FTPS handle is reused.
-
-Daniel Stenberg (20 Oct 2014)
-- [Peter Wu brought this change]
+ - Add a test to enforce: --proto deny must override --proto-redir allow
+
+ Closes https://github.com/curl/curl/pull/1031
- cmake: generate pkg-config and curl-config
+Daniel Stenberg (21 Sep 2016)
+- dist: add CurlSymbolHiding.cmake to the tarball
- Initial work to generate a pkg-config and curl-config script. Static
- linking (`curl-config --static-libs` and `pkg-config --shared --libs
- libcurl`) is broken and therefore disabled.
+ Follow-up to 6140dfcf3e784
- CONFIGURE_OPTIONS does not make sense for CMake, use an empty string
- for now.
+ Reported-by: Alexander Sinditskiy
+
+- curl_global_cleanup.3: don't unload the lib with sub threads running
- At least `curl-config --features` and `curl-config --protocols` work
- which is needed by runtests.pl.
+ Discussed in #997
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Assisted-by: Jay Satiro
-- [Peter Wu brought this change]
+- MAIL-ETIQUETTE: language
- cmake: use LIBCURL_VERSION from curlver.h
+Jay Satiro (20 Sep 2016)
+- easy: Reset all statistical session info in curl_easy_reset
- This matches the behavior from autotools. The auxiliary major, minor
- and patch components are not needed anymore and therefore removed.
+ Bug: https://github.com/curl/curl/issues/1017
+ Reported-by: Jeroen Ooms
+
+Daniel Stenberg (19 Sep 2016)
+- RELEASE-NOTES: synced with 79607eec51055
+
+Jay Satiro (19 Sep 2016)
+- [Daniel Gustafsson brought this change]
+
+ darwinssl: Fix typo in comment
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes https://github.com/curl/curl/pull/1028
-- [Peter Wu brought this change]
+Daniel Stenberg (19 Sep 2016)
+- [Bernard Spil brought this change]
- cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
+ libressl: fix version output
- For compatibility with autoconf, it will be used later for curl-config
- and pkg-config. Not all features and or protocols can be enabled as
- these are missing additional checks (see new TODOs).
+ LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L` for all
+ versions returning `LibreSSL/2.0.0` for any LibreSSL version.
- SUPPORT_PROTOCOLS is partially scripted (grep for SUPPORT_PROTOCOLS=)
- and manually verified/modified. SUPPORT_FEATURES is manually added.
+ This change provides a local OpenSSL_version_num function replacement
+ returning LIBRESSL_VERSION_NUMBER instead.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #1029
+
+- [rugk brought this change]
-- cmake: add CMake/Macros.cmake to the release tarball
+ TODO: Add PINNEDPUBLICKEY - HPKP compatibility, HSTS & HPKP
+
+ Closes #1025
+ Closes #1026
+ Closes #1027
-- test545: make it not use a trailing zero
+- openssl: don't call ERR_remote_thread_state on >= 1.1.0
- CURLOPT_COPYPOSTFIELDS with a given CURLOPT_POSTFIELDSIZE does not
- require a trailing zero of the data and by making sure this test doesn't
- use one we know it works (combined with valgrind).
+ Follow-up fix to d9321562
-Steve Holme (16 Oct 2014)
-- ntlm: Fixed empty type-2 decoded message info text
+- openssl: don’t call CRYTPO_cleanup_all_ex_data
+
+ The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called
+ multiple times without crashing - and other libs might call it! We
+ basically cannot call it without risking a crash. The function is a
+ no-op since OpenSSL 1.1.0.
- Updated the info text when the base-64 decode of the type-2 message
- returns a null buffer to be more specific.
+ Not calling this function only risks a small memory leak with OpenSSL <
+ 1.1.0.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html
+ Reported-by: Todd Short
-- ntlm: Fixed empty/bad base-64 decoded buffer return codes
+- TODO: Support SSLKEYLOGFILE
-- ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
+Jay Satiro (18 Sep 2016)
+- CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
-Daniel Stenberg (16 Oct 2014)
-- httpcustomheader.c: make use of more CURLOPT_HTTPHEADER features
+Nick Zitzmann (18 Sep 2016)
+- darwinssl: disable RC4 cipher-suite support
- ... and only do a single request for clarity.
-
-Steve Holme (15 Oct 2014)
-- sasl_sspi: Fixed some typos
+ RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
-- sasl_sspi: Fixed Kerberos response buffer not being allocated when using SSO
+- configure: change "iOS/Mac OS X native" to "Apple OS native"
+
+ Since I first wrote that text, Apple introduced tvOS and watchOS, and renamed "Mac OS X" to "macOS." Let's make the text a little more inclusive, since curl can be built for all four operating systems.
-Daniel Stenberg (15 Oct 2014)
-- [Bruno Thomsen brought this change]
+Jay Satiro (18 Sep 2016)
+- test2048: fix url
- mk-ca-bundle: added SHA-384 signature algorithm
+- examples/imap-append: Set size of data to be uploaded
- Certificates based on SHA-1 are being phased out[1].
- So we should expect a rise in certificates based on SHA-2.
- Adding SHA-384 as a valid signature algorithm.
+ Prior to this commit this example failed with error
+ 'Cannot APPEND with unknown input file size'.
- [1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
+ Bug: https://github.com/curl/curl/issues/1008
+ Reported-by: lukaszgn@users.noreply.github.com
- Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
+ Closes https://github.com/curl/curl/pull/1011
+
+Daniel Stenberg (16 Sep 2016)
+- [Tony Kelman brought this change]
-Patrick Monnerat (14 Oct 2014)
-- OS400: fix bugs in curl_*escape_ccsid() and reduce variables scope
+ LICENSE-MIXING.md: update with mbedTLS dual licensing
+
+ Recent versions of mbedTLS are available under either Apache 2.0 or GPL
+ 2.0, see https://tls.mbed.org/how-to-get
+
+ Closes #1019
-- Implement pinned public key in GSKit backend
+- KNOWN_BUGS: chunked-encoded requests with HTTP/2 is fixed
-Daniel Stenberg (14 Oct 2014)
-- CURLOPT_TLSAUTH_*.3: fix reference typos
+- http2: debug ouput sent HTTP/2 request headers
-- cleanups: reduce variable scope
+- http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
- cppcheck pointed these out.
+ ... but don't send the actual header over the wire as it isn't accepted.
+ Chunked uploading is still triggered using this method.
+
+ Fixes #1013
+ Fixes #662
-- singleipconnect: remove dead assignment never used
+- openssl: fix per-thread memory leak usiong 1.0.1 or 1.0.2
+
+ OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
+ so we need to clean it when easy handles are freed, in case the thread
+ will be killed in which the easy handle was used. All OpenSSL code in
+ libcurl should extract the error in association with the error already
+ so clearing this queue here should be harmless at worst.
- cppcheck pointed this out.
+ Fixes #964
-- pinning: minor code style policing
+- RELEASE-NOTES: reset and go toward 7.51.0 (again)
-Patrick Monnerat (13 Oct 2014)
-- Factorize pinned public key code into generic file handling and backend specific
+Version 7.50.3 (14 Sep 2016)
-- vtls: remove QsoSSL
+Daniel Stenberg (14 Sep 2016)
+- THANKS: updated with curl 7.50.3 contributors
-- gskit: supply dummy randomization function
+- RELEASE-NOTES: curl 7.50.3
-- vtls/*: deprecate have_curlssl_md5sum and set-up default md5sum implementation
+- test1605: verify negative input lengths to (un)escape functions
-Daniel Stenberg (13 Oct 2014)
-- [Peter Wu brought this change]
+- curl_easy_unescape: deny negative string lengths as input
+
+ CVE-2016-7167
+
+ Bug: https://curl.haxx.se/docs/adv_20160914.html
- tests: move TESTCASES to Makefile.inc, add show for cmake
+- curl_easy_escape: deny negative string lengths as input
- This change allows runtests.pl to be run from the CMake builddir:
+ CVE-2016-7167
- export srcdir=/tmp/curl/tests;
- perl -I$srcdir $srcdir/runtests.pl -l
+ Bug: https://curl.haxx.se/docs/adv_20160914.html
+
+- curl: make --create-dirs on windows grok both forward and backward slashes
- In order to make this possible, all test cases have been moved from
- Makefile.am to Makefile.inc.
+ Reported-by: Ryan Scott
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Fixes #1007
-- [Peter Wu brought this change]
+- RELEASE-NOTES: synced with 665694979b6
- cmake: enable IPv6 by default if available
-
- ENABLE_IPV6 depends on HAVE_GETADDRINFO or you will get a
- Curl_getaddrinfo_ex error. Enable IPv6 by default, disabling it if
- struct sockaddr_in6 is not found in netinet/in.h.
+- [Tony Kelman brought this change]
+
+ mbedtls: switch off NTLM in build if md4 isn't available
- Note that HAVE_GETADDRINFO_THREADSAFE is still not set as it needs more
- platform checks even though POSIX requires a thread-safe getaddrinfo.
+ NTLM support with mbedTLS was added in 497e7c9 but requires that mbedTLS
+ is built with the MD4 functions available, which it isn't in default
+ builds. This now adapts if the funtion isn't there and builds libcurl
+ without NTLM support if so.
- Verified on Arch Linux x86_64 with glibc 2.20-2 and Linux 3.16-rc7.
+ Fixes #1004
+
+Jay Satiro (12 Sep 2016)
+- CODE_STYLE: fix long-line guideline
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ - Change maximum allowed line length from 80 to 79.
-- [Peter Wu brought this change]
+- CODE_STYLE: add column alignment section
+
+ Note that since the added examples are for column alignment I had to
+ encapsulate with ~~~c markdown to preserve their alignment.
- cmake: build tool_hugehelp (ENABLE_MANUAL)
+Peter Wu (11 Sep 2016)
+- cmake: fix curl-config --static-libs
- Rather than always outputting an empty manual page for the '-M' option,
- generate a full manual page as done by autotools. For simplicity in
- CMake, always generate the gzipped page as it will not be used anyway
- when zlib is not available.
+ The `curl-config --static-libs` command should not output paths like
+ -l/usr/lib/libssl.so, instead print the absolute path without `-l`.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
+ This also removes the confusing message "Static linking is broken" which
+ was printed because curl-config --static-libs was disfunctional even
+ though the static libcurl.a library works properly.
+
+ Fixes https://github.com/curl/curl/issues/841
- tests/http_pipe.py: Python 3 support
+Daniel Stenberg (11 Sep 2016)
+- http: refuse to pass on response body with NO_NODY was set
- The 2to3 tool converted socketserver (which I manually fixed up with an
- import fallback) and the print(e) line. The xrange option was converted
- to range, but it seems better to use the '*' operator here for
- simplicity.
+ ... like when a HTTP/0.9 response comes back without any headers at all
+ and just a body this now prevents that body from being sent to the
+ callback etc.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- SECURITY: slightly nicer markdown format
+ Adapted test 1144 to verify.
+
+ Fixes #973
+
+ Assisted-by: Ray Satiro
-- RELEASE-PROCEDURE: better markdown, more content
+- RELEASE-NOTES: synced with 257bf3ac67eb6
-- RELEASE-NOTES: synced with 6637b237e6eb
+Jakub Zakrzewski (10 Sep 2016)
+- CMake: Don't build unit tests if private symbols are hidden
- ... and bumped the planned release version.
-
-- vtls: have vtls.h include the backend header files
+ This only excludes building unit tests from default build ( 'all' Make
+ target or "Build Solution" in VisualStudio). The projects and Make
+ targets will still be generated and shown in supporting IDEs.
- It turned out some features were not enabled in the build since for
- example url.c #ifdefs on features that are defined on a per-backend
- basis but vtls.h didn't include the backend headers.
+ Fixes https://github.com/curl/curl/issues/981
+ Reported-by: Randy Armstrong
- CURLOPT_CERTINFO was one such feature that was accidentally disabled.
+ Closes https://github.com/curl/curl/pull/990
-- test2036: verify -O with no slash at all in the URL
+- CMake: Try to (un-)hide private library symbols
- Similar to test 76 but that test's URL has a slash just no file name
- part.
-
-- get_url_file_name: make no slash equal empty string
+ Detect support for compiler symbol visibility flags and apply those
+ according to CURL_HIDDEN_SYMBOLS option.
+ It should work true to the autotools build except it tries to unhide
+ symbols on Windows when requested and prints warning if it fails.
+
+ Ref: https://github.com/curl/curl/issues/981#issuecomment-242665951
+ Reported-by: Daniel Stenberg
-- get_url_file_name: never return a NULL string *and* OK
+Daniel Stenberg (9 Sep 2016)
+- openssl: fix bad memory free (regression)
- Change 987a4a73 assumes that as it simplifies life in the calling
- function.
+ ... by partially reverting f975f06033b1. The allocation could be made by
+ OpenSSL so the free must be made with OPENSSL_free() to avoid problems.
- Reported-by: Fabian Keil
+ Reported-by: Harold Stuart
+ Fixes #1005
-- [Jakub Zakrzewski brought this change]
+- http2: support > 64bit sized uploads
+
+ ... by making sure we don't count down the "upload left" counter when the
+ uploaded size is unknown and then it can be allowed to continue forever.
+
+ Fixes #996
- Cmake: Build with GSSAPI (MIT or Heimdal)
+Jay Satiro (7 Sep 2016)
+- errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
- It tries hard to recognise SDK's on different platforms. On windows MIT
- Kerberos installs SDK with other things and puts path into registry.
- Heimdal have separate zip archive. On linux pkg-config is tried, then
- krb5-config script and finally old-style libs and headers detection.
+ Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
+ more of a generic "failed to parse" introduce an alias without FTP in
+ the name.
- Command line args:
- * CMAKE_USE_GSSAPI - enables GSSAPI detection
- * GSS_ROOT_DIR - if set, should point to the root of GSSAPI installation
- (the one with include and lib directories)
+ Closes https://github.com/curl/curl/pull/975
-- [Jakub Zakrzewski brought this change]
+Daniel Stenberg (7 Sep 2016)
+- bump: toward 7.51.0
- Cmake: Got rid of setup_curl_dependencies
-
- There is no need for such function. Include_directories propagate by
- themselves and having a function with one simple link statement makes
- little sense.
+- HISTORY: remove ascii logo to render nicer on web
-- [Jakub Zakrzewski brought this change]
+- curl: whitelist use of strtok() in non-threaded context
- Cmake: Avoid cycle directory dependencies.
+- checksrc: detect strtok() use
- Because we prepended libraries to list, CMake had troubles resolving
- link directory order as it detected some cycles. Appending to list ensures
- that dependencies will preceed dependees.
+ ... as that function slipped through once before.
-- [Jakub Zakrzewski brought this change]
+GitHub (7 Sep 2016)
+- [Viktor Szakats brought this change]
- Cmake: Fix library list provided to cURL tests.
+ mk-ca-bundle.pl: use SHA256 instead of SHA1
- The list must be set after those nice CMake tests as we mess with
- CMAKE_REQUIRED_LIBRARIES there.
+ This hash is used to verify the original downloaded certificate bundle
+ and also included in the generated bundle's comment header. Also
+ rename related internal symbols to algorithm-agnostic names.
-- [Jakub Zakrzewski brought this change]
+Version 7.50.2 (7 Sep 2016)
- Cmake: Check for OpenSSL before OpenLDAP.
-
- OpenLDAP might have been build with OpenSSL. Checking for OpenLDAP first
- may result in undefined symbols. Of course, the found OpenSSL libraries
- must also be linked whenever OpenLDAP is.
+Daniel Stenberg (7 Sep 2016)
+- RELEASE-NOTES: curl 7.50.2 release
-- curl_multi_fdset.3: improved the formatting slightly
+- THANKS: updated for 7.50.2
-- curl_multi_fdset: explain the fd_set arguments
+Jay Satiro (6 Sep 2016)
+- [Gaurav Malhotra brought this change]
-Kamil Dudka (8 Oct 2014)
-- nss: do not fail if a CRL is already cached
+ openssl: fix CURLINFO_SSL_VERIFYRESULT
+
+ CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
+ result when SSL_connect fails because of a certificate verification
+ error.
+
+ This fix saves the result of SSL_get_verify_result so that it is
+ returned by CURLINFO_SSL_VERIFYRESULT.
- This fixes a copy-paste mistake from commit 2968f957.
+ Closes https://github.com/curl/curl/pull/995
-Patrick Monnerat (8 Oct 2014)
-- OS400: upgrade interface for pinned public key (no implementation yet)
+Daniel Stenberg (6 Sep 2016)
+- [Daniel Gustafsson brought this change]
-Daniel Stenberg (8 Oct 2014)
-- FormAdd: precaution against memdup() of NULL pointer
+ darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
- Coverity CID 252518. This function is in general far too complicated for
- its own good and really should be broken down into several smaller
- funcitons instead - but I'm adding this protection here now since it
- seems there's a risk the code flow can end up here and dereference a
- NULL pointer.
+ While noErr and errSecSuccess are defined as the same value, the API
+ documentation states that SecPKCS12Import() returns errSecSuccess if
+ there were no errors in importing. Ensure that a future change of the
+ defined value doesn't break (however unlikely) and be consistent with
+ the API docs.
-- operate: avoid NULL dereference
-
- Coverity CID 1241948. dumpeasysrc() would get called with
- config->current set to NULL which could be dereferenced by a warnf()
- call.
+- [Daniel Gustafsson brought this change]
-- do_sec_send: remove dead code
-
- Coverity CID 1241951. The condition 'len >= 0' would always be true at
- that point and thus not necessary to check for.
+ docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)
-- krb5_encode: remove unused argument
-
- Coverity CID 1241957. Removed the unused argument. As this struct and
- pointer now are used only for krb5, there's no need to keep unused
- function arguments around.
+- [Marcel Raad brought this change]
-- operate_do: skip superfluous check for NULL pointer
+ openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
- Coverity CID 1243583. get_url_file_name() cannot fail and return a NULL
- file name pointer so skip the check for that - it tricks coverity into
- believing it can happen and it then warns later on when we use 'outfile'
- without checking for NULL.
+ With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
+ functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
+ replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
+ OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
+ now called OpenSSL_version_num().
+
+ [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
+ [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
+
+ Closes #992
-- curl_easy_getinfo.3: spell-fix
+- RELEASE-NOTES: synced with 3d4c0c8b9bc1d
+
+- http2: return EOF when done uploading without known size
- Reported-By: Luan Cestari
+ Fixes #982
-- [moparisthebest brought this change]
+- http2: skip the content-length parsing, detect unknown size
- GnuTLS: Implement public key pinning
+- http2: minor white space edit
-- [moparisthebest brought this change]
+- http2: use named define instead of magic constant in read callback
- SSL: implement public key pinning
-
- Option --pinnedpubkey takes a path to a public key in DER format and
- only connect if it matches (currently only implemented with OpenSSL).
+- [Craig Davison brought this change]
+
+ configure: make the cpp -P detection not clobber CPPFLAGS
- Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().
+ CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF.
- Extract a public RSA key from a website like so:
- openssl s_client -connect google.com:443 2>&1 < /dev/null | \
- sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
- | openssl rsa -pubin -outform DER > google.com.der
+ Fixes #958
-- multi_runsingle: fix possible memory leak
-
- Coverity CID 1202837. 'newurl' can in fact be allocated even when
- Curl_retry_request() returns failure so free it if need be.
+- [Olivier Brunel brought this change]
-- ares::Curl_resolver_cancel: skip checking for NULL conn
+ speed caps: not based on average speeds anymore
- Coverity CID 1243581. 'conn' will never be NULL here, and if it would be
- the subsequent statement would dereference it!
-
-- parseconfig: skip a NULL check
+ Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
+ CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
+ with the cumulative average speed of the entire transfer; While this
+ might work at times with good/constant connections, in other cases it
+ can result to the limits simply being "ignored" for more than "short
+ bursts" (as told in man page).
+
+ Consider a download that goes on much slower than the limit for some
+ time (because bandwidth is used elsewhere, server is slow, whatever the
+ reason), then once things get better, curl would simply ignore the limit
+ up until the average speed (since the beginning of the transfer) reached
+ the limit. This could prove the limit useless to effectively avoid
+ using the entire bandwidth (at least for quite some time).
+
+ So instead, we now use a "moving starting point" as reference, and every
+ time at least as much as the limit as been transferred, we can reset
+ this starting point to the current position. This gets a good limiting
+ effect that applies to the "current speed" with instant reactivity (in
+ case of sudden speed burst).
- Coverity CID 1154198. This NULL check implies that the pointer _can_ be
- NULL at this point, which it can't. Thus it is dead code. It tricks
- static analyzers to warn about dereferencing the pointer since the code
- seems to imply it can be NULL.
+ Closes #971
-- [Waldek Kozba brought this change]
+- HISTORY.md: the multi socket was put in the wrong year!
- multi-uv.c: call curl_multi_info_read() better
-
- Improves it for low-latency cases (like the communication with
- localhost)
+- [Mark Hamilton brought this change]
-- tool_go_sleep: use (void) to spell out we ignore the return value
-
- Coverity CID 1222080.
+ tool_helpers.c: fix comment typo (#989)
-- ssh_statemach_act: split out assignment from check
-
- just a minor code style thing to make the code clearer
+- [Mark Hamilton brought this change]
+
+ libtest/test.h: fix typo (#988)
-Marc Hoersken (4 Oct 2014)
-- curl_schannel.c: Fixed possible memory or handle leak
+- CURLMOPT_PIPELINING.3: language
+
+- CURLMOPT_PIPELINING.3: extended and clarified
- First try to fix possible memory leaks, in this case:
- Only connssl->ctxt xor onnssl->cred being initialized.
+ Especially in regards to the multiplexing part.
-Daniel Stenberg (4 Oct 2014)
-- getparameter: remove dead code
+Steve Holme (31 Aug 2016)
+- curl_sspi.c: Updated function description comments
- Coverity CID 1061126. 'parse' will always be non-NULL here.
+ * Added description to Curl_sspi_free_identity()
+ * Added parameter and return explanations to Curl_sspi_global_init()
+ * Added parameter explaination to Curl_sspi_global_cleanup()
-- getparameter: comment a switch FALLTHROUGH
+- README: Corrected the supported Visual Studio versions
- Coverity CID 1061118. Point out that it is on purpose.
+ Missed from commit 8356022d17.
+
+- KNOWN_BUGS: Move the Visual Studio project shortcomings from local README
-- choose_mech: fix return code
+- KNOWN_BUGS: Expand 6.4 to include Kerberos V5
- Coverity CID 1241950. The pointer is never NULL but it might point to
- NULL.
+ ...and discuss a possible solution.
-- Curl_sec_read_msg: spell out that we ignore return code
+Daniel Stenberg (30 Aug 2016)
+- connect: fix #ifdefs for debug versions of conn/streamclose() macros
+
+ CURLDEBUG is for the memory debugging
+
+ DEBUGBUILD is for the extra debug stuff
- Coverity CID 1241947. Since if sscanf() fails, the previously set value
- remains set.
+ Pointed-out-by: Steve Holme
-- nonblock: call with (void) to show we ignore the return code
+- KNOWN_BUGS: mention some cmake "support gaps"
+
+Nick Zitzmann (28 Aug 2016)
+- darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
- Coverity pointed out several of these.
+ In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
-- parse_proxy: remove dead code.
+Daniel Stenberg (28 Aug 2016)
+- http2: return CURLE_HTTP2_STREAM for unexpected stream close
+
+ Follow-up to c3e906e9cd0f, seems like a more appropriate error code
- Coverity CID 982331.
+ Suggested-by: Jay Satiro
-- Curl_debug: document switch fallthroughs
+- [Tatsuhiro Tsujikawa brought this change]
-- curl_multi_remove_handle: remove dead code
+ http2: handle closed streams when uploading
- Coverify CID 1157776. Removed a superfluous if() that always evaluated
- true (and an else clause that never ran), and then re-indented the
- function accordingly.
+ Fixes #986
-- Curl_pipeline_server_blacklisted: handle a NULL server name
+- http2: make sure stream errors don't needlessly close the connection
- Coverity CID 1215284. The server name is extracted with
- Curl_copy_header_value() and passed in to this function, and
- copy_header_value can actually can fail and return NULL.
+ With HTTP/2 each transfer is made in an indivial logical stream over the
+ connection, making most previous errors that caused the connection to get
+ forced-closed now instead just kill the stream and not the connection.
+
+ Fixes #941
-- ssh: comment "fallthrough" in switch statement
+- Curl_verify_windows_version: minor edit to avoid compiler warnings
+
+ ... instead of if() before the switch(), add a default to the switch so
+ that the compilers don't warn on "warning: enumeration value
+ 'PLATFORM_DONT_CARE' not handled in switch" anymore.
-- [Jeremy Lin brought this change]
+Steve Holme (27 Aug 2016)
+- RELEASE-NOTES: Added missing fix from commit 15592143f
- ssh: improve key file search
+Jay Satiro (26 Aug 2016)
+- schannel: Disable ALPN for Wine since it is causing problems
- For private keys, use the first match from: user-specified key file
- (if provided), ~/.ssh/id_rsa, ~/.ssh/id_dsa, ./id_rsa, ./id_dsa
+ - Disable ALPN on Wine.
- Note that the previous code only looked for id_dsa files. id_rsa is
- now generally preferred, as it supports larger key sizes.
+ - Don't pass input secbuffer when ALPN is disabled.
- For public keys, use the user-specified key file, if provided.
- Otherwise, try to extract the public key from the private key file.
- This means that passing --pubkey is typically no longer required,
- and makes the key-handling behavior more like OpenSSH.
+ When ALPN support was added a change was made to pass an input secbuffer
+ to initialize the context. When ALPN is enabled the buffer contains the
+ ALPN information, and when it's disabled the buffer is empty. In either
+ case this input buffer caused problems with Wine and connections would
+ not complete.
+
+ Bug: https://github.com/curl/curl/issues/983
+ Reported-by: Christian Fillion
-- CURLOPT_HTTPHEADER.3: libcurl doesn't copy the whole list
+Kamil Dudka (26 Aug 2016)
+- [Peter Wang brought this change]
-- detect_proxy: fix possible single-byte memory leak
+ nss: work around race condition in PK11_FindSlotByName()
- Coverity CID 1202836. If the proxy environment variable returned an empty
- string, it would be leaked. While an empty string is not really a proxy, other
- logic in this function already allows a blank string to be returned so allow
- that here to avoid the leak.
-
-- multi_runsingle: fix memory leak
+ Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
+ a multi-threaded environment. The underlying cause is a race condition
+ in nssSlot_IsTokenPresent().
- Coverity CID 1202837. There's a potential risk that 'newurl' gets
- overwritten when it was already pointing to allocated memory.
-
-- pop3_perform_authentication: fix memory leak
+ Bug: https://bugzilla.mozilla.org/1297397
- Coverity CID 1215287. There's a potential risk for a memory leak in
- here, and moving the free call to be unconditional seems like a cheap
- price to remove the risk.
+ Closes #985
-- imap_perform_authentication: fix memory leak
+- nss: refuse previously loaded certificate from file
- Coverity CID 1215296. There's a potential risk for a memory leak in
- here, and moving the free call to be unconditional seems like a cheap
- price to remove the risk.
+ ... when we are not asked to use a certificate from file
-- wait_or_timeout: return failure when Curl_poll() fails
-
- Coverity detected this. CID 1241954. When Curl_poll() returns a negative value
- 'mcode' was uninitialized. Pretty harmless since this is debug code only and
- would at worst cause an error to _not_ be returned...
+Daniel Stenberg (26 Aug 2016)
+- ftp_done: remove dead code
-- curl.1: mention quoting in the URL section
-
- and separate the example URLs with newlines
+- TLS: random file/egd doesn't have to match for conn reuse
-Steve Holme (30 Sep 2014)
-- [Bill Nagel brought this change]
+- test161: add comment for the exit code
+
+Dan Fandrich (26 Aug 2016)
+- test219: Add http as a required feature
- smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
+Daniel Stenberg (25 Aug 2016)
+- [Michael Kaufmann brought this change]
+
+ HTTP: stop parsing headers when switching to unknown protocols
- This patch fixes the "SSL3_WRITE_PENDING: bad write retry" error that
- sometimes occurs when sending an email over SMTPS with OpenSSL. OpenSSL
- appears to require the same pointer on a write that follows a retry
- (CURLE_AGAIN) as discussed here:
+ - unknown protocols probably won't send more headers (e.g. WebSocket)
+ - improved comments and moved them to the correct case statements
- http://stackoverflow.com/questions/2997218/why-am-i-getting-error1409f07fssl-routinesssl3-write-pending-bad-write-retr
+ Closes #899
-Daniel Stenberg (30 Sep 2014)
-- RELEASE-NOTES: synced with 53cbea22310f15
+- openssl: make build with 1.1.0 again
+
+ synced with OpenSSL git master commit cc06906707
-- file: reject paths using embedded %00
+- INTERNALS: fix title
+
+- configure: detect zlib with our pkg-config macros
- Mostly because we use C strings and they end at a binary zero so we know
- we can't open a file name using an embedded binary zero.
+ ... instead of relying on the pkg-config autoconf macros to be present.
- Reported-by: research@g0blin.co.uk
+ Fixes #972 (again...)
-Dan Fandrich (26 Sep 2014)
-- test506: Fixed a couple of memory leaks in test
+Jay Satiro (25 Aug 2016)
+- http2: Remove incorrect comments
+
+ .. also remove same from scp
-Daniel Stenberg (25 Sep 2014)
-- [Yousuke Kimoto brought this change]
+Daniel Stenberg (23 Aug 2016)
+- [Ales Novak brought this change]
- CURLOPT_COOKIELIST: Added "RELOAD" command
+ ftp: fix wrong poll on the secondary socket
+
+ When we're uploading using FTP and the server issues a tiny pause
+ between opening the connection to the client's secondary socket, the
+ client's initial poll() times out, which leads to second poll() which
+ does not wait for POLLIN on the secondary socket. So that poll() also
+ has to time out, creating a long (200ms) pause.
+
+ This patch adds the correct flag to the secondary socket, making the
+ second poll() correctly wait for the connection there too.
+
+ Signed-off-by: Ales Novak <alnovak@suse.cz>
+
+ Closes #978
-- [Michael Wallner brought this change]
+- RELEASE-NOTES: synced with 95ded2c56
- CURLOPT_POSTREDIR.3: Added availability for CURL_REDIR_POST_303
+- configure: make it work without PKG_CHECK_MODULES
+
+ With commit c2f9b78 we added a new dependency on pkg-config for
+ developers which may be unwanted. This change make the configure script
+ still work as before if pkg-config isn't installed, it'll just use the
+ old zlib detection logic without pkg-config.
+
+ Reported-by: Marc Hörsken
+
+ Fixes #972
-- threaded-resolver: revert Curl_expire_latest() switch
+Marc Hoersken (21 Aug 2016)
+- Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6"
- The switch to using Curl_expire_latest() in commit cacdc27f52b was a
- mistake and was against the advice even mentioned in that commit. The
- comparison in asyn-thread.c:Curl_resolver_is_resolved() makes
- Curl_expire() the suitable function to use.
+ This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1426
- Reported-By: graysky
+ As discussed in #835 SOCKS5 supports IPv6 proxies and destinations.
-- libcurl docs: improvements all over
+Daniel Stenberg (21 Aug 2016)
+- [Marco Deckel brought this change]
-Steve Holme (19 Sep 2014)
-- build: Added WinIDN build configuration options
+ win: Basic support for Universal Windows Platform apps
- Added initial support for WinIDN build configurations to the VC10+
- project files.
-
-Daniel Stenberg (19 Sep 2014)
-- tutorial: signals aren't used for the threaded resolver
+ Closes #820
-- FAQ: update the pronunciation section
+Steve Holme (21 Aug 2016)
+- sasl: Don't use GSSAPI authentication when domain name not specified
- As we weren't using the correct phonetic description and doing it correctly
- involves funny letters that I'm sure will cause problems for people in a text
- document so I instead rephrased it and link to a WAV file with a person
- actually saying 'curl'.
+ Only choose the GSSAPI authentication mechanism when the user name
+ contains a Windows domain name or the user is a valid UPN.
- Reported-By: Dimitar Boevski
+ Fixes #718
-- CURLOPT_COOKIE*: added more cross-references
-
-- BINDINGS: add node-libcurl
+- vauth: Added check for supported SSPI based authentication mechanisms
- Reported-By: Jonathan Cardoso Machado
- URL: http://curl.haxx.se/mail/lib-2014-09/0102.html
+ Completing commit 00417fd66c and 2708d4259b.
-- README.http2: updated to reflect current status
+- http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
+
+ From commit 2708d4259b.
-- formdata: removed unnecessary USE_SSLEAY use
+Marc Hoersken (20 Aug 2016)
+- socks.c: display the hostname returned by the SOCKS5 proxy server
+
+ Instead of displaying the requested hostname the one returned
+ by the SOCKS5 proxy server is used in case of connection error.
+ The requested hostname is displayed earlier in the connection sequence.
+
+ The upper-value of the port is moved to a temporary variable and
+ replaced with a 0-byte to make sure the hostname is 0-terminated.
-- curlssl: make tls backend symbols use curlssl in the name
+Steve Holme (20 Aug 2016)
+- urldata.h: Corrected comment for httpcode which is also populated by SMTP
+
+ As of 7.25.0 and commit 5430007222.
-- url: let the backend decide CURLOPT_SSL_CTX_ support
+Marc Hoersken (20 Aug 2016)
+- socks.c: use Curl_printable_address in SOCKS5 connection sequence
- ... to further remove specific TLS backend knowledge from url.c
+ Replace custom string formatting with Curl_printable_address.
+ Add additional debug and error output in case of failures.
-- vtls: have the backend tell if it supports CERTINFO
+- socks.c: align SOCKS4 connection sequence with SOCKS5
+
+ Calling sscanf is not required since the raw IPv4 address is
+ available and the protocol can be detected using ai_family.
-- [Catalin Patulea brought this change]
+Steve Holme (20 Aug 2016)
+- http.c: Corrected indentation change from commit 2708d4259b
+
+ Made by Visual Studio's auto-correct feature and missed by me in my own
+ code reviews!
- configure: allow --with-ca-path with PolarSSL too
+- http: Added calls to Curl_auth_is_<mechansism>_supported()
- Missed this in af45542c.
+ Hooked up the HTTP authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
- Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
+ As per commit 00417fd66c existing functionality is maintained for now.
-- CURLOPT_CAPATH: return failure if set without backend support
+Marc Hoersken (20 Aug 2016)
+- socks.c: improve verbose output of SOCKS5 connection sequence
-- [Tatsuhiro Tsujikawa brought this change]
+- configure.ac: add missing quotes to PKG_CHECK_MODULES
- http2: Fix busy loop when EOF is encountered
+Steve Holme (20 Aug 2016)
+- sasl: Added calls to Curl_auth_is_<mechansism>_supported()
- Previously we did not handle EOF from underlying transport socket and
- wrongly just returned error code CURL_AGAIN from http2_recv, which
- caused busy loop since socket has been closed. This patch adds the
- code to handle EOF situation and tells the upper layer that we got
- EOF.
-
-Steve Holme (13 Sep 2014)
-- build: Added batch wrapper to checksrc.pl
+ Hooked up the SASL authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
+
+ For now existing functionality is maintained.
-- RELEASE-NOTES: Synced with bd3df5ec6d
+Daniel Stenberg (19 Aug 2016)
+- [Miroslav Franc brought this change]
-- [Marcel Raad brought this change]
+ spnego_sspi: fix memory leak in case *outlen is zero (#970)
- sasl_sspi: Fixed Unicode build
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1422
- Verified-by: Steve Holme
+- CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex
-Daniel Stenberg (12 Sep 2014)
-- libcurl-tutorial.3: fix GnuTLS link to thread-safety guidelines
+Steve Holme (18 Aug 2016)
+- vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
- The former link was turned into a 404 at some point.
+ As Windows SSPI authentication calls fail when a particular mechanism
+ isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
+ and Negotiate to allow both HTTP and SASL authentication the opportunity
+ to query support for a supported mechanism before selecting it.
- Reported-By: Askar Safin
+ For now each function returns TRUE to maintain compatability with the
+ existing code when called.
+
+Daniel Stenberg (18 Aug 2016)
+- test1144: verify HEAD with body-only response
-- contributors.sh: split list of names at comma
+Steve Holme (17 Aug 2016)
+- RELEASE-PROCEDURE: Added some more future release dates
- ... to support a list of names provided in a commit message.
+ ...and removed some old ones
-Steve Holme (12 Sep 2014)
-- [Ulrich Telle brought this change]
+Daniel Stenberg (17 Aug 2016)
+- [David Woodhouse brought this change]
- ntlm: Fixed HTTP proxy authentication when using Windows SSPI
+ curl: allow "pkcs11:" prefix for client certificates
+
+ RFC7512 provides a standard method to reference certificates in PKCS#11
+ tokens, by means of a URI starting 'pkcs11:'.
- Removed ISC_REQ_* flags from calls to InitializeSecurityContext to fix
- bug in NTLM handshake for HTTP proxy authentication.
+ We're working on fixing various applications so that whenever they would
+ have been able to use certificates from a file, users can simply insert
+ a PKCS#11 URI instead and expect it to work. This expectation is now a
+ part of the Fedora packaging guidelines, for example.
- NTLM handshake for HTTP proxy authentication failed with error
- SEC_E_INVALID_TOKEN from InitializeSecurityContext for certain proxy
- servers on generating the NTLM Type-3 message.
+ This doesn't work with cURL because of the way that the colon is used
+ to separate the certificate argument from the passphrase. So instead of
- The flag ISC_REQ_CONFIDENTIALITY seems to cause the problem according
- to the observations and suggestions made in a bug report for the
- QT project (https://bugreports.qt-project.org/browse/QTBUG-17322).
+ curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
- Removing all the flags solved the problem.
+ I instead need to invoke cURL with the colon escaped, like this:
- Bug: http://curl.haxx.se/mail/lib-2014-08/0273.html
- Reported-by: Ulrich Telle
- Assisted-by: Steve Holme, Daniel Stenberg
+ curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
+
+ This is suboptimal because we want *consistency* — the URI should be
+ usable in place of a filename anywhere, without having strange
+ differences for different applications.
+
+ This patch therefore disables the processing in parse_cert_parameter()
+ when the string starts with 'pkcs11:'. It means you can't pass a
+ passphrase with an unescaped PKCS#11 URI, but there's no need to do so
+ because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
+ the URI itself.
+
+ Also, if users are already using RFC7512 URIs with the colon escaped as
+ in the above example — even providing a passphrase for cURL to handling
+ instead of using a pin-value attribute, that will continue to work
+ because their string will start 'pkcs11\:' and won't match the check.
+
+ What *does* break with this patch is the extremely unlikely case that a
+ user has a file which is in the local directory and literally named
+ just "pkcs11", and they have a passphrase on it. If that ever happened,
+ the user would need to refer to it as './pkcs11:<passphrase>' instead.
-Daniel Stenberg (12 Sep 2014)
-- [Ray Satiro brought this change]
+- nss: make the global variables static
- newlines: fix mixed newlines to LF-only
+- openssl: use regular malloc instead of OPENSSL_malloc
- I use the curl repo mainly on Windows with the typical Windows git
- checkout which converts the LF line endings in the curl repo to CRLF
- automatically on checkout. The automatic conversion is not done on files
- in the repo with mixed line endings. I recently noticed some weird
- output with projects/build-openssl.bat that I traced back to mixed line
- endings, so I scanned the repo and there are files (excluding the
- test data) that have mixed line endings.
+ This allows for better memmory debugging and torture tests.
+
+- proxy: fix tests as follow-up to 93b0d907d5
- I used this command below to do the scan. Unfortunately it's not as easy
- as git grep, at least not on Windows. This gets the names of all the
- files in the repo's HEAD, gets each of those files raw from HEAD, checks
- for mixed line endings of both LF and CRLF, and prints the name if
- mixed. I excluded path tests/data/test* because those can have mixed
- line endings if I understand correctly.
+ This fixes tests that were added after 113f04e664b as the tests would
+ fail otherwise.
- for f in `git ls-tree --name-only --full-tree -r HEAD`;
- do if [ -n "${f##tests/data/test*}" ];
- then git show "HEAD:$f" | \
- perl -0777 -ne 'exit 1 if /([^\r]\n.*\r\n)|(\r\n.*[^\r]\n)/';
- if [ $? -ne 0 ];
- then echo "$f";
- fi;
- fi;
- done
-
-- [Viktor Szakáts brought this change]
+ We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
+ regressions with old and stupid proxies, but we could possibly switch to
+ using it only for CONNECT or only for NTLM in a future if we want to
+ gradually reduce it.
+
+ Fixes #954
+
+ Reported-by: János Fekete
- mk-ca-bundle.pl: converted tabs to spaces, deleted trailing spaces
+- Revert "Proxy-Connection: stop sending this header by default"
+
+ This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
-- ROADMAP: markdown eats underscores
+- CURLOPT_PROXY.3: unsupported schemes cause errors now
- It interprets them as italic indictors unless we backtick the word.
+ Follow-up to a96319ebb9 (document the new behavior)
-- ROADMAP: tiny formatting edit for nicer web output
+- tests/README: mention nghttpx for HTTP/2 tests
-Steve Holme (10 Sep 2014)
-- ROADMAP.md: Updated GSSAPI authentication following 7.38.0 additions
+- README.md: add our CII Best Practices badge
+
+- proxy: polished the error message for unsupported schemes
+
+ Follow up to a96319ebb93
-- INTERNALS: Added email and updated Kerberos details
+- test219: verify unsupported scheme for proxies get rejected
-- FEATURES: Updated Kerberos details
+- proxy: reject attempts to use unsupported proxy schemes
- Added support for Kerberos 5 to the email protocols following the recent
- additions in 7.38.0.
+ I discovered some people have been using "https://example.com" style
+ strings as proxy and it "works" (curl doesn't complain) because curl
+ ignores unknown schemes and then assumes plain HTTP instead.
- Removed Kerberos 4 as this has been gone for a while now.
+ I think this misleads users into believing curl uses HTTPS to proxies
+ when it doesn't. Now curl rejects proxy strings using unsupported
+ schemes instead of just ignoring and defaulting to HTTP.
-Daniel Stenberg (10 Sep 2014)
-- [Paul Howarth brought this change]
+- RELEASE-NOTES: synced with b7ee5316c2fd5b
- openssl: build fix for versions < 0.9.8e
+Marc Hoersken (14 Aug 2016)
+- socks.c: Correctly calculate position of port in response packet
- Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html
-
-- mk-ca-bundle.pl: first, try downloading HTTPS with curl
+ Third commit to fix issue #944 regarding SOCKS5 error handling.
- As a sort of step forward, this script will now first try to get the
- data from the HTTPS URL using curl, and only if that fails it will
- switch back to the HTTP transfer using perl's native LWP functionality.
- To reduce the risk of this script being tricked.
+ Reported-by: David Kalnischkies
+
+- socks.c: Do not modify and invalidate calculated response length
- Using HTTPS to get a cert bundle introduces a chicken-and-egg problem so
- we can't really ever completely disable HTTP, but chances are that most
- users already have a ca cert bundle that trusts the mozilla.org site
- that this script downloads from.
+ Second commit to fix issue #944 regarding SOCKS5 error handling.
- A future version of this script will probably switch to require a
- dedicated "insecure" command line option to allow downloading over HTTP
- (or unverified HTTPS).
+ Reported-by: David Kalnischkies
-- LICENSE-MIXING: removed krb4 info
+- socks.c: Move error output after reading the whole response packet
- krb4 has been dropped since a while now
+ First commit to fix issue #944 regarding SOCKS5 error handling.
+
+ Reported-by: David Kalnischkies
-- bump: on the 7.38.1-DEV train now!
+Daniel Stenberg (13 Aug 2016)
+- [Ronnie Mose brought this change]
-- SSLCERTS: minor updates
+ MANUAL: Remove invalid link to LDAP documentation (#962)
- Edited format to look better on the web, added a "it is about trust"
- section.
+ The server developer.netscape.com does not resolve into any
+ ip address and can be removed.
-Version 7.38.0 (10 Sep 2014)
+Jay Satiro (13 Aug 2016)
+- openssl: accept subjectAltName iPAddress if no dNSName match
+
+ Undo change introduced in d4643d6 which caused iPAddress match to be
+ ignored if dNSName was present but did not match.
+
+ Also, if iPAddress is present but does not match, and dNSName is not
+ present, fail as no-match. Prior to this change in such a case the CN
+ would be checked for a match.
+
+ Bug: https://github.com/curl/curl/issues/959
+ Reported-by: wmsch@users.noreply.github.com
-Daniel Stenberg (10 Sep 2014)
-- dist: two cmake files are no more
+Daniel Stenberg (12 Aug 2016)
+- [Dambaev Alexander brought this change]
+
+ configure.ac: add zlib search with pkg-config
- CMake/FindOpenSSL.cmake and FindZLIB.cmake are gone since 14aa8f0c117b
+ Closes #956
-- RELEASE-NOTES: final update for 7.38.0
+- rtsp: ignore whitespace in session id
+
+ Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
+ whitespace as well.
+
+ Help-by: Erik Janssen
-- cookies: reject incoming cookies set for TLDs
+- HTTP: retry failed HEAD requests too
- Test 61 was modified to verify this.
+ Mark's new document about HTTP Retries
+ (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
+ spotted that we don't retry failed HEAD requests which seems totally
+ inconsistent and I can't see any reason for that separate treatment.
- CVE-2014-3620
+ So, no separate treatment for HEAD starting now. A HTTP request sent
+ over a reused connection that gets cut off before a single byte is
+ received will be retried on a fresh connection.
- Reported-by: Tim Ruehsen
- URL: http://curl.haxx.se/docs/adv_20140910B.html
+ Made-aware-by: Mark Nottingham
+
+- mk-ca-bundle.1: document -m, added in 1.26
+
+- RELEASE-NOTES: synced with e577c43bb5
-- [Tim Ruehsen brought this change]
+- [Erik Janssen brought this change]
- cookies: only use full host matches for hosts used as IP address
+ rtsp: accept any RTSP session id
- By not detecting and rejecting domain names for partial literal IP
- addresses properly when parsing received HTTP cookies, libcurl can be
- fooled to both send cookies to wrong sites and to allow arbitrary sites
- to set cookies for others.
+ Makes libcurl work in communication with gstreamer-based RTSP
+ servers. The original code validates the session id to be in accordance
+ with the RFC. I think it is better not to do that:
- CVE-2014-3613
+ - For curl the actual content is a don't care.
- Bug: http://curl.haxx.se/docs/adv_20140910A.html
+ - The clarity of the RFC is debatable, is $ allowed or only as \$, that
+ is imho not clear
+
+ - Gstreamer seems to url-encode the session id but % is not allowed by
+ the RFC
+
+ - less code
+
+ With this patch curl will correctly handle real-life lines like:
+ Session: biTN4Kc.8%2B1w-AF.; timeout=60
+
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
-- HISTORY: fix the 1998 title position
+- symbols-in-versions: add CURL_STRICTER
+
+ Added in 5fce88aa8c12564
-- HISTORY: extended and now markdown
+- [Simon Warta brought this change]
-- SSLCERTS: converted to markdown
+ winbuild: Allow changing C compiler via environment variable CC (#952)
- Only minor edits to make it generate nice HTML output using markdown, as
- this document serves both in source release tarballs as on the web site.
+ This makes it possible to use specific compilers or a cache.
- URL: http://curl.haxx.se/docs/sslcerts.html
+ Sample use for clcache:
+ set CC=clcache.bat
+ nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
-- ftp-wildcard.c: spell fix
-
- Reported-By: Frank Gevaerts
+- LICENSE-MIXING.md: switched to markdown
+
+- docs-make: have markdown files use .md
+
+- curl.h: make CURL_NO_OLDIES define CURL_STRICTER
+
+- HISTORY.md: use markdown extension
+
+- SSLCERTS.md: renamed to markdown extension
+
+- INTERNALS.md: use markdown extension for markdown content
+
+- CONTRIBUTE.md: markdown extension
+
+- CONTRIBUTE: changed to markdown
+
+- CONTRIBUTE: refreshed
+
+- TODO: added an SSH section and two SFTP things to do
-- RELEASE-NOTES: synced with 921a0c22a6f
+- TODO: remove the 1.22 duplicated item
-- THANKS: synced with RELEASE-NOTES for 921a0c22a6f
+- TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section
-- polarassl: avoid memset() when clearing the first byte is enough
+- TODO: API for URL parsing/splitting
-- [Catalin Patulea brought this change]
+- TODO: move QUIC to the HTTP section
- polarssl: support CURLOPT_CAPATH / --capath
+- [Simon Warta brought this change]
+
+ winbuild: Free name $(CC) in Makefile (#950)
+
+ In the old line number 290, CC and CURL_CC had the same value. After
+ that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
- Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
+ This gets rid of the CC variable entirely. It is a first step to make it
+ possible to manualyl set a CC variable in order to be able to change the
+ compiler.
-- SECURITY: eh, make more sense!
+- TODO: Use huge HTTP/2 windows
-- SECURITY: how to join the curl-security list
+- [Simon Warta brought this change]
-- RELEASE-NOTES: fix the required nghttp2 version typo
+ winbuild: Avoid setting redundant CFLAGS to compile commands (#949)
+
+ $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
+ all arguments in CURL_CFLAGS have been added twice.
-- [Brandon Casey brought this change]
+Jay Satiro (8 Aug 2016)
+- cmake: Enable win32 threaded resolver by default
+
+ - Turn on USE_THREADS_WIN32 in Windows if ares isn't on
+
+ This change is similar to what we already do in the autotools build.
- Ensure progress.size_dl/progress.size_ul are always >= 0
+- cmake: Enable win32 large file support by default
- Historically the default "unknown" value for progress.size_dl and
- progress.size_ul has been zero, since these values are initialized
- implicitly by the calloc that allocates the curl handle that these
- variables are a part of. Users of curl that install progress
- callbacks may expect these values to always be >= 0.
+ All compilers used by cmake in Windows should support large files.
- Currently it is possible for progress.size_dl and progress.size_ul
- to by set to a value of -1, if Curl_pgrsSetDownloadSize() or
- Curl_pgrsSetUploadSize() are passed a "size" of -1 (which a few
- places currently do, and a following patch will add more). So
- lets update Curl_pgrsSetDownloadSize() and Curl_pgrsSetUploadSize()
- so they make sure that these variables always contain a value that
- is >= 0.
+ - Add test SIZEOF_OFF_T
+ - Remove outdated test SIZEOF_CURL_OFF_T
+ - Turn on USE_WIN32_LARGE_FILES in Windows
+ - Check for 'Largefile' during the features output
+
+Daniel Stenberg (7 Aug 2016)
+- TODO: added several ideas, removed SPDY
+
+- http2: always wait for readable socket
- Updates test579 and test599.
+ Since the server can at any time send a HTTP/2 frame to us, we need to
+ wait for the socket to be readable during all transfers so that we can
+ act on incoming frames even when uploading etc.
- Signed-off-by: Brandon Casey <drafnel@gmail.com>
+ Reminded-by: Tatsuhiro Tsujikawa
-Steve Holme (7 Sep 2014)
-- tests: Added test1420 to the makefile
+- RELEASE-NOTES: synced with 7b4bf37a44791
-- test1420: Removed unnecessary CURLOPT setting
+- [Thomas Glanzmann brought this change]
-- tests: Added more "Clear Text" authentication keywords
+ mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
+
+ In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
+ to 0. This patch also adds a comment how mbedtls must be compiled in
+ order to make debugging work, and explains the possible debug levels.
-- tests: Updated "based on" text due to email test renumbering
+- CURLOPT_TCP_NODELAY: now enabled by default
+
+ After a few wasted hours hunting down the reason for slowness during a
+ TLS handshake that turned out to be because of TCP_NODELAY not being
+ set, I think we have enough motivation to toggle the default for this
+ option. We now enable TCP_NODELAY by default and allow applications to
+ switch it off.
+
+ This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
+ used to disable it.
+
+ Thanks-to: Tim Rühsen
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
-- tests: For consistency added --libcurl to test name
+- [Serj Kalichev brought this change]
-- tests: Added --libcurl for IMAP test case
+ TFTP: Fix upload problem with piped input
+
+ When input stream for curl is stdin and input stream is not a file but
+ generated by a script then curl can truncate data transfer to arbitrary
+ size since a partial packet is treated as end of transfer by TFTP.
+
+ Fixes #857
-- multi.c: Avoid invalid memory read after free() from commit 3c8c873252
+- mk-ca-bundle.pl: -m keeps ca cert meta data in output
+
+ Makes the script pass on comments holding meta data to the output
+ file. Like fingerprinters, issuer, date ranges etc.
- As the current element in the list is free()d by Curl_llist_remove(),
- when the associated connection is pending, reworked the loop to avoid
- accessing the next element through e->next afterward.
+ Closes #937
-- multi.c: Fixed compilation warning from commit 3c8c873252
+- multi: make Curl_expire() work with 0 ms timeouts
+
+ Previously, passing a timeout of zero to Curl_expire() was a magic code
+ for clearing all timeouts for the handle. That is now instead made with
+ the new Curl_expire_clear() function and thus a 0 timeout is fine to set
+ and will trigger a timeout ASAP.
- warning: implicit conversion from enumeration type 'CURLMcode' to
- different enumeration type 'CURLcode'
+ This will help removing short delays, in particular notable when doing
+ HTTP/2.
-- url.c: Use CURLAUTH_NONE constant rather than 0
+- transfer: return without select when the read loop reached maxcount
- Small follow up to commit 898808fa8c to use auth constants rather than
- hard code value when clearing picked authentication mechanism.
+ Regression added in 790d6de48515. The was then added to avoid one
+ particular transfer to starve out others. But when aborting due to
+ reading the maxcount, the connection must be marked to be read from
+ again without first doing a select as for some protocols (like SFTP/SCP)
+ the data may already have been read off the socket.
+
+ Reported-by: Dan Donahue
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html
+
+Steve Holme (3 Aug 2016)
+- [Bill Nagel brought this change]
-- RELEASE-NOTES: Synced with fd1ce3856a
+ mbedtls: Added support for NTLM
-Nick Zitzmann (4 Sep 2014)
-- [Vilmos Nebehaj brought this change]
+Daniel Stenberg (3 Aug 2016)
+- [Sergei Nikulov brought this change]
- darwinssl: Use CopyCertSubject() to check CA cert.
-
- SecCertificateCopyPublicKey() is not available on iPhone. Use
- CopyCertSubject() instead to see if the certificate returned by
- SecCertificateCreateWithData() is valid.
+ travis: removed option to rebuild autotool from source
- Reported-by: Toby Peterson
+ Fixes #943
+
+- bump: start working toward 7.50.2
-Steve Holme (4 Sep 2014)
-- RELEASE-NOTES: Clarify email Kerberos support is currently via Windows SSPI
+Version 7.50.1 (3 Aug 2016)
-Daniel Stenberg (4 Sep 2014)
-- MAIL-ETIQUETTE: "1.8 I posted, now what?"
+Daniel Stenberg (3 Aug 2016)
+- THANKS: 7 new contributors from the 7.50.1 release
-- CURLOPT_CA*: better refering between *CAINFO and *CAPATH
+- RELEASE-NOTES: 7.50.1
+
+- TLS: only reuse connections with the same client cert
- ... and a minor wording edit
+ CVE-2016-5420
+ Bug: https://curl.haxx.se/docs/adv_20160803B.html
-- THANKS: added Dennis Clarke
+- TLS: switch off SSL session id when client cert is used
- Dennis Clarke from Blastwave.org for ensuring that nightly builds run
- smooth on Solaris!
+ CVE-2016-5419
+ Bug: https://curl.haxx.se/docs/adv_20160803A.html
+ Reported-by: Bru Rom
+ Contributions-by: Eric Rescorla and Ray Satiro
-- curl_multi_cleanup: remove superfluous NULL assigns
+- curl_multi_cleanup: clear connection pointer for easy handles
- ... as the struct is free()d in the end anyway. It was first pointed out
- to me that one of the ->msglist assignments were supposed to have been
- ->pending but was a copy and paste mistake when I realized none of the
- clearing of pointers had to be there.
+ CVE-2016-5421
+ Bug: https://curl.haxx.se/docs/adv_20160803C.html
+ Reported-by: Marcelo Echeverria and Fernando Muñoz
-- multi: convert CURLM_STATE_CONNECT_PEND handling to a list
+- KNOWN_BUGS: SOCKS proxy not working via IPv6
- ... instead of scanning through all handles, stash only the actual
- handles that are in that state in the new ->pending list and scan that
- list only. It should be mostly empty or very short. And only used for
- pipelining.
+ Closes #835
+
+- KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
- This avoids a rather hefty slow-down especially notable if you add many
- handles to the same multi handle. Regression introduced in commit
- 0f147887 (version 7.30.0).
+ Closes #768
+
+- KNOWN_BUGS: transfer-encoding: chunked in HTTP/2
+
+ Closes #662
+
+- TODO: Provide cmake config-file
- Bug: http://curl.haxx.se/mail/lib-2014-07/0206.html
- Reported-by: David Meyer
+ Closes #885
+
+Patrick Monnerat (2 Aug 2016)
+- os400: define BUILDING_LIBCURL in make script.
-- RELEASE-NOTES: synced with e608324f9f9
+Daniel Stenberg (1 Aug 2016)
+- RELEASE-NOTES: synced with aa9f536a18b
-- [Andre Heinecke brought this change]
+Jay Satiro (1 Aug 2016)
+- [Thomas Glanzmann brought this change]
- polarssl: implement CURLOPT_SSLVERSION
+ mbedtls: Fix debug function name
- Forwards the setting as minimum ssl version (if set) to polarssl. If
- the server does not support the requested version the SSL Handshake will
- fail.
+ This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
+ defined.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1419
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
-nickzman (1 Sep 2014)
-- Merge pull request #115 from ldx/darwinsslfixpr
-
- darwinssl: now accepts cacert bundles in PEM format in addition to single certs
+Daniel Stenberg (1 Aug 2016)
+- [Sergei Nikulov brought this change]
-Vilmos Nebehaj (1 Sep 2014)
-- Check CA certificate in curl_darwinssl.c.
+ travis: fix OSX build by re-installing libtool
+
+ Apparently due to a broken homebrew install
- SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even
- if the buffer holds an invalid or corrupt certificate. Call
- SecCertificateCopyPublicKey() to make sure cacert is a valid
- certificate.
+ fixes #934
+ Closes #939
+
+- [Martin Vejnár brought this change]
-Daniel Stenberg (31 Aug 2014)
-- low-speed-limit: avoid timeout flood
+ win32: fix a potential memory leak in Curl_load_library
- Introducing Curl_expire_latest(). To be used when we the code flow only
- wants to get called at a later time that is "no later than X" so that
- something can be checked (and another timeout be added).
+ If a call to GetSystemDirectory fails, the `path` pointer that was
+ previously allocated would be leaked. This makes sure that `path` is
+ always freed.
- The low-speed logic for example could easily be made to set very many
- expire timeouts if it would be called faster or sooner than what it had
- set its own timer and this goes for a few other timers too that aren't
- explictiy checked for timer expiration in the code.
+ Closes #938
+
+- include: revert 9adf3c4 and make public types void * again
+
+ Many applications assume the actual contents of the public types and use
+ that do for example forward declarations (saving them from including our
+ public header) which then breaks when we switch from void * to a struct
+ *.
- If there's no condition the code that says if(time-passed >= TIME), then
- Curl_expire_latest() is preferred to Curl_expire().
+ I'm not convinced we were wrong, but since this practise seems
+ widespread enough I'm willing to (partly) step down.
- If there exists such a condition, it is on the other hand important that
- Curl_expire() is used and not the other.
+ Now libcurl uses the struct itself when it is built and it allows
+ applications to use the struct type if CURL_STRICTER is defined at the
+ time of the #include.
- Bug: http://curl.haxx.se/mail/lib-2014-06/0235.html
- Reported-by: Florian Weimer
+ Reported-by: Peter Frühberger
+ Fixes #926
-- [Michael Wallner brought this change]
+Jay Satiro (28 Jul 2016)
+- [Yonggang Luo brought this change]
- resolve: cache lookup for async resolvers
+ cmake: Fix for schannel support
+
+ The check_library_exists_concat do not check crypt32 library properly.
+ So include it directly.
- While waiting for a host resolve, check if the host cache may have
- gotten the name already (by someone else), for when the same name is
- resolved by several simultanoues requests.
+ Bug: https://github.com/curl/curl/pull/917
+ Reported-by: Yonggang Luo
- The resolver thread occasionally gets stuck in getaddrinfo() when the
- DNS or anything else is crappy or slow, so when a host is found in the
- DNS cache, leave the thread alone and let itself cleanup the mess.
+ Bug: https://github.com/curl/curl/issues/935
+ Reported-by: Alain Danteny
-Vilmos Nebehaj (30 Aug 2014)
-- Fix CA certificate bundle handling in darwinssl.
+- Revert "travis: Install libtool for OS X builds"
- If the --cacert option is used with a CA certificate bundle that
- contains multiple CA certificates, iterate through it, adding each
- certificate as a trusted root CA.
+ Didn't work.
+
+ This reverts commit 50723585ed380744358de054e2a55dccee65dfd7.
-Daniel Stenberg (29 Aug 2014)
-- [Askar Safin brought this change]
+- travis: Install libtool for OS X builds
+
+ CI is failing due to missing libtoolize, so I'm trying this.
- getinfo-times: Typo fixed
+Daniel Stenberg (26 Jul 2016)
+- [Viktor Szakats brought this change]
-- [Askar Safin brought this change]
+ TODO: minor typo in last commit
+
+ merged #931
- libcurl.3: Typo fixed
+- TODO: Timeout idle connections from the pool
-- curl_formadd.3: setting CURLFORM_CONTENTSLENGTH 0 zero means strlen
+Patrick Monnerat (25 Jul 2016)
+- os400: minimum supported OS version: V6R1M0.
+ Do not log compilation informational messages.
-- curl.1: add an example for -H
+Jay Satiro (24 Jul 2016)
+- tests: Fix for http/2 feature
+
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0070.html
+ Reported-by: Paul Howarth
-- FAQ: mention -w in the 4.20 answer as well
+Steve Holme (23 Jul 2016)
+- README: Mention wolfSSL in the 'Dependencies' section
-- FAQ: 4.20 curl doesn't return error for HTTP non-200 responses
+- vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
+
+ As SPNEGO is only defined when these pre-processor variables are defined
+ there is no need to query them explicitly.
-- CURLOPT_NOBODY.3: clarify this option is for downloads
+- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
- When enabling CURLOPT_NOBODY, libcurl effectively switches off upload
- mode and will do a download (without a body). This is now better
- explained in this man page.
+ Typo introduced in commit ad5e9bfd5d.
+
+Daniel Stenberg (22 Jul 2016)
+- SECURITY: mention how to get windows-specific CVEs
- Bug: http://curl.haxx.se/mail/lib-2014-08/0236.html
- Reported-by: John Coffey
+ ... and make the distros link a proper link
-- INTERNALS: nghttp2 must be 0.6.0 or later
+Dan Fandrich (21 Jul 2016)
+- test558: fix test by stripping file paths from FD lines
-- [Tatsuhiro Tsujikawa brought this change]
+Kamil Dudka (21 Jul 2016)
+- tests: distribute the http2-server.pl script, too
- Compile with latest nghttp2
+- docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too
-Dan Fandrich (26 Aug 2014)
-- THANKS: removed a few more duplicates
+Daniel Stenberg (21 Jul 2016)
+- bump: start working on 7.50.1
-Daniel Stenberg (26 Aug 2014)
-- RELEASE-NOTES: synced with 007242257683a
-
- ... and bumped the contributor amount after recount
+Version 7.50.0 (21 Jul 2016)
-- THANKS: added 52 missing contributors
+Daniel Stenberg (21 Jul 2016)
+- RELEASE-NOTES: version 7.50.0 ready
+
+- THANKS: 13 new contributors from the 7.50.0 release
+
+Jay Satiro (21 Jul 2016)
+- winbuild: fix embedded manifest option
+
+ Embedded manifest option didn't work due to typo.
- I re-ran contributors.sh on all changes since 7.10 and I found these
- contributors who are mentioned in the commits but never were added to
- THANKS before!
+ Reported-by: Stefan Kanthak
+
+- vauth: Fix memleak by freeing credentials if out of memory
- I also removed a couple of duplicates (mostly due to different
- spellings).
+ This is a follow up to the parent commit dcdd4be which fixes one leak
+ but creates another by failing to free the credentials handle if out of
+ memory. Also there's a second location a few lines down where we fail to
+ do same. This commit fixes both of those issues.
-- contributors: grep and sort case insensitively
+Daniel Stenberg (20 Jul 2016)
+- [Saurav Babu brought this change]
-- [Michael Osipov brought this change]
+ vauth: Fixed memory leak due to function returning without free
+
+ This patch allocates memory to "output_token" only when it is required
+ so that memory is not leaked if function returns.
- configure.ac: Add support for recent GSS-API implementations for HP-UX
+- test558: updated after ipv6-check move
- By default, configure script assumes that libcurl will use the
- HP-supplied GSS-API implementation which does not have krb5-config.
- If a dev needs a more recent version which has that config script,
- the change will allow to pass an appropriate GSSAPI_ROOT.
+ Follow-up commit to c50980807c5 to make this test pass.
-- CONNECT: close proxy connections that fail to CONNECT
+Jay Satiro (20 Jul 2016)
+- connect: disable TFO on Linux when using SSL
- This is usually due to failed auth. There's no point in us keeping such
- a connection alive since it shouldn't be re-used anyway.
+ - Linux TFO + TLS is not implemented yet.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1381
- Reported-by: Marcel Raad
+ Bug: https://github.com/curl/curl/issues/907
-- RELEASE-NOTES: added two missing HTTP/2 bug fixes
-
- And renamed all http2 references to HTTP/2 in this file
+Daniel Stenberg (19 Jul 2016)
+- ROADMAP: QUIC and TLS 1.3
-- RELEASE-NOTES: synced with f646e9075f47
+- RELEASE-NOTES: synced with c50980807c5
-- [Jakub Zakrzewski brought this change]
+Jay Satiro (18 Jul 2016)
+- [Brian Prodoehl brought this change]
- Cmake: Possibility to use OpenLDAP, OpenSSL, LibSSH2 on windows
+ curl_global_init: Check if IPv6 works
- At this point I can build libcurl on windows. It provides at least the same
- list of protocols as for linux build and works with our software.
+ - Curl_ipv6works() is not thread-safe until after the first call, so
+ call it once during global init to avoid a possible race condition.
+
+ Bug: https://github.com/curl/curl/issues/915
+ PR: https://github.com/curl/curl/pull/918
-- [Jakub Zakrzewski brought this change]
+- [Timothy Polich brought this change]
- Cmake: Removed repeated content from ending blocks
+ CURLMOPT_SOCKETFUNCTION.3: fix typo
- They are unnecesary in modern CMake and removing them improves readability.
+ Closes https://github.com/curl/curl/pull/914
-- [Jakub Zakrzewski brought this change]
+- [Miroslav Franc brought this change]
- Cmake: Removed some useless empty SET statements.
+ library: Fix memory leaks found during static analysis
- Undefined variables resolve to empty strings and we do not ever test if
- the variable is defined thus those SETs are superfluous.
+ Closes https://github.com/curl/curl/pull/913
-- [Jakub Zakrzewski brought this change]
+- [Viktor Szakats brought this change]
- Cmake: Removed useless comments from CMakeLists.txt
+ cookie.c: Fix misleading indentation
- They look like some relics after changes.
-
-- [Jakub Zakrzewski brought this change]
+ Closes https://github.com/curl/curl/pull/911
- Cmake: Don't check for all headers each time
+- FAQ: Update FTP directory listing section for MLSD command
- One header at a time is the right way. Apart from that the output on
- windows goes from:
- ...
- -- Looking for include files I:/src/libssh2-1.4.3/include/libssh2.h, ws2tcpip.h
- -- Looking for include files I:/src/libssh2-1.4.3/include/libssh2.h, ws2tcpip.h
- - found
- -- Looking for 3 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock2.h
- -- Looking for 3 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock2.h - found
- -- Looking for 4 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., stdi
- o.h
- -- Looking for 4 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., stdi
- o.h - found
- -- Looking for 5 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wind
- ows.h
- -- Looking for 5 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wind
- ows.h - found
- -- Looking for 6 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock.h
- -- Looking for 6 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock.h - found
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- filio.h
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- filio.h - not found
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- ioctl.h
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- ioctl.h - not found
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- resource.h
- ...
+ Explain how some FTP servers support the machine readable listing
+ format MLSD from RFC 3659 and compare it to LIST.
- To much nicer:
- ...
- -- Looking for ws2tcpip.h
- -- Looking for ws2tcpip.h - found
- -- Looking for winsock2.h
- -- Looking for winsock2.h - found
- -- Looking for stdio.h
- -- Looking for stdio.h - found
- -- Looking for windows.h
- -- Looking for windows.h - found
- -- Looking for winsock.h
- -- Looking for winsock.h - found
- -- Looking for sys/filio.h
- -- Looking for sys/filio.h - not found
- -- Looking for sys/ioctl.h
- -- Looking for sys/ioctl.h - not found
- -- Looking for sys/resource.h
+ Ref: https://github.com/curl/curl/issues/906
-- [Jakub Zakrzewski brought this change]
+Daniel Stenberg (1 Jul 2016)
+- [Sergei Nikulov brought this change]
- Cmake: Append OpenSSL include directory to search path
+ Appveyor: Updates for options - CURL_STATICLIB/BUILD_TESTING
- At this point I can build libcurl with OpenSSL, OpenLDAP and LibSSH2.
- Supported protocols are at least:
- HTTP, HTTPS, FTP, SFTP, TFTP, LDAP, LDAPS, POP3, SMTP
- (those are the ones we have regression tests for
- in our product's testsuite)
+ Closes #892
-- [Jakub Zakrzewski brought this change]
+- TODO: 17.4 also brings more HTTP/2 support
- Cmake: Search for liblber, LDAP SSL headers, swith for using OpenLDAP code.
+- TODO: try next proxy if one doesn't work
+
+ Closes #896
-- [Jakub Zakrzewski brought this change]
+- conn: don't free easy handle data in handler->disconnect
+
+ Reported-by: Gou Lingfeng
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
- Cmake: LibSSH2 detection and use.
+- test1244: test different proxy ports same URL
-- [Jakub Zakrzewski brought this change]
+- curl_global_init.3: improved formatting of the flags
- Cmake: Moved macros out of the main CMakeLists.txt
+- curl_global_init.3: expand on the SSL and WIN32 bits purpose
+
+ Reported-by: Richard Gray
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html
-- [Jakub Zakrzewski brought this change]
+- [Michael Kaufmann brought this change]
- Cmake: Added missing protocol-disable switches
+ cleanup: minor code cleanup in Curl_http_readwrite_headers()
- They already have their defines in config.h. This makes it possible to
- disable the protocols from command line during configure step.
-
-- [Jakub Zakrzewski brought this change]
+ - the expression of an 'if' was always true
+ - a 'while' contained a condition that was always true
+ - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
+ - fixed a typo
+
+ Closes #889
- Cmake: Made boolean defines be defined to "1" instead of "ON"
+- SFTP: set a generic error when no SFTP one exists...
+
+ ... as otherwise we could get a 0 which would count as no error and we'd
+ wrongly continue and could end up segfaulting.
- It's by convention, for compatibility and because the comments say so.
- Just mabe someone have written a test like "#if HAVE_XX==1"
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
+ Reported-by: 暖和的和暖
-- [Jakub Zakrzewski brought this change]
+- ROADMAP: http2 tests are merged, mention http2 perf
- Cmake: Require at least CMake 2.8.
+- docs/README.md: to render nicer pages on github
- CMake 2.6 is already a bit old. Many bugs have been fixed since
- its release. We use 2.8 in our company and we have no intention
- of polluting our environment with old software, so 2.6 would
- not be tested. This shouldn't be a problem since all one need
- to build CMake from source is C and C++ compiler.
+ ... as previously the README.cmake would be picked and put at the bottom
+ of the docs page there and it wasn't very representative!
-- disconnect: don't touch easy-related state on disconnects
+- README.md: change host name for the svg logo
- This was done to make sure NTLM state that is bound to a connection
- doesn't survive and gets used for the subsequent request - but
- disconnects can also be done to for example make room in the connection
- cache and thus that connection is not strictly related to the easy
- handle's current operation.
+ rawgit.com asks to use the domain cdn.rawgit.com for production
- The http authentication state is still kept in the easy handle since all
- http auth _except_ NTLM is connection independent and thus survive over
- multiple connections.
-
- Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html
- Reported-by: Paras S
+ See #900
-- curl.1: clarify --limit-rate's effect on both directions
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1414
- Reported-by: teo8976
+- [Viktor Szakats brought this change]
+
+ README.md: use the SVG logo
+
+- README.md: logo on top!
-- curl.1: mention the --post30x options within the --location desc
+- KNOWN_BUGS: 3.4 POP3 expects "CRLF.CRLF" eob for some
+
+ Closes #740
-Dan Fandrich (22 Aug 2014)
-- sasl: Fixed a memory leak on OOM
+- RELEASE-NOTES: synced with d61c80515aa8
-Daniel Stenberg (22 Aug 2014)
-- [Frank Meier brought this change]
+- [Michael Osipov brought this change]
- NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
+ acinclude.m4: improve autodetection of CA bundle on FreeBSD
- Problem: if CURLOPT_FORBID_REUSE is set, requests using NTLM failed
- since NTLM requires multiple requests that re-use the same connection
- for the authentication to work
+ The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
+ to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
+ discovery process.
- Solution: Ignore the forbid reuse flag in case the NTLM authentication
- handshake is in progress, according to the NTLM state flag.
+ This change also removes the former FreeBSD path that has been obsolete
+ for 8 years since this FreeBSD ports commit:
+ https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953
- Fixed known bug #77.
+ Closes #894
-Steve Holme (22 Aug 2014)
-- openssl.c: Fixed longer than 79 columns
+- configure: don't specify .lib for libs on windows
+
+ Another follow up for crypt32.lib linking with winssl
-- openssl.c: Fixed compilation warning
+- configure: fix winssl LIBS change typo
- warning: declaration of 'minor' shadows a global declaration
+ follow-up from 120bf29e
-Daniel Stenberg (21 Aug 2014)
-- [Haris Okanovic brought this change]
+- TODO: "TCP Fast Open" is done, add monitor pool connections
- win32: Fixed WinSock 2 #if
-
- A conditionally compiled block in connect.c references WinSock 2
- symbols, but used `#ifdef HAVE_WINSOCK_H` instead of `#ifdef
- HAVE_WINSOCK2_H`.
+- configure: add crypt32.lib for winssl builds
- Bug: http://curl.haxx.se/mail/lib-2014-08/0155.html
+ Necessary since 6cabd78531f
-- Curl_disconnect: don't free the URL
+- Makefile.vc: link with crypt32.lib for winssl builds
- The URL is not a property of the connection so it should not be freed in
- the connection disconnect but in the Curl_close() that frees the easy
- handle.
+ Necessary since 6cabd78531f
- Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html
- Reported-by: Paras S
+ Fixes #853
-- help output: minor whitespace edits
-
- Should've been amended in the previous commit but wasn't due to a
- mistake.
+- [Joel Depooter brought this change]
-- [Zearin brought this change]
+ VC: Add crypt32.lib to Visual Sudio project template files
+
+ Closes #854
- help output: use ≥2 spaces between option and description
+- vc: fix the build for schannel certinfo support
- ... and some other cleanups
+ Broken since 6cabd785, which adds use of the Curl_extract_certinfo
+ function from the x509asn1.c file.
-- FAQ: some actually sometimes get paid...
+- typedefs: use the full structs in internal code...
+
+ ... and save the typedef'ed names for headers and external APIs.
-Steve Holme (17 Aug 2014)
-- sasl_sspi: Fixed a memory leak with the GSSAPI base-64 decoded challenge
+- internals: rename the SessionHandle struct to Curl_easy
-- sasl_sspi: Renamed GSSAPI mutual authentication parameter
+- headers: forward declare CURL, CURLM and CURLSH as structs
- ...From "mutual" to "mutual_auth" which better describes what it is.
+ Instead of typedef'ing to void, typedef to their corresponding actual
+ struct names to allow compilers to type-check.
+
+ Assisted-by: Reinhard Max
-- sasl_sspi: Corrected some of the GSSAPI security message error codes
+Jay Satiro (22 Jun 2016)
+- vtls: Only call add/getsession if session id is enabled
+
+ Prior to this change we called Curl_ssl_getsessionid and
+ Curl_ssl_addsessionid regardless of whether session ID reusing was
+ enabled. According to comments that is in case session ID reuse was
+ disabled but then later enabled.
- Corrected a number of the error codes that can be returned from the
- Curl_sasl_create_gssapi_security_message() function when things go
- wrong.
+ The old way was not intuitive and probably not something users expected.
+ When a user disables session ID caching I'd guess they don't expect the
+ session ID to be cached anyway in case the caching is later enabled.
+
+Daniel Stenberg (22 Jun 2016)
+- curl.1: the used progress meter suffix is k in lower case
- It makes more sense to return CURLE_BAD_CONTENT_ENCODING when the
- inbound security challenge can't be decoded correctly or doesn't
- contain the KERB_WRAP_NO_ENCRYPT flag and CURLE_OUT_OF_MEMORY when
- EncryptMessage() fails. Unfortunately the previous error code of
- CURLE_RECV_ERROR was a copy and paste mistakes on my part and should
- have been correct in commit 4b491c675f :(
+ Closes #883
-- docs: Escaped single backslash
+- [Sergei Nikulov brought this change]
-- TODO: Updated following GSSAPI (Kerberos V5) additions
+ cmake: now using BUILD_TESTING=ON/OFF
- Updated "FTP 4.6 GSSAPI via Windows SSPI" and "SASL 14.1 Other
- authentication mechanisms" following recent additions.
+ CMake build now using BUILD_TESTING=ON/OFF (default is OFF) to build
+ tests and enabling CTest integration. Options BUILD_CURL_TESTS and
+ BUILD_DASHBOARD_REPORTS was removed.
- Added SASL 14.2 GSSAPI via GSS-API libraries.
+ Closes #882
+
+ Reviewed-by: Brad King
+
+- [Michael Kaufmann brought this change]
-- CURLOPT_USERNAME.3: Added Kerberos V5 and NTLM domain information
+ cleanup: fix method names in code comments
- This repeats what has already been documented in both the curl manpage
- and CURLOPT_USERPWD documentation but is provided here for completeness
- as someone may not especially read the latter when using libcurl.
+ Closes #887
-- CURLOPT_USERPWD.3: Updated following Kerberos V5 SSPI changes
+Kamil Dudka (21 Jun 2016)
+- curl-compilers.m4: improve detection of GCC's -fvisibility= flag
- Added information about Kerberos V5 requiring the domain part in the
- user name.
+ Some builds of GCC produce output on both stdout and stderr when --help
+ --verbose is used. The 2>&1 redirection caused them to be arbitrarily
+ interleaved with each other because of stream buffering. Consequently,
+ grep failed to match the fvisibility= string in the mixed output, even
+ though the string was present in GCC's standard output.
- Mentioned that the user name can be specified in UPN format, and not
- just in Down-Level Logon Name format, following the information
- added in commit 7679cb3fa8 reworking the exisitng information in the
- process.
+ This led to silently disabling symbol hiding in some builds of curl.
-- docs: Added Kerberos V5 and NTLM domain information to --user
+Daniel Stenberg (19 Jun 2016)
+- tests: fix the HTTP/2 tests
+
+ The HTTP/2 tests brought with commit bf05606ef1f were using the internal
+ name 'http2' for the HTTP/2 server, while in fact that name was already
+ used for the second instance of the HTTP server. This made tests using
+ the second instance (like test 2050) fail after a HTTP/2 test had run.
+
+ The server is now known as HTTP/2 internally and within the <server>
+ section in test cases. 1700, 1701 and 1702 were updated accordingly.
-- docs: Added Kerberos V5 to the --user SSPI current credentials usage
+- openssl: use more 'const' to fix build warnings with 1.1.0 branch
-- sasl_sspi: Tell the server we don't support a GSSAPI receive buffer
+- curl.1: missed 'T' in the progress unit suffixes
-- smtp: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI
+- curl.1: mention the unix for the progress meter
-- pop3: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI
+Patrick Monnerat (16 Jun 2016)
+- os400: add new definitions to ILE/RPG binding.
-- imap: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI
+Daniel Stenberg (16 Jun 2016)
+- openssl: fix cert check with non-DNS name fields present
+
+ Regression introduced in 5f5b62635 (released in 7.48.0)
+
+ Reported-by: Fabian Ruff
+ Fixes #875
-- email: Added mutual authentication flag
+Dan Fandrich (16 Jun 2016)
+- axtls: Use Curl_wait_ms instead of the less-portable usleep
-Daniel Stenberg (15 Aug 2014)
-- RELEASE-NOTES: synced with 0187c9e11d079
+- axtls: Fixed compile after compile 31c521b0
-- http: fix the Content-Range: parser
-
- ... to handle "*/[total]". Also, removed the strange hack that made
- CURLOPT_FAILONERROR on a 416 response after a *RESUME_FROM return
- CURLE_OK.
-
- Reported-by: Dimitrios Siganos
- Bug: http://curl.haxx.se/mail/lib-2014-06/0221.html
+- tests: Added HTTP proxy keywords to tests 1141 & 1142
-Steve Holme (14 Aug 2014)
-- email: Introduced the GSSAPI states
+Jay Satiro (15 Jun 2016)
+- [Sergei Nikulov brought this change]
-- curl_sasl_sspi.c: Fixed more compilation warnings from commit 4b491c675f
+ cmake: Fix build with winldap
- warning: unused variable 'resp'
-
- warning: no previous prototype for 'Curl_sasl_gssapi_cleanup'
+ Bug: https://github.com/curl/curl/pull/874
+ Reported-by: Sergei Nikulov
-- SHA-1: 61c93383b7f6cf79d12ff99e9dced1d1cc2a7064
+- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
+
+ When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a
+ zero-byte POST. Prior to this change it was documented as sending data
+ from the read callback.
- * curl_sasl_sspi.c: Fixed compilation warning from commit 4b491c675f
+ This also changes the wording of what happens when empty or NULL so that
+ it's hopefully easier to understand for people whose primary language
+ isn't English.
- warning: declaration of 'result' shadows a previous local
+ Bug: https://github.com/curl/curl/issues/862
+ Reported-by: Askar Safin
+
+- [Michael Wallner brought this change]
-- curl_sasl.h: Fixed compilation error from commit 4b491c675f
+ curl_multi_socket_action.3: Fix rewording
- warning: 'struct kerberos5data' declared inside parameter list
+ - Remove some erroneous text.
- Due to missing forward declaration.
+ Closes https://github.com/curl/curl/pull/865
-- urldata.h: Fixed compilation warnings from commit 3ec253532e
+- [Luo Jinghua brought this change]
+
+ resolve: enable protocol family logic for synthesized IPv6
+
+ - Enable protocol family logic for IPv6 resolves even when support
+ for synthesized addresses is enabled.
+
+ This is a follow up to the parent commit that added support for
+ synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family
+ logic needed for IPv6 was inadvertently excluded if support for
+ synthesized addresses was enabled.
- warning: extra tokens at end of #endif directive
+ Bug: https://github.com/curl/curl/issues/863
+ Ref: https://github.com/curl/curl/pull/866
+ Ref: https://github.com/curl/curl/pull/867
-- sasl_sspi: Added GSSAPI message functions
+Daniel Stenberg (7 Jun 2016)
+- [Luo Jinghua brought this change]
-- urldata: Introduced a GSSAPI (Kerberos V5) data structure
+ resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
- Added a kerberos5data structure which is similar in nature to the
- ntlmdata and negotiatedata structures.
+ Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X.
+ If the current network interface doesn’t support IPv4, but supports
+ IPv6, NAT64, and DNS64.
+
+ Closes #866
+ Fixes #863
-- sspi: Moved KERB_WRAP_NO_ENCRYPT from socks_sspi module
+- tests: two more HTTP/2 tests
- In preparation for the upcoming SSPI implementation of GSSAPI
- authentication, moved the definition of KERB_WRAP_NO_ENCRYPT from
- socks_sspi.c to curl_sspi.h allowing it to be shared amongst other
- SSPI based code.
+ 1701 and 1702
-Daniel Stenberg (13 Aug 2014)
-- mk-ca-bundle.pl: add missing $
+- runtests: don't display logs when http2 server fails to start
-- mk-ca-bundle.pl: switched to using hg.mozilla.org
+- runtests: make stripfile work on stdout as well
- ... as mxr.mozilla.org is due to be retired.
+ ... and have test 1700 use that to strip out the nghttpx server: headers
+
+- http2-tests: test1700 is the first real HTTP/2 test
- The new host doesn't support If-Modified-Since nor ETags, meaning that
- the script will now defer to download and do a post-transfer checksum
- check to see if a new output is to be generated. The new output format
- will hold the SHA1 checksum of the source file for that purpose.
+ It requires that 'nghttpx' is in the PATH, and it will run the tests
+ using nghttpx as a front-end proxy in front of the standard HTTP/1 test
+ server. This uses HTTP/2 over plain TCP.
- We call this version 1.22
+ If you like me have nghttpx installed in a custom path, you can run test 1700
+ like this:
- Reported-by: Ed Morley
- Bug: http://curl.haxx.se/bug/view.cgi?id=1409
+ $ PATH=$PATH:$HOME/build-nghttp2/bin/ ./runtests.pl 1700
-- [Jose Alf brought this change]
+- RELEASE-NOTES: synced with 34855feeb4c299
- openssl: fix version report for the 0.9.8 branch
+Steve Holme (6 Jun 2016)
+- schannel: Disable ALPN on Windows < 8.1
+
+ Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
+ fails on Windows < 8.1 so we need to disable ALPN on these OS versions.
+
+ Inspiration provide by: Daniel Seither
- Fixed libcurl to correctly output the newer versions of OpenSSL 0.9.8,
- starting from openssl-0.9.8za.
+ Closes #848
+ Fixes #840
-- [Frank Meier brought this change]
+Jay Satiro (5 Jun 2016)
+- checksrc: Add LoadLibrary to the banned functions list
+
+ LoadLibrary was supplanted by Curl_load_library for security
+ reasons in 6df916d.
- create_conn: prune dead connections
+- http: Fix HTTP/2 connection reuse
- Bringing back the old functionality that was mistakenly removed when the
- connection cache was remade. When creating a new connection, all the
- existing ones are checked and those that are known to be dead get
- disconnected for real and removed from the connection cache. It helps
- the cache from holding on to very many stale connections and aids in
- keeping down the number of system sockets in wait states.
+ - Change the parser to not require a minor version for HTTP/2.
- Help-by: Jonatan Vela <jonatan.vela@ergon.ch>
+ HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2
+ in 8243a95 because the parser still expected a minor version.
- Bug: http://curl.haxx.se/mail/lib-2014-06/0189.html
+ Bug: https://github.com/curl/curl/issues/855
+ Reported-by: Andrew Robbins, Frank Gevaerts
-Kamil Dudka (11 Aug 2014)
-- docs/SSLCERTS: update the section about NSS database
+Steve Holme (4 Jun 2016)
+- connect.c: Fixed compilation warning from commit 332e8d6164
- Bug: http://curl.haxx.se/mail/lib-2014-07/0335.html
- Reported-by: David Shaw
+ connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
-Daniel Stenberg (11 Aug 2014)
-- [Peter Wang brought this change]
+- win32: Used centralised verify windows version function
+
+ Closes #845
+
+- win32: Added verify windows version functionality
- Curl_poll + Curl_wait_ms: fix timeout return value
+- win32: Introduced centralised verify windows version function
+
+Kamil Dudka (3 Jun 2016)
+- tool_urlglob: fix off-by-one error in glob_parse()
+
+ ... causing SIGSEGV while parsing URL with too many globs.
+ Minimal example:
- Curl_poll and Curl_wait_ms require the fix applied to Curl_socket_check
- in commits b61e8b8 and c771968:
+ $ curl $(for i in $(seq 101); do printf '{a}'; done)
- When poll or select are interrupted and coincides with the timeout
- elapsing, the functions return -1 indicating an error instead of 0 for
- the timeout.
+ Reported-by: Romain Coltel
+ Bug: https://bugzilla.redhat.com/1340757
-Steve Holme (10 Aug 2014)
-- config-tpf.h: Fixed up line lengths > 79 characters
+Daniel Stenberg (1 Jun 2016)
+- [Benjamin Kircher brought this change]
+
+ libcurl-multi.3: fix small typo
+
+ Closes #850
-- config-symbian.h: Fixed up line lengths > 79 characters
+- [Viktor Szakats brought this change]
-- tool_hugehelp.c.cvs: Added copyright
+ makefile.m32: add crypt32 for winssl builds
- Added copyright due to warning from checksrc.pl.
+ Dependency added by 6cabd78
+
+ Closes #849
-- RELEASE-NOTES: Synced with cd6ecf6a89
+- [Ivan Avdeev brought this change]
-- sasl_sspi: Fixed hard coded buffer for response generation
+ vtls: fix ssl session cache race condition
+
+ Sessionid cache management is inseparable from managing individual
+ session lifetimes. E.g. for reference-counted sessions (like those in
+ SChannel and OpenSSL engines) every session addition and removal
+ should be accompanied with refcount increment and decrement
+ respectively. Failing to do so synchronously leads to a race condition
+ that causes symptoms like use-after-free and memory corruption.
+ This commit:
+ - makes existing session cache locking explicit, thus allowing
+ individual engines to manage lock's scope.
+ - fixes OpenSSL and SChannel engines by putting refcount management
+ inside this lock's scope in relevant places.
+ - adds these explicit locking calls to other engines that use
+ sessionid cache to accommodate for this change. Note, however,
+ that it is unknown whether any of these engines could also have
+ this race.
- Given the SSPI package info query indicates a token size of 4096 bytes,
- updated to use a dynamic buffer for the response message generation
- rather than a fixed buffer of 1024 bytes.
+ Bug: https://github.com/curl/curl/issues/815
+ Fixes #815
+ Closes #847
-- sasl_sspi: Fixed missing free of challenge buffer on SPN failure
+- [Andrew Kurushin brought this change]
-- http_negotiate_sspi: Tidy up to remove the get_gss_name() function
+ schannel: add CURLOPT_CERTINFO support
- Due to the reduction of code in commit 3b924b29 of get_gss_name() the
- function isn't necessary anymore.
+ Closes #822
+
+- RELEASE-NOTES: synced with 142ee9fa15002315
-- http_negotiate_sspi: Use a dynamic buffer for SPN generation
+- openssl: rename the private SSL_strerror
- Updated to use a dynamic buffer for the SPN generation via the recently
- introduced Curl_sasl_build_spn() function rather than a fixed buffer of
- 1024 characters, which should have been more than enough, but by using
- the new function removes the need for another variable sname to do the
- wide character conversion in Unicode builds.
+ ... to make it not look like an OpenSSL function
-- sasl: Tidy up to rename SPN variable from URI
+- [Michael Kaufmann brought this change]
-- sasl: Use a dynamic buffer for SPN generation
+ openssl: Use correct buffer sizes for error messages
- Updated Curl_sasl_create_digest_md5_message() to use a dynamic buffer
- for the SPN generation via the recently introduced Curl_sasl_build_spn()
- function rather than a fixed buffer of 128 characters.
+ Closes #844
-- sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
+- curl: fix -q [regression]
- Curl_sasl_create_digest_md5_message() would simply cast the SPN variable
- to a TCHAR when calling InitializeSecurityContext(). This meant that,
- under Unicode builds, it would not be valid wide character string.
+ This broke in 7.49.0 with commit e200034425a7625
- Updated to use the recently introduced Curl_sasl_build_spn() function
- which performs the correct conversion for us.
+ Fixes #842
-- sasl: Introduced Curl_sasl_build_spn() for building a SPN
+- URL parser: allow URLs to use one, two or three slashes
- Various parts of the libcurl source code build a SPN for inclusion in
- authentication data. This information is either used by our own native
- generation routines or passed to authentication functions in third-party
- libraries such as SSPI. However, some of these instances use fixed
- buffers rather than dynamically allocated ones and not all of those that
- should, convert to wide character strings in Unicode builds.
+ Mostly in order to support broken web sites that redirect to broken URLs
+ that are accepted by browsers.
- Implemented a common function that generates a SPN and performs the
- wide character conversion where necessary.
-
-- sasl_sspi: Fixed memory leak with not releasing Package Info struct
+ Browsers are typically even more leniant than this as the WHATWG URL
+ spec they should allow an _infinite_ amount. I tested 8000 slashes with
+ Firefox and it just worked.
+
+ Added test case 1141, 1142 and 1143 to verify the new parser.
- Curl_sasl_create_digest_md5_message() wouldn't free the Package Info
- structure after QuerySecurityPackageInfo() had allocated it.
+ Closes #791
-- [Michael Osipov brought this change]
+- [Renaud Lehoux brought this change]
- docs: Update SPNEGO and GSS-API related doc sections
+ cmake: Added missing mbedTLS support
- Reflect recent changes in SPNEGO and GSS-API code in the docs.
- Update them with appropriate namings and remove visible spots for
- GSS-Negotiate.
+ Closes #837
-- sspi: Minor code tidy up to standardise coding style
-
- Following the recent changes and in attempt to align the SSPI based
- authentication code performed the following:
-
- * Use NULL and SECBUFFVERSION rather than hard coded constants.
- * Avoid comparison of zero in if statements.
- * Standardised the buf and desc setup code.
+- [Renaud Lehoux brought this change]
-- schannel: Fixed compilation warning in vtls.c
+ mbedtls: removed unused variables
- vtls.c:688:43: warning: unused parameter 'data'
+ Closes #838
+
+- [Frank Gevaerts brought this change]
-- tool_getparam.c: Fixed compilation warning
+ http: add CURLINFO_HTTP_VERSION and %{http_version}
+
+ Adds access to the effectively used http version to both libcurl and
+ curl.
- warning: `orig_opt' might be used uninitialized in this function
+ Closes #799
-- RELEASE-NOTES: Synced with 159c3aafd8
+- bump: start the journey toward 7.50.0
-Daniel Stenberg (8 Aug 2014)
-- curl_ntlm_msgs: make < 80 columns wide
+- [Marcel Raad brought this change]
-Steve Holme (8 Aug 2014)
-- ntlm: Fixed hard coded buffer for SSPI based auth packet generation
+ openssl: fix build with OPENSSL_NO_COMP
+
+ With OPENSSL_NO_COMP defined, there is no function
+ SSL_COMP_free_compression_methods
- Given the SSPI package info query indicates a token size of 2888 bytes,
- and as with the Winbind code and commit 9008f3d56, use a dynamic buffer
- for the Type-1 and Type-3 message generation rather than a fixed buffer
- of 1024 bytes.
+ Closes #836
+
+- [Gisle Vanem brought this change]
-- ntlm: Added support for SSPI package info query
+ memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
- Just as with the SSPI implementations of Digest and Negotiate added a
- package info query so that libcurl can a) return a more appropriate
- error code when the NTLM package is not supported and b) it can be of
- use later to allocate a dynamic buffer for the Type-1 and Type-3
- output tokens rather than use a fixed buffer of 1024 bytes.
+ Fixes #828
-Daniel Stenberg (7 Aug 2014)
-- http2: added some more logging for debugging stream problems
+- [Jonathan brought this change]
-- [Tatsuhiro Tsujikawa brought this change]
+ README.md: polish
+
+ Closes #834
- HTTP/2: Reset promised stream, not its associated stream.
+- RELEASE-NOTES: fix vuln link
-- [Tatsuhiro Tsujikawa brought this change]
+Version 7.49.1 (30 May 2016)
- HTTP/2: Move :authority before non-pseudo header fields
+Daniel Stenberg (30 May 2016)
+- RELEASE-NOTES: 7.49.1
-- http2: show the received header for better debugging
+- [Steve Holme brought this change]
-- openssl: replace call to OPENSSL_config
+ loadlibrary: Only load system DLLs from the system directory
- OPENSSL_config() is "strongly recommended" to use but unfortunately that
- function makes an exit() call on wrongly formatted config files which
- makes it hard to use in some situations. OPENSSL_config() itself calls
- CONF_modules_load_file() and we use that instead and we ignore its
- return code!
+ Inspiration provided by: Daniel Stenberg and Ray Satiro
- Reported-by: Jan Ehrhardt
- Bug: http://curl.haxx.se/bug/view.cgi?id=1401
-
-Dan Fandrich (7 Aug 2014)
-- [Fabian Keil brought this change]
-
- runtests.pl: Pad test case numbers with up to three zeroes
+ Bug: https://curl.haxx.se/docs/adv_20160530.html
- Test case numbers with four digits have been available for a
- while now.
+ Ref: Windows DLL hijacking with curl, CVE-2016-4802
-Steve Holme (7 Aug 2014)
-- docs: Added Negotiate to the SSPI current credentials usage description
+- ssh: fix version number check typo
-- TODO: HTTP Digest via Windows SSPI
-
-- TODO: FTP GSSAPI via Windows SSPI
+Jay Satiro (29 May 2016)
+- curl_share_setopt.3: Add min ver needed for ssl session lock
+
+ Bug: https://github.com/curl/curl/issues/826
+ Reported-by: Michael Wallner
-- http_negotiate_sspi: Fixed specific username and password not working
+Daniel Stenberg (29 May 2016)
+- ssh: fix build for libssh2 before 1.2.6
- Bug: http://curl.haxx.se/mail/lib-2014-06/0224.html
- Reported-by: Leonardo Rosati
+ The statvfs functionality was added to libssh2 in that version, so we
+ switch off that functionality when built with older libraries.
+
+ Fixes #831
-- http_negotiate_sspi: Fixed endless unauthorized loop in commit 6bc76194e8
+- mbedtls: fix includes so snprintf() works
+
+ Regression from the previous *printf() rearrangements, this file missed to
+ include the correct header to make sure snprintf() works universally.
- If the server rejects our authentication attempt and curl hasn't
- called CompleteAuthToken() then the status variable will be
- SEC_I_CONTINUE_NEEDED and not SEC_E_OK.
+ Reported-by: Moti Avrahami
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
+
+Steve Holme (23 May 2016)
+- checksrc.pl: Added variants of strcat() & strncat() to banned function list
- As such the existing detection mechanism for determining whether or not
- the authentication process has finished is not sufficient.
+ Added support for checking the tchar, unicode and mbcs variants of
+ strcat() and strncat() in the banned function list.
+
+Daniel Stenberg (23 May 2016)
+- smtp: minor ident (white space) fixes
+
+- THANKS: updated after script fixes
- However, the WWW-Authenticate: Negotiate header line will not contain
- any data when the server has exhausted the negotiation, so we can use
- that coupled with the already allocated context pointer.
+ Now giving credit properly to github user names, fixed some UTF-8 issues
+ and added names discovered when contrithanks was improved.
+
+- THANKS-filter: more name cleanups
+
+- contrithanks.sh: exclude existing names case insensitively
-Daniel Stenberg (5 Aug 2014)
-- RELEASE-NOTES: synced with 5b37db44a3eb
+- contrithanks.sh: use same grep pattern and -a flag as contributors.sh
-Dan Fandrich (5 Aug 2014)
-- parsedate.c: fix the return code for an overflow edge condition
+- contributors.sh: better grep pattern, use grep -a
-Daniel Stenberg (5 Aug 2014)
-- [Toby Peterson brought this change]
+- THANKS-filter: fix more names
- darwinssl: don't use strtok()
+- contrithanks.sh: do the same github fix as contributors.sh
- The GetDarwinVersionNumber() function uses strtok, which is not
- thread-safe.
+ from 1577bfa35ba
-- Curl_ossl_version: adapted to detect BoringSSL
+Jay Satiro (23 May 2016)
+- contributors: Show GitHub username if real name unknown
- This seems to be the way it should work. Right now we can't build with
- BoringSSL and try this out properly due to a minor API breakage.
+ Prior to this change if a GitHub contributor's real name was unknown
+ they would be omitted from the list.
+
+ Bug: https://github.com/curl/curl/issues/824
+
+Daniel Stenberg (21 May 2016)
+- RELEASE-NOTES: synced with 3caaeffbe8ded4
-- Curl_ossl_version: detect and show libressl
+Jay Satiro (20 May 2016)
+- openssl: cleanup must free compression methods
+
+ - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
- LibreSSL is otherwise OpenSSL API compliant (so far)
+ Bug: https://github.com/curl/curl/issues/817
+ Reported-by: jveazey@users.noreply.github.com
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (20 May 2016)
+- [Gisle Vanem brought this change]
- HTTP/2: Fix infinite loop in readwrite_data()
+ curl_multibyte: fix compiler error
+
+ While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
+ getting:
+
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
+ to follow 'CURL_EXTERN'
- To prevent infinite loop in readwrite_data() function when stream is
- reset before any response body comes, reset closed flag to false once
- it is evaluated to true.
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
+ 'curl_domalloc': not in formal parameter list
-Dan Fandrich (3 Aug 2014)
-- gtls: only define Curl_gtls_seed if Nettle is not being used
+- THANKS-filter: make Jan-E get proper credit
-- ssl: provide Curl_ssl_backend even if no SSL library is available
+- [Jan-E brought this change]
-Daniel Stenberg (2 Aug 2014)
-- [Tatsuhiro Tsujikawa brought this change]
+ winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
+
+ Closes #818
- HTTP2: Support expect: 100-continue
+- [Alexander Traud brought this change]
+
+ libcurl.m4: Avoid obsolete warning
- "Expect: 100-continue", which was once deprecated in HTTP/2, is now
- resurrected in HTTP/2 draft 14. This change adds its support to
- HTTP/2 code. This change also includes stricter header field
- checking.
+ Closes #821
-- CURLOPT_SSL_VERIFYPEER.3. add a warning about disabling it
+Jay Satiro (20 May 2016)
+- [Michael Kaufmann brought this change]
-- FEATURES: minor update
+ CURLOPT_CONNECT_TO.3: user must not free the list prematurely
+
+ The connect-to list isn't copied so as long as the handle may be used
+ for a transfer the list must be valid.
+
+ Bug: https://github.com/curl/curl/pull/819
+ Reported-by: Michael Kaufmann
+
+Daniel Stenberg (19 May 2016)
+- RELEASE-NOTES: synced with 48114a8634242c
-- openssl: make ossl_send return CURLE_OK better
+- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
- Previously it only returned a CURLcode for errors, which is when it
- returns a different size than what was passed in to it.
+ See OpenSSL commit 21e001747d4a
+
+- http2: use HTTP/2 in the HTTP/1.1-alike header
- The http2 code only checked the curlcode and thus failed.
+ ... when generating them, not "2.0" as the protocol is called just
+ HTTP/2 and nothing else.
-- RELEASE-NOTES: synced with 7bb4c8cadb5d0
+Jay Satiro (19 May 2016)
+- dist: include curl_multi_socket_all.3
+
+ Closes https://github.com/curl/curl/pull/816
-- [Michael Wallner brought this change]
+Steve Holme (18 May 2016)
+- bump: Start work on 7.49.1
- CURLOPT_HEADEROPT.3: typo: do -> to
+Daniel Stenberg (18 May 2016)
+- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
+
+ The preprocessor check that sets up the 32bit defines for non-configure
+ builds didn't work properly for MIPS systems as __mips__ is defined for
+ both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
+
+ Reported-by: Tomas Jakobsson
+ Fixes #813
- [Marcel Raad brought this change]
- schannel: use CryptGenRandom for random numbers
+ schannel: fix compile break with MSVC XP toolset
- This function is available for every Windows version since Windows 95/NT.
+ For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
+ 7.1 is used. In this case, _USING_V110_SDK71_ is defined.
- reference:
- http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942.aspx
+ Closes #812
-- curl_version_info.3: 'ssl_version_num' is always 0
+- dist: include CHECKSRC.md
- ... and has been so since 2005
+ Reported-by: Paul Howarth
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html
-- ssl: generalize how the ssl backend identifier is set
+- test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist
- Each backend now defines CURL_SSL_BACKEND accordingly. Added the *AXTLS
- one which was missing previously.
+ Reported-by: Ray Satiro
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html
-Dan Fandrich (31 Jul 2014)
-- axtls: define curlssl_random using axTLS's PRNG
+Version 7.49.0 (17 May 2016)
-- cyassl: fix the test for ASN_NO_SIGNER_E
-
- It's an enum so a macro test won't work. The CyaSSL changelog doesn't
- say exactly when this error code was introduced, but it's likely
- to be 2.7.0.
-
-- cyassl: use RNG_GenerateBlock to generate a good random number
+Daniel Stenberg (17 May 2016)
+- THANKS: 24 new names from 7.49.0 release notes
-- opts: fixed some typos
+- RELEASE-NOTES: 7.49.0
-- smtp: fixed a segfault during test 1320 torture test
+- mbedtls/polarssl: set "hostname" unconditionally
- Under these circumstances, the connection hasn't been fully established
- and smtp_connect hasn't been called, yet smtp_done still calls the state
- machine which dereferences the NULL conn pointer in struct pingpong.
-
-Daniel Stenberg (30 Jul 2014)
-- vtls: repair build without TLS support
+ ...as otherwise the TLS libs will skip the CN/SAN check and just allow
+ connection to any server. curl previously skipped this function when SNI
+ wasn't used or when connecting to an IP address specified host.
+
+ CVE-2016-3739
- ... by defining Curl_ssl_random() properly
+ Bug: https://curl.haxx.se/docs/adv_20160518A.html
+ Reported-by: Moti Avrahami
-- polarssl: provide a (weak) random function
+- [Frank Gevaerts brought this change]
+
+ CURLOPT_RESOLVE.3: fix typo
- This now provides a weak random function since PolarSSL doesn't have a
- quick and easy way to provide a good one. It does however provide the
- framework to make one so it _can_ and _should_ be done...
+ Closes #811
-- [Michael Wallner brought this change]
+- docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE
- curl_tlsinfo -> curl_tlssessioninfo
+- KNOWN_BUGS: GnuTLS backend skips really long certificate fields
+
+ Closes #762
-- cyassl: use the default (weeker) random
+- CURLOPT_HTTPPOST.3: the data needs to be around while in use
+
+- openssl: get_cert_chain: fix NULL dereference
- I couldn't find any dedicated function in its API to get a "good" random
- with.
+ CID 1361815: Explicit null dereferenced (FORWARD_NULL)
-- cyassl: made it compile with version 2.0.6 again
+- openssl: get_cert_chain: avoid NULL dereference
- ASN_NO_SIGNER_E didn't exist back then!
+ CID 1361811: Explicit null dereferenced (FORWARD_NULL)
-- vtls: make the random function mandatory in the TLS backend
+- dprintf_formatf: fix (false?) Coverity warning
- To force each backend implementation to really attempt to provide proper
- random. If a proper random function is missing, then we can explicitly
- make use of the default one we use when TLS support is missing.
+ CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when
+ we run over 'workend' but the condition says <= workend and for all I
+ can see it should be safe. Compensating for the warning by adding a byte
+ margin in the buffer.
- This commit makes sure it works for darwinssl, gnutls, nss and openssl.
+ Also, removed the extra brace level indentation in the code and made it
+ so that 'workend' is only assigned once within the function.
-- libcurl.m4: include the standard source header
-
- ... with permission from David Shaw
+- RELEASE-NOTES: synced with 2dcb5adc72d6
-Kamil Dudka (28 Jul 2014)
-- nss: do not check the version of NSS at run time
-
- The minimal required version of NSS is 3.14.x so it does not make sense
- to check for NSS 3.12.0+ at run time.
+- THANKS-filter: fixed Jonathan Cardoso
-Daniel Stenberg (28 Jul 2014)
-- [Anthon Pang brought this change]
+Jay Satiro (15 May 2016)
+- ftp: fix incorrect out-of-memory code in Curl_pretransfer
+
+ - Return value type must match function type.
+
+ s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/
+
+ Caught by Travis CI
- curl.h: bring back CURLE_OBSOLETE16
+Daniel Stenberg (15 May 2016)
+- ftp wildcard: segfault due to init only in multi_perform
+
+ The proper FTP wildcard init is now more properly done in Curl_pretransfer()
+ and the corresponding cleanup in Curl_close().
- Removing defines, even obsolete ones that haven't been used for a very
- long time, still break a lot of applications.
+ The previous place of init/cleanup code made the internal pointer to be NULL
+ when this feature was used with the multi_socket() API, as it was made within
+ the curl_multi_perform() function.
- Bug: https://github.com/bagder/curl/pull/106
+ Reported-by: Jonathan Cardoso Machado
+ Fixes #800
-Dan Fandrich (26 Jul 2014)
-- [Fabian Keil brought this change]
+Jay Satiro (13 May 2016)
+- libcurl-tlibcurl-thread: Update OpenSSL links
+
+ Because the old OpenSSL link now redirects to their master documentation
+ (currently 1.1.0), which does not document the required actions for
+ OpenSSL <= 1.0.2.
- tests: Fix a couple of incomplete response lines
+Daniel Stenberg (13 May 2016)
+- [Viktor Szakats brought this change]
-- [Fabian Keil brought this change]
+ darwinssl.c: fix OS X codename typo in comment
- runtests.pl: Remove filteroff() which hasn't been used since 2001
+- RELEASE-NOTES: synced with 68701e51c1f7
+
+ Added 8 bug fixes and 5 more contrbutors
-- [Fabian Keil brought this change]
+- [Jay Satiro brought this change]
- runtests.pl: Don't expect $TESTDIR/DISABLED to exist
+ mprintf: Fix processing of width and prec args
- If a non-standard $TESTDIR is used the file may not be necessary.
+ Prior to this change a width arg could be erroneously output, and also
+ width and precision args could not be used together without crashing.
- Previously a "missing" file resulted in the warning:
- readline() on closed filehandle D at ./runtests.pl line 4940.
-
-- [Fabian Keil brought this change]
+ "%0*d%s", 2, 9, "foo"
+
+ Before: "092"
+ After: "09foo"
+
+ "%*.*s", 5, 2, "foo"
+
+ Before: crash
+ After: " fo"
+
+ Test 557 is updated to verify this and more
- getpart.pm: Fix a comment typo
+- [Michael Kaufmann brought this change]
-Daniel Stenberg (25 Jul 2014)
-- c-ares: fix build without IPv6 support
+ ConnectionExists: follow-up fix for proxy re-use
- Bug: http://curl.haxx.se/mail/lib-2014-07/0337.html
- Reported-by: Spork Schivago
+ Follow-up commit to 5823179
+
+ Closes #648
-- Curl_base64url_encode: unit-tested in 1302
+- [Per Malmberg brought this change]
-- base64: added Curl_base64url_encode()
+ darwinssl: fix certificate verification disable on OS X 10.8
- This is now used by the http2 code. It has two different symbols at the
- end of the base64 table to make the output "url safe".
+ The new way of disabling certificate verification doesn't work on
+ Mountain Lion (OS X 10.8) so we need to use the old way in that version
+ too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2
+ and 10.11.
- Bug: https://github.com/tatsuhiro-t/nghttp2/issues/62
+ Closes #802
-- [Marcel Raad brought this change]
+- [Cory Benfield brought this change]
- SSPI Negotiate: Fix 3 memory leaks
+ http2: Add space between colon and header value
+
+ curl's representation of HTTP/2 responses involves transforming the
+ response to a format that is similar to HTTP/1.1. Prior to this change,
+ curl would do this by separating header names and values with only a
+ colon, without introducing a space after the colon.
+
+ While this is technically a valid way to represent a HTTP/1.1 header
+ block, it is much more common to see a space following the colon. This
+ change introduces that space, to ensure that incautious tools are safely
+ able to parse the header block.
- Curl_base64_decode allocates the output string by itself and two other
- strings were not freed either.
+ This also ensures that the difference between the HTTP/1.1 and HTTP/2
+ response layout is as minimal as possible.
+
+ Bug: https://github.com/curl/curl/issues/797
+
+ Closes #798
+ Fixes #797
-- symbols: CURL_VERSION_GSSNEGOTIATE is deprecated
+Kamil Dudka (12 May 2016)
+- openssl: fix compile-time warning in Curl_ossl_check_cxn()
+
+ ... introduced in curl-7_48_0-293-g2968c83:
+
+ Error: COMPILER_WARNING:
+ lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’
+ lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’
+ may alter its value [-Wconversion]
-- test1013.pl: GSS-Negotiate doesn't exist as a feature anymore
+Jay Satiro (11 May 2016)
+- openssl: stricter connection check function
+
+ - In the case of recv error, limit returning 'connection still in place'
+ to EINPROGRESS, EAGAIN and EWOULDBLOCK.
+
+ This is an improvement on the parent commit which changed the openssl
+ connection check to use recv MSG_PEEK instead of SSL_peek.
+
+ Ref: https://github.com/curl/curl/commit/856baf5#comments
-- [Sergey Nikulov brought this change]
+Daniel Stenberg (11 May 2016)
+- [Anders Bakken brought this change]
- libtest: fixed duplicated line in Makefile
+ TLS: SSL_peek is not a const operation
- Bug: https://github.com/bagder/curl/pull/105
+ Calling SSL_peek can cause bytes to be read from the raw socket which in
+ turn can upset the select machinery that determines whether there's data
+ available on the socket.
+
+ Since Curl_ossl_check_cxn only tries to determine whether the socket is
+ alive and doesn't actually need to see the bytes SSL_peek seems like
+ the wrong function to call.
+
+ We're able to occasionally reproduce a connect timeout due to this
+ bug. What happens is that Curl doesn't know to call SSL_connect again
+ after the peek happens since data is buffered in the SSL buffer and thus
+ select won't fire for this socket.
+
+ Closes #795
-Patrick Monnerat (23 Jul 2014)
-- GSSAPI: remove useless *_MECHANISM defines.
+Jay Satiro (9 May 2016)
+- [Daniel Stenberg brought this change]
-Daniel Stenberg (23 Jul 2014)
-- findprotocol: show unsupported protocol within quotes
+ TLS: move the ALPN/NPN enable bits to the connection
- ... to aid when for example prefixed with a space or other weird
- character.
+ Only protocols that actually have a protocol registered for ALPN and NPN
+ should try to get that negotiated in the TLS handshake. That is only
+ HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
+ would wrongly be used in all handshakes if libcurl was built with it
+ enabled.
+
+ Reported-by: Jay Satiro
+
+ Fixes #789
-Patrick Monnerat (23 Jul 2014)
-- GSSAPI: private export mechanisms OIDs. OS400: Make RPG binding up to date.
+Daniel Stenberg (8 May 2016)
+- libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl
-Daniel Stenberg (23 Jul 2014)
-- [Marcel Raad brought this change]
+- [Antonio Larrosa brought this change]
- conncache: fix compiler warning
+ connect: fix invalid "Network is unreachable" errors
- warning C4267: '=' : conversion from 'size_t' to 'long', possible loss
- of data
+ Sometimes, in systems with both ipv4 and ipv6 addresses but where the
+ network doesn't support ipv6, Curl_is_connected returns an error
+ (intermittently) even if the ipv4 socket connects successfully.
- The member connection_id of struct connectdata is a long (always a
- 32-bit signed integer on Visual C++) and the member next_connection_id
- of struct conncache is a size_t, so one of them should be changed to
- match the other.
+ This happens because there's a for-loop that iterates on the sockets but
+ the error variable is not resetted when the ipv4 is checked and is ok.
- This patch the size_t in struct conncache to long (the less invasive
- change as that variable is only ever used in a single code line).
+ This patch fixes this problem by setting error to 0 when checking the
+ second socket and not having a result yet.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1399
+ Fixes #794
-- RELEASE-NOTES: synced with 81cd24adb8b
+Jay Satiro (5 May 2016)
+- FAQ: refer to thread safety guidelines
-- http2: more and better error checking
+Daniel Stenberg (3 May 2016)
+- connections: non-HTTP proxies on different ports aren't reused either
- 1 - fixes the warnings when built without http2 support
+ Reported-by: Oleg Pudeyev and fuchaoqun
- 2 - adds CURLE_HTTP2, a new error code for errors detected by nghttp2
- basically when they are about http2 specific things.
+ Fixes #648
-Dan Fandrich (23 Jul 2014)
-- cyassl.c: return the correct error code on no CA cert
+- http: make sure a blank header overrides accept_decoding
- CyaSSL 3.0.0 returns a unique error code if no CA cert is available,
- so translate that into CURLE_SSL_CACERT_BADFILE when peer verification
- is requested.
+ Reported-by: rcanavan
+ Assisted-by: Isaac Boukris
+ Closes #785
-Daniel Stenberg (23 Jul 2014)
-- symbols-in-versions: new SPNEGO/GSS-API symbols in 7.38.0
+- CHECKSRC.md: clarified, explained the whitelist file
-- test1013.pl: remove SPNEGO/GSS-API tweaks
-
- No longer necessary after Michael Osipov's rework
+- nroff-scan.pl: verify that references are made with \fI
-- http_negotiate: remove unused variable
+- docs: unified man page references to use \fI
-- [Michael Osipov brought this change]
+- TODO: 17.14 --fail without --location should treat 3xx as a failure
+
+ Closes #727
- docs: Improve inline GSS-API naming in code documentation
+- RELEASE-NOTES: synced with 7987f5cb14d
-- [Michael Osipov brought this change]
+- [Isaac Boukris brought this change]
- curl.h/features: Deprecate GSS-Negotiate macros due to bad naming
+ CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
- - Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE
- - CURL_VERSION_GSSNEGOTIATE is deprecated which
- is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and
- CURUL_VERSION_SPNEGO now.
- - Remove display of feature 'GSS-Negotiate'
+ Mention possible content-length mismatch with sum of bytes reported
+ by write callbacks when auto decoding is enabled.
+
+ See #785
-- [Michael Osipov brought this change]
+- test1140: run nroff-scan to verify man pages
- configure/features: Add feature and version info for GSS-API and SPNEGO
+- nroff-scan.pl: verify the .BR references as well
-- [Michael Osipov brought this change]
+- CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference
- HTTP: Remove checkprefix("GSS-Negotiate")
-
- That auth mech has never existed neither on MS nor on Unix side.
- There is only Negotiate over SPNEGO.
+- CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE
-- [Michael Osipov brought this change]
+- curl_easy_pause.3: fix man page reference
- curl_gssapi: Add macros for common mechs and pass them appropriately
+Jay Satiro (1 May 2016)
+- tool_cb_hdr: Fix --remote-header-name with schemeless URL
+
+ - Move the existing scheme check from tool_operate.
- Macros defined: KRB5_MECHANISM and SPNEGO_MECHANISM called from
- HTTP, FTP and SOCKS on Unix
+ In the case of --remote-header-name we want to parse Content-disposition
+ for a filename, but only if the scheme is http or https. A recent
+ adjustment 0dc4d8e was made to account for schemeless URLs however it's
+ not 100% accurate. To remedy that I've moved the scheme check to the
+ header callback, since at that point the library has already determined
+ the scheme.
+
+ Bug: https://github.com/curl/curl/issues/760
+ Reported-by: Kai Noda
-- CONNECT: Revert Curl_proxyCONNECT back to 7.29.0 design
+Daniel Stenberg (1 May 2016)
+- tls: make setting pinnedkey option fail if not supported
- This reverts commit cb3e6dfa3511 and instead fixes the problem
- differently.
+ to make it obvious to users trying to use the feature with TLS backends
+ not supporting it.
- The reverted commit addressed a test failure in test 1021 by simplifying
- and generalizing the code flow in a way that damaged the
- performance. Now we modify the flow so that Curl_proxyCONNECT() again
- does as much as possible in one go, yet still do test 1021 with and
- without valgrind. It failed due to mistakes in the multi state machine.
+ Discussed in #781
+ Reported-by: Travis Burtrum
+
+- nroff-scan.pl: verifies nroff pages
- Bug: http://curl.haxx.se/bug/view.cgi?id=1397
- Reported-by: Paul Saab
+ ... not used by any test yet but can be used stand-alone.
-- [Marcel Raad brought this change]
+- opts: fix broken/bad references
+
+- [Michael Kaufmann brought this change]
- url.c: use the preferred symbol name: *READDATA
+ docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
- with CURL_NO_OLDIES defined, it doesn't compile because this deprecated
- symbol (*INFILE) is used
+ Closes #786
+
+- CURLOPT_ACCEPT_ENCODING.3: clarified
- Bug: http://curl.haxx.se/bug/view.cgi?id=1398
+ As discussed in #785
-Dan Fandrich (19 Jul 2014)
-- [Alessandro Ghedini brought this change]
+- curl.1: --mail-rcpt can be used multiple times
+
+ Reported-by: mgendre
+ Closes #784
- CURLOPT_CHUNK_BGN_FUNCTION: fix typo
+- [Karlson2k brought this change]
-Kamil Dudka (18 Jul 2014)
-- [Alessandro Ghedini brought this change]
+ tests: Use 'pathhelp' for paths conversions in secureserver.pl
+
+ Closes #675
- build: link curl to NSS libraries when NSS support is enabled
+- [Karlson2k brought this change]
+
+ tests: Use 'pathhelp' for paths conversions in sshserver.pl
+
+- [Karlson2k brought this change]
+
+ tests: Use 'pathhelp' for current path in runtests.pl
+
+- [Karlson2k brought this change]
+
+ tests: pathhelp.pm to process paths on Msys/Cygwin
+
+- lib: include curl_printf.h as one of the last headers
+
+ curl_printf.h defines printf to curl_mprintf, etc. This can cause
+ problems with external headers which may use
+ __attribute__((format(printf, ...))) markers etc.
+
+ To avoid that they cause problems with system includes, we include
+ curl_printf.h after any system headers. That makes the three last
+ headers to always be, and we keep them in this order:
- This fixes a build failure on Debian caused by commit
- 24c3cdce88f39731506c287cb276e8bf4a1ce393.
+ curl_printf.h
+ curl_memory.h
+ memdebug.h
- Bug: http://curl.haxx.se/mail/lib-2014-07/0209.html
+ None of them include system headers, they all do funny #defines.
+
+ Reported-by: David Benjamin
+
+ Fixes #743
-Steve Holme (17 Jul 2014)
-- build: Removed unnecessary XML Documentation file directive from VC8 to VC12
+- memdebug.h: remove inclusion of other headers
- The curl tool project files for VC8 to VC12 would set this setting to
- $(IntDir) which is the Visual Studio default value. To avoid confusion
- when viewing settings from within Visual Studio and for consistency
- with the libcurl project files removed this setting.
+ Mostly because they're not needed, because memdebug.h is always included
+ last of all headers so the others already included the correct ones.
- Conflicts:
- projects/Windows/VC10/src/curlsrc.tmpl
- projects/Windows/VC11/src/curlsrc.tmpl
- projects/Windows/VC12/src/curlsrc.tmpl
- projects/Windows/VC8/src/curlsrc.tmpl
- projects/Windows/VC9/src/curlsrc.tmpl
+ But also, starting now we don't want this to accidentally include any
+ system headers, as the header included _before_ this header may add
+ defines and other fun stuff that we won't want used in system includes.
+
+- [Jay Satiro brought this change]
-- build: Removed unnecessary Precompiled Header file directive in VC7 to VC12
+ curl -J: make it work even without http:// scheme on URL
- The curl tool project files for VC7 to VC12 would set this settings to
- $(IntDir)$(TargetName).pch which is the Visual Studio default value. To
- avoid confusion when viewing settings from within Visual Studio and for
- consistency with the libcurl project files removed this setting.
+ It does open up a miniscule risk that one of the other protocols that
+ libcurl could use would send back a Content-Disposition header and then
+ curl would act on it even if not HTTP.
- Conflicts:
- projects/Windows/VC10/src/curlsrc.tmpl
- projects/Windows/VC11/src/curlsrc.tmpl
- projects/Windows/VC12/src/curlsrc.tmpl
- projects/Windows/VC8/src/curlsrc.tmpl
- projects/Windows/VC9/src/curlsrc.tmpl
+ A future mitigation for this risk would be to allow the callback to ask
+ libcurl which protocol is being used.
+
+ Verified with test 1312
+
+ Closes #760
-- build: Removed unnecessary ASM and Object file directives in VC7 to VC12
+- manpage-scan.pl: also verify the command line option docs
- The curl tool project files for VC7 to VC12 would set these settings to
- $(IntDir) which is the Visual Studio default value. To avoid confusion
- when viewing settings from within Visual Studio and for consistency
- with the libcurl project files removed these two settings.
+ This script now also scans src/tool_getparam.c, docs/curl.1 and
+ src/tool_help.c and will warn if any of them lists a command line option
+ not mentioned in one of the other places.
-Daniel Stenberg (17 Jul 2014)
-- [Dave Reisner brought this change]
+- curl: show the long option version of -q in the -h list
- src/Makefile.am: add .DELETE_ON_ERROR
+- curl: remove "--socks" as "--socks5" turned 8
- This prevents targets like tool_hugehelp.c from leaving around
- half-constructed files if the rule fails with GNU make.
+ In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated
+ and it has not been documented since. The more explicit socks options
+ (like --socks4 or --socks5) should be used.
+
+- curl.1: document the deprecated --ftp-ssl option
+
+- curl: remove --http-request
- Reported-by: Rafaël Carré <funman@videolan.org>
+ It was mentioned as deprecated already in commit ae1912cb0d4 from
+ 1999. It has not been documented in this millennium.
-- THANKS: added new contributors from 7.37.1 announcement
+- curl: mention --ntlm-wb in -h list
-Dan Fandrich (17 Jul 2014)
-- testcurl.pl: log the value of --runtestopts in the test header
+- curl: -h output lacked --proxy-header
-Daniel Stenberg (16 Jul 2014)
-- RELEASE-NOTES: cleared, working towards next release
+- curl.1: document --ntlm-wb
-- curl_gssapi.c: make line shorter than 80 columns
+- curl.1: document the long format of -q: --disable
-- [David Woodhouse brought this change]
+- curl.1: mention the deprecated --krb4 option
- Fix negotiate auth to proxies to track correct state
+- curl.1: document --ftp-ssl-reqd
+
+ Even if deprecated, document it so that people will find it as old
+ scripts may still use it.
-- [David Woodhouse brought this change]
+- curl: use --telnet-option as documented
+
+ The code said "telnet-options" but no documentation ever said so. It
+ worked fine since the code is fine with a unique match of the first
+ part.
- Don't abort Negotiate auth when the server has a response for us
+- getparam: remove support for --ftpport
- It's wrong to assume that we can send a single SPNEGO packet which will
- complete the authentication. It's a *negotiation* — the clue is in the
- name. So make sure we handle responses from the server.
+ It has been deprecated and undocumented since commit ad5ead8bed7 (Dec
+ 2003). --ftp-port is the proper long option name.
+
+- curl: make --disable work as long form of -q
- Curl_input_negotiate() will already handle bailing out if it thinks the
- state is GSS_S_COMPLETE (or SEC_E_OK on Windows) and the server keeps
- talking to us, so we should avoid endless loops that way.
+ To make the aliases list reflect reality.
-- [David Woodhouse brought this change]
+- aliases: remove trailing space from capath string
- Don't clear GSSAPI state between each exchange in the negotiation
+- cmdline parse: only single letter options have single-letter strings
- GSSAPI doesn't work very well if we forget everything ever time.
+ ... moved around options so that parsing the code to find all
+ single-letter options easier.
+
+Jay Satiro (28 Apr 2016)
+- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
- XX: Is Curl_http_done() the right place to do the final cleanup?
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html
+ Reported-by: Bru Rom
-- [David Woodhouse brought this change]
+Daniel Stenberg (28 Apr 2016)
+- curl_easy_getinfo.3: remove superfluous blank lines
- Use SPNEGO for HTTP Negotiate
+- test1139: verifies libcurl option man page presence
- This is the correct way to do SPNEGO. Just ask for it
+ - checks that each option has its own man page present
- Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket
- isn't available. Of course, we bail out when the server responds with the
- challenge packet, since we don't expect that. But I'll fix that bug next...
+ - checks that each option is mentioned in its corresponding index man
+ page
-- [David Woodhouse brought this change]
+- curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION
+
+ ... although it is deprecated.
- Remove all traces of FBOpenSSL SPNEGO support
+Jay Satiro (28 Apr 2016)
+- mbedtls: Fix session resume
- This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
- allows client and server to negotiate the underlying mechanism which will
- actually be used to authenticate. This is *often* Kerberos, and can also
- be NTLM and other things. And to complicate matters, there are various
- different OIDs which can be used to specify the Kerberos mechanism too.
+ This also fixes PolarSSL session resume.
- A SPNEGO exchange will identify *which* GSSAPI mechanism is being used,
- and will exchange GSSAPI tokens which are appropriate for that mechanism.
+ Prior to this change the TLS session information wasn't properly
+ saved and restored for PolarSSL and mbedTLS.
- But this SPNEGO implementation just strips the incoming SPNEGO packet
- and extracts the token, if any. And completely discards the information
- about *which* mechanism is being used. Then we *assume* it was Kerberos,
- and feed the token into gss_init_sec_context() with the default
- mechanism (GSS_S_NO_OID for the mech_type argument).
+ Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
+ Reported-by: Thomas Glanzmann
- Furthermore... broken as this code is, it was never even *used* for input
- tokens anyway, because higher layers of curl would just bail out if the
- server actually said anything *back* to us in the negotiation. We assume
- that we send a single token to the server, and it accepts it. If the server
- wants to continue the exchange (as is required for NTLM and for SPNEGO
- to do anything useful), then curl was broken anyway.
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
+ Reported-by: Moti Avrahami
+
+Daniel Stenberg (27 Apr 2016)
+- RELEASE-NOTES: synced with f4298fcc6d2
+
+- [Michael Kaufmann brought this change]
+
+ opts: Fix some syntax errors in example code fragments
- So the only bit which actually did anything was the bit in
- Curl_output_negotiate(), which always generates an *initial* SPNEGO
- token saying "Hey, I support only the Kerberos mechanism and this is its
- token".
+ Fixes #779
+
+- openssl: avoid BN_print a NULL bignum
- You could have done that by manually just prefixing the Kerberos token
- with the appropriate bytes, if you weren't going to do any proper SPNEGO
- handling. There's no need for the FBOpenSSL library at all.
+ OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
+ numbers so make sure the function handles this.
- The sane way to do SPNEGO is just to *ask* the GSSAPI library to do
- SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context()
- is for. And then it should all Just Work™.
+ Reported-by: Linus Nordberg
+
+- [Marcel Raad brought this change]
+
+ CONNECT_ONLY: don't close connection on GSS 401/407 reponses
- That 'sane way' will be added in a subsequent patch, as will bug fixes
- for our failure to handle any exchange other than a single outbound
- token to the server which results in immediate success.
+ Previously, connections were closed immediately before the user had a
+ chance to extract the socket when the proxy required Negotiate
+ authentication.
+
+ This regression was brought in with the security fix in commit
+ 79b9d5f1a42578f
+
+ Closes #655
-- [David Woodhouse brought this change]
+- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
- ntlm_wb: Avoid invoking ntlm_auth helper with empty username
+- mbedtls.c: silly spellfix of a comment
-- [David Woodhouse brought this change]
+- KNOWN_BUGS: 1.10 Strips trailing dot from host name
+
+ Closes #716
+
+- test1322: verify stripping of trailing dot from host name
+
+ While being debated (in #716) and a violation of RFC 7230 section 5.4,
+ this test verifies that the existing functionality works as intended. It
+ strips the dot from the host name and uses the host without dot
+ throughout the internals.
+
+- multi: accidentally used resolved host name instead of proxy
+
+ Regression introduced in 09b5a998
+
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html
+ Reported-by: BoBo
- ntlm_wb: Fix hard-coded limit on NTLM auth packet size
+- symbols-in-versions: added new CURLSSLBACKEND_ symbols
+
+- test148: fixed after the --ftp-create-dirs retry change
+
+ follow-up commit to 3c1e84f569 as it made curl try a little harder
+
+- curl.h: clarify curl_sslbackend for openssl clones and renames
+
+- [Karlson2k brought this change]
+
+ url.c: fixed DEBUGASSERT() for WinSock workaround
+
+ If buffer is allocated, but nothing is received during prereceive
+ stage, than number of processed bytes must be zero.
+
+ Closes #778
+
+- KNOWN_BUGS: --interface for ipv6 binds to unusable IP address
- Bumping it to 1KiB in commit aaaf9e50ec is all very well, but having hit
- a hard limit once let's just make it cope by reallocating as necessary.
+ Closes #686 for now.
+
+- TODO: 1.17 Add support for IRIs
+
+ Adding support for IRIs is a mouthful, but is probably interesting at
+ least for areas and countries where the use of such "URLs" are growing
+ popularity.
+
+ Closes #776
+
+- THANKS-filter: Travis Burtrum
+
+- lib1517: checksrc compliance
+
+- [moparisthebest brought this change]
-Version 7.37.1 (16 Jul 2014)
+ PolarSSL: Implement public key pinning
-Daniel Stenberg (16 Jul 2014)
-- RELEASE-NOTES: synced with 4cb2521595
+Patrick Monnerat (22 Apr 2016)
+- os400: upgrade ILE/RPG binding
-- test506: verify aa6884845168
+- curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string
+
+Daniel Stenberg (22 Apr 2016)
+- contributors.sh: make --releasenotes implied
- After the fixed cookie lock deadlock, this test now passes and it
- detects double-locking and double-unlocking of mutexes.
+ It got too annoying to type =)
-- [Yousuke Kimoto brought this change]
+- RELEASE-NOTES: synced with 3c1e84f5693d8093
- cookie: avoid mutex deadlock
+- curl: make --ftp-create-dirs retry on failure
+
+ The underlying libcurl option used for this feature is
+ CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir
+ creation, but it was never set to do that by the command line tool.
- ... by removing the extra mutex locks around th call to
- Curl_flush_cookies() which takes care of the locking itself already.
+ Now it does.
- Bug: http://curl.haxx.se/mail/lib-2014-02/0184.html
+ Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html
+ Reported-by: John Wanghui
+ Help-by: Leif W
-- gnutls: fix compiler warning
+- [Henrik Gaßmann brought this change]
+
+ winbuild: add mbedtls support
+
+ Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
+ options mutual exclusive.
- conversion to 'int' from 'long int' may alter its value
+ Closes #606
-Dan Fandrich (15 Jul 2014)
-- test320: strip off the actual negotiated cipher width
+- KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables"
- It's irrelevant to the test, and will change depending on which SSL
- library is being used by libcurl.
+ As of commit d9f3b365a3
-- gnutls: detect lack of SRP support in GnuTLS at run-time and try without
+- [Irfan Adilovic brought this change]
+
+ configure: ac_cv_ -> curl_cv_ for write-only vars
+
+ These configure vars are modified in a curl-specific way but never
+ evaluated or loaded from cache, even though they are designated as
+ _cv_. We could either implement proper AC_CACHE_CHECKs for them, or
+ remove them completely.
+
+ Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and
+ AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after
+ the first configure run with caching.
+
+ `ac_cv_func_strcasecmp` is curious, see #770.
- Reported-by: David Woodhouse
+ `eval "ac_cv_func_$func=yes"` can still cause problems as it works in
+ tandem with AC_CHECK_FUNCS and then potentially modifies its result. It
+ would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro,
+ which works the same as AC_CHECK_FUNCS but relies on caching the values
+ of curl_cv_func_* variables, without modifiying ac_cv_func_*.
-Daniel Stenberg (14 Jul 2014)
-- [Michał Górny brought this change]
+- [Irfan Adilovic brought this change]
- configure: respect host tool prefix for krb5-config
+ configure: ac_cv_ -> curl_cv_ for r/w vars
- Use ${host_alias}-krb5-config if available. This improves cross-
- compilation support and fixes multilib on Gentoo (at least).
+ These configure vars are modified in a curl-specific way and modified by
+ the configure process, but are never loaded from cache, even though they
+ are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
+ them eventually.
-- [David Woodhouse brought this change]
+- [Irfan Adilovic brought this change]
- gnutls: handle IP address in cert name check
+ configure: ac_cv_func_clock_gettime -> curl_...
- Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
- didn't actually check IP addresses in SubjectAltName, even though it was
- explicitly documented as doing so. So do it ourselves...
+ This variable must not be cached in its current form, as any cached
+ information will prevent the next configure run from determining the
+ correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to
+ just `curl_`.
-Dan Fandrich (14 Jul 2014)
-- build: set _POSIX_PTHREAD_SEMANTICS on Solaris to get proper getpwuid_r
+- [Irfan Adilovic brought this change]
-Daniel Stenberg (14 Jul 2014)
-- RELEASE-NOTES: next one is called 7.37.1
+ configure: ac_cv_ -> curl_cv_ for all cached vars
+
+ This was automated by:
+
+ sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \
+ ack -o 'ac_cv_.*?\b' | \
+ sort -u | xargs -n1 bash -c \
+ 'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \
+ $(git ls-files)
+
+ This only changed the prefix for 16 variables actually checked with
+ AC_CACHE_CHECK.
+
+- openssl: builds with OpenSSL 1.1.0-pre5
+
+ The RSA, DSA and DH structs are now opaque and require use of new APIs
+
+ Fixes #763
-Dan Fandrich (13 Jul 2014)
-- gnutls: improved error message if setting cipher list fails
+Steve Holme (20 Apr 2016)
+- url.c: Prefer we don't use explicit NULLs in conditions
- Reported-by: David Woodhouse
+ Fixed commit fa5fa65a30 to not use NULLs in if condition.
-- netrc: fixed thread safety problem by using getpwuid_r if available
+Daniel Stenberg (20 Apr 2016)
+- [Isaac Boukris brought this change]
+
+ NTLM: check for NULL pointer before deferencing
- The old way using getpwuid could cause problems in programs that enable
- reading from netrc files simultaneously in multiple threads.
+ At ConnectionExists, both check->proxyuser and check->proxypasswd
+ could be NULL, so make sure to check first.
- Reported-by: David Woodhouse
+ Fixes #765
-- RELEASE-NOTES: add the reporter of the previous bug fix
+- [Karlson2k brought this change]
-- netrc: treat failure to find home dir same as missing netrc file
+ tests: added test1517
+
+ ... for checking ability to receive full HTTP response when POST request
+ is used with slow read callback function.
- This previously caused a fatal error (with a confusing error code, at
- that).
+ This test checks for bug #657 and verifies the work-around from
+ 72d5e144fbc6.
- Reported by: Glen A Johnson Jr.
+ Closes #720
-Steve Holme (12 Jul 2014)
-- RELEASE-NOTES: Synced with aaaf9e50ec
+- [Karlson2k brought this change]
-- ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
+ sendf.c: added ability to call recv() before send() as workaround
- Bug: http://curl.haxx.se/mail/lib-2014-07/0103.html
- Reported-by: David Woodhouse
+ WinSock destroys recv() buffer if send() is failed. As result - server
+ response may be lost if server sent it while curl is still sending
+ request. This behavior noticeable on HTTP server short replies if
+ libcurl use several send() for request (usually for POST request).
+ To workaround this problem, libcurl use recv() before every send() and
+ keeps received data in intermediate buffer for further processing.
+
+ Fixes: #657
+ Closes: #668
-- build: Fixed overridden compiler PDB settings in VC7 to VC12
+Kamil Dudka (19 Apr 2016)
+- connect: make sure that rc is initialized in singleipconnect()
- The curl tool project files for VC7 to VC12 would override the default
- setting with the output filename being the same as the linker PDB file.
- As such the compiler file would be overwritten with the linker file
- for all debug builds.
+ This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13:
- To avoid this overwrite and for consistency with the libcurl project
- files, removed the setting to force the default filename to be used.
+ Error: CLANG_WARNING:
+ lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value
+ 1118| }
+ 1119|
+ 1120|-> if(-1 == rc)
+ 1121| error = SOCKERRNO;
+ 1122| }
-Dan Fandrich (12 Jul 2014)
-- tests: added globbing keyword to URL globbing tests
+Daniel Stenberg (19 Apr 2016)
+- make/checksrc: use $srcdir, not $top_srcdir
-- Fixed some "statement not reached" warnings
+- src/checksrc.whitelist: removed
-- gnutls: fixed a couple of uninitialized variable references
+- tool_operate: switch to inline checksrc ignore
-- gnutls: fixed compilation against versions < 2.12.0
+- lib/checksrc.whitelist: not needed anymore
- The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but
- the code path in which they're referenced here is only ever used for
- somewhat older GnuTLS versions. This caused undeclared identifier errors
- when compiling against those.
+ ... as checksrc now skips comments
-- gnutls: explicitly added SRP to the priority string
+- vtls.h: remove a space before semicolon
- This seems to have become necessary for SRP support to work starting
- with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS
- before the function that takes this priority string, there should be no
- issue with backward compatibility.
+ ... that the new checksrc detected
-- tests: adjust for capitalization differences in newer gnutls-serv
+- darwinssl: removed commented out code
-- test320/1/2/4: fix the port number substitution variables
+- http_chunks: removed checksrc disable
- These tests have been broken since commit 1958fe57 in Oct. 2011
+ ... since checksrc now skips comments
+
+- imap: inlined checksrc disable instead of whitelist edit
-- tests: document more test identifiers and variables
+- checksrc: taught to skip comments
+
+ ... but output non-stripped version of the line, even if that then can
+ make the script identify the wrong position in the line at
+ times. Showing the line stripped (ie without comments) is just too
+ surprising.
-- gnutls: ignore invalid certificate dates with VERIFYPEER disabled
+- opts/Makefile.am: list all docs file one by one
- This makes the behaviour consistent with what happens if a date can
- be extracted from the certificate but is expired.
+ ... to make it easier to add lines in patches that won't just break all
+ other patches trying to add lines too.
-Steve Holme (10 Jul 2014)
-- CURLOPT_UPLOAD: Corrected argument type
+- curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN
-Daniel Stenberg (9 Jul 2014)
-- FAQ: expand the thread-safe section
+- RELEASE-NOTES: synced with 03de4e4b219
- ... with a mention of *NOSIGNAL, based on talk in bug #1386
+ (since we just merged two major features)
+
+- [Alessandro Ghedini brought this change]
-Dan Fandrich (9 Jul 2014)
-- url.c: Fixed memory leak on OOM
+ connect: implement TCP Fast Open for Linux
- This showed itself on some systems with torture failures
- in tests 1060 and 1061
+ Closes #660
-- Update instances of some obsolete CURLOPTs to their new names
+- [Alessandro Ghedini brought this change]
-Daniel Stenberg (5 Jul 2014)
-- [Marcel Raad brought this change]
+ tool: add --tcp-fastopen option
+
+- [Alessandro Ghedini brought this change]
+
+ connect: implement TCP Fast Open for OS X
+
+- [Alessandro Ghedini brought this change]
+
+ url: add CURLOPT_TCP_FASTOPEN option
- compiler warnings: potentially uninitialized variables
+- checksrc: pass on -D so the whitelists are found correctly
+
+- configure: remove check for libresolve
+
+ 'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
+ but this check is broken and most likely adds nothing useful. Removing
+ now.
- ... pointed out by MSVC2013
+ Reported-by: Irfan Adilovic
- Bug: http://curl.haxx.se/bug/view.cgi?id=1391
+ Discussed in #770
-Kamil Dudka (4 Jul 2014)
-- nss: make the list of CRL items global
+- scripts/make: use $(EXEEXT) for executables
- Otherwise NSS could use an already freed item for another connection.
+ Reported-by: bodop
+
+ Fixes #771
-- nss: fix a memory leak when CURLOPT_CRLFILE is used
+- includes: avoid duplicate memory callback typdefs even harder
-- nss: make crl_der allocated on heap
+- checksrc/makefile.am: use $top_srcdir to find source files
- ... and spell it as crl_der instead of crlDER
+ ... to properly support out of source tree builds.
+
+- RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5
-- nss: let nss_{cache,load}_crl return CURLcode
+- opts: fix option references missing (section)
-- tool: oops, forgot to include <plarenas.h>
+- [Michael Kaufmann brought this change]
+
+ news: CURLOPT_CONNECT_TO and --connect-to
- ... that contains the declaration of PL_ArenaFinish()
+ Makes curl connect to the given host+port instead of the host+port found
+ in the URL.
-- tool: call PL_ArenaFinish() on exit if NSPR is used
+- makefile.vc6: use d suffix on debug object
+
+ To allow both release and debug builds in parallel.
- This prevents valgrind from reporting still reachable memory allocated
- by NSPR arenas (mainly the freelist).
+ Reported-by: Rod Widdowson
- Reported-by: Hubert Kario
+ Fixes #769
-Daniel Stenberg (3 Jul 2014)
-- [Dimitrios Siganos brought this change]
+Jay Satiro (12 Apr 2016)
+- http2: Use size_t type for data drain count
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
- example: use correct type (long) for CURLOPT_FOLLOWLOCATION
+- http2: Improve header parsing
+
+ - Error if a header line is larger than supported.
+
+ - Warn if cumulative header line length may be larger than supported.
+
+ - Allow spaces when parsing the path component.
+
+ - Make sure each header line ends in \r\n. This fixes an out of bounds.
+
+ - Disallow header continuation lines until we decide what to do.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- [Dimitrios Siganos brought this change]
+- http2: Add Curl_http2_strerror for HTTP/2 error codes
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
- Document type of argument for CURLOPT_FOLLOWLOCATION.
+- [Tatsuhiro Tsujikawa brought this change]
-- [Dimitrios Siganos brought this change]
+ http2: Don't increment drain when one header field is received
+
+ Sicne we write header field in temporary location, not in the memory
+ that upper layer provides, incrementing drain should not happen.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
- Document type of argument for CURLOPT_ERRORBUFFER.
+- [Tatsuhiro Tsujikawa brought this change]
-- [Dimitrios Siganos brought this change]
+ http2: Ensure that http2_handle_stream_close is called
+
+ This commit ensures that streams which was closed in on_stream_close
+ callback gets passed to http2_handle_stream_close. Previously, this
+ might not happen. To achieve this, we increment drain property to
+ forcibly call recv function for that stream.
+
+ To more accurately check that we have no pending event before shutting
+ down HTTP/2 session, we sum up drain property into
+ http_conn.drain_total. We only shutdown session if that value is 0.
+
+ With this commit, when stream was closed before reading response
+ header fields, error code CURLE_HTTP2_STREAM is returned even if
+ HTTP/2 level error is NO_ERROR. This signals the upper layer that
+ stream was closed by error just like TCP connection close in HTTP/1.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
- Document type of argument for CURLOPT_COPYPOSTFIELDS.
+- [Tatsuhiro Tsujikawa brought this change]
-- [Dimitrios Siganos brought this change]
+ http2: Process paused data first before tear down http2 session
+
+ This commit ensures that data from network are processed before HTTP/2
+ session is terminated. This is achieved by pausing nghttp2 whenever
+ different stream than current easy handle receives data.
+
+ This commit also fixes the bug that sometimes processing hangs when
+ multiple HTTP/2 streams are multiplexed.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
- Document type of argument for CURLOPT_ADDRESS_SCOPE.
+- [Tatsuhiro Tsujikawa brought this change]
-- curl.1: minor language fix
+ http2: Check session closure early in http2_recv
- Bug: http://curl.haxx.se/mail/archive-2014-07/0006.html
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- [Ray Satiro brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Add handling stream level error
+
+ Previously, when a stream was closed with other than NGHTTP2_NO_ERROR
+ by RST_STREAM, underlying TCP connection was dropped. This is
+ undesirable since there may be other streams multiplexed and they are
+ very much fine. This change introduce new error code
+ CURLE_HTTP2_STREAM, which indicates stream error that only affects the
+ relevant stream, and connection should be kept open. The existing
+ CURLE_HTTP2 means connection error in general.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
- progress callback: skip last callback update on errors
+Daniel Stenberg (11 Apr 2016)
+- http2: drain the socket better...
- When an error has been detected, skip the final forced call to the
- progress callback by making sure to pass the current return code
- variable in the Curl_done() call in the CURLM_STATE_DONE state.
+ ... but ignore EAGAIN if the stream has ended so that we don't end up in
+ a loop. This is a follow-up to c8ab613 in order to avoid the problem
+ d261652 was made to fix.
- This avoids the "extra" callback that could occur even if you returned
- error from the progress callback.
+ Reported-by: Jay Satiro
+ Clues-provided-by: Tatsuhiro Tsujikawa
- Bug: http://curl.haxx.se/mail/lib-2014-06/0062.html
- Reported by: Jonathan Cardoso Machado
+ Discussed in #750
-Dan Fandrich (2 Jul 2014)
-- opts: fixed some CURLOPT references so they get turned into links
+- KNOWN_BUGS: added info for "Hangs with PolarSSL"
-Kamil Dudka (2 Jul 2014)
-- tool: call PR_Cleanup() on exit if NSPR is used
+- KNOWN_BUGS: 1.9 HTTP/2 frames while in the connection pool kill reuse
- This prevents valgrind from reporting possibly lost memory that NSPR
- uses for file descriptor cache and other globally allocated internal
- data structures.
+ Closes #750
+
+- build: include scripts/ in the dist
-- nss: make the fallback to SSLv3 work again
+Steve Holme (9 Apr 2016)
+- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
- This feature was unintentionally disabled by commit ff92fcfb.
+ As these two options provide identical functionality, the former for
+ SOCK5 proxies and the latter for HTTP proxies, merged the two options
+ together.
+
+ As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
+ 7.49.0.
-- nss: do not abort on connection failure
+- urldata: Use bool for socks5_gssapi_nec as it is a flag
- ... due to calling SSL_VersionRangeGet() with NULL file descriptor
+ This value is set to TRUE or FALSE so should be a bool and not a long.
+
+- url: Ternary operator code style changes
+
+- CODE_STYLE: Added ternary operator example to 'Space around operators'
- reported-by: upstream tests 305 and 404
+ Following conversation on the libcurl mailing list.
-Dan Fandrich (1 Jul 2014)
-- opts: Document the socket callback function parameters
+- sasl: Fixed compilation errors from commit 9d89a0387
+
+ ...when GSS-API or Windows SSPI are not used.
-Steve Holme (28 Jun 2014)
-- opts: Fixed some typos
+- url: Corrected comments following 9d89a0387
-Dan Fandrich (25 Jun 2014)
-- curl_easy_setopt.3: fixed the error code for an unsupported option
+- docs: Added clarification following commit 9d89a0387
-- opts: added some DEFAULT and RETURN VALUE sections
+- Makefile: Fixed echo of checksrc check
-Daniel Stenberg (21 Jun 2014)
-- libcurl docs: man page edits
-
- mainly to improve how the web versions render
+- checksrc: Fix issue with the autobuilds not picking up the whitelist
-Dan Fandrich (21 Jun 2014)
-- curl_easy_setopt.3: fixed some typos
+- checksrc: Added missing vauth and vtls directories
-Daniel Stenberg (21 Jun 2014)
-- lib man pages: update easy setopt option references
+- ftp/imap/pop3/smtp: Allow the service name to be overridden
- ... by using the "\fIopt(3)\fP" syntax they will be linked properly when
- the web version of the page is generated.
+ Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
+ authentication in FTP, IMAP, POP3 and SMTP.
-- opts: the CURLOPT_SSL_ENABLE_*PN options are enabled by default
+- http_negotiate: Calculate service name and proxy service name locally
+
+ Calculate the service name and proxy service names locally, rather than
+ in url.c which will allow for us to support overriding the service name
+ for other protocols such as FTP, IMAP, POP3 and SMTP.
-- [Colin Hogben brought this change]
+- ROADMAP: Updated following the move of the authentication code
- lib: documentation updates in README.hostip
+Patrick Monnerat (8 Apr 2016)
+- KNOWN_BUGS: openldap hangs. TODO: binary SASL.
+
+Daniel Stenberg (8 Apr 2016)
+- KNOWN_BUGS: 5.6 Improper use of Autoconf cache variables
- c-ares now does support IPv6;
- avoid implying threaded resolver is Windows-only;
- two referenced source files were renamed in 7de2f92
+ Closes #603
-- curl_easy_setopt.3: CURLOPT_POSTFIELDS is the exception
+- KNOWN_BUGS: 11.2 error buffer not set...
- ... to the always-copy-char *-argument.
+ Closes #544
+
+- KNOWN_BUGS: 11.1 Curl leaks .onion hostnames in DNS
- And fix some minor mistakes.
+ Closes #543
-- curl_easy_setopt.3: refer to the individual man pages
+- KNOWN_BUGS: 1.8 DNS timing is wrong for HTTP redirects
- With all the new individual option man pages created, this now refers to
- each separate one instead of duplicaing the info. Also makes this page
- easier to overview.
+ Closes #522
+
+- TODO: HTTP/2 "prior knowledge" is implemented!
+
+- [Damien Vielpeau brought this change]
-Dan Fandrich (21 Jun 2014)
-- opts: fixed mancheck for out-of-tree builds
+ mbedtls: fix MBEDTLS_DEBUG builds
-Daniel Stenberg (21 Jun 2014)
-- curl_easy_setopt.3: shorten
+- mbedtls: implement and provide *_data_pending()
+
+ ... as otherwise we might get stuck thinking there's no more data to
+ handle.
+
+ Reported-by: Damien Vielpeau
- shorten descriptions, mostly refer to the separate descriptions
+ Fixes #737
-- CURLOPT_DNS_LOCAL_IP4.3: better short desc
+- mbedtls: follow-up for the previous commit
-Dan Fandrich (20 Jun 2014)
-- opts: document CURLE_OUT_OF_MEMORY among other return values
+- mbedtls.c: name space pollution fix, Use 'Curl_'
-- opts: fixed some typos
+- mbedtls.c: changed private prefix to mbed_
+
+ mbedtls_ is the prefix used by the mbedTLS library itself so we should
+ avoid using that for our private functions.
-Daniel Stenberg (20 Jun 2014)
-- opts: various corrections
+- mbedtls.h: fix compiler warnings
-- opts: add the rest of the options
+- Revert "winbuild: trying to set some files eol=crlf for git"
+
+ This reverts commit 9c08b4f1e7eced5a4d3782a3e0daa484c9d77d21.
- ... and fixed mancheck to ignore obsolete options
+ Didn't help. Caused problems.
+
+ Fixes #756
-- opts: the final bunch of options as man pages
+- curl.1: use example.com more
- Now all current options have their own man pages.
+ Make (most) example snippets use the example.com domain instead of the
+ random ones picked and used before. Some of those were probably
+ legitimate sites and some not. example.com is designed for this purpose.
-- opts: 37 additional man pages
+- [Michael Kaufmann brought this change]
-- CURLOPT_URL: move up the text from "Notes"
+ HTTP2: Add a space character after the status code
+
+ The space character after the status code is mandatory, even if the
+ reason phrase is empty (see RFC 7230 section 3.1.2)
+
+ Closes #755
-- ROADMAP: removed, now ROADMAP.md
+- [Viktor Szakats brought this change]
-- ROADMAP.md: make it markdown formatted
+ URLs: change http to https in many places
+
+ Closes #754
-- ROADMAP: initial commit of "curl the next few years"
+- winbuild: trying to set some files eol=crlf for git
- To be further discussed, debated and edited
+ Thinking it might help to apply patches etc with git.
-- opts: more man pages
+- [Theodore Dubois brought this change]
-- CURLOPT_UNRESTRICTED_AUTH.3: added missing 'T'
+ curl.1: change example for -F
+
+ It's a bad idea to send your passwords anywhere, especially over HTTP.
+ Modified example to send a picture instead.
+
+ Fixes #752
-- opts: makefile now includes all current man pages
+- KNOWN_BUGS: reorganized and cleaned up
+
+ Now sorted into categories and organized in the same style we do the
+ TODO document. It will make each issue linked properly on the
+ https://curl.haxx.se/docs/knownbugs.html web page.
+
+ The sections should make it easier to find issues and issues related to
+ areas of the reader's specific interest.
-- opts: 11 more man pages
+Jay Satiro (6 Apr 2016)
+- KNOWN_BUGS: #95 curl in Windows can't handle Unicode arguments
-Dan Fandrich (18 Jun 2014)
-- opts: document CURLE_OUT_OF_MEMORY as RETURN VALUE
+Steve Holme (6 Apr 2016)
+- KNOWN_BUGS: Use https://curl.haxx.se URL for github based issues
-- opts: fixed a couple of typos
+- CHECKSRC.md: Corrected some typos
-Patrick Monnerat (18 Jun 2014)
-- OS400: make it compilable again. Make RPG binding up to date.
+- RELEASE-NOTES: Corrected last updated
+
+ Included a summary of the checksrc.bat updates and combined two krb5
+ changes as they should have been implemented at the same time.
-- buildconf: do not search tools in current directory.
+- vauth: Corrected a number of typos in comments
+
+ Reported-by: Michael Osipov
-Dan Fandrich (18 Jun 2014)
-- curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
+Jay Satiro (5 Apr 2016)
+- KNOWN_BUGS: #94 IMAP custom requests use the LIST handler
- This is consistent with the existing obsolete error code naming
- convention.
+ Bug: https://github.com/curl/curl/issues/536
+ Reported-by: eXeC64@users.noreply.github.com
-Daniel Stenberg (18 Jun 2014)
-- opts: 16 more man pages
+Daniel Stenberg (5 Apr 2016)
+- KNOWN_BUGS: remove 68, 70 and 72.
+
+ Due to their age (we don't fully know if they actually remain) and lack
+ of detail - very few people will bother to find out what they're about
+ or work on them. If people truly still suffer from any of these, I
+ assume they will be reported again and then we'll deal with them.
+
+ 72. "Pausing pipeline problems."
+ https://curl.haxx.se/mail/lib-2009-07/0214.html
+
+ 70. Problem re-using easy handle after call to curl_multi_remove_handle
+ https://curl.haxx.se/mail/lib-2009-07/0249.html
+
+ 68. "More questions about ares behavior".
+ https://curl.haxx.se/mail/lib-2009-08/0012.html
+
+- KNOWN_BUGS: remove 92 and 88, fixed
+
+- http2: fix connection reuse when PING comes after last DATA
+
+ It turns out the google GFE HTTP/2 servers send a PING frame immediately
+ after a stream ends and its last DATA has been received by curl. So if
+ we don't drain that from the socket, it makes the socket readable in
+ subsequent checks and libcurl then (wrongly) assumes the connection is
+ dead when trying to reuse the connection.
+
+ Reported-by: Joonas Kuorilehto
+
+ Discussed in #750
+
+- multi: remove trailing space in debug output
+
+- RELEASE-NOTES: synced with 86e97b642fb
+
+- CHECKSRC.md: mention cmdline options, fix the bullet list
+
+- docs/CHECKSRC.md: initial version
+
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Added support for the examples
+
+Daniel Stenberg (3 Apr 2016)
+- lib/src: fix the checksrc invoke
+
+ ... now works correctly when invoke from the root makefile