Changelog
-Version 7.44.0 (11 Aug 2015)
+Version 7.53.1 (24 Feb 2017)
-Daniel Stenberg (11 Aug 2015)
-- RELEASE-NOTES: synced with c75a1e775061
+Daniel Stenberg (24 Feb 2017)
+- release: 7.53.1
-- [Svyatoslav Mishyn brought this change]
-
- curl_formget.3: correct return code
+- Revert "tests: use consistent environment variables for setting charset"
- Closes #375
-
-- [Svyatoslav Mishyn brought this change]
-
- libcurl-tutorial.3: fix formatting
+ This reverts commit ecd1d020abdae3c3ce3643ddab3106501e62e7c0.
- Closes #374
-
-- [Svyatoslav Mishyn brought this change]
+ That commit caused test failures on my Debian Linux machine for all
+ changed test cases. We need to reconsider how that should get done.
- curl_easy_recv.3: fix formatting
-
-- [Anders Bakken brought this change]
-
- http2: discard frames with no SessionHandle
+Dan Fandrich (23 Feb 2017)
+- tests: use consistent environment variables for setting charset
- Return 0 instead of NGHTTP2_ERR_CALLBACK_FAILURE if we can't locate the
- SessionHandle. Apparently mod_h2 will sometimes send a frame for a
- stream_id we're finished with.
+ Character set in POSIX is set by the locale defined (in decreasing order
+ of precedence) by the LC_ALL, LC_CTYPE and LANG environment variables (I
+ believe CHARSET is only historic). LC_ALL is cleared to ensure that
+ LC_CTYPE takes effect, but LC_ALL is not used to set the locale to
+ ensure that other parts of the locale aren't overriden, if set. Since
+ there doesn't seem to be a cross-platform way of specifying a UTF-8
+ locale, and not all systems may support UTF-8, a <precheck> is used
+ (where relevant) to skip the test if UTF-8 isn't in use. Test 1035 was
+ also converted to UTF-8 for consistency, as the actual character set
+ used there is irrelevant to the test.
+
+Jay Satiro (23 Feb 2017)
+- url: Default the CA proxy bundle location to CURL_CA_BUNDLE
- Use nghttp2_session_get_stream_user_data and
- nghttp2_session_set_stream_user_data to identify SessionHandles instead
- of a hash.
+ If the compile-time CURL_CA_BUNDLE location is defined use it as the
+ default value for the proxy CA bundle location, which is the same as
+ what we already do for the regular CA bundle location.
- Closes #372
+ Ref: https://github.com/curl/curl/pull/1257
-- RELEASE-NOTES: synced with 9ee40ce2aba
+Daniel Stenberg (23 Feb 2017)
+- [Sergii Pylypenko brought this change]
-- [Viktor Szakats brought this change]
-
- build: refer to fixed libidn versions
+ rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header
- closes #371
+ Closes #1285
-- Revert "configure: disable libidn by default"
+- TODO: "OPTIONS *"
- This reverts commit e6749055d65398315fd77f5b5b8234c5552ac2d3.
-
- ... since libidn has since been fixed.
+ Closes #1280
+
+- RELEASE-NOTES: synced with 443e5b03a7d441
-- [Jakub Zakrzewski brought this change]
+- THANKS-filter: shachaf
- CMake: s/HAVE_GSS_API/HAVE_GSSAPI/ to match header define
+- [İsmail Dönmez brought this change]
+
+ tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
- Otherwise the build only pretended to use GSS-API
+ Closes #1283
+ Fixes #1277
+
+- bump: 7.53.1 coming up
- Closes #370
+ synced with df665f4df0f7a352
-- SFTP: fix range request off-by-one in size check
+- formdata: check for EOF when reading from stdin
- Reported-by: Tim Stack
+ Reported-by: shachaf@users.noreply.github.com
- Closes #359
+ Fixes #1281
-- test46: update cookie expire time
+Jay Satiro (22 Feb 2017)
+- docs: gitignore curl.1
- ... since it went old and thus was expired and caused the test to fail!
+ curl.1 is generated by the cmdline-opts script since 4c49b83.
-Steve Holme (9 Aug 2015)
-- generate.bat: Use buildconf.bat for prerequisite file generation
+Daniel Stenberg (22 Feb 2017)
+- TODO: HTTP Digest using SHA-256
-- buildconf.bat: Tidy up of comments after recent commits
+- TODO: brotli is deployed widely now
-- buildconf.bat: Added full generation of src\tool_hugehelp.c
-
- Added support for generating the full man page based on code from
- generate.bat.
+Jay Satiro (21 Feb 2017)
+- [Viktor Szakats brought this change]
-- buildconf.bat: Added detection of groff, nroff, perl and gzip
+ urldata: include curl_sspi.h when Windows SSPI is enabled
- To allow for the full generation of tool_hugehelp.c added detection of
- the required programs - based on code from generate.bat.
+ f77dabe broke builds in Windows using Windows SSPI but not Windows SSL.
+
+ Bug: https://github.com/curl/curl/issues/1276
+ Reported-by: jveazey@users.noreply.github.com
-- buildconf.bat: Move DOS variable clean-up code to separate function
+- url: Improve CURLOPT_PROXY_CAPATH error handling
+
+ - Change CURLOPT_PROXY_CAPATH to return CURLE_NOT_BUILT_IN if the option
+ is not supported, which is the same as what we already do for
+ CURLOPT_CAPATH.
+
+ - Change the curl tool to handle CURLOPT_PROXY_CAPATH error
+ CURLE_NOT_BUILT_IN as a warning instead of as an error, which is the
+ same as what we already do for CURLOPT_CAPATH.
+
+ - Fix CAPATH docs to show that CURLE_NOT_BUILT_IN is returned when the
+ respective CAPATH option is not supported by the SSL library.
- Rather than duplicate future variables, during clean-up of both success
- and error conditions, use a common function that can be called by both.
+ Ref: https://github.com/curl/curl/pull/1257
-- RELEASE-NOTES: Synced with 39dcf352d2
+- cyassl: fix typo
-- buildconf.bat: Added error messages on failure
+Version 7.53.0 (22 Feb 2017)
-- buildconf.bat: Generate and clean files in the same order
+Daniel Stenberg (22 Feb 2017)
+- release: 7.53.0
-- buildconf.bat: Maintain compatibility with DOS based systems
-
- Commit f08e30d7bc broke compatibility with DOS and non Windows NT based
- versions of Windows due to the use of the setlocal command.
+- cookie: fix declaration of 'dup' shadows a global declaration
-Jay Satiro (9 Aug 2015)
-- CURLOPT_RESOLVE.3: Note removal support was added in 7.42
+- TLS: make SSL_VERIFYSTATUS work again
+
+ The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
+ and thus even if the status couldn't be verified, the connection would
+ be allowed and the user would not be told about the failed verification.
+
+ Regression since cb4e2be7c6d42ca
+
+ CVE-2017-2629
+ Bug: https://curl.haxx.se/docs/adv_20170222.html
- Bug: http://curl.haxx.se/mail/lib-2015-08/0019.html
- Reported-by: Inca R
+ Reported-by: Marcus Hoffmann
-Steve Holme (8 Aug 2015)
-- checksrc.bat: Fixed error when missing *.c and *.h files
+Jay Satiro (21 Feb 2017)
+- digest_sspi: Handle 'stale=TRUE' directive in HTTP digest
- File Not Found
+ - If the server has provided another challenge use it as the replacement
+ input token if stale=TRUE. Otherwise previous credentials have failed
+ so return CURLE_LOGIN_DENIED.
+
+ Prior to this change the stale directive was ignored and if another
+ challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING.
+
+ Ref: https://tools.ietf.org/html/rfc2617#page-10
+
+ Bug: https://github.com/curl/curl/issues/928
+ Reported-by: tarek112@users.noreply.github.com
-- checksrc.bat: Fixed incorrect 'lib\vtls' path check in commit 333c36b276
+Daniel Stenberg (20 Feb 2017)
+- smb: use getpid replacement for windows UWP builds
+
+ Source: https://github.com/Microsoft/vcpkg/blob/7676b8780db1e1e591c4fc7eba4f96f73c428cb4/ports/curl/0002_fix_uwp.patch
-- checksrc.bat: Fixed error when [directory] isn't a curl source directory
+- TODO: CURLOPT_RESOLVE for any port number
- The system cannot find the file specified.
+ Closes #1264
-- checksrc.bat: Added check for unknown arguments
+- RELEASE-NOTES: synced with af30f1152d43dcdb
-- scripts: Added missing comments
+- [Jean Gressmann brought this change]
-- scripts: Always perform setlocal and endlocal calls in pairs
+ sftp: improved checks for create dir failures
- Ensure that there isn't a mismatch between setlocal and endlocal calls,
- which could have happened due to setlocal being called after certain
- error conditions were checked for.
-
-- scripts: Allow -help to be specified in any argument
+ Since negative values are errors and not only -1. This makes SFTP upload
+ with --create-dirs work (again).
- Allow the -help command line argument to be specified in any argument
- and not just as the first.
+ Closes #1269
-Daniel Stenberg (6 Aug 2015)
-- [juef brought this change]
+Jay Satiro (20 Feb 2017)
+- [Max Khon brought this change]
- curl_multi_remove_handle.3: fix formatting
+ digest_sspi: Fix nonce-count generation in HTTP digest
- closes #366
-
-Steve Holme (6 Aug 2015)
-- README: Added notes about 'Running DLL based configurations'
+ - on the first invocation: keep security context returned by
+ InitializeSecurityContext()
- ...as well as a TODO for a future enhancement to the project files.
+ - on subsequent invocations: use MakeSignature() instead of
+ InitializeSecurityContext() to generate HTTP digest response
- Thanks-to: Jay Satiro
-
-- RELEASE-NOTES: Synced with cf8975387f
+ Bug: https://github.com/curl/curl/issues/870
+ Reported-by: Andreas Roth
+
+ Closes https://github.com/curl/curl/pull/1251
-- buildconf.bat: Synchronise no repository error with generate.bat
+- examples/multi-uv: checksrc compliance
-- generate.bat: Added a check for the presence of a git repository
+Michael Kaufmann (19 Feb 2017)
+- string formatting: fix 4 printf-style format strings
-- [Jay Satiro brought this change]
+Dan Fandrich (18 Feb 2017)
+- tests: removed the obsolete name parameter
- build: Added wolfSSL configurations to VC10+ project files
+Michael Kaufmann (18 Feb 2017)
+- speed caps: update the timeouts if the speed is too low/high
+
+ Follow-up to 4b86113
- URL: https://github.com/bagder/curl/pull/174
+ Fixes https://github.com/curl/curl/issues/793
+ Fixes https://github.com/curl/curl/issues/942
-- [Jay Satiro brought this change]
+- docs: fix timeout handling in multi-uv example
- build: Added wolfSSL build script for Visual Studio projects
+- proxy: fix hostname resolution and IDN conversion
- Added the wolfSSL build script, based on build-openssl.bat, as well as
- the property sheet and header file required for the upcoming additions
- to the Visual Studio project files.
-
-Daniel Stenberg (6 Aug 2015)
-- CHANGES: refer to the online changelog
+ Properly resolve, convert and log the proxy host names.
+ Support the "--connect-to" feature for SOCKS proxies and for passive FTP
+ data transfers.
- Suggested-by: mc0e
+ Follow-up to cb4e2be
+
+ Reported-by: Jay Satiro
+ Fixes https://github.com/curl/curl/issues/1248
+Jay Satiro (17 Feb 2017)
- [Isaac Boukris brought this change]
- NTLM: handle auth for only a single request
+ http: fix missing 'Content-Length: 0' while negotiating auth
- Currently when the server responds with 401 on NTLM authenticated
- connection (re-used) we consider it to have failed. However this is
- legitimate and may happen when for example IIS is set configured to
- 'authPersistSingleRequest' or when the request goes thru a proxy (with
- 'via' header).
+ - While negotiating auth during PUT/POST if a user-specified
+ Content-Length header is set send 'Content-Length: 0'.
- Implemented by imploying an additional state once a connection is
- re-used to indicate that if we receive 401 we need to restart
- authentication.
+ This is what we do already in HTTPREQ_POST_FORM and what we did in the
+ HTTPREQ_POST case (regression since afd288b).
- Closes #363
-
-Steve Holme (5 Aug 2015)
-- RELEASE-NOTES: Synced with 473807b95f
-
-- generate.bat: Use buildconf.bat for prerequisite file clean-up
-
-- buildconf.bat: Added support for file clean-up via -clean
-
-- buildconf.bat: Added progress output
-
-- buildconf.bat: Avoid using goto for file not in repository
-
-Daniel Stenberg (5 Aug 2015)
-- curl_slist_append.3: add error checking to the example
-
-Steve Holme (5 Aug 2015)
-- buildconf.bat: Added display of usage text with -help
-
-- buildconf.bat: Added exit codes for error handling
-
-- buildconf.bat: Added our standard copyright header
-
-- buildconf.bat: Use lower-case for commands and reserved keywords
-
-- generate.bat: Only clean prerequisite files when in ALL mode
-
-- generate.bat: Moved error messages out of sub-routines
+ Prior to this change no Content-Length header would be sent in such a
+ case.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-02/0006.html
+ Reported-by: Dominik Hölzl
+
+ Closes https://github.com/curl/curl/pull/1242
-- generate.bat: More use of lower-case for commands and reserved keywords
+Daniel Stenberg (16 Feb 2017)
+- [Simon Warta brought this change]
-Daniel Stenberg (3 Aug 2015)
-- libcurl.3: fix a single typo
+ winbuild: add note on auto-detection of MACHINE in Makefile.vc
- Closes #361
+ Closes #1265
-- RELEASE-NOTES: synced with c4eb10e2f06f
+- RELEASE-PROCEDURE: update the upcoming release calendar
-- SSH: three state machine fixups
+- TODO: consider file name from the redirected URL with -O ?
- The SSH state machine didn't clear the 'rc' variable appropriately in a
- two places which prevented it from looping the way it should. And it
- lacked an 'else' statement that made it possible to erroneously get
- stuck in the SSH_AUTH_AGENT state.
+ It isn't easily solved, but with some thinking someone could probably
+ come up with a working approach?
- Reported-by: Tim Stack
-
- Closes #357
+ Closes #1241
-- curl_gssapi: remove 'const' to fix compiler warnings
+Jay Satiro (15 Feb 2017)
+- tool_urlglob: Allow a glob range with the same start and stop
- initialization discards 'const' qualifier from pointer target type
-
-- docs: formpost needs the full size at start of upload
+ For example allow ranges like [1-1] and [a-a] etc.
- Closes #360
-
-Steve Holme (1 Aug 2015)
-- sspi: Fix typo from left over from old code which referenced NTLM
+ Regression since 5ca96cb.
- References to NTLM in the identity generation should have been removed
- in commit c469941293 but not all were.
+ Bug: https://github.com/curl/curl/issues/1238
+ Reported-by: R. Dennis Steed
-- win32: Fix compilation warnings from commit 40c921f8b8
+Daniel Stenberg (15 Feb 2017)
+- axtls: adapt to API changes
- connect.c:953:5: warning: initializer element is not computable at load
- time
- connect.c:953:5: warning: missing initializer for field 'dwMinorVersion'
- of 'OSVERSIONINFOEX'
- curl_sspi.c:97:5: warning: initializer element is not computable at load
- time
- curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion'
- of 'OSVERSIONINFOEX'
-
-- schannel: Fix compilation warning from commit 7a8e861a56
+ Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS
+ < 2.1.0 (the older API)
- schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion'
- of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
+ ... and fix the session_id mixup brought in 04b4ee549
+
+ Fixes #1220
-Daniel Stenberg (31 Jul 2015)
-- libcurl-thread.3: minor reformatting
+- RELEASE-NOTES: synced with 690935390c29c
-Jay Satiro (31 Jul 2015)
-- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
-
- Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
- Reported-by: Eric Ridge
+- [Nick Draffen brought this change]
-- libcurl-thread.3: Warn memory functions must be thread safe
+ curl: fix typo in time condition warning message
- Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
- Reported-by: Eric Ridge
+ The warning message had a typo. The argument long form is --time-cond
+ not --timecond
+
+ Closes #1263
-Steve Holme (31 Jul 2015)
-- RELEASE-NOTES: Synced with 8b1d00ac1a
+- smb: code indent
-- INSTALL: Minor formatting correction in 'Legacy Windows and SSL' section
+Jay Satiro (14 Feb 2017)
+- configure: Allow disabling pthreads, fall back on Win32 threads
+
+ When the threaded resolver option is specified for configure the default
+ thread library is pthreads. This change makes it possible to
+ --disable-pthreads and then configure can fall back on Win32 threads for
+ native Windows builds.
- ...as well as some rewording.
+ Closes https://github.com/curl/curl/pull/1260
-Kamil Dudka (30 Jul 2015)
-- http: move HTTP/2 cleanup code off http_disconnect()
+Daniel Stenberg (13 Feb 2017)
+- http2: fix memory-leak when denying push streams
- Otherwise it would never be called for an HTTP/2 connection, which has
- its own disconnect handler.
+ Reported-by: zelinchen@users.noreply.github.com
+ Fixes #1229
+
+Jay Satiro (11 Feb 2017)
+- tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT
- I spotted this while debugging <https://bugzilla.redhat.com/1248389>
- where the http_disconnect() handler was called on an FTP session handle
- causing 'dnf' to crash. conn->data->req.protop of type (struct FTP *)
- was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in
- Curl_add_buffer_free() after printing the "Connection cache is full,
- closing the oldest one." message.
+ When CURLE_SSL_CACERT occurs the tool shows a lengthy error message to
+ the user explaining possible solutions such as --cacert and --insecure.
- A previously working version of libcurl started to crash after it was
- recompiled with the HTTP/2 support despite the HTTP/2 protocol was not
- actually used. This commit makes it work again although I suspect the
- root cause (reinterpreting session handle data of incompatible protocol)
- still has to be fixed. Otherwise the same will happen when mixing FTP
- and HTTP/2 connections and exceeding the connection cache limit.
+ This change appends to that message similar options --proxy-cacert and
+ --proxy-insecure when there's a specified HTTPS proxy.
- Reported-by: Tomas Tomecek
- Bug: https://bugzilla.redhat.com/1248389
-
-Daniel Stenberg (30 Jul 2015)
-- [Viktor Szakats brought this change]
+ Closes https://github.com/curl/curl/issues/1258
- ABI doc: use secure URL
+Daniel Stenberg (10 Feb 2017)
+- cmdline-opts/page-footer: ftp.sunet.se is no longer an FTP mirror
-- ABI: remove the ascii logo
+- URL: only accept ";options" in SMTP/POP3/IMAP URL schemes
- and made the indent level to 1
+ Fixes #1252
-- libcurl-multi.3: mention curl_multi_wait
-
- ... and some general rewordings to improve this docs.
+Jay Satiro (9 Feb 2017)
+- cmdline-opts/socks*: Mention --preproxy in --socks* opts
- Reported-by: Tim Stack
+ - Document in --socks* opts they're still mutually exclusive of --proxy.
- Closes #356
-
-Steve Holme (30 Jul 2015)
-- maketgz: Fixed some VC makefiles missing from the release tarball
+ Partial revert of 423a93c; I had misinterpreted the SOCKS proxy +
+ HTTP/HTTPS proxy combination.
- VC7, VC11, VC12 and VC14 makefiles were missing from the release
- tarball.
-
-- RELEASE-NOTES: Synced with 2d7e165761
+ - Document in --socks* opts that --preproxy can be used to specify a
+ SOCKS proxy at the same time --proxy is used with an HTTP/HTTPS proxy.
-- build: Added VC14 project files to Makefile.am
+Daniel Stenberg (9 Feb 2017)
+- CURLOPT_SSL_VERIFYPEER.3: also the https proxy version
-- build: Added VC14 project files
+Kamil Dudka (9 Feb 2017)
+- nss: make FTPS work with --proxytunnel
- Updates to Makefile.am for the generation of the project files in
- the tarball to follow.
-
-Jay Satiro (29 Jul 2015)
-- libcurl-thread.3: Clarify CURLOPT_NOSIGNAL takes long value 1L
+ If the NSS code was in the middle of a non-blocking handshake and it
+ was asked to finish the handshake in blocking mode, it unexpectedly
+ continued in the non-blocking mode, which caused a FTPS connection
+ over CONNECT to fail with "(81) Socket not ready for send/recv".
+
+ Bug: https://bugzilla.redhat.com/1420327
-Steve Holme (28 Jul 2015)
-- generate.bat: Use lower-case for commands and reserved keywords
+Daniel Stenberg (9 Feb 2017)
+- examples/multithread.c: link to our multi-thread docs
- Whilst there are no coding standards for the batch files used in curl,
- most tend to use lower-case for keywords and upper-case for variables.
+ ... instead of the OpenSSL mutex page.
-- build: Added initial VC14 support to generate.bat
+- http_proxy: avoid freeing static memory
- Visual Studio project files and updates to makefile.am to follow.
+ Follow up to 7fe81ec298e0: make sure 'host' is either NULL or malloced.
-- build: Fixed missing .opensdf files from VC10+ .gitignore files
+- [Cameron MacMinn brought this change]
-- build: Use $(ProjectName) macro for curl.exe and curld.exe filenames
+ http_proxy: Fix tiny memory leak upon edge case connecting to proxy
- This wasn't possible with the old curlsrc project filenames, but like
- commit 2a615a2b64 and 11397eb6dd for libcurl use the built in Visual
- Studio macros for the output filenames.
+ Fixes #1255
-- build: Renamed curl src Visual Studio project files
+Michael Kaufmann (8 Feb 2017)
+- polarssl, mbedtls: Fix detection of pending data
- Following commit 957fcd9049 and in preparation for adding the VC14
- project files renamed the curl source project files.
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html
-Daniel Stenberg (28 Jul 2015)
-- [Jay Satiro brought this change]
+Dan Fandrich (7 Feb 2017)
+- test1139: Added the --manual keyword since the manual is required
- libcurl-thread.3: Revert to stricter handle wording
-
- .. also update formatting and add WinSSL and wolfSSL to the SSL/TLS
- handlers list.
+Daniel Stenberg (7 Feb 2017)
+- RELEASE-NOTES: synced with 102454459dd688c
-- [Jay Satiro brought this change]
+- THANKS-filter: polish some recent contributors
- libcurl-thread.3: Consolidate thread safety info
+- http2: reset push header counter fixes crash
- This is a new document to consolidate our thread safety information from
- several documents (curl-www:features, libcurl.3, libcurl-tutorial.3).
- Each document's section on multi-threading will now point to this one.
-
-Steve Holme (27 Jul 2015)
-- README: Corrected formatting for 'Legacy Windows and SSL' section
+ When removing an easy handler from a multi before it completed its
+ transfer, and it had pushed streams, it would segfault due to the pushed
+ counted not being cleared.
- ...as well as some wording.
-
-- build-openssl.bat: Added support for VC14
+ Fixed-by: zelinchen@users.noreply.github.com
+ Fixes #1249
-Daniel Stenberg (26 Jul 2015)
-- RELEASE-NOTES: synced with 0f645adc95390e8
+- [Markus Westerlind brought this change]
-- test1902: attempt to make the test more reliable
+ transfer: only retry nobody-requests for HTTP
- Closes #355
-
-- comment: fix comment about adding new option support
+ Using sftp to delete a file with CURLOPT_NOBODY set with a reused
+ connection would fail as curl expected to get some data. Thus it would
+ retry the command again which fails as the file has already been
+ deleted.
+
+ Fixes #1243
-Jay Satiro (25 Jul 2015)
-- build-openssl.bat: Show syntax if required args are missing
+Jay Satiro (7 Feb 2017)
+- [Daniel Gustafsson brought this change]
-Daniel Stenberg (26 Jul 2015)
-- TODO: improve how curl works in a windows console window
+ telnet: Fix typos
- Closes #322 for now
+ Ref: https://github.com/curl/curl/pull/1245
-- 1.11 minimize dependencies with dynamicly loaded modules
-
- Closes #349 for now
+- [Daniel Gustafsson brought this change]
-Jay Satiro (25 Jul 2015)
-- tool_operate: Fix CURLOPT_SSL_OPTIONS for builds without HTTPS
+ test552: Fix typos
- - Set CURLOPT_SSL_OPTIONS only if the tool enabled an SSL option.
+ Closes https://github.com/curl/curl/pull/1245
+
+- [Daniel Gustafsson brought this change]
+
+ darwinssl: Avoid parsing certificates when not in verbose mode
- Broken by me several days ago in 172b2be.
- https://github.com/bagder/curl/commit/172b2be#diff-70b44ee478e58d4e1ddcf9c9a73d257b
+ The information extracted from the server certificates in step 3 is only
+ used when in verbose mode, and there is no error handling or validation
+ performed as that has already been done. Only run the certificate
+ information extraction when in verbose mode and libcurl was built with
+ verbose strings.
- Bug: http://curl.haxx.se/mail/lib-2015-07/0119.html
- Reported-by: Dan Fandrich
+ Closes https://github.com/curl/curl/pull/1246
-Daniel Stenberg (25 Jul 2015)
-- configure: check if OpenSSL linking wants -ldl
+- [JDepooter brought this change]
+
+ schannel: Remove incorrect SNI disabled message
+
+ - Remove the SNI disabled when host verification disabled message
+ since that is incorrect.
- To make it easier to link with static versions of OpenSSL, the configure
- script now checks if -ldl is needed for linking.
+ - Show a message for legacy versions of Windows <= XP that connections
+ may fail since those versions of WinSSL lack SNI, algorithms, etc.
- Help-by: TJ Saunders
+ Bug: https://github.com/curl/curl/pull/1240
-- [Michael Kaufmann brought this change]
+Daniel Stenberg (7 Feb 2017)
+- CHANGES: spell fix, use correct path to script
- HTTP: ignore "Content-Encoding: compress"
+- CHANGES.0: removed
- Currently, libcurl rejects responses with "Content-Encoding: compress"
- when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should
- treat the Content-Encoding "compress" the same as other
- Content-Encodings that it does not support, e.g. "bzip2". That means
- just ignoring it.
+ This is the previously manually edited changelog, not touched since Aug
+ 2015. Still present in git for those who wants it.
-- [Marcel Raad brought this change]
+Dan Fandrich (6 Feb 2017)
+- cmdline-opts: Fixed build and test in out of source tree builds
- openssl: work around MSVC warning
+Viktor Szakats (6 Feb 2017)
+- use *.sourceforge.io and misc URL updates
- MSVC 12 complains:
-
- lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local
- variable 'verstr' used It's a false positive, but as it's normally not,
- I have enabled warning-as-error for that warning.
-
-- [Michał Fita brought this change]
+ Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/
+ Closes: https://github.com/curl/curl/pull/1247
- configure: add --disable-rt option
+Jay Satiro (6 Feb 2017)
+- docs: Add more HTTPS proxy documentation
- This option disables any attempts in configure to create dependency on
- stuff requiring linking to librt.so and libpthread.so, in this case this
- means clock_gettime(CLOCK_MONOTONIC, &mt).
+ - Document HTTPS proxy type.
- We were in need to build curl which doesn't link libpthread.so to avoid
- the following bug:
- https://sourceware.org/bugzilla/show_bug.cgi?id=16628.
-
-Kamil Dudka (23 Jul 2015)
-- http2: verify success of strchr() in http2_send()
+ - Document --write-out %{proxy_ssl_verify_result}.
+
+ - Document SOCKS proxy + HTTP/HTTPS proxy combination.
- Detected by Coverity.
+ HTTPS proxy support was added in 7.52.0 for OpenSSL, GnuTLS and NSS.
- Error: NULL_RETURNS:
- lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times).
- lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr".
- lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf".
- 1300|
- 1301| hdbuf = strchr(hdbuf, 0x0a);
- 1302|-> ++hdbuf;
- 1303|
- 1304| authority_idx = 0;
+ Ref: https://github.com/curl/curl/commit/cb4e2be
-Jay Satiro (22 Jul 2015)
-- Windows: Fix VerifyVersionInfo calls
+- OS400: Fix symbols
- - Fix the VerifyVersionInfo calls, which we use to test for the OS major
- version, to also test for the minor version as well as the service pack
- major and minor versions.
+ - s/CURLOPT_SOCKS_PROXY/CURLOPT_PRE_PROXY
+ Follow-up to 7907a2b and 845522c.
- MSDN: "If you are testing the major version, you must also test the
- minor version and the service pack major and minor versions."
+ - Fix incorrect id for CURLOPT_PROXY_PINNEDPUBLICKEY.
- https://msdn.microsoft.com/en-us/library/windows/desktop/ms725492.aspx
+ - Add id for CURLOPT_ABSTRACT_UNIX_SOCKET.
- Bug: https://github.com/bagder/curl/pull/353#issuecomment-123493098
- Reported-by: Marcel Raad <MarcelRaad@users.noreply.github.com>
+ Bug: https://github.com/curl/curl/issues/1237
+ Reported-by: jonrumsey@users.noreply.github.com
-- [Marcel Raad brought this change]
+- [Sean Burford brought this change]
- schannel: Replace deprecated GetVersion with VerifyVersionInfo
+ cmake: Support curl --xattr when built with cmake
+
+ - Test for and set HAVE_FSETXATTR when support for extended file
+ attributes is present.
+
+ Closes https://github.com/curl/curl/pull/1176
-Steve Holme (21 Jul 2015)
-- makefile: Added support for VC14
+- [Adam Langley brought this change]
-Patrick Monnerat (21 Jul 2015)
-- os400: ebcdic wrappers for new functions. Upgrade ILE/RPG bindings.
+ openssl: Don't use certificate after transferring ownership
+
+ SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
+ while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
+ it's best to call SSL_CTX_add_client_CA before
+ SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
+ argument.
+
+ Closes https://github.com/curl/curl/pull/1236
-- libcurl: VERSIONINFO update
- Addition of new procedures curl_pushheader_bynum and curl_pushheader_byname
- requires VERSIONINFO updating.
+Daniel Stenberg (29 Jan 2017)
+- [Antoine Aubert brought this change]
-- http2: satisfy external references even if http2 is not compiled in.
+ mbedtls: implement CTR-DRBG and HAVEGE random generators
+
+ closes #1227
-Daniel Stenberg (20 Jul 2015)
-- http2: add stream != NULL checks for reliability
+- docs: we no longer ship HTML versions of man pages
- They should not trigger, but in case of internal problems we at least
- avoid crashes this way.
+ ... refer to the web site for the web versions.
-Jay Satiro (18 Jul 2015)
-- symbols-in-versions: Add new CURLSSLOPT_NO_REVOKE symbol
+- [railsnewbie257 brought this change]
-- SSL: Add an option to disable certificate revocation checks
+ docs: proofread README.netware README.win32
- New tool option --ssl-no-revoke.
- New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.
+ Closes #1231
+
+- RELEASE-NOTES; synced with ab08d82648
+
+Michael Kaufmann (28 Jan 2017)
+- mbedtls: disable TLS session tickets
- Currently this option applies only to WinSSL where we have automatic
- certificate revocation checking by default. According to the
- ssl-compared chart there are other backends that have automatic checking
- (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
- some later point.
+ SSL session reuse with TLS session tickets is not supported yet.
+ Use SSL session IDs instead.
- Bug: https://github.com/bagder/curl/issues/264
- Reported-by: zenden2k <zenden2k@gmail.com>
+ See https://github.com/curl/curl/issues/1109
-- runtests: Allow for spaces in curl custom path
+- gnutls: disable TLS session tickets
- .. also fix some typos in test's FILEFORMAT spec.
+ SSL session reuse with TLS session tickets is not supported yet.
+ Use SSL session IDs instead.
+
+ Fixes https://github.com/curl/curl/issues/1109
-- [David Woodhouse brought this change]
+- polarssl: fix hangs
+
+ This bugfix is similar to commit c111178bd4.
- ntlm_wb: Fix theoretical memory leak
+Daniel Stenberg (27 Jan 2017)
+- cookies: do not assume a valid domain has a dot
- Static analysis indicated that my commit 9008f3d564 ("ntlm_wb: Fix
- hard-coded limit on NTLM auth packet size") introduced a potential
- memory leak on an error path, because we forget to free the buffer
- before returning an error.
+ This repairs cookies for localhost.
- Fix this.
+ Non-PSL builds will now only accept "localhost" without dots, while PSL
+ builds okeys everything not listed as PSL.
- Although actually, it never happens in practice because we never *get*
- here with state == NTLMSTATE_TYPE1. The state is always zero. That
- might want cleaning up in a separate patch.
+ Added test 1258 to verify.
- Reported-by: Terri Oda
-
-- strerror: Add CRYPT_E_REVOKED to SSPI error strings
+ This was a regression brought in a76825a5efa6b4
-Kamil Dudka (14 Jul 2015)
-- libtest: call PR_Cleanup() on exit if NSPR is used
+- TODO: remove "Support TLS v1.3"
- This prevents valgrind from reporting possibly lost memory that NSPR
- uses for file descriptor cache and other globally allocated internal
- data structures.
-
- Reported-by: Štefan Kremeň
+ Support is trickling in already.
-Jay Satiro (14 Jul 2015)
-- [John Malmberg brought this change]
+- [railsnewbie257 brought this change]
- openssl: VMS support for SHA256
+ INTERNALS.md: language improvements
- setup-vms.h: More symbols for SHA256, hacks for older VAX
+ Closes #1226
+
+- telnet: fix windows compiler warnings
- openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX.
+ Thumbs-up-by: Jay Satiro
- openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to
- allow building on VAX and 64 bit VMS.
+ Closes #1225
-- examples: Fix typo in multi-single.c
+- VC: remove the makefile.vc6 build infra
+
+ The winbuild/ build files is now the single MSVC makefile build choice.
+
+ Closes #1215
-Daniel Stenberg (7 Jul 2015)
-- [Tatsuhiro Tsujikawa brought this change]
+- [Jay Satiro brought this change]
- http2: Fix memory leak in push header array
+ cmdline-opts/gen.pl: Open input files in CRLF mode
+
+ On Windows it's possible to have input files with CRLF line endings and
+ a perl that defaults to LF line endings (eg msysgit). Currently that
+ results in generator output of mixed line endings of CR, LF and CRLF.
+
+ This change fixes that issue in the most succinct way by opening the
+ files in :crlf text mode even when the perl being used does not default
+ to that mode. (On operating systems that don't have a separate text mode
+ it's essentially a no-op.) The output continues to be in the perl's
+ native line ending.
-Dan Fandrich (2 Jul 2015)
-- test2041: fixed line endings in protocol part
+- docs/curl.1: generate from the cmdline-opts script
-- cyassl: fixed mismatched sha256sum function prototype
+- vtls: source indentation fix
-Daniel Stenberg (1 Jul 2015)
-- [moparisthebest brought this change]
+- contri*.sh: cut off parentheses from names too
- SSL: Pinned public key hash support
+- RELEASE-NOTES: synced with 01ab7c30bba6f
-- examples: provide <DESC> sections
+- vtls: fix PolarSSL non-blocking handling
+
+ A regression brought in cb4e2be
+
+ Reported-by: Michael Kaufmann
+ Bug: https://github.com/curl/curl/issues/1174#issuecomment-274018791
-- [John Malmberg brought this change]
+- [Antoine Aubert brought this change]
- OpenVMS: VMS Software, Inc now the supplier.
+ vtls: fix mbedtls multi non blocking handshake.
- setup-vms.h: Symbol case fixups submitted by Michael Steve
+ When using multi, mbedtls handshake is in non blocking mode. vtls must
+ set wait for read/write flags for the socket.
- build_gnv_curl_pcsi_desc.com: VSI aka as VMS Software, is now the
- supplier of new versions of VMS. The install kit needs to accept
- VSI as a producer.
+ Closes #1223
+
+- [Richy Kim brought this change]
-Jay Satiro (30 Jun 2015)
-- multi: Move http2 push function declarations to header end
+ CURLOPT_BUFFERSIZE: support enlarging receive buffer
- This change necessary for binary compatibility.
+ Replace use of fixed macro BUFSIZE to define the size of the receive
+ buffer. Reappropriate CURLOPT_BUFFERSIZE to include enlarging receive
+ buffer size. Upon setting, resize buffer if larger than the current
+ default size up to a MAX_BUFSIZE (512KB). This can benefit protocols
+ like SFTP.
- Prior to this change test 1135 failed due to the order of functions.
+ Closes #1222
-- symbols-in-versions: Add new http2 push symbols
+- sws: use SOCKERRNO, not errno
- Prior to this change test 1119 failed due to the missing symbols.
-
-Daniel Stenberg (30 Jun 2015)
-- RELEASE-NOTES: synced with e6749055d653
+ Reported-by: Gisle Vanem
-- configure: disable libidn by default
+Michael Kaufmann (19 Jan 2017)
+- KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
- For security reasons, until there is a fix.
-
- Bug: http://curl.haxx.se/mail/lib-2015-06/0143.html
- Reported-by: Gustavo Grieco, Feist Josselin
-
-- SSL-PROBLEMS: mention WinSSL problems in WinXP
+ This has been implemented with commit 9ad034e.
-- CODE_OF_CONDUCT.md: added
+Viktor Szakats (19 Jan 2017)
+- *.rc: escape non-ASCII/non-UTF-8 character for clarity
- Just to underscore how we treat each other in this project. Nothing new
- really, but could be useful for newcomers and outsiders to see our
- values.
+ Closes https://github.com/curl/curl/pull/1217
-- tool_header_cb: fflush the header stream
+Kamil Dudka (19 Jan 2017)
+- docs: non-blocking SSL handshake is now supported with NSS
- Flush the header stream when -D is used so that they are sent off
- earlier.
+ Implemented since curl-7_36_0-130-g8868a22
- Bug: https://github.com/bagder/curl/issues/324
- Reported-by: Cédric Connes
+ Reported-by: Fahim Chandurwala
-- [Roger Leigh brought this change]
+Michael Kaufmann (18 Jan 2017)
+- CURLOPT_CONNECT_TO: Fix compile warnings
+
+ Fix compile warnings that appeared only when curl has been configured
+ with '--disable-verbose'.
- tests: Distribute CMakeLists.txt files in subdirectories
+Daniel Stenberg (18 Jan 2017)
+- usercertinmem.c: improve the short description
-- CURLOPT_FAILONERROR.3: mention that it closes the connection
+- parseurl: move back buffer to function scope
- Reported-by: bemoody
- Bug: https://github.com/bagder/curl/issues/325
-
-- curl_multi_setopt.3: alpha sort the options
+ Regression since 1d4202ad, which moved the buffer into a more narrow
+ scope, but the data in that buffer was used outside of that more narrow
+ scope.
+
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0093.html
-- curl_multi_setopt.3: add the new push options
+Jay Satiro (17 Jan 2017)
+- openssl: Fix random generation
+
+ - Fix logic error in Curl_ossl_random.
+
+ Broken a few days ago in 807698d.
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (17 Jan 2017)
+- TODO: share OpenSSL contexts
+
+ By supporting this, subsequent connects would load a lot less data from
+ disk.
+
+ Closes #1110
- http2: Use nghttp2 library error code for error return value
+- bump: next release will be 7.53.0
-- [Tatsuhiro Tsujikawa brought this change]
+Kamil Dudka (15 Jan 2017)
+- nss: use the correct lock in nss_find_slot_by_name()
- http2: Harden header validation for curl_pushheader_byname
+Alessandro Ghedini (15 Jan 2017)
+- http2: disable server push if not requested
- Since we do prefix match using given header by application code
- against header name pair in format "NAME:VALUE", and VALUE part can
- contain ":", we have to careful about existence of ":" in header
- parameter. ":" should be allowed to match HTTP/2 pseudo-header field,
- and other use of ":" in header must be treated as error, and
- curl_pushheader_byname should return NULL. This commit implements
- this behaviour.
+ Ref: https://github.com/curl/curl/pull/1160
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (14 Jan 2017)
+- [railsnewbie257 brought this change]
- CURLMOPT_PUSHFUNCTION.3: Remove unused variable
+ docs: improved language in README.md HISTORY.md CONTRIBUTE.md
+
+ Closes #1211
-- CURLMOPT_PUSHFUNCTION.3: added example
+Alessandro Ghedini (14 Jan 2017)
+- http: print correct HTTP string in verbose output when using HTTP/2
+
+ Before:
+ ```
+ % src/curl https://sigsegv.ninja/ -v --http2
+ ...
+ > GET / HTTP/1.1
+ > Host: sigsegv.ninja
+ > User-Agent: curl/7.52.2-DEV
+ > Accept: */*
+ >
+ ...
+ ```
+
+ After:
+ ```
+ % src/curl https://sigsegv.ninja/ -v --http2
+ ...
+ > GET / HTTP/2
+ > Host: sigsegv.ninja
+ > User-Agent: curl/7.52.2-DEV
+ > Accept: */*
+ >
+ ```
-- http2: curl_pushheader_byname now takes a const char *
+Daniel Stenberg (14 Jan 2017)
+- TODO: send only part of --data
+
+ Closes #1200
-- http2-serverpush.c: example code
+- TODO: implemened "--fail-fast to exit on first transfer fail"
+
+ Even though it is called --fail-early
-- http2: free all header memory after the push callback
+- TODO: Chunked transfer multipart formpost
+
+ Closes #1139
-- http2: init the pushed transfer properly
+- TODO: Improve formpost API, not just add an easy argument
-- http2: fixed the header accessor functions for the push callback
+- addrinfo: fix compiler warning on offsetof() use
+
+ curl_addrinfo.c:519:20: error: conversion to ‘curl_socklen_t {aka
+ unsigned int}’ from ‘long unsigned int’ may alter its value
+ [-Werror=conversion]
+
+ Follow-up to 1d786faee1046f
-- http2: setup the new pushed stream properly
+- THANKS-filter: Jiri Malak
-- http2: initial implementation of the push callback
+- RELEASE-NOTES: synced with a7c73ae309c
-- http2: initial HTTP/2 server push types/docs
+Peter Wu (13 Jan 2017)
+- [Isaac Boukris brought this change]
-- test1531: verify POSTFIELDSIZE set after add_handle
+ unix_socket: add support for abstract unix domain socket
- Following the fix made in 903b6e05565bf.
-
-- pretransfer: init state.infilesize here, not in add_handle
+ In addition to unix domain sockets, Linux also supports an
+ abstract namespace which is independent of the filesystem.
- ... to properly support that options are set to the handle after it is
- added to the multi handle.
+ In order to support it, add new CURLOPT_ABSTRACT_UNIX_SOCKET
+ option which uses the same storage as CURLOPT_UNIX_SOCKET_PATH
+ internally, along with a flag to specify abstract socket.
- Bug: http://curl.haxx.se/mail/lib-2015-06/0122.html
- Reported-by: Stefan Bühler
-
-Jay Satiro (21 Jun 2015)
-- [Lior Kaplan brought this change]
-
- tool_help: fix --tlsv1 help text to use >= for TLSv1
-
-- INSTALL: Advise use of non-native SSL for Windows <= XP
+ On non-supporting platforms, the abstract address will be
+ interpreted as an empty string and fail gracefully.
- Advise that WinSSL in versions <= XP will not be able to connect to
- servers that no longer support the legacy handshakes and algorithms used
- by those versions, and to use an alternate backend like OpenSSL instead.
+ Also add new --abstract-unix-socket tool parameter.
- Bug: https://github.com/bagder/curl/issues/253
- Reported-by: zenden2k <zenden2k@gmail.com>
+ Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+ Reported-by: Chungtsun Li (typeless)
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Peter Wu
+ Closes #1197
+ Fixes #1061
-Kamil Dudka (19 Jun 2015)
-- curl_easy_setopt.3: restore contents removed by mistake
+Daniel Stenberg (13 Jan 2017)
+- write-out.d: 'time_total' is not always shown with ms precision
- ... in commit curl-7_43_0-18-g570076e
+ We have higher resolution since 7.52.0
+
+- next.d: --trace and --trace-ascii are also global
-Daniel Stenberg (19 Jun 2015)
-- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
+- [Isaac Boukris brought this change]
-Jay Satiro (18 Jun 2015)
-- cookie: Fix bug in export if any-domain cookie is present
+ curl: reset the easy handle at --next
- In 3013bb6 I had changed cookie export to ignore any-domain cookies,
- however the logic I used to do so was incorrect, and would lead to a
- busy loop in the case of exporting a cookie list that contained
- any-domain cookies. The result of that is worse though, because in that
- case the other cookies would not be written resulting in an empty file
- once the application is terminated to stop the busy loop.
+ So that only "global" options (verbose mostly) survive into the next
+ transfer, and the others have to be set again unless default is fine.
-Dan Fandrich (18 Jun 2015)
-- FTP: fixed compiling with --disable-proxy, broken in b88f980a
+- [Frank Gevaerts brought this change]
-Daniel Stenberg (18 Jun 2015)
-- tool: always provide negotiate/kerberos options
+ docs: Add note about libcurl copying strings to CURLOPT_* manpages
- libcurl can still be built with it, even if the tool is not. Maintain
- independence!
-
-- TODO: Support IDNA2008
+ Closes #1169
-- [Viktor Szakats brought this change]
+- [Frank Gevaerts brought this change]
- Makefile.m32: add support for CURL_LDFLAG_EXTRAS
-
- It is similar to existing CURL_CFLAG_EXTRAS, but for
- extra linker option.
+ CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char*
-- RTSP: removed another piece of dead code
+- IDN: Use TR46 non-transitional
- Coverity CID 1306668
+ Assisted-by: Tim Rühsen
-- openssl: fix use of uninitialized buffer
+- IDN: revert use of the transitional option
- Make sure that the error buffer is always initialized and simplify the
- use of it to make the logic easier.
+ It made the german ß get converted to ss, IDNA2003 style, and we can't
+ have that for the .de TLD - a primary reason for our switch to IDNA2008.
- Bug: https://github.com/bagder/curl/issues/318
- Reported-by: sneis
+ Test 165 verifies.
-- examples: more descriptions
+- [Tim Rühsen brought this change]
-- examples: add descriptions with <DESC>
+ IDN: Fix compile time detection of linidn2 TR46
- Using this fixed format for example descriptions, we can generate a
- better list on the web site.
-
-- libcurl-errors.3: fix typo
+ Follow-up to f30cbcac1
+
+ Closes #1207
-- curl_easy_setopt.3: option order doesn't matter
+- [ERAMOTO Masaya brought this change]
-- openssl: fix build with BoringSSL
+ url: --noproxy option overrides NO_PROXY environment variable
- OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression
- from cae43a1
+ Under condition using http_proxy env var, noproxy list was the
+ combination of --noproxy option and NO_PROXY env var previously. Since
+ this commit, --noproxy option overrides NO_PROXY environment variable
+ even if use http_proxy env var.
+
+ Closes #1140
-- [Paul Howarth brought this change]
+- [ERAMOTO Masaya brought this change]
- openssl: Fix build with openssl < ~ 0.9.8f
+ url: Refactor detect_proxy()
- The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at
- around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks
- builds with older openssls (certainly with 0.9.8b, which is the latest
- older version I have to try with).
-
-- FTP: do the HTTP CONNECT for data connection blocking
+ If defined CURL_DISABLE_HTTP, detect_proxy() returned NULL. If not
+ defined CURL_DISABLE_HTTP, detect_proxy() checked noproxy list.
- ** WORK-AROUND **
+ Thus refactor to set proxy to NULL instead of calling detect_proxy() if
+ define CURL_DISABLE_HTTP, and refactor to call detect_proxy() if not
+ define CURL_DISABLE_HTTP and the host is not in the noproxy list.
+
+- [ERAMOTO Masaya brought this change]
+
+ url: Fix NO_PROXY env var to work properly with --proxy option.
- The introduced non-blocking general behaviour for Curl_proxyCONNECT()
- didn't work for the data connection establishment unless it was very
- fast. The newly introduced function argument makes it operate in a more
- blocking manner, more like it used to work in the past. This blocking
- approach is only used when the FTP data connecting through HTTP proxy.
+ The combination of --noproxy option and http_proxy env var works well
+ both for proxied hosts and non-proxied hosts.
- Blocking like this is bad. A better fix would make it work more
- asynchronously.
+ However, when combining NO_PROXY env var with --proxy option,
+ non-proxied hosts are not reachable while proxied host is OK.
- Bug: https://github.com/bagder/curl/issues/278
+ This patch allows us to access non-proxied hosts even if using NO_PROXY
+ env var with --proxy option.
-- bump: start the journey toward 7.44.0
+- [Tim Rühsen brought this change]
-Jay Satiro (17 Jun 2015)
-- CURLOPT_ERRORBUFFER.3: Fix example, escape backslashes
-
-- CURLOPT_ERRORBUFFER.3: Improve example
-
-Version 7.43.0 (17 Jun 2015)
+ IDN: Use TR46 'transitional' for toASCII translations
+
+ References: http://unicode.org/faq/idn.html
+ http://unicode.org/reports/tr46
+
+ Closes #1206
-Daniel Stenberg (17 Jun 2015)
-- RELEASE-NOTES: 7.43.0 release
+- [railsnewbie257 brought this change]
-- THANKS: updated with 7.43.0 names
+ docs: FAQ MAIL-ETIQUETTE language fixes
+
+ Closes #1194
-- [Kamil Dudka brought this change]
+- [Marcus Hoffmann brought this change]
- http: do not leak basic auth credentials on re-used connections
+ gnutls: check for alpn and ocsp in configure
- CVE-2015-3236
+ Check for presence of gnutls_alpn_* and gnutls_ocsp_* functions during
+ configure instead of relying on the version number. GnuTLS has options
+ to turn these features off and we ca just work with with such builds
+ like we work with older versions.
- This partially reverts commit curl-7_39_0-237-g87c4abb
+ Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com>
- Reported-by: Tomas Tomecek, Kamil Dudka
- Bug: http://curl.haxx.se/docs/adv_20150617A.html
-
-- [Kamil Dudka brought this change]
+ Closes #1204
- test2040: verify basic auth on re-used connections
-
-- SMB: rangecheck values read off incoming packet
+Jay Satiro (12 Jan 2017)
+- url: Fix parsing for when 'file' is the default protocol
- CVE-2015-3237
+ Follow-up to 3463408.
- Detected by Coverity. CID 1299430.
+ Prior to 3463408 file:// hostnames were silently stripped.
- Bug: http://curl.haxx.se/docs/adv_20150617B.html
-
-Jay Satiro (17 Jun 2015)
-- schannel: schannel_recv overhaul
+ Prior to this commit it did not work when a schemeless url was used with
+ file as the default protocol.
- This commit is several drafts squashed together. The changes from each
- draft are noted below. If any changes are similar and possibly
- contradictory the change in the latest draft takes precedence.
+ Ref: https://curl.haxx.se/mail/lib-2016-11/0081.html
+ Closes https://github.com/curl/curl/pull/1124
- Bug: https://github.com/bagder/curl/issues/244
- Reported-by: Chris Araman
+ Also fix for drive letters:
- %%
- %% Draft 1
- %%
- - return 0 if len == 0. that will have to be documented.
- - continue on and process the caches regardless of raw recv
- - if decrypted data will be returned then set the error code to CURLE_OK
- and return its count
- - if decrypted data will not be returned and the connection has closed
- (eg nread == 0) then return 0 and CURLE_OK
- - if decrypted data will not be returned and the connection *hasn't*
- closed then set the error code to CURLE_AGAIN --only if an error code
- isn't already set-- and return -1
- - narrow the Win2k workaround to only Win2k
+ - Support --proto-default file c:/foo/bar.txt
- %%
- %% Draft 2
- %%
- - Trying out a change in flow to handle corner cases.
+ - Support file://c:/foo/bar.txt
- %%
- %% Draft 3
- %%
- - Back out the lazier decryption change made in draft2.
+ - Fail when a file:// drive letter is detected and not MSDOS/Windows.
- %%
- %% Draft 4
- %%
- - Some formatting and branching changes
- - Decrypt all encrypted cached data when len == 0
- - Save connection closed state
- - Change special Win2k check to use connection closed state
+ Bug: https://github.com/curl/curl/issues/1187
+ Reported-by: Anatol Belski
+ Assisted-by: Anatol Belski
+
+Daniel Stenberg (12 Jan 2017)
+- rand: make it work without TLS backing
- %%
- %% Draft 5
- %%
- - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
- connection isn't closed.
+ Regression introduced in commit f682156a4fc6c4
- %%
- %% Draft 6
- %%
- - Save the last error only if it is an unrecoverable error.
+ Reported-by: John Kohl
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html
+
+Jay Satiro (12 Jan 2017)
+- STARTTLS: Don't print response character in denied messages
- Prior to this I saved the last error state in all cases; unfortunately
- the logic to cover that in all cases would lead to some muddle and I'm
- concerned that could then lead to a bug in the future so I've replaced
- it by only recording an unrecoverable error and that state will persist.
+ Both IMAP and POP3 response characters are used internally, but when
+ appended to the STARTTLS denial message likely could confuse the user.
- - Do not recurse on renegotiation.
+ Closes https://github.com/curl/curl/pull/1203
+
+- smtp: Fix STARTTLS denied error message
- Instead we'll continue on to process any trailing encrypted data
- received during the renegotiation only.
+ - Format the numeric denial code as an integer instead of a character.
+
+Daniel Stenberg (11 Jan 2017)
+- http2_send: avoid unsigned integer wrap around
- - Move the err checks in cleanup after the check for decrypted data.
+ ... when checking for a too large request.
+
+Jay Satiro (9 Jan 2017)
+- [Jiri Malak brought this change]
+
+ cmake: Fix passing _WINSOCKAPI_ macro to compiler
- In either case decrypted data is always returned but I think it's easier
- to understand when those err checks come after the decrypted data check.
+ Define _WINSOCKAPI_ blank rather than to 1 in order to match the value
+ used by Microsoft's winsock header files.
- %%
- %% Draft 7
- %%
- - Regardless of len value go directly to cleanup if there is an
- unrecoverable error or a close_notify was already received. Prior to
- this change we only acknowledged those two states if len != 0.
+ Closes https://github.com/curl/curl/pull/1195
+
+Daniel Stenberg (9 Jan 2017)
+- sws: retry send() on EWOULDBLOCK
- - Fix a bug in connection closed behavior: Set the error state in the
- cleanup, because we don't know for sure it's an error until that time.
+ Fixes spurious test 1060 and 1061 failures on OpenBSD, Solaris and more.
- - (Related to above) In the case the connection is closed go "greedy"
- with the decryption to make sure all remaining encrypted data has been
- decrypted even if it is not needed at that time by the caller. This is
- necessary because we can only tell if the connection closed gracefully
- (close_notify) once all encrypted data has been decrypted.
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0009.html
+ Reported-by: Christian Weisgerber
+
+- RELEASE-NOTES: synced with a41e8592d6b3e58
+
+- examples: make the C++ examples follow our code style too
- - Do not renegotiate when an unrecoverable error is pending.
+ At least mostly, not counting // comments.
+
+- [Aulddays brought this change]
+
+ asiohiper: improved socket handling
- %%
- %% Draft 8
- %%
- - Don't show 'server closed the connection' info message twice.
+ libcurl requires CURLMOPT_SOCKETFUNCTION to KEEP watching socket events
+ and notify back. Modify event_cb() to continue watching events when
+ fired.
- - Show an info message if server closed abruptly (missing close_notify).
+ Fixes #1191
+ Closes #1192
+ Fixed-by: Mingliang Zhu
-Daniel Stenberg (16 Jun 2015)
-- [Paul Oliver brought this change]
+- [Jiří Malák brought this change]
- Fix typo in docs
+ lib506: fix build for Open Watcom
- s/curret/current/
-
-- [Viktor Szakats brought this change]
+ Rename symbol lock to locks to not clash with OW CRTL function name.
+
+ Closes #1196
- docs: update URLs
+- ROADMAP: 2017 cleanup
+
+ Removed items already fixed, clarified a few others.
-- RELEASE-NOTES: synced with f29f2cbd00dbe5f
+- COPYING: update the generic copyright year range
-- [Viktor Szakats brought this change]
+- docs/silent: mention --show-error in --silent description
+
+ Reported in #1190
+ Reported-by: Dan Jacobson
- README: use secure protocol for Git repository
+- docs/page-header: mention how to disable the progress meter
+
+ curl.1 is regenerated
+
+ Fixes #1190
-- [Viktor Szakats brought this change]
+Dan Fandrich (7 Jan 2017)
+- wolfssl: display negotiated SSL version and cipher
- HTTP2.md: use SSL/TLS IETF URLs
+- wolfssl: support setting cipher list
-- [Viktor Szakats brought this change]
+Patrick Monnerat (6 Jan 2017)
+- CIPHERS.md: document GSKit ciphers
- LICENSE-MIXING: update URLs
-
- * use SSL/TLS where available
- * follow permanent redirects
+Jay Satiro (5 Jan 2017)
+- [peterpih brought this change]
-- LICENSE-MIXING: refreshed
+ TheArtOfHttpScripting: grammar
-- curl_easy_duphandle: see also *reset
+Nick Zitzmann (3 Jan 2017)
+- darwinssl: --insecure overrides --cacert if both settings are in use
+
+ Fixes #1184
-- rtsp_do: fix DEAD CODE
+Jay Satiro (2 Jan 2017)
+- docs/libcurl: TCP_KEEPALIVE start and interval default to 60
- "At condition p_request, the value of p_request cannot be NULL."
+ Since the TCP keep-alive options were added in 705f0f7 the start and
+ interval default values have been 60, but that wasn't documented.
- Coverity CID 1306668.
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0000.html
+ Reported-by: Praveen Pvs
-- security:choose_mech fix DEAD CODE warning
+Daniel Stenberg (29 Dec 2016)
+- curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
- ... by removing the "do {} while (0)" block.
+ This error code was once introduced when some library was dynamically
+ loaded and a funciton within said library couldn't be found.
+
+- content_encoding: change return code on a failure
- Coverity CID 1306669
+ Failure to decompress is now a write error instead of the weird
+ "function not found".
-- curl.1: netrc is in man section 5
+- page-footer: error 36 is protocol agnostic!
-- curl.1: small format fix
+Jay Satiro (28 Dec 2016)
+- tool_operate: Fix --remote-time incorrect times on Windows
- use \fI-style instead of .BR for references
-
-- urldata: store POST size in state.infilesize too
+ - Use Windows API SetFileTime to set the file time instead of utime.
+
+ Avoid utime on Windows if possible because it may apply a daylight
+ saving time offset to our UTC file time.
- ... to simplify checking when PUT _or_ POST have completed.
+ Bug: https://curl.haxx.se/mail/archive-2016-11/0033.html
+ Reported-by: Tim
- Reported-by: Frank Meier
- Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html
+ Closes https://github.com/curl/curl/pull/1121
-Dan Fandrich (14 Jun 2015)
-- test1530: added http to required features
+Daniel Stenberg (29 Dec 2016)
+- [Max Khon brought this change]
-Jay Satiro (14 Jun 2015)
-- [Drake Arconis brought this change]
+ digest_sspi: copy terminating NUL as well
+
+ Curl_auth_decode_digest_http_message(): copy terminating NUL as later
+ Curl_override_sspi_http_realm() expects a NUL-terminated string.
+
+ Fixes #1180
- build: Fix typo from OpenSSL 1.0.2 version detection fix
+- curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
+
+ Mentioned in #1013
-- [Drake Arconis brought this change]
+- [Kyselgov E.N brought this change]
- build: Properly detect OpenSSL 1.0.2 when using configure
+ cmake: use crypt32.lib when building with OpenSSL on windows
+
+ Reviewed-by: Peter Wu
+ Closes #1149
+ Fixes #1147
-- curl_multi_info_read.3: fix example formatting
+- [Chris Araman brought this change]
-Daniel Stenberg (13 Jun 2015)
-- BINDINGS: there's a new R binding in town!
+ darwinssl: fix CFArrayRef leak
+
+ Reviewed-by: Nick Zitzmann
+ Closes #1173
-- BINDINGS: added the Xojo binding
+- [Chris Araman brought this change]
-Jay Satiro (11 Jun 2015)
-- [Joel Depooter brought this change]
+ darwinssl: fix iOS build
+
+ Reviewed-by: Nick Zitzmann
+ Fixes #1172
- schannel: Add support for optional client certificates
+- curl: remove superfluous include file
- Some servers will request a client certificate, but not require one.
- This change allows libcurl to connect to such servers when using
- schannel as its ssl/tls backend. When a server requests a client
- certificate, libcurl will now continue the handshake without one,
- rather than terminating the handshake. The server can then decide
- if that is acceptable or not. Prior to this change, libcurl would
- terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS
- error.
+ The <netinet/tcp.h> is a leftover from the past when TCP socket options
+ were set in this file. This include causes build issues on AIX 4.3.
+
+ Reported-by: Kim Minjoong
+
+ Closes #1178
-Daniel Stenberg (11 Jun 2015)
-- curl_easy_cleanup.3: provide more SEE ALSO
+- RELEASE-NOTES: synced with a7b38c9dc98481e
-- debug: remove http2 debug leftovers
+- vtls: s/SSLEAY/OPENSSL
+
+ Fixed an old leftover use of the USE_SSLEAY define which would make a
+ socket get removed from the applications sockets to monitor when the
+ multi_socket API was used, leading to timeouts.
+
+ Bug: #1174
+
+- docs/ciphers: link to our own new page about ciphers
+
+ ... as the former ones always go stale!
-- VERSIONS: now using markdown
+- cmdline-opts/page-footer: add three more exit codes
+
+ ... and regenerated curl.1
-- RELEASE-PROCEDURE: remove ascii logo at the top of file
+- formdata: use NULL, not 0, when returning pointers
-- INTERNALS: absorbed docs/LIBCURL-STRUCTS
+- ftp: failure to resolve proxy should return that error code
-- INTERNALS: cat lib/README* >> INTERNALS
+- configure: accept --with-libidn2 instead
- and a conversion to markdown. Removed the lib/README.* files. The idea
- being to move toward having INTERNALS as the one and only "book" of
- internals documentation.
+ ... which the help text already implied since we switched to libidn2
+ from libidn in commit 9c91ec778104ae3b back in October 2016.
- Added a TOC to top of the document.
+ Reported-by: Christian Weisgerber
+ Bug: https://curl.haxx.se/mail/lib-2016-12/0110.html
+
+- test1282: verify the ftp-gss check
-Jay Satiro (8 Jun 2015)
-- openssl: LibreSSL and BoringSSL do not use TLS_client_method
+- ftp-gss: check for init before use
- Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of
- TLS_client_method LibreSSL and BoringSSL didn't and still use
- SSLv23_client_method.
+ To avoid dereferencing a NULL pointer.
- Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009
- Reported-by: asavah@users.noreply.github.com
+ Reported-by: Daniel Romero
-Daniel Stenberg (9 Jun 2015)
-- RELEASE-NOTES: synced with 20ac3458068
-
-- CURLOPT_OPENSOCKETFUNCTION: return error at once
+Jay Satiro (24 Dec 2016)
+- build-wolfssl: Sync config with wolfSSL 3.10
+
+ wolfSSL configure script relevant changes from 3.9 to 3.10:
- When CURL_SOCKET_BAD is returned in the callback, it should be treated
- as an error (CURLE_COULDNT_CONNECT) if no other socket is subsequently
- created when trying to connect to a server.
+ - DES3 no longer enabled by default
+ - Shamir no longer enabled by default
+ - Extended master secret enabled by default
+ - RSA and ECC timing protections enabled by default
- Bug: http://curl.haxx.se/mail/lib-2015-06/0047.html
+ For backwards compatibility I enabled DES3 and ECC shamir config options
+ (ie no change from 3.9), and the other changes are included.
-- fopen.c: fix a few compiler warnings
+- cyassl: use time_t instead of long for timeout
-- [Ville Skyttä brought this change]
+Daniel Stenberg (23 Dec 2016)
+- bump: toward next release
- docs: Spelling fixes
+- http: remove "Curl_http_done: called premature" message
+
+ ... it only confuses people.
-- [Ville Skyttä brought this change]
+- openssl-random: check return code when asking for random
+
+ and fail appropriately if it returns error
- docs: man page indentation and syntax fixes
+- gnutls-random: check return code for failed random
-Linus Nielsen (8 Jun 2015)
-- help: Add --proxy-service-name and --service-name to the --help output
+Version 7.52.1 (22 Dec 2016)
-Jay Satiro (7 Jun 2015)
-- openssl: Fix verification of server-sent legacy intermediates
-
- - Try building a chain using issuers in the trusted store first to avoid
- problems with server-sent legacy intermediates.
+Daniel Stenberg (22 Dec 2016)
+- RELEASE-NOTES: curl 7.52.1
+
+- lib557.c: use a shorter MAXIMIZE representation
- Prior to this change server-sent legacy intermediates with missing
- legacy issuers would cause verification to fail even if the client's CA
- bundle contained a valid replacement for the intermediate and an
- alternate chain could be constructed that would verify successfully.
+ Since several compilers had problems with the previous one
- https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+ Reported-by: Ray Satiro
+ Bug: https://curl.haxx.se/mail/lib-2016-12/0098.html
-Daniel Stenberg (5 Jun 2015)
-- BINDINGS: update several URLs
+- runtests: remove the valgrind parser
- Stop linking to the curl.haxx.se anchor pages, they are usually only
- themselves pointers to the real page so better point there directly
- instead.
+ Old legacy parsing that 1) hid problems for us and 2) probably isn't
+ needed anymore.
+
+- [Kamil Dudka brought this change]
-- BINDINGS: the curl-rust binding
+ randit: store the value in the buffer
-- curl.h: add CURL_HTTP_VERSION_2
+- tests/Makefile: run checksrc on debug builds
- The protocol is named "HTTP/2" after all. It is an alias for the
- existing CURL_HTTP_VERSION_2_0 enum.
+ ... just like we already do in src/ and lib/
-- openssl: removed error string #ifdef
+- lib557: move the "enable LONGLINE" to allow more long lines
- ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
+ This file is riddled with them...
-- openssl: removed USERDATA_IN_PWD_CALLBACK kludge
+- bump: toward next release
+
+Marcel Raad (21 Dec 2016)
+- lib: fix MSVC compiler warnings
- Code for OpenSSL 0.9.4 serves no purpose anymore!
+ Visual C++ complained:
+ warning C4267: '=': conversion from 'size_t' to 'long', possible loss of data
+ warning C4701: potentially uninitialized local variable 'path' used
+
+Version 7.52.0 (20 Dec 2016)
+
+Daniel Stenberg (20 Dec 2016)
+- THANKS: 13 new contributors from 7.52.0
+
+- RELEASE-NOTES: 7.52.0
-- openssl: remove SSL_get_session()-using code
+- ssh: inhibit coverity warning with (void)
- It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or
- later.
+ CID 1397391 (#1 of 1): Unchecked return value (CHECKED_RETURN)
-- openssl: remove dummy callback use from SSL_CTX_set_verify()
+- Curl_recv_has_postponed_data: silence compiler warnings
- The existing callback served no purpose.
+ Follow-up to d00f2a8f2
-- LIBCURL-STRUCTS: clarify for multiplexing
+Jay Satiro (19 Dec 2016)
+- tests: checksrc compliance
-Jay Satiro (3 Jun 2015)
-- cookie: Stop exporting any-domain cookies
+- http_proxy: Fix proxy CONNECT hang on pending data
- Prior to this change any-domain cookies (cookies without a domain that
- are sent to any domain) were exported with domain name "unknown".
+ - Check for pending data before waiting on the socket.
- Bug: https://github.com/bagder/curl/issues/292
+ Bug: https://github.com/curl/curl/issues/1156
+ Reported-by: Adam Langley
-Daniel Stenberg (3 Jun 2015)
-- RELEASE-PROCEDURE: refreshed 'coming dates'
+Daniel Stenberg (19 Dec 2016)
+- cmdline-opts/tlsv1.d: rephrased
-Jay Satiro (2 Jun 2015)
-- curl_setup: Change fopen text macros to use 't' for MSDOS
+- [Dan McNulty brought this change]
+
+ schannel: fix wildcard cert name validation on Win CE
- Bug: https://github.com/bagder/curl/pull/258#issuecomment-107915198
- Reported-by: Gisle Vanem
+ Fixes a few issues in manual wildcard cert name validation in
+ schannel support code for Win32 CE:
+ - when comparing the wildcard name to the hostname, the wildcard
+ character was removed from the cert name and the hostname
+ was checked to see if it ended with the modified cert name.
+ This allowed cert names like *.com to match the connection
+ hostname. This violates recommendations from RFC 6125.
+ - when the wildcard name in the certificate is longer than the
+ connection hostname, a buffer overread of the connection
+ hostname buffer would occur during the comparison of the
+ certificate name and the connection hostname.
-Daniel Stenberg (2 Jun 2015)
-- curl_multi_timeout.3: added example
+- printf: fix floating point buffer overflow issues
+
+ ... and add a bunch of floating point printf tests
-- curl_multi_perform.3: added example
+- config-amigaos.h: (embarrassed) made the line shorter
-- curl_multi_info_read.3: added example
+- config-amigaos.h: fix bug report email reference
-- checksrc: detect fopen() for text without the FOPEN_* macros
-
- Follow-up to e8423f9ce150 with discussionis in
- https://github.com/bagder/curl/pull/258
-
- This check scans for fopen() with a mode string without 'b' present, as
- it may indicate that an FOPEN_* define should rather be used.
+- RELEASE-NOTES: synced with 4517158abfeba
-- curl_getdate.3: update RFC reference
+- CIPHERS.md: backtick the names to show underscores fine
-Jay Satiro (1 Jun 2015)
-- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
-
- - Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
- - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"
+- form-string.d: fix format mistake
- This change is to explicitly specify when we need to read/write text.
- Unfortunately 't' is not part of POSIX fopen so we can't specify it
- directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT.
+ and regenerated curl.1
- Prior to this change we had an issue on Windows if an application that
- uses libcurl overrides the default file mode to binary. The default file
- mode in Windows is normally text mode (translation mode) and that's what
- libcurl expects.
-
- Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
- Reported-by: Orgad Shaneh
+ Reported-by: Gisle Vanem
-Daniel Stenberg (1 Jun 2015)
-- http2-upload.c: use PIPEWAIT for playing HTTP/2 better
+Michael Kaufmann (18 Dec 2016)
+- openssl: simplify expression in Curl_ossl_version
-- http2-download: check for CURLPIPE_MULTIPLEX properly
+- curl_easy_recv: Improve documentation and example program
- Bug: http://curl.haxx.se/mail/lib-2015-06/0001.html
- Reported-by: Rafayel Mkrtchyan
+ Follow-up to 82245ea: Fix the example program sendrecv.c (handle
+ CURLE_AGAIN, handle incomplete send). Improve the documentation
+ for curl_easy_recv() and curl_easy_send().
+
+ Reviewed-by: Frank Meier
+ Assisted-by: Jay Satiro
+
+ See https://github.com/curl/curl/pull/1134
- [Isaac Boukris brought this change]
- HTTP-NTLM: fail auth on connection close instead of looping
+ Curl_getconnectinfo: avoid checking if the connection is closed
+
+ It doesn't benefit us much as the connection could get closed at
+ any time, and also by checking we lose the ability to determine
+ if the socket was closed by reading zero bytes.
+
+ Reported-by: Michael Kaufmann
- Bug: https://github.com/bagder/curl/issues/256
+ Closes https://github.com/curl/curl/pull/1134
-- 5.6 Refuse "downgrade" redirects
+Daniel Stenberg (18 Dec 2016)
+- CIPHERS.md: attempt to document TLS cipher names
+
+ As the official docs seems really hard to keep track of and link to over
+ time
-- README.pingpong: removed
+- curl.1: generated after 6cce4dbf830
-- ROADMAP: remove HTTP/2 multiplexing - its here now
+- cmdline-opts/post30X.d: fix the RFC references
-- HTTP2.md: formatted properly
+- curl.1: regenerated
+
+ Fixed trailing whitespace and numerous formatting glitches
-- HTTP2: moved docs into docs/ and make it markdown
+- cmdline-opts: formatting fixes
-- README.http2: refreshed and added multiplexing info
+- curl_easy_setopt.3: removed CURLOPT_SOCKS_PROXYTYPE
-- dist: add the http2 examples
+- tool_getparam.c: make comments use the up-to-date option names
-- http2 examples: clean up some comments
+- manpage-scan.pl: allow deprecated options to get removed from curl.1
+
+ --krb4, --ftp-ssl and --ftp-ssl-reqd no longer need to be documented in the
+ man page
-- examples: added two programs doing multiplexed HTTP/2
+- cmdline-opts/gen.pl: trim off trailing spaces
-- scripts: moved contributors.sh and contrithanks.sh into subdir
+- cmdline-opts/proxy-tlsuser.d: remove trailing .d
-- RELEASE-NOTES: synced with c005790ff1c0a
+- curl_easy_setopt.3: CURLOPT_PRE_PROXY instead of CURLOPT_SOCKS_PROXY
-- [Daniel Melani brought this change]
+- symbols: removed two, added one
- openssl: typo in comment
+- cmdline-opts: include the man page split up files in the dist
-Jay Satiro (27 May 2015)
-- openssl: Use TLS_client_method for OpenSSL 1.1.0+
+- curl.1: generated with gen.pl
+
+ This is the first time we replace the manually edited curt.1 with the
+ generated one created by gen.pl and the individual option documentation
+ pages.
- SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The
- equivalent is TLS_client_method.
+ Do not edit this file, edit the individual pages and regenerate this
+ output.
- https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557
+ This file will be generated by the build system soon and then removed
+ from git.
-Daniel Stenberg (26 May 2015)
-- FAQ: How do I port libcurl to my OS?
+- cmdline-opts: added some missing info
-Jay Satiro (25 May 2015)
-- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
-
- Document that if Set-Cookie is used without a domain then the cookie is
- sent for any domain and will not be modified.
-
- Bug: http://curl.haxx.se/mail/lib-2015-05/0137.html
- Reported-by: Alexander Dyagilev
+- CURLINFO_SSL_VERIFYRESULT.3: language
-Daniel Stenberg (25 May 2015)
-- [Tatsuhiro Tsujikawa brought this change]
+- HTTPS-PROXY docs: update/polish
- http2: Copy data passed in Curl_http2_switched into HTTP/2 connection buffer
+- cmdline-opts/page-header: mention it is generated
- Previously, after seeing upgrade to HTTP/2, we feed data followed by
- upgrade response headers directly to nghttp2_session_mem_recv() in
- Curl_http2_switched(). But it turns out that passed buffer, mem, is
- part of stream->mem, and callbacks called by
- nghttp2_session_mem_recv() will write stream specific data into
- stream->mem, overwriting input data. This will corrupt input, and
- most likely frame length error is detected by nghttp2 library. The
- fix is first copy the passed data to HTTP/2 connection buffer,
- httpc->inbuf, and call nghttp2_session_mem_recv().
+ ... to avoid people from trying to edit the pending curl.1 version that
+ gets generated by gen.pl
-Jay Satiro (24 May 2015)
-- CURLOPT_COOKIE.3: Explain that the cookies won't be modified
+- preproxy: renamed what was added as SOCKS_PROXY
- The CURLOPT_COOKIE doc says it "sets the cookie header explicitly in the
- outgoing request(s)." However there seems to be some user confusion
- about cookie modification. Document that the cookies set by this option
- are not modified by the cookie engine.
+ CURLOPT_SOCKS_PROXY -> CURLOPT_PRE_PROXY
- Bug: http://curl.haxx.se/mail/lib-2015-05/0115.html
- Reported-by: Alexander Dyagilev
+ Added the corresponding --preroxy command line option. Sets a SOCKS
+ proxy to connect to _before_ connecting to a HTTP(S) proxy.
-- CURLOPT_COOKIELIST.3: Add example
+- curl: normal socks proxies still use CURLOPT_PROXY
+
+ ... the newly introduced CURLOPT_SOCKS_PROXY is special and should be
+ asked for specially. (Needs new code.)
+
+ Unified proxy type to a single variable in the config struct.
-Dan Fandrich (24 May 2015)
-- testcurl.pl: use rel2abs to make the source directory absolute
+- CURLOPT_SOCKS_PROXYTYPE: removed
- This function makes a platform-specific absolute path which uses
- backslashes on Windows. This form works when passing it on the
- command-line, as well as if the source is on another drive.
+ This was added as part of the SOCKS+HTTPS proxy merge but there's no
+ need to support this as we prefer to have the protocol specified as a
+ prefix instead.
-- conncache: fixed memory leak on OOM (torture tests)
+- curl_multi_socket.3: fix typo
-Daniel Stenberg (24 May 2015)
-- perl: remove subdir, not touched in 9 years
+- checksrc: warn for assignments within if() expressions
+
+ ... they're already frowned upon in our source code style guide, this
+ now enforces the rule harder.
-- log2changes.pl: moved to scripts/
+- checksrc: stricter no-space-before-paren enforcement
+
+ In order to make the code style more uniform everywhere
-- [Alessandro Ghedini brought this change]
+- ISSUE_TEMPLATE: try mentioning known bugs/todo in new issue template
- scripts: add zsh.pl for generating zsh completion
+- RELEASE-NOTES: synced with 71a55534fa6
-Dan Fandrich (23 May 2015)
-- test1510: another flaky test
+- [Adam Langley brought this change]
-Daniel Stenberg (22 May 2015)
-- security: fix "Unchecked return value" from sscanf()
+ openssl: don't use OpenSSL's ERR_PACK.
- By (void) prefixing it and adding a comment. Did some minor related
- cleanups.
+ ERR_PACK is an internal detail of OpenSSL. Also, when using it, a
+ function name must be specified which is overly specific: the test will
+ break whenever OpenSSL internally change things so that a different
+ function creates the error.
- Coverity CID 1299423.
+ Closes #1157
-- security: simplify choose_mech
-
- Coverity CID 1299424 identified dead code because of checks that could
- never equal true (if the mechanism's name was NULL).
+Dan Fandrich (5 Dec 2016)
+- test2032: Mark test as flaky
+
+Jay Satiro (3 Dec 2016)
+- [Jeremy Pearson brought this change]
+
+ libcurl-multi.3: typo
- Simplified the function by removing a level of pointers and removing the
- loop and array that weren't used.
+ Closes https://github.com/curl/curl/pull/1153
-- RTSP: catch attempted unsupported requests better
+Dan Fandrich (2 Dec 2016)
+- test1281: added http as a required feature
+
+Daniel Stenberg (2 Dec 2016)
+- curl: support zero-length argument strings in config files
- Replace use of assert with code that properly catches bad input at
- run-time even in non-debug builds.
+ ... like 'user-agent = ""'
- This flaw was sort of detected by Coverity CID 1299425 which claimed the
- "case RTSPREQ_NONE" was dead code.
+ Adjusted test 71 to verify.
-- share_init: fix OOM crash
+- http_proxy: simplify CONNECT response reading
- A failed calloc() would lead to NULL pointer use.
+ Since it now reads responses one byte a time, a loop could be removed
+ and it is no longer limited to get the whole response within 16K, it is
+ now instead only limited to 16K maximum header line lengths.
+
+- tests: fix CONNECT test cases to be more strict
- Coverity CID 1299427.
+ ... as they broke with the cleaned up CONNECT handling
-- parse_proxy: switch off tunneling if non-HTTP proxy
+- CONNECT: read responses one byte at a time
- non-HTTP proxy implies not using CURLOPT_HTTPPROXYTUNNEL
+ ... so that it doesn't read data that is actually coming from the
+ remote. 2xx responses have no body from the proxy, that data is from the
+ peer.
- Bug: http://curl.haxx.se/mail/lib-2015-05/0056.html
- Reported-by: Sean Boudreau
+ Fixes #1132
-- curl: fix potential NULL dereference
+- CONNECT: reject TE or CL in 2xx responses
- Coverity CID 1299428: Dereference after null check (FORWARD_NULL)
-
-- http2: on_frame_recv: return early on stream 0
+ A server MUST NOT send any Transfer-Encoding or Content-Length header
+ fields in a 2xx (Successful) response to CONNECT. (RFC 7231 section
+ 4.3.6)
- Coverity CID 1299426 warned about possible NULL dereference otherwise,
- but that would only ever happen if we get invalid HTTP/2 data with
- frames for stream 0. Avoid this risk by returning early when stream 0 is
- used.
+ Also fixes the three test cases that did this.
-- http: removed self assignment
-
- Follow-up fix from b0143a2a33f0
+- URL parser: reject non-numerical port numbers
- Detected by coverity. CID 1299429
+ Test 1281 added to verify
-- [Tatsuhiro Tsujikawa brought this change]
+Dan Fandrich (30 Nov 2016)
+- runtests: made Servers: output be more consistent by removing OFF
- http2: Make HTTP Upgrade work
-
- This commit just add implicitly opened stream 1 to streams hash.
+- cyassl: fixed typo introduced in 4f8b1774
-Jay Satiro (22 May 2015)
-- strerror: Change SEC_E_ILLEGAL_MESSAGE description
+Michael Kaufmann (30 Nov 2016)
+- CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries properly
- Prior to this change the description for SEC_E_ILLEGAL_MESSAGE was OS
- and language specific, and invariably translated to something not very
- helpful like: "The message received was unexpected or badly formatted."
+ If a port number in a "connect-to" entry does not match, skip this
+ entry instead of connecting to port 0.
- Bug: https://github.com/bagder/curl/issues/267
- Reported-by: Michael Osipov
-
-- telnet: Fix read-callback change for Windows builds
+ If a port number in a "connect-to" entry matches, use this entry
+ and look no further.
- Refer to b0143a2 for more information on the read-callback change.
+ Reported-by: Jay Satiro
+ Assisted-by: Jay Satiro, Daniel Stenberg
+
+ Closes #1148
-Daniel Stenberg (21 May 2015)
-- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy!
+Daniel Stenberg (29 Nov 2016)
+- BUGS: describe bug handling process
-Dan Fandrich (21 May 2015)
-- testcurl.pl: allow source to be in an arbitrary directory
-
- This way, the build directory can be located on an entirely different
- filesystem from the source code (e.g. a tmpfs).
+- RELEASE-NOTES: synced with 19613fb3
-Daniel Stenberg (20 May 2015)
-- read_callback: move to SessionHandle from connectdata
+Jay Satiro (28 Nov 2016)
+- http2: check nghttp2_session_set_local_window_size exists
- With many easy handles using the same connection for multiplexing, it is
- important we store and keep the transfer-oriented stuff in the
- SessionHandle so that callbacks and callback data work fine even when
- many easy handles share the same physical connection.
-
-- http2: show stream IDs in decimal
+ The function only exists since nghttp2 1.12.0.
- It makes them easier to match output from the nghttpd test server.
+ Bug: https://github.com/curl/curl/commit/a4d8888#commitcomment-19985676
+ Reported-by: Michael Kaufmann
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (28 Nov 2016)
+- [Anders Bakken brought this change]
- http2: Faster http2 upload
+ http2: Fix crashes when parent stream gets aborted
- Previously, when we send all given buffer in data_source_callback, we
- return NGHTTP2_ERR_DEFERRED, and nghttp2 library removes this stream
- temporarily for writing. This itself is good. If this is the sole
- stream in the session, nghttp2_session_want_write() returns zero,
- which means that libcurl does not check writeability of the underlying
- socket. This leads to very slow upload, because it seems curl only
- upload 16k something per 1 second. To fix this, if we still have data
- to send, call nghttp2_session_resume_data after nghttp2_session_send.
- This makes nghttp2_session_want_write() returns nonzero (if connection
- window still opens), and as a result, socket writeability is checked,
- and upload speed becomes normal.
+ Closes #1125
-- [Dmitry Eremin-Solenikov brought this change]
+- cmdline-docs: more options converted and fixed
+
+ Now all options are in the new system.
- gtls: don't fail on non-fatal alerts during handshake
+- gen: include footer in mainpage output
+
+Jay Satiro (28 Nov 2016)
+- lib1536: checksrc compliance
+
+Daniel Stenberg (28 Nov 2016)
+- cmdline-opts: more command line options documented
- Stop curl from failing when non-fatal alert is received during
- handshake. This e.g. fixes lots of problems when working with https
- sites through proxies.
+ Moved over to the new format
-- curl_easy_unescape.3: update RFC reference
+- curl: remove --proxy-ssl* options
- Reported-by: bsammon
- Bug: https://github.com/bagder/curl/issues/282
+ There's mostly likely no need to allow setting SSLv2/3 version for HTTPS
+ proxy. Those protocols are insecure by design and deprecated.
+
+- CURLOPT_PROXY_*.3: polished some proxy option man pages
-Jay Satiro (20 May 2015)
-- CURLOPT_POSTFIELDS.3: Mention curl_easy_escape
+Patrick Monnerat (26 Nov 2016)
+- os400: support CURLOPT_PROXY_PINNEDPUBLICKEY
- .. also correct some variable naming in curl_easy_escape.3
+ Also define it in ILE/RPG binding.
+
+Daniel Stenberg (26 Nov 2016)
+- [Okhin Vasilij brought this change]
+
+ curl_version_info: add CURL_VERSION_HTTPS_PROXY
- Bug: https://github.com/bagder/curl/issues/281
- Reported-by: bsammon@users.noreply.github.com
+ Closes #1142
-Daniel Stenberg (19 May 2015)
-- [Brian Prodoehl brought this change]
+- [Frank Gevaerts brought this change]
- openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_arg
+ tests: Add some testcases for recent new features.
- BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl
- and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and
- OpenSSL.
+ Add missing tests for CURLINFO_SCHEME, CURLINFO_PROTOCOL, %{scheme},
+ and %{http_version}
- re #275
+ closes #1143
-Jay Satiro (19 May 2015)
-- curl.1: fix missing space in section --data
+- [Frank Gevaerts brought this change]
-Daniel Stenberg (19 May 2015)
-- transfer: remove erroneous and misleading comment
+ curl_easy_reset: clear info for CULRINFO_PROTOCOL and CURLINFO_SCHEME
-Kamil Dudka (19 May 2015)
-- http: silence compile-time warnings without USE_NGHTTP2
-
- Error: CLANG_WARNING:
- lib/http.c:173:16: warning: Value stored to 'http' during its initialization is never read
+- CURLOPT_PROXY_CAINFO.3: clarify proxy use
+
+- CURLOPT_PROXY_CRLFILE.3: clarify https proxy and availability
+
+- curl_easy_setopt.3: add CURLOPT_PROXY_PINNEDPUBLICKEY
- Error: COMPILER_WARNING:
- lib/http.c: scope_hint: In function ‘http_disconnect’
- lib/http.c:173:16: warning: unused variable ‘http’ [-Wunused-variable]
+ Follow-up to 4f8b17743d7c55a
-Jay Satiro (19 May 2015)
-- transfer: Replace __func__ instances with function name
+- docs: include all opts man pages in dist
- .. also make __func__ replacement in multi.
+ Sorted the lists too.
- Prior to this change debug builds would fail to build if the compiler
- was building pre-c99 and didn't support __func__.
+ ... and include the new ones in the PDF and HTML generation targets
-Daniel Stenberg (19 May 2015)
-- [Viktor Szakats brought this change]
+- [Thomas Glanzmann brought this change]
- build: bump version in default nghttp2 paths
+ HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY
-- INTERNALS: we require nghttp2 1.0.0+ now
+- [Thomas Glanzmann brought this change]
-Jay Satiro (18 May 2015)
-- http: Add some include guards for the new HTTP/2 stuff
+ url: proxy: Use 443 as default port for https proxies
-Daniel Stenberg (18 May 2015)
-- http2: store upload state per stream
-
- Use a curl_off_t for upload left
+- TODO: removed "HTTPS proxy"
-- http2: fix build when NOT h2-enabled
+- [Jan-E brought this change]
-- http2: switch to use Curl_hash_destroy()
+ winbuild: add config option ENABLE_NGHTTP2
- as after 4883f7019d3, the *_clean() function only flushes the hash.
+ Closes #1141
-- curlver: restore LIBCURL_VERSION_NUM defined as a full number
+Jay Satiro (24 Nov 2016)
+- tool_urlglob: Improve sanity check in glob_range
- As it breaks configure, curl-config and test 1023 if not.
-
-- [Anthony Avina brought this change]
-
- hostip: fix unintended destruction of hash table
+ Prior to this change we depended on errno if strtol could not perform a
+ conversion. POSIX says EINVAL *may* be set. Some implementations like
+ Microsoft's will not set it if there's no conversion.
- .. and added unit1602 for hash.c
+ Ref: https://github.com/curl/curl/commit/ee4f7660#commitcomment-19658189
-- curlver: introducing new version number (checking) macros
+- tool_help: Change description for --retry-connrefused
+
+ Ref: https://github.com/curl/curl/pull/1064#issuecomment-260052409
-- runtests.pl: use 'h2c' now, no -14 anymore
+Patrick Monnerat (25 Nov 2016)
+- os400: sync ILE/RPG binding
-- [Tatsuhiro Tsujikawa brought this change]
+Jay Satiro (24 Nov 2016)
+- test1135: Fix curl_easy_duphandle prototype for code style
+
+ Follow-up to dbadaeb which changed the style.
- http2: Ignore if we have stream ID not in hash in on_stream_close
+- x509asn1: Restore the parameter check in Curl_getASN1Element
+
+ - Restore the removed parts of the parameter check.
- We could get stream ID not in the hash in on_stream_close. For
- example, if we decided to reject stream (e.g., PUSH_PROMISE), then we
- don't create stream and store it in hash with its stream ID.
+ Follow-up to 945f60e which altered the parameter check.
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (25 Nov 2016)
+- RELEASE-NOTES: update option counters
+
+- [Frank Gevaerts brought this change]
- Require nghttp2 v1.0.0
+ add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
- This commit requires nghttp2 v1.0.0 to compile, and migrate to v1.0.0,
- and utilize recent version of nghttp2 to simplify the code,
+ Adds access to the effectively used protocol/scheme to both libcurl and
+ curl, both in string and numeric (CURLPROTO_*) form.
- First we use nghttp2_option_set_no_recv_client_magic function to
- detect nghttp2 v1.0.0. That function only exists since v1.0.0.
+ Note that the string form will be uppercase, as it is just the internal
+ string.
- Since nghttp2 v0.7.5, nghttp2 ensures header field ordering, and
- validates received header field. If it found error, RST_STREAM with
- PROTOCOL_ERROR is issued. Since we require v1.0.0, we can utilize
- this feature to simplify libcurl code. This commit does this.
+ As these strings are declared internally as const, and all other strings
+ returned by curl_easy_getinfo() are de-facto const as well, string
+ handling in getinfo.c got const-ified.
- Migration from 0.7 series are done based on nghttp2 migration
- document. For libcurl, we removed the code sending first 24 bytes
- client magic. It is now done by nghttp2 library.
- on_invalid_frame_recv callback signature changed, and is updated
- accordingly.
+ Closes #1137
-- http2: infof length in on_frame_send()
+- RELEASE-NOTES: synced with 63198a4750aeb
-- pipeline: switch some code over to functions
-
- ... to "compartmentalize" a bit and make it easier to change behavior
- when multiplexing is used instead of good old pipelining.
+- curl.1: the new --proxy options ship in 7.52.0
-- symbols-in-versions: add CURLOPT_PIPEWAIT
+- checksrc: move open braces to comply with function declaration style
-- CURLOPT_PIPEWAIT: added
-
- By setting this option to 1 libcurl will wait for a connection to reveal
- if it is possible to pipeline/multiplex on before it continues.
+- checksrc: detect wrongly placed open braces in func declarations
-- Curl_http_readwrite_headers: minor code simplification
+- checksrc: white space edits to comply to stricter checksrc
-- IsPipeliningPossible: fixed for http2
+- checksrc: verify ASTERISKNOSPACE
+
+ Detects (char*) and 'char*foo' uses.
-- http2: bump the h2 buffer size to 32K for speed
+- checksrc: code style: use 'char *name' style
-- http2: remove the stream from the hash in stream_close callback
+- checksrc: add ASTERISKSPACE
- ... and suddenly things work much better!
+ Verifies a 'char *name' style, with no space after the asterisk.
-- http2: if there is paused data, do not clear the drain field
+- openssl: remove dead code
+
+ Coverity CID 1394666
-- http2: rename s/data/pausedata
+- [Okhin Vasilij brought this change]
-- http2: "stream %x" in all outputs to make it easier to search for
+ HTTPS-proxy: fixed mbedtls and polishing
+
+- darwinssl: adopted to the HTTPS proxy changes
+
+ It builds and runs all test cases. No adaptations for actual HTTPS proxy
+ support has been made.
-- http2: Curl_expire() all handles with incoming traffic
+- gtls: fix indent to silence compiler warning
- ... so that they'll get handled next in the multi loop.
+ vtls/gtls.c: In function ‘Curl_gtls_data_pending’:
+ vtls/gtls.c:1429:3: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
+ if(conn->proxy_ssl[connindex].session &&
+ ^~
+ vtls/gtls.c:1433:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
+ return res;
-- http2: don't signal settings change for same values
+- [Thomas Glanzmann brought this change]
-- http2: set default concurrency, fix ConnectionExists for multiplex
+ mbedtls: Fix compile errors
-- bundles: store no/default/pipeline/multiplex
+- [Alex Rousskov brought this change]
+
+ proxy: Support HTTPS proxy and SOCKS+HTTP(s)
- to allow code to act differently on the situation.
+ * HTTPS proxies:
- Also added some more info message for the connection re-use function to
- make it clearer when connections are not re-used.
-
-- http2: lazy init header_recvbuf
+ An HTTPS proxy receives all transactions over an SSL/TLS connection.
+ Once a secure connection with the proxy is established, the user agent
+ uses the proxy as usual, including sending CONNECT requests to instruct
+ the proxy to establish a [usually secure] TCP tunnel with an origin
+ server. HTTPS proxies protect nearly all aspects of user-proxy
+ communications as opposed to HTTP proxies that receive all requests
+ (including CONNECT requests) in vulnerable clear text.
- It makes us use less memory when not doing HTTP/2 and subsequently also
- makes us not have to cleanup HTTP/2 related data when not using HTTP/2!
-
-- http2: separate multiplex/pipelining + cleanup memory leaks
-
-- CURLMOPT_PIPELINE: bit 1 is for multiplexing
+ With HTTPS proxies, it is possible to have two concurrent _nested_
+ SSL/TLS sessions: the "outer" one between the user agent and the proxy
+ and the "inner" one between the user agent and the origin server
+ (through the proxy). This change adds supports for such nested sessions
+ as well.
+
+ A secure connection with a proxy requires its own set of the usual SSL
+ options (their actual descriptions differ and need polishing, see TODO):
+
+ --proxy-cacert FILE CA certificate to verify peer against
+ --proxy-capath DIR CA directory to verify peer against
+ --proxy-cert CERT[:PASSWD] Client certificate file and password
+ --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG)
+ --proxy-ciphers LIST SSL ciphers to use
+ --proxy-crlfile FILE Get a CRL list in PEM format from the file
+ --proxy-insecure Allow connections to proxies with bad certs
+ --proxy-key KEY Private key file name
+ --proxy-key-type TYPE Private key file type (DER/PEM/ENG)
+ --proxy-pass PASS Pass phrase for the private key
+ --proxy-ssl-allow-beast Allow security flaw to improve interop
+ --proxy-sslv2 Use SSLv2
+ --proxy-sslv3 Use SSLv3
+ --proxy-tlsv1 Use TLSv1
+ --proxy-tlsuser USER TLS username
+ --proxy-tlspassword STRING TLS password
+ --proxy-tlsauthtype STRING TLS authentication type (default SRP)
+
+ All --proxy-foo options are independent from their --foo counterparts,
+ except --proxy-crlfile which defaults to --crlfile and --proxy-capath
+ which defaults to --capath.
+
+ Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
+ similar to the existing %{ssl_verify_result} variable.
+
+ Supported backends: OpenSSL, GnuTLS, and NSS.
+
+ * A SOCKS proxy + HTTP/HTTPS proxy combination:
+
+ If both --socks* and --proxy options are given, Curl first connects to
+ the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
+ proxy.
+
+ TODO: Update documentation for the new APIs and --proxy-* options.
+ Look for "Added in 7.XXX" marks.
-- [Tatsuhiro Tsujikawa brought this change]
+Patrick Monnerat (24 Nov 2016)
+- Declare endian read functions argument as a const pointer.
+ This is done for all functions of the form Curl_read[136][624]_[lb]e.
- http2: Fix bug that data to be drained are overwritten by pending "paused" data
+- Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.
+ See CRL-01-006.
-- [Tatsuhiro Tsujikawa brought this change]
+Jay Satiro (22 Nov 2016)
+- url: Fix conn reuse for local ports and interfaces
+
+ - Fix connection reuse for when the proposed new conn 'needle' has a
+ specified local port but does not have a specified device interface.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-11/0137.html
+ Reported-by: bjt3[at]hotmail.com
- http2: Don't call nghttp2_session_mem_recv while it is paused by a stream
+Daniel Stenberg (21 Nov 2016)
+- rand: pass in number of randoms as an unsigned argument
-- [Tatsuhiro Tsujikawa brought this change]
+Jay Satiro (20 Nov 2016)
+- rand: Fix potentially uninitialized result warning
- http2: Read data left in connection buffer after pause
+Marcel Raad (19 Nov 2016)
+- vtls: fix build warnings
+
+ Fix warnings about conversions from long to time_t in openssl.c and
+ schannel.c.
- Previously when we do pause because of out of buffer, we just throw
- away unread data in connection buffer. This just broke protocol
- framing, and I saw occasional FRAME_SIZE_ERROR. This commit fix this
- issue by remembering how much data read, and in the next iteration, we
- process remaining data.
+ Follow-up to de4de4e3c7c
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (18 Nov 2016)
+- [Marcel Raad brought this change]
- http2: Fix streams get stuck
+ lib: fix compiler warnings after de4de4e3c7c
+
+ Visual C++ now complains about implicitly casting time_t (64-bit) to
+ long (32-bit). Fix this by changing some variables from long to time_t,
+ or explicitly casting to long where the public interface would be
+ affected.
- This commit fixes the bug that streams get stuck if stream gets some
- DATA, and stream->closed becomes true at the same time. Previously,
- in this condition, after we processed DATA, we are going to try to
- read data from underlying transport, but there is no data, and gets
- EAGAIN. There was no code path to evaludate stream->closed.
+ Closes #1131
-- http2: store incoming h2 SETTINGS
+Peter Wu (17 Nov 2016)
+- [Isaac Boukris brought this change]
-- pipeline: move function to pipeline.c and make static
+ Don't mix unix domain sockets with regular ones
- ... as it was only used from there.
-
-- IsPipeliningPossible: http2 can always "pipeline" (multiplex)
+ When reusing a connection, make sure the unix domain
+ socket option matches.
-- http2: remove debug logging from on_frame_recv
+Jay Satiro (17 Nov 2016)
+- tests: Fix HTTP2-Settings header for huge window size
+
+ Follow-up to a4d8888. Changing the window size in that commit resulted
+ in a different HTTP2-Settings upgrade header, causing test 1800 to fail.
-- http2: remove the closed check in http2_recv
+- http2: Use huge HTTP/2 windows
- With the "drained" functionality we can get here slightly asynchronously
- so the stream have have been closed but there is pending data left to
- read.
+ - Improve performance by using a huge HTTP/2 window size.
+
+ Bug: https://github.com/curl/curl/issues/1102
+ Reported-by: afrind@users.noreply.github.com
+ Assisted-by: Tatsuhiro Tsujikawa
-- http2: bump the h2 buffer to 8K
+Daniel Stenberg (16 Nov 2016)
+- cmdline-docs: more conversion
-- http2: Curl_read should not use the single buffer
+- gen: support 'protos'
- ... as it does for pipelining when we're multiplexing, as we need the
- different buffers to store incoming data correctly for all streams.
+ and warn on unrecognized lines
-- http2: more debug outputs
+- gen: support 'single' to make an individual page man page
-- http2: leave WAITPERFORM when conn is multiplexed
-
- No need to wait for our "spot" like for pipelining
+- cmdline-docs: more options converted over
-- http2: force "drainage" of streams
+- gen: support 'redirect'
- ... which is necessary since the socket won't be readable but there is
- data waiting in the buffer.
-
-- http2: move the mem+len pair to the stream struct
+ ... and warn for too long --help lines
-- http2: more stream-oriented data, stream ID 0 is for connections
+- cmdline/gen: replace options in texts better
-- http2: move lots of state data to the 'stream' struct
+Jay Satiro (16 Nov 2016)
+- http2: Fix address sanitizer memcpy warning
+
+ - In Curl_http2_switched don't call memcpy when src is NULL.
+
+ Curl_http2_switched can be called like:
+
+ Curl_http2_switched(conn, NULL, 0);
+
+ .. and prior to this change memcpy was then called like:
+
+ memcpy(dest, NULL, 0)
- ... from the connection struct. The stream one being the 'struct HTTP'
- which is kept in the SessionHandle struct (easy handle).
+ .. causing address sanitizer to warn:
- lookup streams for incoming frames in the stream hash, hashing is based
- on the stream id and we get the SessionHandle for the incoming stream
- that way.
+ http2.c:2057:3: runtime error: null pointer passed as argument 2, which
+ is declared to never be null
-- HTTP: partial start at fixing up hash-lookups on http2 frame receival
+- tool_help: Clarify --dump-header only writes received headers
-- http: a stream hash for h2 multiplexing
+- curl.1: Clarify --dump-header only writes received headers
-- http: a stream hash for h2 multiplexing
+Daniel Stenberg (15 Nov 2016)
+- [Alex Chan brought this change]
-- http2: debug log when receiving unexpected stream_id
+ docs: Spelling fixes
-- http2: move stream_id to the HTTP struct (per-stream)
+Kamil Dudka (15 Nov 2016)
+- docs: the next release will be 7.52.0
-- Curl_http2_setup: only do it once and enable multiplex on the server
-
- Once we know we are HTTP/2 enabled we know the server can multiplex.
+Daniel Stenberg (15 Nov 2016)
+- cmdline-opts: support generating the --help output
+
+- [David Schweikert brought this change]
-- http: switch on "pipelining" (multiplexing) for HTTP/2 servers
+ darwinssl: fix SSL client certificate not found on MacOS Sierra
- ... and do not blacklist any.
+ Reviewed-by: Nick Zitzmann
+
+ Closes #1105
-- README.pipelining: removed
+- curl: add --fail-early to help output
+
+ Fixes test 1139 failures
- All the details mentioned here are better documented in man pages
+ Follow-up to f82bbe01c8835
-Dan Fandrich (14 May 2015)
-- build: removed bundles.c from make files
+- glob: fix [a-c] globbing regression
+
+ Brought in ee4f76606cf
- This file was removed in commit fd137786
+ Added test case 1280 to verify
+
+ Reported-by: Dave Reisner
+
+ Bug: https://github.com/curl/curl/commit/ee4f76606cfa4ee068bf28edd37c8dae7e8db317#commitcomment-19823146
-Daniel Stenberg (14 May 2015)
-- Curl_conncache_add_conn: fix memory leak on OOM
+- curl: add --fail-early
+
+ Exit with an error on the first transfer error instead of continuing to
+ do the rest of the URLs.
+
+ Discussion: https://curl.haxx.se/mail/archive-2016-11/0038.html
-- CURLMOPT_MAX_HOST_CONNECTIONS: host = host name + port number
+- Curl_rand: fixed and moved to rand.c
+
+ Now Curl_rand() is made to fail if it cannot get the necessary random
+ level.
+
+ Changed the proto of Curl_rand() slightly to provide a number of ints at
+ once.
+
+ Moved out from vtls, since it isn't a TLS function and vtls provides
+ Curl_ssl_random() for this to use.
+
+ Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
-- conncache: keep bundles on host+port bases, not only host names
+- cmdline-opts: first test version of a new man page generator kit
- Previously we counted all connections to a specific host name and that
- would be used for the CURLMOPT_MAX_HOST_CONNECTIONS check for example,
- while servers on different port numbers are normally considered
- different "origins" on the web and should thus be considered different
- hosts.
+ See MANPAGE.md for the description of how this works. Each command line
+ option is now described in a separate .d file.
-- bundles: merged into conncache.c
+- time_t fix: follow-up to de4de4e3c7c
- All the existing Curl_bundle* functions were only ever used from within
- the conncache.c file, so I moved them over and made them static (and
- removed the Curl_ prefix).
+ Blah, I accidentally wrote size_t instead of time_t for two variables.
+
+ Reported-by: Dave Reisner
-- hostcache: made all host caches use structs, not pointers
+- timeval: prefer time_t to hold seconds instead of long
- This avoids unnecessary dynamic allocs and as this also removed the last
- users of *hash_alloc() and *hash_destroy(), those two functions are now
- removed.
+ ... as long is still 32bit on modern 64bit windows machines, while
+ time_t is generally 64bit.
-- multi: converted socket hash into non-allocated struct
+Dan Fandrich (12 Nov 2016)
+- tests: fixed variable might be clobbered warning
- avoids extra dynamic allocation
+ This stops the compiler from potentially making invalid assumptions
+ about the immutability of sdp and sap across the longjmp boundary.
+
+Daniel Stenberg (12 Nov 2016)
+- RELEASE-NOTES: synced with 346340808c
-- connection cache: avoid Curl_hash_alloc()
+- URL-parser: for file://[host]/ URLs, the [host] must be localhost
- ... by using plain structs instead of pointers for the connection cache,
- we can avoid several dynamic allocations that weren't necessary.
+ Previously, the [host] part was just ignored which made libcurl accept
+ strange URLs misleading users. like "file://etc/passwd" which might've
+ looked like it refers to "/etc/passwd" but is just "/passwd" since the
+ "etc" is an ignored host name.
+
+ Reported-by: Mike Crowe
+ Assisted-by: Kamil Dudka
-- proxy: add newline to info message
+- test558: adapt to 0649433da
-Patrick Monnerat (8 May 2015)
-- FTP: fix dangling conn->ip_addr dereference on verbose EPSV.
+- openssl: make sure to fail in the unlikely event that PRNG seeding fails
-- FTP: Make EPSV use the control IP address rather than the original host.
- This ensures an alternate address is not used.
- Does not apply to proxy tunnel.
+- openssl: avoid unnecessary seeding if already done
+
+ 1.1.0+ does more of this by itself so we can avoid extra processing this
+ way.
-Daniel Stenberg (8 May 2015)
-- [Alessandro Ghedini brought this change]
+- openssl: RAND_status always exists in OpenSSL >= 0.9.7
+
+ and remove RAND_screen from configure since nothing is using that
+ function
- tool_help: fix formatting for --next option
+- Curl_pgrsUpdate: use dedicated function for time passed
-- [Egon Eckert brought this change]
+- realloc: use Curl_saferealloc to avoid common mistakes
+
+ Discussed: https://curl.haxx.se/mail/lib-2016-11/0087.html
- opts: improved the TCP keepalive examples
+- [Daniel Hwang brought this change]
-Jay Satiro (8 May 2015)
-- winbuild: Document the option used to statically link the CRT
+ curl: Add --retry-connrefused
- - Document option RTLIBCFG (runtime library configuration).
+ to consider ECONNREFUSED as a transient error.
- Bug: https://github.com/bagder/curl/issues/254
- Reported-by: Bert Huijben
+ Closes #1064
-- [Orgad Shaneh brought this change]
+- openssl: raise the max_version to 1.3 if asked for
+
+ Now I've managed to negotiate TLS 1.3 with https://enabled.tls13.com/ when
+ using boringssl.
+
+Jay Satiro (9 Nov 2016)
+- vtls: Fail on unrecognized param for CURLOPT_SSLVERSION
+
+ - Fix GnuTLS code for CURL_SSLVERSION_TLSv1_2 that broke when the
+ TLS 1.3 support was added in 6ad3add.
+
+ - Homogenize across code for all backends the error message when TLS 1.3
+ is not available to "<backend>: TLS 1.3 is not yet supported".
+
+ - Return an error when a user-specified ssl version is unrecognized.
+
+ ---
+
+ Prior to this change our code for some of the backends used the
+ 'default' label in the switch statement (ie ver unrecognized) for
+ ssl.version and treated it the same as CURL_SSLVERSION_DEFAULT.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-11/0048.html
+ Reported-by: Kamil Dudka
+
+Daniel Stenberg (9 Nov 2016)
+- [Isaac Boukris brought this change]
- netrc: Read in text mode when cygwin
+ SPNEGO: Fix memory leak when authentication fails
- Use text mode when cygwin to eliminate trailing carriage returns.
+ If SPNEGO fails, cleanup the negotiate handle right away.
- Bug: https://github.com/bagder/curl/pull/258
+ Fixes #1115
+
+ Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+ Reported-by: ashman-p
+
+- CODE_STYLE.md: link to INTERNALS.md correctly
+
+- bump: next version will be 7.52.0
-Patrick Monnerat (5 May 2015)
-- OS400: Add SPNEGO service name options to ILE/RPG binding.
+- RELEASE-NOTES: synced with dfcdaaba371e9a3
-Daniel Stenberg (4 May 2015)
-- curl_multi_info_read.3: fix typo
+- examples/fileupload.c: fclose the file as well
+
+- printf: fix ".*f" handling
+
+ It would always use precision 1 instead of reading it from the argument
+ list as intended.
- Reported-by: Liviu Chircu
+ Reported-by: Ray Satiro
+
+ Bug: #1113
-- MANUAL: language fix
+- curl_formadd.3: *_FILECONTENT and *_FILE need the file to be kept
- Reported-by: Fred Stluka
- Bug: https://github.com/bagder/curl/issues/255
+ Reported-by: Frank Gevaerts
-- [Alessandro Ghedini brought this change]
+Kamil Dudka (7 Nov 2016)
+- nss: silence warning 'SSL_NEXT_PROTO_EARLY_VALUE not handled in switch'
+
+ ... with nss-3.26.0 and newer
+
+ Reported-by: Daniel Stenberg
- gtls: properly retrieve certificate status
+Daniel Stenberg (7 Nov 2016)
+- openssl: initial TLS 1.3 adaptions
- Also print the revocation reason if appropriate.
+ BoringSSL supports TLSv1.3 already, but these changes don't seem to be anough
+ to get it working.
-- OpenSSL: conditional check for SSL3_RT_HEADER
+- ssh: check md5 fingerprints case insensitively (regression)
- The symbol is fairly new.
+ Revert the change from ce8d09483eea but use the new function
Reported-by: Kamil Dudka
+ Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146
-- openssl: skip trace outputs for ssl_ver == 0
+Kamil Dudka (7 Nov 2016)
+- curl: introduce the --tlsv1.3 option to force TLS 1.3
- The OpenSSL trace callback is wonderfully undocumented but given a
- journey in the source code, it seems the cases were ssl_ver is zero
- doesn't follow the same pattern and thus turned out confusing and
- misleading. For now, we skip doing any CURLINFO_TEXT logging on those
- but keep sending them as CURLINFO_SSL_DATA_OUT/IN.
+ Fully implemented with the NSS backend only for now.
- Also, I added direction to the text info and I edited some functions
- slightly.
+ Reviewed-by: Ray Satiro
+
+- vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
+
+ Fully implemented with the NSS backend only for now.
- Bug: https://github.com/bagder/curl/issues/219
- Reported-by: Jay Satiro, Ashish Shukla
+ Reviewed-by: Ray Satiro
-Marc Hoersken (2 May 2015)
-- schannel.c: Small changes
+- nss: map CURL_SSLVERSION_DEFAULT to NSS default
+
+ ... but make sure we use at least TLSv1.0 according to libcurl API
+
+ Reported-by: Cure53
+ Reviewed-by: Ray Satiro
-- schannel.c: Improve code path and readability
+Daniel Stenberg (7 Nov 2016)
+- s/cURL/curl
+
+ We're mostly saying just "curl" in lower case these days so here's a big
+ cleanup to adapt to this reality. A few instances are left as the
+ project could still formally be considered called cURL.
-- schannel.c: Improve error and return code handling upon aa99a63f03
+Jay Satiro (7 Nov 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-- [Chris Araman brought this change]
+ http2: Don't send header fields prohibited by HTTP/2 spec
+
+ Previously, we just ignored "Connection" header field. But HTTP/2
+ specification actually prohibits few more header fields. This commit
+ ignores all of them so that we don't send these bad header fields.
+
+ Bug: https://curl.haxx.se/mail/archive-2016-10/0033.html
+ Reported-by: Ricki Hirner
+
+ Closes https://github.com/curl/curl/pull/1092
- schannel: fix regression in schannel_recv
+Daniel Stenberg (7 Nov 2016)
+- curl.1: explain the SMTP data expected for -T
- https://github.com/bagder/curl/issues/244
+ Fixes #1107
- Commit 145c263 changed the behavior when Curl_read_plain returns
- CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED
- correctly.
+ Reported-by: Adam Piggott
-- Bug born in changes made several days ago 9a91e80.
+Peter Wu (6 Nov 2016)
+- cmake: disable poll for macOS
- Commit: https://github.com/bagder/curl/commit/926cb9f
- Reported-by: Ray Satiro
+ Mirrors the autotools behavior introduced with curl-7_50_3-83-ga34c7ce.
+
+ Fixes #1089
-Daniel Stenberg (30 Apr 2015)
-- [Michael Osipov brought this change]
+Jay Satiro (5 Nov 2016)
+- easy: Initialize info variables on easy init and duphandle
+
+ - Call Curl_initinfo on init and duphandle.
+
+ Prior to this change the statistical and informational variables were
+ simply zeroed by calloc on easy init and duphandle. While zero is the
+ correct default value for almost all info variables, there is one where
+ it isn't (filetime initializes to -1).
+
+ Bug: https://github.com/curl/curl/issues/1103
+ Reported-by: Neal Poole
- configure: remove missing and make it autogenerate
+Daniel Stenberg (5 Nov 2016)
+- [Mauro Rappa brought this change]
+
+ curl -w: added more decimal digits to timing counters
+
+ Now showing microsecond resolution.
- The missing file has not been autogenerated because a temporary fix was
- employed in acinclude.m4 which blocked update. Removed that fix and a recent
- version of missing is copied to build root.
+ Closes #1106
-- [Michael Osipov brought this change]
+Jakub Zakrzewski (4 Nov 2016)
+- dist: add CMakeLists.txt to the tarball
- acinclude.m4: fix test for default CA cert bundle/path
+Daniel Stenberg (4 Nov 2016)
+- mbedtls: fix build with mbedtls versions < 2.4.0
+
+ Regression added in 62a8095e714
+
+ Reported-by: Tony Kelman
- test(1) on HP-UX requires a single equals sign and fails with two.
- Let's use one and make every OS happy.
+ Discussed in #1087
-- CONTRIBUTING.md: remove the sourceforge mention
+- configure: verify that compiler groks -Werror=partial-availability
- Reported-By: Michael Osipov
+ Reported-by: bemoody
+
+ Fixes #1104
+
+- docs: shorten and simplify the top comment in multi-uv.c
+
+ and change URL to use https
-Dan Fandrich (30 Apr 2015)
-- http_negotiate_sspi: added missing data variable
+- [Andrei Sedoi brought this change]
-Daniel Stenberg (30 Apr 2015)
-- [Michael Osipov brought this change]
+ docs: handle CURL_POLL_INOUT in multi-uv example
+
+- [Andrei Sedoi brought this change]
- configure: remove --automake from libtoolize call
+ docs: multi-uv: don't use CURLMsg after cleanup
+
+- [Andrei Sedoi brought this change]
+
+ docs: remove unused variables in multi-uv example
+
+- bump: start working on 7.51.1
+
+- winbuild: remove strcase.obj from curl build
- That option is not mentioned in the man page of libtoolize 2.4.4.19-fda4.
- Moveover, a comment in line 2623 says "--automake is for 1.5 compatibility".
+ Reported-by: Bruce Stephens
- This option is redundant now.
+ Fixes #1098
-- [Viktor Szakats brought this change]
-
- build: update depedency versions, urls, example makefiles
+Dan Fandrich (2 Nov 2016)
+- msvc: removed a straggling reference to strequal.c
- - update default versions of dependencies (except for rare/old platforms)
- - update urls
- - sync examples makefiles with main ones
- - remove line ending space
+ Follow-up to 502acba2
-- [Michael Osipov brought this change]
+Version 7.51.0 (2 Nov 2016)
+
+Daniel Stenberg (2 Nov 2016)
+- THANKS: synced with 7.51.0
- configure: remove autogenerated files by autoconf
+- RELEASE-NOTES: 7.51.0
+
+- ftp_done: don't clobber the passed in error code
- * install-sh is always regenerated
- * mkinstalldirs was already redudant years ago. Automake uses install for
- that. See: http://lists.gnu.org/archive/html/automake/2007-03/msg00015.html
+ Coverity CID 1374359 pointed out the unused result value.
-- [Anders Bakken brought this change]
+- ftp: remove dead code in ftp_done
+
+ Coverity CID 1374358
- curl_multi_add_handle: next is already NULL
+Jay Satiro (1 Nov 2016)
+- generate.bat: Include include/curl in libcurl VS projects
+
+ .. because including those headers helps Visual Studio's Intellisense.
-Jay Satiro (30 Apr 2015)
-- schannel: Fix out of bounds array
+- generate.bat: Remove strcase.[ch] from curl tool VS projects
- Bug born in changes made several days ago 9a91e80.
+ ..because they're no longer needed in the tool build. strcase is still
+ built by the libcurl project and exports curl_str(n)equal which is used
+ by the curl tool.
- Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
- Reported-by: Brian Chrisman
+ Bug: https://github.com/curl/curl/commit/9363f1a#all_commit_comments
-- docs/libcurl: gitignore libcurl-symbols.3
+Daniel Stenberg (2 Nov 2016)
+- metalink: simplify the hex parsing function
- Bug: http://curl.haxx.se/mail/lib-2015-04/0191.html
- Reported-by: Michael Osipov
+ ... and now it avoids using the libcurl toupper() function
-- [Viktor Szakats brought this change]
+Michael Kaufmann (1 Nov 2016)
+- file: fix compiler warning
+
+ follow-up to 46133aa5
- lib/makefile.m32: add arch -m32/-m64 to LDFLAGS
+Dan Fandrich (1 Nov 2016)
+- strcase: fixed Metalink builds by redefining checkprefix()
- This fixes using a multi-target mingw distro to build curl .dll for the
- non-default target.
- (mirroring the same patch present in src/makefile.m32)
+ ...to use the public function curl_strnequal(). This isn't ideal because
+ it adds extra overhead to any internal calls to checkprefix.
+
+ follow-up to 95bd2b3e
+
+Daniel Stenberg (1 Nov 2016)
+- curl.1: typo
-Daniel Stenberg (29 Apr 2015)
-- RELEASE-NOTES: synced with cd39b944afc
+- curl.1: expand on how multiple uses of -o looks
- I've not mentioned the bug fixes that were shipped in 7.42.1 from the
- 7_42 branch.
+ Suggested-by: Dan Jacobson
+ Issue: https://github.com/curl/curl/issues/1097
-- THANKS: merged from the 7.42.1 release
+- tests/util: get a private strncasecompare clone
+
+ ... since the curlx_* code no longer provides one and we don't link
+ libcurl to these test servers.
-- CURLOPT_HEADEROPT: default to separate
+- strcase: make the tool use curl_str[n]equal instead
- Make the HTTP headers separated by default for improved security and
- reduced risk for information leakage.
+ As they are after all part of the public API. Saves space and reduces
+ complexity. Remove the strcase defines from the curlx_ family.
- Bug: http://curl.haxx.se/docs/adv_20150429.html
- Reported-by: Yehezkel Horowitz, Oren Souroujon
+ Suggested-by: Dan Fandrich
+ Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
-Linus Nielsen (28 Apr 2015)
-- docs/libcurl: Corrected a typo in the CURLOPT_PROXY_SERVICE_NAME documentation
+Kamil Dudka (31 Oct 2016)
+- gskit, nss: do not include strequal.h
+
+ follow-up to 811a693b80
-Daniel Stenberg (28 Apr 2015)
-- hash: simplify Curl_str_key_compare()
+Dan Fandrich (31 Oct 2016)
+- strcasecompare: include curl.h in strcase.c
+
+ This should fix the "warning: 'curl_strequal' redeclared without
+ dllimport attribute: previous dllimport ignored" message and subsequent
+ link error on Windows because of the missing CURL_EXTERN on the
+ prototype.
-- dist: ship CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME
+Daniel Stenberg (31 Oct 2016)
+- strcase: fix the remaining rawstr users
-- [Linus Nielsen brought this change]
+- msvc builds: s/rawstr/strcase
+
+ Follow-up to 811a693b
- Negotiate: custom service names for SPNEGO.
+Dan Fandrich (31 Oct 2016)
+- strcasecompare: replaced remaining rawstr.h with strcase.h
- * Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
- * Add new curl options, --proxy-service-name and --service-name.
+ This is a followup to commit 811a693b
-- http2: unify http_conn variable names to 'c'
+Marcel Raad (31 Oct 2016)
+- digest_sspi: fix include
+
+ Fix compile break from 811a693b80
-- ConnectionExists: call it multi-use instead of pipelining
+Dan Fandrich (31 Oct 2016)
+- libauthretry: use the external function curl_strequal
- So that it fits HTTP/2 as well
+ The internal version strcasecompare isn't available outside libcurl
-Kamil Dudka (27 Apr 2015)
-- [Paul Howarth brought this change]
+Daniel Stenberg (31 Oct 2016)
+- RELEASE-NOTES: synced with d14538d2501ef0da
- nss: fix compilation failure with old versions of NSS
+- configure: raise the default minimum version for macos to 10.8
- Bug: http://curl.haxx.se/mail/lib-2015-04/0095.html
+ follow-up to 4f8d0b6f02aa7043. Since the darwinssl code breaks
+ otherwise. If you build without darwinssl 10.5 works fine.
-Daniel Stenberg (27 Apr 2015)
-- sws: init http2 state properly
+- unit1301: keep testing curl_strequal
- It would otherwise cause problems when running tests after 1801 etc.
+ as that is still part of the API, fix from 8fe4bd084412f30
-- curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION
+- ldap: fix include
- ... as it was previouly undocumented what the pointer was.
+ Fix bug from 811a693b80
-- runtests: use a DISABLED.local file too
+- url: remove unconditional idn2.h include
- ... and have git ignore that. Allows for a dev to add tests to ignore in
- local tests and yet don't obstruct a normal git work flow.
+ Mistake brought by 9c91ec778104a
-Marc Hoersken (26 Apr 2015)
-- schannel.c: Fix typo introduced with 3447c973d0
+- curl_strequal: part of public API/ABI, needs to be kept
+
+ These two public functions have been mentioned as deprecated since a
+ very long time but since they are still part of the API and ABI we need
+ to keep them around.
-- schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
+- strcase: s/strequal/strcasecompare
- Reported-by: Brian Chrisman
+ some more follow-ups to 811a693b80
-Daniel Stenberg (26 Apr 2015)
-- schannel: re-indented file to follow curl style better
+- ldap: fix strcase use
- white space changes only
+ follow-up to 811a693b80
+
+- test165: adapted to the libidn2 use and IDNA2008 fix
-- Curl_ossl_init: load builtin modules
+- cookie: replace use of fgets() with custom version
- To have engine modules work, we must tell openssl to load builtin
- modules first.
+ ... that will ignore lines that are too long to fit in the buffer.
- Bug: https://github.com/bagder/curl/pull/206
-
-- configure: follow-up fix for krb5-config
+ CVE-2016-8615
- commit 5b66860652 was incomplete so here's a follow-up fix
+ Bug: https://curl.haxx.se/docs/adv_20161102A.html
+ Reported-by: Cure53
+
+- strcasecompare: all case insensitive string compares ignore locale now
- Reported-by: Dagobert Michelsen
- Bug: https://github.com/bagder/curl/commit/5b668606527613179d0349f21b4ab0df2971e3d2#commitcomment-10473445
+ We had some confusions on when each function was used. We should not act
+ differently on different locales anyway.
-- openssl: fix serial number output
+- strcasecompare: is the new name for strequal()
- The code extracting the cert serial number was broken and didn't display
- it properly.
+ ... to make it less likely that we forget that the function actually
+ does case insentive compares. Also replaced several invokes of the
+ function with a plain strcmp when case sensitivity is not an issue (like
+ comparing with "-").
+
+- ftp: check for previous patch must be case sensitive!
- Bug: https://github.com/bagder/curl/issues/235
- Reported-by: dkjjr89
+ ... otherwise example.com/PATH and example.com/path would be assumed to
+ be the same and they usually aren't!
-- [Grant Pannell brought this change]
+- SSH: check md5 fingerprint case sensitively
- sasl_sspi: Populate domain from the realm in the challenge
+- connectionexists: use case sensitive user/password comparisons
- Without this, SSPI based digest auth was broken.
+ CVE-2016-8616
- Bug: https://github.com/bagder/curl/pull/141.patch
+ Bug: https://curl.haxx.se/docs/adv_20161102B.html
+ Reported-by: Cure53
-Jay Satiro (25 Apr 2015)
-- [Anthony Avina brought this change]
+- base64: check for integer overflow on large input
+
+ CVE-2016-8617
+
+ Bug: https://curl.haxx.se/docs/adv_20161102C.html
+ Reported-by: Cure53
- tool: New option --data-raw to HTTP POST data, '@' allowed.
+- krb5: avoid realloc(0)
- Add new option --data-raw which is almost the same as --data but does
- not have a special interpretation of the @ character.
+ If the requested size is zero, bail out with error instead of doing a
+ realloc() that would cause a double-free: realloc(0) acts as a free()
+ and then there's a second free in the cleanup path.
- Prior to this change there was no (easy) way to pass the @ character as
- the first character in POST data without it being interpreted as a
- special character.
+ CVE-2016-8619
- Bug: https://github.com/bagder/curl/issues/198
- Reported-by: Jens Rantil
+ Bug: https://curl.haxx.se/docs/adv_20161102E.html
+ Reported-by: Cure53
-Dan Fandrich (25 Apr 2015)
-- test2039: fixed line endings that caused a test failure
+- aprintf: detect wrap-around when growing allocation
+
+ On 32bit systems we could otherwise wrap around after 2GB and allocate 0
+ bytes and crash.
+
+ CVE-2016-8618
+
+ Bug: https://curl.haxx.se/docs/adv_20161102D.html
+ Reported-by: Cure53
-Daniel Stenberg (24 Apr 2015)
-- [Viktor Szakats brought this change]
+- range: reject char globs with missing end like '[L-]'
+
+ ... which previously would lead to out of boundary reads.
+
+ Reported-by: Luật Nguyễn
- netrc: add unit tests for 'default' support
+- glob_next_url: make sure to stay within the given output buffer
-- [Viktor Szakats brought this change]
+- range: prevent negative end number in a glob range
+
+ CVE-2016-8620
+
+ Bug: https://curl.haxx.se/docs/adv_20161102F.html
+ Reported-by: Luật Nguyễn
- netrc: support 'default' token
+- parsedate: handle cut off numbers better
+
+ ... and don't read outside of the given buffer!
- The 'default' token has no argument and means to match _any_ domain.
- It must be placed last if there are 'machine <name>' tokens in the same file.
+ CVE-2016-8621
- See full description here:
- https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-File.html
+ bug: https://curl.haxx.se/docs/adv_20161102G.html
+ Reported-by: Luật Nguyễn
-- ROADMAP.md: extended the HTTP/2 section, reformatted
+- escape: avoid using curl_easy_unescape() internally
- Elaborated on several of the remaining HTTP/2 parts and made document
- use a format that ends up nicer on the web page:
- http://curl.haxx.se/dev/roadmap.html
+ Since the internal Curl_urldecode() function has a better API.
-Kamil Dudka (23 Apr 2015)
-- curl -z: do not write empty file on unmet condition
+- unescape: avoid integer overflow
- This commit fixes a regression introduced in curl-7_41_0-186-g261a0fe.
- It also introduces a regression test 1424 based on tests 78 and 1423.
+ CVE-2016-8622
- Reported-by: Viktor Szakats
- Bug: https://github.com/bagder/curl/issues/237
+ Bug: https://curl.haxx.se/docs/adv_20161102H.html
+ Reported-by: Cure53
-Dan Fandrich (23 Apr 2015)
-- tool: fixed a comment typo
+- cookies: getlist() now holds deep copies of all cookies
+
+ Previously it only held references to them, which was reckless as the
+ thread lock was released so the cookies could get modified by other
+ handles that share the same cookie jar over the share interface.
+
+ CVE-2016-8623
+
+ Bug: https://curl.haxx.se/docs/adv_20161102I.html
+ Reported-by: Cure53
-- README: convert to UTF-8
+- TODO: remove IDNA2008
-Jay Satiro (22 Apr 2015)
-- cyassl: Implement public key pinning
+- idn: switch to libidn2 use and IDNA2008 support
- Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
-
-Dan Fandrich (22 Apr 2015)
-- [Alessandro Ghedini brought this change]
+ CVE-2016-8625
+
+ Bug: https://curl.haxx.se/docs/adv_20161102K.html
+ Reported-by: Christian Heimes
- curl.1: fix typo
+- test1246: verify URL parsing with host name ending with '#'
-Kamil Dudka (22 Apr 2015)
-- docs: distribute the CURLOPT_PINNEDPUBLICKEY(3) man page, too
+- urlparse: accept '#' as end of host name
+
+ 'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
+ for the '/' document with the rest of the URL being a fragment.
+
+ CVE-2016-8624
+
+ Bug: https://curl.haxx.se/docs/adv_20161102J.html
+ Reported-by: Fernando Muñoz
-- tests/unit/.gitignore: hide unit1601 and above, too
+Jay Satiro (31 Oct 2016)
+- INTERNALS: better markdown (follow-up)
+
+ - Wrap more words with underscores in backticks.
+
+ Follow-up to 13f4913.
-Daniel Stenberg (22 Apr 2015)
-- connectionexists: follow-up to fd9d3a1ef1f
+Daniel Stenberg (30 Oct 2016)
+- INTERNALS: better markdown
- PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
- enabled.
+ words with underscore need to be within `these`
- Mistake-caught-by: Kamil Dudka
+ Bug: https://github.com/curl/curl-www/issues/19
+ Reported-by : Jay Satiro
-- connectionexists: fix build without NTLM
+Jay Satiro (30 Oct 2016)
+- mk-ca-bundle.vbs: Fix UTF-8 output
+
+ - Change initial message box to mention delay when downloading/parsing.
+
+ Since there is no progress meter it was somewhat unexpected that after
+ choosing a filename nothing appears to happen, when actually the cert
+ data is in the process of being downloaded and parsed.
+
+ - Warn if OpenSSL is not present.
+
+ - Use a UTF-8 stream to make the ca-bundle data.
+
+ - Save the UTF-8 ca-bundle stream as binary so that no BOM is added.
+
+ ---
+
+ This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
+ ANSI due to corrupt UTF-8 output, now fixed.
- Do not access NTLM-specific struct fields when built without NTLM
- enabled!
+ This change completes making the default certificate bundle output of
+ mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
+ should make it easier to review any difference between their output.
- bug: http://curl.haxx.se/?i=231
- Reported-by: Patrick Rapin
+ Ref: https://github.com/curl/curl/pull/1012
-- bump: start working toward 7.43.0
+Daniel Stenberg (28 Oct 2016)
+- BINDINGS: converted to markdown
+
+ To make it render better on the web site, at the price of it becoming
+ slightly less readable as text.
-Kamil Dudka (22 Apr 2015)
-- nss: implement public key pinning for NSS backend
+Jay Satiro (27 Oct 2016)
+- CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
+
+ - Clarify that this option is only for HTTP/1.1 pipelining.
+
+ Bug: https://github.com/curl/curl/issues/1059
+ Reported-by: Jeroen Ooms
- Bug: https://bugzilla.redhat.com/1195771
+ Assisted-by: Daniel Stenberg
-Daniel Stenberg (22 Apr 2015)
-- dist: include {src,lib}/checksrc.whitelist
+Daniel Stenberg (27 Oct 2016)
+- KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
+
+ Closes #927
-Version 7.42.0 (22 Apr 2015)
+- KNOWN_BUGS: c-ares deviates from stock resolver on http://1346569778
+
+ Closes #893
-Daniel Stenberg (22 Apr 2015)
-- RELEASE-NOTES: updated for 7.42.0
+Michael Osipov (27 Oct 2016)
+- configure.in: Fix test syntax
+
+ Some versions of test allow == for equality, but others (such as the HP-UX
+ version) do not. Use a single = for correctness.
+
+ Error output:
+ checking for monotonic clock_gettime... ./configure[20445]: ==: A test command parameter is not valid.
-- THANKS: added contributors from 7.42.0 release notes
+Daniel Stenberg (27 Oct 2016)
+- SECURITY: minor updates
+
+ - we allow the security push up to 48 hours before the release
+
+ - add a mention about possible pre-notifications
+
+ - lower case the 'curl-security' title
-- THANKS-filter: a few more alterations to squash
+- [Andrei Sedoi brought this change]
-- contrithanks.sh: helper script for maintaining THANKS
+ docs: fix req->data in multi-uv example
+
+ Closes #1088
-- http_done: close Negotiate connections when done
+- mbedtls: stop using deprecated include file
- When doing HTTP requests Negotiate authenticated, the entire connnection
- may become authenticated and not just the specific HTTP request which is
- otherwise how HTTP works, as Negotiate can basically use NTLM under the
- hood. curl was not adhering to this fact but would assume that such
- requests would also be authenticated per request.
+ Reported-by: wyattoday
+ Fixes #1087
+
+Kamil Dudka (25 Oct 2016)
+- [Martin Frodl brought this change]
+
+ nss: fix tight loop in non-blocking TLS handhsake over proxy
- CVE-2015-3148
+ ... in case the handshake completes before entering
+ CURLM_STATE_PROTOCONNECT
- Bug: http://curl.haxx.se/docs/adv_20150422B.html
- Reported-by: Isaac Boukris
+ Bug: https://bugzilla.redhat.com/1388162
-- fix_hostname: zero length host name caused -1 index offset
+Jay Satiro (25 Oct 2016)
+- mk-ca-bundle: Update the vbscript version
- If a URL is given with a zero-length host name, like in "http://:80" or
- just ":80", `fix_hostname()` will index the host name pointer with a -1
- offset (as it blindly assumes a non-zero length) and both read and
- assign that address.
+ Bring the VBScript version more in line with the perl version:
- CVE-2015-3144
+ - Change timestamp to UTC.
- Bug: http://curl.haxx.se/docs/adv_20150422D.html
- Reported-by: Hanno Böck
-
-- cookie: cookie parser out of boundary memory access
+ - Change URL retrieval to HTTPS-only by default.
- The internal libcurl function called sanitize_cookie_path() that cleans
- up the path element as given to it from a remote site or when read from
- a file, did not properly validate the input. If given a path that
- consisted of a single double-quote, libcurl would index a newly
- allocated memory area with index -1 and assign a zero to it, thus
- destroying heap memory it wasn't supposed to.
+ - Comment out the options that disabled SSL cert checking by default.
- CVE-2015-3145
+ - Assume OpenSSL is present, get SHA256. And add a flag to toggle it.
- Bug: http://curl.haxx.se/docs/adv_20150422C.html
- Reported-by: Hanno Böck
-
-- ConnectionExists: for NTLM re-use, require credentials to match
+ - Fix cert issuer name output.
- CVE-2015-3143
+ The cert issuer output is now ansi, converted from UTF-8. Prior to this
+ it was corrupt UTF-8. It turns out though we can work with UTF-8 the
+ FSO object that writes ca-bundle can't write UTF-8, so there will have
+ to be some alternative if UTF-8 is needed (like an ADODB.Stream).
- Bug: http://curl.haxx.se/docs/adv_20150422A.html
- Reported-by: Paras Sethia
+ - Disable the certificate text info feature.
+
+ The certificate text info doesn't work properly with any recent OpenSSL.
-Jay Satiro (21 Apr 2015)
-- [byronhe brought this change]
+Daniel Stenberg (24 Oct 2016)
+- TODO: indent code to make it render properly
- openssl: add OPENSSL_NO_SSL3_METHOD check
+- TODO: Remove the generated include file
-Daniel Stenberg (20 Apr 2015)
-- CURLOPT_HEADERFUNCTION.3: match parameter name in synopsis and desc
+- TODO: add "--retry should resume"
- Bug: https://github.com/bagder/curl/issues/229
- Reported-by: bsammon
-
-Kamil Dudka (20 Apr 2015)
-- [Mostyn Bramley-Moore brought this change]
+ See #1084
- configure --with-nss: remove unneeded libs from the fallback
+- mk-ca-bundle.1: document -k
+
+ Brought in 1ad2bdcf110266c. Now does HTTPS by default and needs -k to
+ fall back to plain HTTP.
-Daniel Stenberg (20 Apr 2015)
-- contributors.sh: fix help output, filter out (-prefix from names
+- [Jay Satiro brought this change]
-- RELEASE-NOTES: synced with cc0e7ebc3be0
+ mk-ca-bundle: Change URL retrieval to HTTPS-only by default
+
+ - Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).
+
+ - New option -k to allow URLs other than HTTPS and enable HTTP fallback.
+
+ Prior to this change the default URL retrieval mode was to fall back to
+ HTTP if HTTPS didn't work.
+
+ Reported-by: Gregory Szorc
+
+ Closes #1012
-- [Michael Stapelberg brought this change]
+- RELEASE-NOTES: synced with 50ee3aaf1a9b22d
- CURLMOPT_TIMERFUNCTION.3: Clarify, add an example
+Dan Fandrich (23 Oct 2016)
+- INSTALL.md: Updated minimum file sizes for 7.50.3
-- [Viktor Szakáts brought this change]
+Daniel Stenberg (22 Oct 2016)
+- multi: force connections to get closed in close_all_connections
+
+ Several independent reports on infinite loops hanging in the
+ close_all_connections() function when closing a multi handle, can be
+ fixed by first marking the connection to get closed before calling
+ Curl_disconnect.
+
+ This is more fixing-the-symptom rather than the underlying problem
+ though.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-10/0011.html
+ Bug: https://curl.haxx.se/mail/lib-2016-10/0059.html
+
+ Reported-by: Dan Fandrich, Valentin David, Miloš Ljumović
- vtls/openssl: use https in URLs and a comment typo fixed
+- [Anders Bakken brought this change]
-- curl_version_info.3: fixed the 'protocols' variable type
+ curl_multi_remove_handle: fix a double-free
+
+ In short the easy handle needs to be disconnected from its connection at
+ this point since the connection still is serving other easy handles.
+
+ In our app we can reliably reproduce a crash in our http2 stress test
+ that is fixed by this change. I can't easily reproduce the same test in
+ a small example.
+
+ This is the gdb/asan output:
+
+ ==11785==ERROR: AddressSanitizer: heap-use-after-free on address 0xe9f4fb80 at pc 0x09f41f19 bp 0xf27be688 sp 0xf27be67c
+ READ of size 4 at 0xe9f4fb80 thread T13 (RESOURCE_HTTP)
+ #0 0x9f41f18 in curl_multi_remove_handle /path/to/source/3rdparty/curl/lib/multi.c:666
+
+ 0xe9f4fb80 is located 0 bytes inside of 1128-byte region [0xe9f4fb80,0xe9f4ffe8)
+ freed by thread T13 (RESOURCE_HTTP) here:
+ #0 0xf7b1b5c2 in __interceptor_free /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:45
+ #1 0x9f7862d in conn_free /path/to/source/3rdparty/curl/lib/url.c:2808
+ #2 0x9f78c6a in Curl_disconnect /path/to/source/3rdparty/curl/lib/url.c:2876
+ #3 0x9f41b09 in multi_done /path/to/source/3rdparty/curl/lib/multi.c:615
+ #4 0x9f48017 in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1896
+ #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
+ #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
+ #7 0x9c445e0 in ...
+ #8 0x9c4cf1d in ...
+ #9 0xa2be6b5 in ...
+ #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
+
+ previously allocated by thread T13 (RESOURCE_HTTP) here:
+ #0 0xf7b1ba27 in __interceptor_calloc /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:70
+ #1 0x9f7dfa6 in allocate_conn /path/to/source/3rdparty/curl/lib/url.c:3904
+ #2 0x9f88ca0 in create_conn /path/to/source/3rdparty/curl/lib/url.c:5797
+ #3 0x9f8c928 in Curl_connect /path/to/source/3rdparty/curl/lib/url.c:6438
+ #4 0x9f45a8c in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1411
+ #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
+ #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
+ #7 0x9c445e0 in ...
+ #8 0x9c4cf1d in ...
+ #9 0xa2be6b5 in ...
+ #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
+
+ SUMMARY: AddressSanitizer: heap-use-after-free /path/to/source/3rdparty/curl/lib/multi.c:666 in curl_multi_remove_handle
+ Shadow bytes around the buggy address:
+ 0x3d3e9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
+ 0x3d3e9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ =>0x3d3e9f70:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ ==11785==ABORTING
+
+ Thread 14 "RESOURCE_HTTP" received signal SIGABRT, Aborted.
+ [Switching to Thread 0xf27bfb40 (LWP 12324)]
+ 0xf7fd8be9 in __kernel_vsyscall ()
+ (gdb) bt
+ #0 0xf7fd8be9 in __kernel_vsyscall ()
+ #1 0xf4c7ee89 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
+ #2 0xf4c803e7 in __GI_abort () at abort.c:89
+ #3 0xf7b2ef2e in __sanitizer::Abort () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cc:122
+ #4 0xf7b262fa in __sanitizer::Die () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_common.cc:145
+ #5 0xf7b21ab3 in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0xf27be171, __in_chrg=<optimized out>) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:689
+ #6 0xf7b214a5 in __asan::ReportGenericError (pc=166993689, bp=4068206216, sp=4068206204, addr=3925146496, is_write=false, access_size=4, exp=0, fatal=true) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:1074
+ #7 0xf7b21fce in __asan::__asan_report_load4 (addr=3925146496) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_rtl.cc:129
+ #8 0x09f41f19 in curl_multi_remove_handle (multi=0xf3406080, data=0xde582400) at /path/to/source3rdparty/curl/lib/multi.c:666
+ #9 0x09f6b277 in Curl_close (data=0xde582400) at /path/to/source3rdparty/curl/lib/url.c:415
+ #10 0x09f3354e in curl_easy_cleanup (data=0xde582400) at /path/to/source3rdparty/curl/lib/easy.c:860
+ #11 0x09c6de3f in ...
+ #12 0x09c378c5 in ...
+ #13 0x09c48133 in ...
+ #14 0x09c4d092 in ...
+ #15 0x0a2be6b6 in ...
+ #16 0xf7aa5781 in asan_thread_start (arg=0xf2d22938) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #17 0xf5de52b5 in start_thread (arg=0xf27bfb40) at pthread_create.c:333
+ #18 0xf4d3a16e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:114
+
+ Fixes #1083
+
+- testcurl.1: fix the URL to the autobuild summary
+
+- testcurl.1: update URLs
+
+- INSTALL: converted to markdown => INSTALL.md
+
+ Also heavily edited for content. Removed lots of old cruft that we added
+ like 10+ years ago that is likely incorrect by now.
+
+ Also removed INSTALL.devcpp for same reason.
+
+- [Martin Storsjo brought this change]
+
+ configure: Check for other variants of the -m*os*-version-min flags
- Reported-by: John Marshall
- Bug: https://github.com/bagder/curl/issues/225
+ In addition to -miphoneos-version-min, the same version can be set
+ using -mios-version-min. And for WatchOS and TvOS, there's
+ -mwatchos-version-min and -mtvos-version-min.
-Dan Fandrich (18 Apr 2015)
-- test1423: added missing "file" to server section
-
-Daniel Stenberg (17 Apr 2015)
-- TheArtOfHttpScripting: Multiple URLs + Multiple HTTP methods
+- configure: set min version flags for builds on mac
+
+ This helps building binaries that can work on multiple macOS versions.
- ... and some minor edits
+ Help-by: Martin Storsjö
+
+ Fixes #1069
-- Revert "HTTP: don't abort connections with pending Negotiate authentication"
+- curl_multi_add_handle: set timeouts in closure handles
- This reverts commit 5dc68dd6092a789bb5e0a67a1c1356ba87fdcbc6.
+ The closure handle only ever has default timeouts set. To improve the
+ state somewhat we clone the timeouts from each added handle so that the
+ closure handle always has the same timeouts as the most recently added
+ easy handle.
- Bug: https://github.com/bagder/curl/issues/223
- Reported-by: Michael Osipov
+ Fixes #739
-Jay Satiro (17 Apr 2015)
-- cyassl: Fix include order
+- configure/CURL_CHECK_FUNC_POLL: disable poll completely on mac
- Prior to this change CyaSSL's build options could redefine some generic
- build symbols.
+ ... so that the same libcurl build easier can run on any version.
- http://curl.haxx.se/mail/lib-2015-04/0069.html
+ Follow-up to issue #1057
-Kamil Dudka (17 Apr 2015)
-- configure --with-nss: drop redundant if statement
+- RELEASE-NOTES: synced with f36f8c14551efc6772
-- configure --with-nss=PATH: query pkg-config if available
-
- Bug: https://github.com/bagder/curl/pull/171
+- test14xx: fixed --libcurl output tests again after 8e8afa82cbb
-Daniel Stenberg (17 Apr 2015)
-- parsecfg: do not continue past a zero termination
+- s/cURL/curl
- When a config file line ends without newline, the parsing function could
- continue reading beyond that point in memory.
-
- Reported-by: Hanno Böck
+ The tool was never called cURL, only the project. But even so, we have
+ more and more over time switched to just use lower case.
-Jay Satiro (16 Apr 2015)
-- gitignore: Ignore Windows build output directories
+- polarssl: indented code, removed unused variables
-Daniel Stenberg (15 Apr 2015)
-- RELEASE-NOTES: synced with 1ba6e4c88e0
+- polarssl: reduce #ifdef madness with a macro
-- TODO: 17.9 Choose the name of file in braces for complex URLs
+- polarssl: fix unaligned SSL session-id lock
-- TODO: a little caution that maybe not all ideas are still good
+- Curl_polarsslthreadlock_thread_setup: clear array at init
+
+ ... since if it fails to init the entire array and then tries to clean
+ it up, it would attempt to work on an uninitialized pointer.
-- TODO: 17.8 offer color-coded HTTP header output
+- curl: set INTERLEAVEDATA too
+
+ As otherwise the callback could be called with a NULL pointer when RTSP
+ data is provided.
-- TODO: 17.7 warning when sending binary output to terminal
+- gopher: properly return error for poll failures
-- KNOWN_BUGS: #90 IMAP "SEARCH ALL" truncates output on large boxes
+- select: switch to macros in uppercase
+
+ Curl_select_ready() was the former API that was replaced with
+ Curl_select_check() a while back and the former arg setup was provided
+ with a define (in order to leave existing code unmodified).
+
+ Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most
+ common shortcuts where only one socket is checked. They're also more
+ visibly macros.
-Jay Satiro (14 Apr 2015)
-- cyassl: Add support for TLS extension SNI
+- select: use more proper macro-looking names
+
+ ... so that it becomes more obvious in the code what is what. Also added
+ a typecast for one of the calculations.
-Daniel Stenberg (13 Apr 2015)
-- [Matthew Hall brought this change]
+- Curl_socket_check: add extra check to avoid integer overflow
- gitignore: ignore test-driver file
+- maketgz: make it support "only" generating version info
+
+ ... to allow you to update the local repository with the given version
+ number data.
-- [Matthew Hall brought this change]
+Jay Satiro (17 Oct 2016)
+- url: skip to-be-closed connections when pipelining (follow-up)
+
+ - Change back behavior so that pipelining is considered possible for
+ connections that have not yet reached the protocol level.
+
+ This is a follow-up to e5f0b1a which had changed the behavior of
+ checking if pipelining is possible to ignore connections that had
+ 'bits.close' set. Connections that have not yet reached the protocol
+ level also have that bit set, and we need to consider pipelining
+ possible on those connections.
- vtls_openssl: improve PKCS#12 load failure error message
+Daniel Stenberg (17 Oct 2016)
+- HTTP2: mention the tool's limited support
-- [Matthew Hall brought this change]
+- RELEASE-NOTES: synced with a1a5cd04877fd6fd
- vtls_openssl: fix minor typo in PKCS#12 load routine
+- [David Woodhouse brought this change]
-- [Matthew Hall brought this change]
+ curl: do not set CURLOPT_SSLENGINEDEFAULT automatically
+
+ There were bugs in the PKCS#11 engine, and fixing them triggers bugs in
+ OpenSSL. Just don't get involved; there's no need to be making the
+ engine methods the default anyway.
+
+ https://github.com/OpenSC/libp11/pull/108
+ https://github.com/openssl/openssl/pull/1639
+
+ Merges #1042
- vtls_openssl: improve client certificate load failure error messages
+- KNOWN_BUGS: two more existing problems
-- [Matthew Hall brought this change]
+Marcel Raad (16 Oct 2016)
+- win: fix Universal Windows Platform build
+
+ This fixes a merge error in commit 7f3df80 caused by commit 332e8d6.
+
+ Additionally, this changes Curl_verify_windows_version for Windows App
+ builds to assume to always be running on the target Windows version.
+ There seems to be no way to determine the Windows version from a
+ UWP app. Neither GetVersion(Ex), nor VerifyVersionInfo, nor the
+ Version Helper functions are supported.
+
+ Bug: https://github.com/curl/curl/pull/820#issuecomment-250889878
+ Reported-by: Paul Joyce
+
+ Closes https://github.com/curl/curl/pull/1048
- vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant
+Daniel Stenberg (16 Oct 2016)
+- KNOWN_BUGS: minor formatting edit
-- BUGS: refer to the github issue tracker now as primary
+Jay Satiro (14 Oct 2016)
+- [Rider Linden brought this change]
-- firefox-db2pem: fix wildcard to find Firefox default profile
+ url: skip to-be-closed connections when pipelining
+
+ No longer attempt to use "doomed" to-be-closed connections when
+ pipelining. Prior to this change connections marked for deletion (e.g.
+ timeout) would be erroneously used, resulting in sporadic crashes.
+
+ As originally reported and fixed by Carlo Wood (origin unknown).
- At some point, Firefox has changed and generates different directory
- names for the default profile that made this script fail to find them.
+ Bug: https://github.com/curl/curl/issues/627
+ Reported-by: Rider Linden
- Bug: https://github.com/bagder/curl/issues/207
- Reported-by: sneakyimp
+ Closes https://github.com/curl/curl/pull/1075
+ Participation-by: nopjmp@users.noreply.github.com
-Jay Satiro (11 Apr 2015)
-- cyassl: Include the CyaSSL build config
+Daniel Stenberg (13 Oct 2016)
+- vtls: only re-use session-ids using the same scheme
- CyaSSL >= 2.6.0 may have an options.h that was generated during
- its build by configure.
+ To make it harder to do cross-protocol mistakes
-- build: Generate source prerequisites for Visual Studio in generate.bat
+Jay Satiro (11 Oct 2016)
+- [Torben Dannhauer brought this change]
+
+ dist: add missing cmake modules to the tarball
- Prior to this change Visual Studio builds could fail due to missing
- prerequisites src/tool_hugehelp.c and include/curl/curlbuild.h.
+ Closes https://github.com/curl/curl/pull/1070
+
+Daniel Stenberg (11 Oct 2016)
+- configure: detect the broken poll() in macOS 10.12
- http://curl.haxx.se/mail/lib-2015-04/0034.html
+ Fixes #1057
-Daniel Stenberg (9 Apr 2015)
-- [Viktor Szakats brought this change]
+- dist: remove PDF and HTML converted docs from the releases
- lib/makefile.m32: add missing libs to build libcurl.dll
+- [Remo E brought this change]
+
+ cmake: add nghttp2 support
- Add 'gdi32' and 'crypt32' Windows implibs to avoid failure
- while building libcurl.dll using the mingw compiler.
- The same logic is used in 'src/makefile.m32' when
- building curl.exe.
+ Closes #922
+
+- [Andreas Streichardt brought this change]
-Kamil Dudka (8 Apr 2015)
-- test142[23]: verify that an empty file is stored on success
+ resolve: add error message when resolving using SIGALRM
+
+ Closes #1066
-- src/tool_operate: create output file on successful download
+- GIT-INFO: remove the Mac 10.1-specific details
- ... of an empty file
+ There shouldn't be many devs out there anymore using such outdated macOS
+ versions. And it removes the dead link.
- Bug: https://github.com/bagder/curl/issues/183
+ Closes #1049
-- src/tool_cb_wrt: separate fnc for output file creation
+- RELEASE-NOTES: spellfix
-Daniel Stenberg (7 Apr 2015)
-- [Da-Yoon Chung brought this change]
+- RELEASE-NOTES: synced with 82720490628cb53a
+
+ 5 more fixes, 2 more contributors
- lib/transfer.c: Remove factor of 8 from sleep time calculation
+- [Tobias Stoeckmann brought this change]
+
+ smb: properly check incoming packet boundaries
- The factor of 8 is a bytes-to-bits conversion factor, but pkt_size and
- rate_bps are both in bytes. When using the rate limiting option, curl
- waits 8 times too long, and then transfers very quickly until the
- average rate reaches the limit. The average rate follows the limit over
- time, but the actual traffic is bursty.
+ Not all reply messages were properly checked for their lengths, which
+ made it possible to access uninitialized memory (but this does not lead
+ to out of boundary accesses).
- Thanks-to: Benjamin Gilbert
+ Closes #1052
-- [Jay Satiro brought this change]
+- test557: verify printf() with 128 and 129 arguments
- x509asn1: Silence x64 loss-of-data warning on RSA key length assignment
+- mprintf: return error on too many arguments
- The key length in bits will always fit in an unsigned long so the
- loss-of-data warning assigning the result of x64 pointer arithmetic to
- an unsigned long is unnecessary.
+ 128 arguments should be enough for everyone
-- [Jay Satiro brought this change]
+- ftp: fix Curl_ftpsendf()
+
+ ... it no longer takes printf() arguments since it was only really taken
+ advantage by one user and it was not written and used in a safe
+ way. Thus the 'f' is removed from the function name and the proto is
+ changed.
+
+ Although the current code wouldn't end up in badness, it was a risk that
+ future changes could end up springf()ing too large data or passing in a
+ format string inadvertently.
- cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
+- formpost: avoid silent snprintf() truncation
- Also fix it so that all ERR_error_string calls use an error buffer.
- CyaSSL's implementation of ERR_error_string only writes the error when
- an error buffer is passed.
+ The previous use of snprintf() could make libcurl silently truncate some
+ input data and not report that back on overly large input, which could
+ make data get sent over the network in a bad format.
- http://www.yassl.com/forums/topic599-openssl-compatibility-and-errerrorstring.html
+ Example:
+
+ $ curl --form 'a=b' -H "Content-Type: $(perl -e 'print "A"x4100')"
-- [Jay Satiro brought this change]
+- TODO: build: Enable PIE and RELRO by default
- cyassl: Remove 'Connecting to' message from cyassl_connect_step2
-
- Prior to this change libcurl could show multiple 'CyaSSL: Connecting to'
- messages since cyassl_connect_step2 is called multiple times, typically.
- The message is superfluous even once since libcurl already informs the
- user elsewhere in code that it is connecting.
+- TODO: Support better than MD5 hostkey hash (for ssh)
-- [Viktor Szakats brought this change]
+- [Daniel Gustafsson brought this change]
- checksrc.bat: quotes to support an SRC_DIR with spaces
+ tests: Fix a small typo in the tests README (#1060)
+
+ The subdirectory for logs in tests/ is named log/ without an 's'
+ at the end.
-- hostip: fix compiler warnings
+- TODO: Introduce --fail-fast to exit on first transfer fail
- introduced in the previous mini-series of 3 commits
+ See #1054
+
+- TODO: Leave secure cookies alone
-- [Stefan Bühler brought this change]
+- [Rainer Müller brought this change]
- actually implement CURLOPT_RESOLVE removals
+ CURLOPT_DEBUGFUNCTION.3: unused argument warning (#1056)
- - also log when a CURLOPT_RESOLVE entry couldn't get parsed
+ The 'userp' argument is unused in this example code.
+
+- TODO: TCP Fast Open for windows
+
+- RELEASE-NOTES: synced with 8fd2a754f0de
-- [Stefan Bühler brought this change]
+- CURLOPT_KEEP_SENDING_ON_ERROR.3: mention when it is added
- move Curl_share_lock and ref counting into Curl_fetch_addr
+- memdup: use 'void *' as return and source type
-- [Stefan Bühler brought this change]
+- TODO: Add easy argument to formpost functions
- fix refreshing of obsolete dns cache entries
+- formpost: trying to attach a directory no longer crashes
- - cache entries must be also refreshed when they are in use
- - have the cache count as inuse reference too, freeing timestamp == 0 special
- value
- - use timestamp == 0 for CURLOPT_RESOLVE entries which don't get refreshed
- - remove CURLOPT_RESOLVE special inuse reference (timestamp == 0 will prevent refresh)
- - fix Curl_hostcache_clean - CURLOPT_RESOLVE entries don't have a special
- reference anymore, and it would also release non CURLOPT_RESOLVE references
- - fix locking in Curl_hostcache_clean
- - fix unit1305.c: hash now keeps a reference, need to set inuse = 1
+ The error path would previously add a freed entry to the linked list.
+
+ Reported-by: Toby Peterson
+
+ Fixes #1053
-- RELEASE-NOTES: synced with abf6bddc14a
+- [Sergei Kuzmin brought this change]
-- [Jay Satiro brought this change]
+ cookies: same domain handling changed to match browser behavior
+
+ Cokie with the same domain but different tailmatching property are now
+ considered different and do not replace each other. If header contains
+ following lines then two cookies will be set: Set-Cookie: foo=bar;
+ domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033 Set-Cookie: foo=baz;
+ domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033
+
+ This matches Chrome, Opera, Safari, and Firefox behavior. When sending
+ stored tokens to foo.com Chrome, Opera, Firefox store send them in the
+ stored order, while Safari pre-sort the cookies.
+
+ Closes #1050
- checksrc.bat: Check lib\vtls source
+- [Stephen Brokenshire brought this change]
-- [Jay Satiro brought this change]
+ FAQ: Fix typos in section 5.14 (#1047)
+
+ Type required for YourClass::func C++ function (using size_t in line
+ with the documentation for CURLOPT_WRITEFUNCTION) and missing second
+ colon when specifying the static function for CURLOPT_WRITEFUNCTION.
+
+- [Sebastian Mundry brought this change]
- cyassl: Set minimum protocol version before CTX callback
+ KNOWN_BUGS: Fix typos in section 5.8.
- This change is to allow the user's CTX callback to change the minimum
- protocol version in the CTX without us later overriding it, as we did
- prior to this change.
+ Closes #1046
-- [Jay Satiro brought this change]
+- [mundry brought this change]
+
+ CONTRIBUTE.md: Fix typo in 'About pull requests' section. (#1045)
- build-openssl.bat: Fix mixed line endings
+- curl.1: --trace supports % for sending to stderr!
+
+- KNOWN_BUGS: 5.8 configure finding libs in wrong directory
+
+Dan Fandrich (24 Sep 2016)
+- configure: Fixed builds with libssh2 in a custom location
- Use LF not CRLF, throughout. msysgit will only convert a file to CRLF
- on checkout if it's not mixed.
+ A libssh2 library in the standard system location was being used in
+ preference to the desired one while linking.
-- [Jay Satiro brought this change]
+Daniel Stenberg (23 Sep 2016)
+- SECURITY: remove the top ascii logo
- cyassl: Fix certificate load check
+Michael Kaufmann (22 Sep 2016)
+- New libcurl option to keep sending on error
+
+ Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether
+ sending the request body shall be completed when the server responds
+ early with an error status code.
+
+ This is suitable for manual NTLM authentication.
+
+ Reviewed-by: Jay Satiro
- SSL_CTX_load_verify_locations can return negative values on fail,
- therefore to check for failure we check if load is != 1 (success)
- instead of if load is == 0 (failure), the latter being incorrect given
- that behavior.
+ Closes https://github.com/curl/curl/pull/904
-- [Tatsuhiro Tsujikawa brought this change]
+Kamil Dudka (22 Sep 2016)
+- nss: add chacha20-poly1305 cipher suites if supported by NSS
+
+- nss: add cipher suites using SHA384 if supported by NSS
- http2: Fix missing nghttp2_session_send call in Curl_http2_switched
+- nss: fix typo in ecdhe_rsa_null cipher suite string
+
+ As it seems to be a rarely used cipher suite (for securely established
+ but _unencrypted_ connections), I believe it is fine not to provide an
+ alias for the misspelled variant.
+
+Jay Satiro (21 Sep 2016)
+- docs: Remove that --proto is just used for initial retrieval
+
+ .. and add that --proto-redir and CURLOPT_REDIR_PROTOCOLS do not
+ override protocols denied by --proto and CURLOPT_PROTOCOLS.
- Previously in Curl_http2_switched, we called nghttp2_session_mem_recv to
- parse incoming data which were already received while curl was handling
- upgrade. But we didn't call nghttp2_session_send, and it led to make
- curl not send any response to the received frames. Most likely, we
- received SETTINGS from server at this point, so we missed opportunity to
- send SETTINGS + ACK. This commit adds missing nghttp2_session_send call
- in Curl_http2_switched to fix this issue.
+ - Add a test to enforce: --proto deny must override --proto-redir allow
- Bug: https://github.com/bagder/curl/issues/192
- Reported-by: Stefan Eissing
+ Closes https://github.com/curl/curl/pull/1031
-- cookie: handle spaces after the name in Set-Cookie
+Daniel Stenberg (21 Sep 2016)
+- dist: add CurlSymbolHiding.cmake to the tarball
- "name =value" is fine and the space should just be skipped.
+ Follow-up to 6140dfcf3e784
- Updated test 31 to also test for this.
+ Reported-by: Alexander Sinditskiy
+
+- curl_global_cleanup.3: don't unload the lib with sub threads running
+
+ Discussed in #997
- Bug: https://github.com/bagder/curl/issues/195
- Reported-by: cromestant
- Help-by: Frank Gevaerts
+ Assisted-by: Jay Satiro
-- [Jay Satiro brought this change]
+- MAIL-ETIQUETTE: language
- cyassl: Fix library initialization return value
+Jay Satiro (20 Sep 2016)
+- easy: Reset all statistical session info in curl_easy_reset
- (Curl_cyassl_init)
- - Return 1 on success, 0 in failure.
+ Bug: https://github.com/curl/curl/issues/1017
+ Reported-by: Jeroen Ooms
+
+Daniel Stenberg (19 Sep 2016)
+- RELEASE-NOTES: synced with 79607eec51055
+
+Jay Satiro (19 Sep 2016)
+- [Daniel Gustafsson brought this change]
+
+ darwinssl: Fix typo in comment
- Prior to this change the fail path returned an incorrect value and the
- evaluation to determine whether CyaSSL_Init had succeeded was incorrect.
- Ironically that combined with the way curl_global_init tests SSL library
- initialization (!Curl_ssl_init()) meant that CyaSSL having been
- successfully initialized would be seen as that even though the code path
- and return value in Curl_cyassl_init were wrong.
+ Closes https://github.com/curl/curl/pull/1028
-- [Thomas Ruecker brought this change]
+Daniel Stenberg (19 Sep 2016)
+- [Bernard Spil brought this change]
- CURLOPT_HTTP200ALIASES.3: Mainly SHOUTcast servers use "ICY 200"
+ libressl: fix version output
- Icecast versions 1.3.0 through 1.3.12 would reply with "ICY 200"
- under certain conditions:
+ LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L` for all
+ versions returning `LibreSSL/2.0.0` for any LibreSSL version.
- client_wants_icy_headers (connection_t *con)
- {
- const char *val;
+ This change provides a local OpenSSL_version_num function replacement
+ returning LIBRESSL_VERSION_NUMBER instead.
- if (!con)
- return 1;
+ Closes #1029
+
+- [rugk brought this change]
+
+ TODO: Add PINNEDPUBLICKEY - HPKP compatibility, HSTS & HPKP
- val = get_user_agent (con);
- if (!val || !val[0] || strcmp (val, "(null)") == 0)
- return 1;
+ Closes #1025
+ Closes #1026
+ Closes #1027
+
+- openssl: don't call ERR_remote_thread_state on >= 1.1.0
- if (con->food.client->use_icy)
- return 1;
- if (strncasecmp (val, "winamp", 6) == 0)
- return 1;
- if (strncasecmp (val, "Shoutcast", 9) == 0)
- return 1;
+ Follow-up fix to d9321562
+
+- openssl: don’t call CRYTPO_cleanup_all_ex_data
+
+ The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called
+ multiple times without crashing - and other libs might call it! We
+ basically cannot call it without risking a crash. The function is a
+ no-op since OpenSSL 1.1.0.
- return 0;
- }
+ Not calling this function only risks a small memory leak with OpenSSL <
+ 1.1.0.
- So mainly if there is no 'user agent' or it is '(null)' or contains
- 'winamp' or 'Shoutcast'.
+ Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html
+ Reported-by: Todd Short
+
+- TODO: Support SSLKEYLOGFILE
+
+Jay Satiro (18 Sep 2016)
+- CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
+
+Nick Zitzmann (18 Sep 2016)
+- darwinssl: disable RC4 cipher-suite support
- No mainstream distribution carries Icecast 1.3.x anymore, after all
- it was released in 2002 and superseded by Icecast 2.x.
+ RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
-Dan Fandrich (31 Mar 2015)
-- axtls: add timeout within Curl_axtls_connect
+- configure: change "iOS/Mac OS X native" to "Apple OS native"
- This allows test 405 to pass on axTLS.
+ Since I first wrote that text, Apple introduced tvOS and watchOS, and renamed "Mac OS X" to "macOS." Let's make the text a little more inclusive, since curl can be built for all four operating systems.
-Daniel Stenberg (30 Mar 2015)
-- [Jay Satiro brought this change]
+Jay Satiro (18 Sep 2016)
+- test2048: fix url
- checksrc: Windows-specific input fixes
+- examples/imap-append: Set size of data to be uploaded
- lib/config-win32ce.h
- - Fix whitespace for checksrc compliance.
+ Prior to this commit this example failed with error
+ 'Cannot APPEND with unknown input file size'.
- lib/checksrc.pl
- - Remove trailing carriage returns from input.
+ Bug: https://github.com/curl/curl/issues/1008
+ Reported-by: lukaszgn@users.noreply.github.com
- projects/checksrc.bat
- - Ignore tool_hugehelp.c.
+ Closes https://github.com/curl/curl/pull/1011
-- [Dagobert Michelsen brought this change]
+Daniel Stenberg (16 Sep 2016)
+- [Tony Kelman brought this change]
- configure: Use KRB5CONFIG for krb5-config
+ LICENSE-MIXING.md: update with mbedTLS dual licensing
- Allows the user to easier override its path.
+ Recent versions of mbedTLS are available under either Apache 2.0 or GPL
+ 2.0, see https://tls.mbed.org/how-to-get
- Bug: http://curl.haxx.se/bug/view.cgi?id=1486
+ Closes #1019
-- multi: remove_handle: move pending connections
+- KNOWN_BUGS: chunked-encoded requests with HTTP/2 is fixed
+
+- http2: debug ouput sent HTTP/2 request headers
+
+- http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
- If the handle removed from the multi handle happens to be the one
- "owning" the pipeline other transfers will be waiting indefinitely. Now
- we move such handles back to connect to have them race (again) for
- getting the connection and thus avoid hanging.
+ ... but don't send the actual header over the wire as it isn't accepted.
+ Chunked uploading is still triggered using this method.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1465
- Reported-by: Jiri Dvorak
+ Fixes #1013
+ Fixes #662
-- KNOWN_BUGS: 89 is bug #1411
+- openssl: fix per-thread memory leak usiong 1.0.1 or 1.0.2
+
+ OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
+ so we need to clean it when easy handles are freed, in case the thread
+ will be killed in which the easy handle was used. All OpenSSL code in
+ libcurl should extract the error in association with the error already
+ so clearing this queue here should be harmless at worst.
- Disabling pipelining on multi handle with in-progress pipelined requests
- leads to heap corruption and crash
+ Fixes #964
-- [Jay Satiro brought this change]
+- RELEASE-NOTES: reset and go toward 7.51.0 (again)
+
+Version 7.50.3 (14 Sep 2016)
- cyassl: CTX callback cosmetic changes and doc fix
+Daniel Stenberg (14 Sep 2016)
+- THANKS: updated with curl 7.50.3 contributors
+
+- RELEASE-NOTES: curl 7.50.3
+
+- test1605: verify negative input lengths to (un)escape functions
+
+- curl_easy_unescape: deny negative string lengths as input
- - More descriptive fail message for NO_FILESYSTEM builds.
- - Cosmetic changes.
- - Change more of CURLOPT_SSL_CTX_* doc to not be OpenSSL specific.
+ CVE-2016-7167
+
+ Bug: https://curl.haxx.se/docs/adv_20160914.html
-- RELEASE-NOTES: synced with d2feb71752f
+- curl_easy_escape: deny negative string lengths as input
+
+ CVE-2016-7167
+
+ Bug: https://curl.haxx.se/docs/adv_20160914.html
-Dan Fandrich (28 Mar 2015)
-- tool_operate: only set SSL options if SSL is enabled
+- curl: make --create-dirs on windows grok both forward and backward slashes
+
+ Reported-by: Ryan Scott
+
+ Fixes #1007
-- runtests.pl: detect WolfSSL as yassl
+- RELEASE-NOTES: synced with 665694979b6
-Daniel Stenberg (27 Mar 2015)
-- [Kyle L. Huff brought this change]
+- [Tony Kelman brought this change]
- cyassl: add SSL context callback support for CyaSSL
+ mbedtls: switch off NTLM in build if md4 isn't available
- Adds support for CURLOPT_SSL_CTX_FUNCTION when using CyaSSL, and better
- handles CyaSSL instances using NO_FILESYSTEM.
+ NTLM support with mbedTLS was added in 497e7c9 but requires that mbedTLS
+ is built with the MD4 functions available, which it isn't in default
+ builds. This now adapts if the funtion isn't there and builds libcurl
+ without NTLM support if so.
+
+ Fixes #1004
-- [Kyle L. Huff brought this change]
+Jay Satiro (12 Sep 2016)
+- CODE_STYLE: fix long-line guideline
+
+ - Change maximum allowed line length from 80 to 79.
- cyassl: remove undefined reference to CyaSSL_no_filesystem_verify
+- CODE_STYLE: add column alignment section
- CyaSSL_no_filesystem_verify is not (or no longer) defined by cURL or
- CyaSSL. This reference causes build errors when compiling with
- NO_FILESYSTEM.
+ Note that since the added examples are for column alignment I had to
+ encapsulate with ~~~c markdown to preserve their alignment.
-- [Jay Satiro brought this change]
+Peter Wu (11 Sep 2016)
+- cmake: fix curl-config --static-libs
+
+ The `curl-config --static-libs` command should not output paths like
+ -l/usr/lib/libssl.so, instead print the absolute path without `-l`.
+
+ This also removes the confusing message "Static linking is broken" which
+ was printed because curl-config --static-libs was disfunctional even
+ though the static libcurl.a library works properly.
+
+ Fixes https://github.com/curl/curl/issues/841
- build: Fix libcurl.sln erroneous mixed configurations
+Daniel Stenberg (11 Sep 2016)
+- http: refuse to pass on response body with NO_NODY was set
+
+ ... like when a HTTP/0.9 response comes back without any headers at all
+ and just a body this now prevents that body from being sent to the
+ callback etc.
+
+ Adapted test 1144 to verify.
- Prior to this change some Release configurations had an active
- configuration assignment to their Debug counterpart.
+ Fixes #973
+
+ Assisted-by: Ray Satiro
-- [Jay Satiro brought this change]
+- RELEASE-NOTES: synced with 257bf3ac67eb6
- vtls: Don't accept unknown CURLOPT_SSLVERSION values
+Jakub Zakrzewski (10 Sep 2016)
+- CMake: Don't build unit tests if private symbols are hidden
+
+ This only excludes building unit tests from default build ( 'all' Make
+ target or "Build Solution" in VisualStudio). The projects and Make
+ targets will still be generated and shown in supporting IDEs.
+
+ Fixes https://github.com/curl/curl/issues/981
+ Reported-by: Randy Armstrong
+
+ Closes https://github.com/curl/curl/pull/990
-- [Jay Satiro brought this change]
+- CMake: Try to (un-)hide private library symbols
+
+ Detect support for compiler symbol visibility flags and apply those
+ according to CURL_HIDDEN_SYMBOLS option.
+ It should work true to the autotools build except it tries to unhide
+ symbols on Windows when requested and prints warning if it fails.
+
+ Ref: https://github.com/curl/curl/issues/981#issuecomment-242665951
+ Reported-by: Daniel Stenberg
- url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is defined
+Daniel Stenberg (9 Sep 2016)
+- openssl: fix bad memory free (regression)
+
+ ... by partially reverting f975f06033b1. The allocation could be made by
+ OpenSSL so the free must be made with OPENSSL_free() to avoid problems.
+
+ Reported-by: Harold Stuart
+ Fixes #1005
-- [Paul Howarth brought this change]
+- http2: support > 64bit sized uploads
+
+ ... by making sure we don't count down the "upload left" counter when the
+ uploaded size is unknown and then it can be allowed to continue forever.
+
+ Fixes #996
- build: link curl to openssl libraries when openssl support is enabled
+Jay Satiro (7 Sep 2016)
+- errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
- This fixes a build failure where openssl and libmetalink are used
- together and the system linker does not do implicit linking (e.g.
- Fedora 13 and later releases). The MD5 functions required for
- metalink support must be pulled in from the openssl crypto library.
+ Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
+ more of a generic "failed to parse" introduce an alias without FTP in
+ the name.
- This is similar to commit c6e7cbb94e669b85d3eb8e015ec51d0072112133,
- which fixes the same sort of problem for NSS builds.
+ Closes https://github.com/curl/curl/pull/975
+
+Daniel Stenberg (7 Sep 2016)
+- bump: toward 7.51.0
+
+- HISTORY: remove ascii logo to render nicer on web
+
+- curl: whitelist use of strtok() in non-threaded context
-- multi: on a request completion, check all CONNECT_PEND transfers
+- checksrc: detect strtok() use
- ... even if they don't have an associated connection anymore. It could
- leave the waiting transfers pending with no active one on the
- connection.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1465
- Reported-by: Jiri Dvorak
+ ... as that function slipped through once before.
-- [Emil Lerner brought this change]
+GitHub (7 Sep 2016)
+- [Viktor Szakats brought this change]
- globbing: fix url number calculation when using range with step
+ mk-ca-bundle.pl: use SHA256 instead of SHA1
- In function glob_range, the number of urls was multiplied by (max - min
- + 1), regardless of step. The correct formula is (max - min) / step + 1
+ This hash is used to verify the original downloaded certificate bundle
+ and also included in the generated bundle's comment header. Also
+ rename related internal symbols to algorithm-agnostic names.
-- README.http2: refreshed and added TODO items
+Version 7.50.2 (7 Sep 2016)
-- [Emil Lerner brought this change]
+Daniel Stenberg (7 Sep 2016)
+- RELEASE-NOTES: curl 7.50.2 release
- globbing: fix step parsing for character globbing ranges
-
- The glob_range function used wrong offset (3 instead of 4) for parsing
- integer step inside character range specification, which led to 'bad
- range' error when using character ranges with explicitly specified step
- (such as '[a-z:2]')
+- THANKS: updated for 7.50.2
-- polarssl: called mbedTLS in 1.3.10 and later
+Jay Satiro (6 Sep 2016)
+- [Gaurav Malhotra brought this change]
-- polarssl: remove dead code
-
- and simplify code by changing if-elses to a switch()
+ openssl: fix CURLINFO_SSL_VERIFYRESULT
- CID 1291706: Logically dead code. Execution cannot reach this statement
-
-- polarssl: remove superfluous for(;;) loop
+ CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
+ result when SSL_connect fails because of a certificate verification
+ error.
- "unreachable: Since the loop increment is unreachable, the loop body
- will never execute more than once."
+ This fix saves the result of SSL_get_verify_result so that it is
+ returned by CURLINFO_SSL_VERIFYRESULT.
- Coverity CID 1291707
+ Closes https://github.com/curl/curl/pull/995
-- Curl_ssl_md5sum: return CURLcode
-
- ... since the funciton can fail on OOM. Check this return code.
+Daniel Stenberg (6 Sep 2016)
+- [Daniel Gustafsson brought this change]
+
+ darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
- Coverity CID 1291705.
+ While noErr and errSecSuccess are defined as the same value, the API
+ documentation states that SecPKCS12Import() returns errSecSuccess if
+ there were no errors in importing. Ensure that a future change of the
+ defined value doesn't break (however unlikely) and be consistent with
+ the API docs.
-- [Jay Satiro brought this change]
+- [Daniel Gustafsson brought this change]
+
+ docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)
+
+- [Marcel Raad brought this change]
- cyassl: default to highest possible TLS version
+ openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
- (cyassl_connect_step1)
- - Use TLS 1.0-1.2 by default when available.
+ With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
+ functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
+ replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
+ OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
+ now called OpenSSL_version_num().
- CyaSSL/wolfSSL >= v3.3.0 supports setting a minimum protocol downgrade
- version.
+ [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
+ [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
- cyassl/cyassl@322f79f
+ Closes #992
-- [Jay Satiro brought this change]
+- RELEASE-NOTES: synced with 3d4c0c8b9bc1d
- cyassl: Check for invalid length parameter in Curl_cyassl_random
+- http2: return EOF when done uploading without known size
+
+ Fixes #982
-- [Jay Satiro brought this change]
+- http2: skip the content-length parsing, detect unknown size
- cyassl: If wolfSSL then identify as such in version string
+- http2: minor white space edit
-Dan Fandrich (24 Mar 2015)
-- symbols-in-versions: added CURLOPT_PATH_AS_IS
+- http2: use named define instead of magic constant in read callback
-- testcurl.pl: add the --notes option to supply more info about a build
-
- Support for notes has been in place for a while, but it required
- being added to the setup file manually.
+- [Craig Davison brought this change]
-- curl_memory: make curl_memory.h the second-last header file loaded
+ configure: make the cpp -P detection not clobber CPPFLAGS
- This header file must be included after all header files except
- memdebug.h, as it does similar memory function redefinitions and can be
- similarly affected by conflicting definitions in system or dependent
- library headers.
-
-Daniel Stenberg (24 Mar 2015)
-- openssl: do the OCSP work-around for libressl too
+ CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF.
- I tested with libressl git master now (v2.1.4-27-g34bf96c) and it seems to
- still require the work-around for stapling to work.
+ Fixes #958
+
+- [Olivier Brunel brought this change]
-- openssl: verifystatus: only use the OCSP work-around <= 1.0.2a
+ speed caps: not based on average speeds anymore
+
+ Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
+ CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
+ with the cumulative average speed of the entire transfer; While this
+ might work at times with good/constant connections, in other cases it
+ can result to the limits simply being "ignored" for more than "short
+ bursts" (as told in man page).
+
+ Consider a download that goes on much slower than the limit for some
+ time (because bandwidth is used elsewhere, server is slow, whatever the
+ reason), then once things get better, curl would simply ignore the limit
+ up until the average speed (since the beginning of the transfer) reached
+ the limit. This could prove the limit useless to effectively avoid
+ using the entire bandwidth (at least for quite some time).
- URL: http://curl.haxx.se/mail/lib-2015-03/0205.html
- Reported-by: Alessandro Ghedini
+ So instead, we now use a "moving starting point" as reference, and every
+ time at least as much as the limit as been transferred, we can reset
+ this starting point to the current position. This gets a good limiting
+ effect that applies to the "current speed" with instant reactivity (in
+ case of sudden speed burst).
+
+ Closes #971
-- openssl: adapt to ASN1/X509 things gone opaque in 1.1
+- HISTORY.md: the multi socket was put in the wrong year!
-Dan Fandrich (24 Mar 2015)
-- [Jay Satiro brought this change]
+- [Mark Hamilton brought this change]
- curl_easy_setopt.3: Fix misspelling in CURLOPT_PATH_AS_IS description
+ tool_helpers.c: fix comment typo (#989)
-- [Viktor Szakáts brought this change]
+- [Mark Hamilton brought this change]
- CURLOPT_HTTPHEADER.3: fix typo in recent commit
+ libtest/test.h: fix typo (#988)
-- [Viktor Szakáts brought this change]
+- CURLMOPT_PIPELINING.3: language
- CURLOPT_PATH_AS_IS.3: add type 'long' to prototype
+- CURLMOPT_PIPELINING.3: extended and clarified
+
+ Especially in regards to the multiplexing part.
-- vtls: fix compile with --disable-crypto-auth but with SSL
+Steve Holme (31 Aug 2016)
+- curl_sspi.c: Updated function description comments
- This is a strange combination of options, but is allowed.
+ * Added description to Curl_sspi_free_identity()
+ * Added parameter and return explanations to Curl_sspi_global_init()
+ * Added parameter explaination to Curl_sspi_global_cleanup()
-Patrick Monnerat (24 Mar 2015)
-- os400: define new options in ILE/RPG binding.
+- README: Corrected the supported Visual Studio versions
+
+ Missed from commit 8356022d17.
-Daniel Stenberg (24 Mar 2015)
-- RELEASE-NOTES: synced with f6878609361
+- KNOWN_BUGS: Move the Visual Studio project shortcomings from local README
-- curl_easy_setopt.3: Add CURLOPT_PATH_AS_IS
+- KNOWN_BUGS: Expand 6.4 to include Kerberos V5
+
+ ...and discuss a possible solution.
-- CURLOPT_PATH_AS_IS: added
+Daniel Stenberg (30 Aug 2016)
+- connect: fix #ifdefs for debug versions of conn/streamclose() macros
- --path-as-is is the command line option
+ CURLDEBUG is for the memory debugging
- Added docs in curl.1 and CURLOPT_PATH_AS_IS.3
+ DEBUGBUILD is for the extra debug stuff
- Added test in test 1241
+ Pointed-out-by: Steve Holme
-- [Yamada Yasuharu brought this change]
+- KNOWN_BUGS: mention some cmake "support gaps"
- curl_easy_recv/send: make them work with the multi interface
+Nick Zitzmann (28 Aug 2016)
+- darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
- By making sure Curl_getconnectinfo() uses the correct connection cache
- to find the last connection.
+ In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
-- http2: move the init too for when its actually needed
+Daniel Stenberg (28 Aug 2016)
+- http2: return CURLE_HTTP2_STREAM for unexpected stream close
- ... it would otherwise lead to memory leakage if we never actually do
- the switch.
-
-Dan Fandrich (23 Mar 2015)
-- dict: rename byte to avoid compiler shadowed declaration warning
+ Follow-up to c3e906e9cd0f, seems like a more appropriate error code
- This conflicted with a WolfSSL typedef.
+ Suggested-by: Jay Satiro
-- cyassl: include version.h to ensure the version macros are defined
+- [Tatsuhiro Tsujikawa brought this change]
-- test1513: eliminated race condition in test run
+ http2: handle closed streams when uploading
- It seems that some systems (e.g. fairly consistently in some recent
- Solaris autobuilds) would manage to get to the connect phase before the
- progress callback was called, resulting in a CURLE_COULDNT_CONNECT
- error. Reworked the test to point at a test server that never returns a
- full result so the progress callback always gets a chance to be called
- before the transfer can complete in some other way.
+ Fixes #986
-Nick Zitzmann (21 Mar 2015)
-- darwinsssl: add support for TLS False Start
+- http2: make sure stream errors don't needlessly close the connection
- TLS False Start support requires iOS 7.0 or later, or OS X 10.9 or later.
-
-Daniel Stenberg (21 Mar 2015)
-- gtls: add check of return code
+ With HTTP/2 each transfer is made in an indivial logical stream over the
+ connection, making most previous errors that caused the connection to get
+ forced-closed now instead just kill the stream and not the connection.
- Coverity CID 1291167 pointed out that 'rc' was received but never used when
- gnutls_credentials_set() was used. Added return code check now.
+ Fixes #941
-- gtls: dereferencing NULL pointer
+- Curl_verify_windows_version: minor edit to avoid compiler warnings
- Coverity CID 1291165 pointed out 'chainp' could be dereferenced when
- NULL if gnutls_certificate_get_peers() had previously failed.
+ ... instead of if() before the switch(), add a default to the switch so
+ that the compilers don't warn on "warning: enumeration value
+ 'PLATFORM_DONT_CARE' not handled in switch" anymore.
-- gtls: avoid uninitialized variable.
-
- Coverity CID 1291166 pointed out that we could read this variable
- uninitialized.
+Steve Holme (27 Aug 2016)
+- RELEASE-NOTES: Added missing fix from commit 15592143f
-Dan Fandrich (21 Mar 2015)
-- tests/certs: rebuild certificates with modified key usage bits
+Jay Satiro (26 Aug 2016)
+- schannel: Disable ALPN for Wine since it is causing problems
- The certificates were missing the digitalSignature and keyAgreement
- usage types, of which at least digitalSignature was checked by CyaSSL.
- This caused the test server in test 310 (among others) to fail the
- startup verification and therefore run (see
- http://curl.haxx.se/mail/lib-2014-07/0303.html).
-
-- tests/certs: added make target to rebuild certificates
+ - Disable ALPN on Wine.
- The certificate generation scripts were also updated to better match the
- format of the certificates currently checked in.
-
-Daniel Stenberg (21 Mar 2015)
-- x509asn1: add /* fallthrough */ in switch() case
-
-- x509asn1: minor edit to unconfuse Coverity
+ - Don't pass input secbuffer when ALPN is disabled.
- CID 1202732 warns on the previous use, although I cannot fine any
- problems with it. I'm doing this change only to make the code use a more
- familiar approach to accomplish the same thing.
-
-- [Dagobert Michelsen brought this change]
-
- testcurl: Allow '=' in values given on command line
+ When ALPN support was added a change was made to pass an input secbuffer
+ to initialize the context. When ALPN is enabled the buffer contains the
+ ALPN information, and when it's disabled the buffer is empty. In either
+ case this input buffer caused problems with Wine and connections would
+ not complete.
+
+ Bug: https://github.com/curl/curl/issues/983
+ Reported-by: Christian Fillion
-- nss: error: unused variable 'connssl'
+Kamil Dudka (26 Aug 2016)
+- [Peter Wang brought this change]
-Dan Fandrich (21 Mar 2015)
-- test938: added missing closing tags
+ nss: work around race condition in PK11_FindSlotByName()
+
+ Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
+ a multi-threaded environment. The underlying cause is a race condition
+ in nssSlot_IsTokenPresent().
+
+ Bug: https://bugzilla.mozilla.org/1297397
+
+ Closes #985
-- cyassl: use new library version macro when available
+- nss: refuse previously loaded certificate from file
+
+ ... when we are not asked to use a certificate from file
-Kamil Dudka (20 Mar 2015)
-- [Alessandro Ghedini brought this change]
+Daniel Stenberg (26 Aug 2016)
+- ftp_done: remove dead code
- curl: add --false-start option
+- TLS: random file/egd doesn't have to match for conn reuse
-- [Alessandro Ghedini brought this change]
+- test161: add comment for the exit code
- nss: add support for TLS False Start
+Dan Fandrich (26 Aug 2016)
+- test219: Add http as a required feature
-- [Alessandro Ghedini brought this change]
+Daniel Stenberg (25 Aug 2016)
+- [Michael Kaufmann brought this change]
- url: add CURLOPT_SSL_FALSESTART option
+ HTTP: stop parsing headers when switching to unknown protocols
- This option can be used to enable/disable TLS False Start defined in the RFC
- draft-bmoeller-tls-falsestart.
-
-Patrick Monnerat (20 Mar 2015)
-- [Alessandro Ghedini brought this change]
-
- gtls: implement CURLOPT_CERTINFO
+ - unknown protocols probably won't send more headers (e.g. WebSocket)
+ - improved comments and moved them to the correct case statements
+
+ Closes #899
-Daniel Stenberg (20 Mar 2015)
-- [Alessandro Ghedini brought this change]
+- openssl: make build with 1.1.0 again
+
+ synced with OpenSSL git master commit cc06906707
- openssl: try to avoid accessing OCSP structs when possible
+- INTERNALS: fix title
-- CURLOPT_URL.3: spelling!
+- configure: detect zlib with our pkg-config macros
- Reported-by: Frank Gevaerts
+ ... instead of relying on the pkg-config autoconf macros to be present.
+
+ Fixes #972 (again...)
-- CURLOPT_URL.3: Added "SECURITY CONCERNS"
+Jay Satiro (25 Aug 2016)
+- http2: Remove incorrect comments
+
+ .. also remove same from scp
-- CURLOPT_HTTPHEADER.3: add a "SECURITY CONCERNS" section
+Daniel Stenberg (23 Aug 2016)
+- [Ales Novak brought this change]
-Dan Fandrich (19 Mar 2015)
-- cyassl: detect the library as renamed wolfssl
+ ftp: fix wrong poll on the secondary socket
- This change was made in CyaSSL/WolfSSL ver. 3.4.0
-
-Daniel Stenberg (19 Mar 2015)
-- HTTP: don't switch to HTTP/2 from 1.1 until we get the 101
+ When we're uploading using FTP and the server issues a tiny pause
+ between opening the connection to the client's secondary socket, the
+ client's initial poll() times out, which leads to second poll() which
+ does not wait for POLLIN on the secondary socket. So that poll() also
+ has to time out, creating a long (200ms) pause.
+
+ This patch adds the correct flag to the secondary socket, making the
+ second poll() correctly wait for the connection there too.
- We prematurely changed protocol handler to HTTP/2 which made things very
- slow (and wrong).
+ Signed-off-by: Ales Novak <alnovak@suse.cz>
- Reported-by: Stefan Eissing
- Bug: https://github.com/bagder/curl/issues/169
+ Closes #978
-Dan Fandrich (19 Mar 2015)
-- axtls: version 1.5.2 now requires that config.h be manually included
+- RELEASE-NOTES: synced with 95ded2c56
-Daniel Stenberg (19 Mar 2015)
-- metalink: fix resource leak in OOM
+- configure: make it work without PKG_CHECK_MODULES
- Coverity CID 1288826
-
-Dan Fandrich (18 Mar 2015)
-- docs/libcurl: clean up libcurl-symbols.3
+ With commit c2f9b78 we added a new dependency on pkg-config for
+ developers which may be unwanted. This change make the configure script
+ still work as before if pkg-config isn't installed, it'll just use the
+ old zlib detection logic without pkg-config.
+
+ Reported-by: Marc Hörsken
+
+ Fixes #972
-- docs/libcurl: check that all options with man pages are referenced
+Marc Hoersken (21 Aug 2016)
+- Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6"
+
+ This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554.
- If a man page exists in the opts/ directory, it must also be referenced
- either in curl_easy_setopt.3 or curl_multi_setopt.3
+ As discussed in #835 SOCKS5 supports IPv6 proxies and destinations.
-- curl_easy_setopt.3: added a few missing options
+Daniel Stenberg (21 Aug 2016)
+- [Marco Deckel brought this change]
-Kamil Dudka (18 Mar 2015)
-- nss: explicitly tell NSS to disable NPN/ALPN
+ win: Basic support for Universal Windows Platform apps
- ... if disabled at libcurl level. Otherwise, we would allow to
- negotiate NPN despite curl was invoked with the --no-npn option.
-
-Daniel Stenberg (18 Mar 2015)
-- [Jay Satiro brought this change]
+ Closes #820
- mkhelp: Remove trailing carriage return from every line of input
+Steve Holme (21 Aug 2016)
+- sasl: Don't use GSSAPI authentication when domain name not specified
- - Get rid of this flood of warnings in Windows mingw build:
- warning: missing terminating " character
+ Only choose the GSSAPI authentication mechanism when the user name
+ contains a Windows domain name or the user is a valid UPN.
- The warning is due to the carriage return. When msysgit checks out files
- from the repo by default it converts the line endings to CRLF. Prior to
- this change when mkhelp.pl processed the MANUAL and curl.1 in CRLF
- format the trailing carriage returns caused unnecessary CR in the
- output.
-
-- RELEASE-NOTES: synced with e539f01567
+ Fixes #718
-- [Christian Weisgerber brought this change]
+- vauth: Added check for supported SSPI based authentication mechanisms
+
+ Completing commit 00417fd66c and 2708d4259b.
- docs/libcurl: make portability fix
+- http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
- Using $< in a non-suffix rule context is a GNU make idiom. This bug was
- introduced in 7.41.0.
+ From commit 2708d4259b.
-Dan Fandrich (17 Mar 2015)
-- checksrc: Fix whitelist on out-of-tree builds
+Marc Hoersken (20 Aug 2016)
+- socks.c: display the hostname returned by the SOCKS5 proxy server
+
+ Instead of displaying the requested hostname the one returned
+ by the SOCKS5 proxy server is used in case of connection error.
+ The requested hostname is displayed earlier in the connection sequence.
+
+ The upper-value of the port is moved to a temporary variable and
+ replaced with a 0-byte to make sure the hostname is 0-terminated.
-Daniel Stenberg (17 Mar 2015)
-- [Stefan Bühler brought this change]
+Steve Holme (20 Aug 2016)
+- urldata.h: Corrected comment for httpcode which is also populated by SMTP
+
+ As of 7.25.0 and commit 5430007222.
- Curl_sh_entry: remove unused 'timestamp'
+Marc Hoersken (20 Aug 2016)
+- socks.c: use Curl_printable_address in SOCKS5 connection sequence
+
+ Replace custom string formatting with Curl_printable_address.
+ Add additional debug and error output in case of failures.
-- HTTP: don't use Expect: headers when on HTTP/2
+- socks.c: align SOCKS4 connection sequence with SOCKS5
- Reported-by: Stefan Eissing
- Bug: https://github.com/bagder/curl/issues/169
+ Calling sscanf is not required since the raw IPv4 address is
+ available and the protocol can be detected using ai_family.
-- checksrc: detect and remove space before trailing semicolons
+Steve Holme (20 Aug 2016)
+- http.c: Corrected indentation change from commit 2708d4259b
+
+ Made by Visual Studio's auto-correct feature and missed by me in my own
+ code reviews!
-- checksrc: introduce a whitelisting concept
+- http: Added calls to Curl_auth_is_<mechansism>_supported()
+
+ Hooked up the HTTP authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
+
+ As per commit 00417fd66c existing functionality is maintained for now.
-- checksrc: use space after comma
+Marc Hoersken (20 Aug 2016)
+- socks.c: improve verbose output of SOCKS5 connection sequence
-- checksrc: use space before paren in "return (expr);"
+- configure.ac: add missing quotes to PKG_CHECK_MODULES
-- CONTRIBUTE: refer to git log instead of deprecated CHANGES file
+Steve Holme (20 Aug 2016)
+- sasl: Added calls to Curl_auth_is_<mechansism>_supported()
+
+ Hooked up the SASL authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
+
+ For now existing functionality is maintained.
-- CURLOPT_*.3: more examples and edits
+Daniel Stenberg (19 Aug 2016)
+- [Miroslav Franc brought this change]
-- CURLOPT_*.3: added lots of small example sections
+ spnego_sspi: fix memory leak in case *outlen is zero (#970)
-- CURLOPT_PRIVATE.3: provide an example
+- CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex
-- CURLOPT_*TIMEOUT.3: provide examples
+Steve Holme (18 Aug 2016)
+- vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
+
+ As Windows SSPI authentication calls fail when a particular mechanism
+ isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
+ and Negotiate to allow both HTTP and SASL authentication the opportunity
+ to query support for a supported mechanism before selecting it.
+
+ For now each function returns TRUE to maintain compatability with the
+ existing code when called.
-- CURLOPT_USERAGENT.3: added an example
+Daniel Stenberg (18 Aug 2016)
+- test1144: verify HEAD with body-only response
-- CURLOPT_STDERR.3: added an example
+Steve Holme (17 Aug 2016)
+- RELEASE-PROCEDURE: Added some more future release dates
+
+ ...and removed some old ones
-- curl_easy_perform.3: remove superfluous close brace from example
+Daniel Stenberg (17 Aug 2016)
+- [David Woodhouse brought this change]
-- free: instead of Curl_safefree()
+ curl: allow "pkcs11:" prefix for client certificates
- Since we just started make use of free(NULL) in order to simplify code,
- this change takes it a step further and:
+ RFC7512 provides a standard method to reference certificates in PKCS#11
+ tokens, by means of a URI starting 'pkcs11:'.
- - converts lots of Curl_safefree() calls to good old free()
- - makes Curl_safefree() not check the pointer before free()
+ We're working on fixing various applications so that whenever they would
+ have been able to use certificates from a file, users can simply insert
+ a PKCS#11 URI instead and expect it to work. This expectation is now a
+ part of the Fedora packaging guidelines, for example.
- The (new) rule of thumb is: if you really want a function call that
- frees a pointer and then assigns it to NULL, then use Curl_safefree().
- But we will prefer just using free() from now on.
-
-- [Markus Elfring brought this change]
-
- Bug #149: Deletion of unnecessary checks before a few calls of cURL functions
+ This doesn't work with cURL because of the way that the colon is used
+ to separate the certificate argument from the passphrase. So instead of
- The following functions return immediately if a null pointer was passed.
- * Curl_cookie_cleanup
- * curl_formfree
+ curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
- It is therefore not needed that a function caller repeats a corresponding check.
+ I instead need to invoke cURL with the colon escaped, like this:
- This issue was fixed by using the software Coccinelle 1.0.0-rc24.
+ curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
- Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
-
-- [Markus Elfring brought this change]
-
- Bug #149: Deletion of unnecessary checks before calls of the function "free"
+ This is suboptimal because we want *consistency* — the URI should be
+ usable in place of a filename anywhere, without having strange
+ differences for different applications.
- The function "free" is documented in the way that no action shall occur for
- a passed null pointer. It is therefore not needed that a function caller
- repeats a corresponding check.
- http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first
+ This patch therefore disables the processing in parse_cert_parameter()
+ when the string starts with 'pkcs11:'. It means you can't pass a
+ passphrase with an unescaped PKCS#11 URI, but there's no need to do so
+ because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
+ the URI itself.
- This issue was fixed by using the software Coccinelle 1.0.0-rc24.
+ Also, if users are already using RFC7512 URIs with the colon escaped as
+ in the above example — even providing a passphrase for cURL to handling
+ instead of using a pin-value attribute, that will continue to work
+ because their string will start 'pkcs11\:' and won't match the check.
- Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+ What *does* break with this patch is the extremely unlikely case that a
+ user has a file which is in the local directory and literally named
+ just "pkcs11", and they have a passphrase on it. If that ever happened,
+ the user would need to refer to it as './pkcs11:<passphrase>' instead.
-- [Jay Satiro brought this change]
+- nss: make the global variables static
- connect: Fix happy eyeballs logic for IPv4-only builds
+- openssl: use regular malloc instead of OPENSSL_malloc
- Bug: https://github.com/bagder/curl/pull/168
+ This allows for better memmory debugging and torture tests.
+
+- proxy: fix tests as follow-up to 93b0d907d5
- (trynextip)
- - Don't try the "other" protocol family unless IPv6 is available. In an
- IPv4-only build the other family can only be IPv6 which is unavailable.
+ This fixes tests that were added after 113f04e664b as the tests would
+ fail otherwise.
- This change essentially stops IPv4-only builds from attempting the
- "happy eyeballs" secondary parallel connection that is supposed to be
- used by the "other" address family.
+ We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
+ regressions with old and stupid proxies, but we could possibly switch to
+ using it only for CONNECT or only for NTLM in a future if we want to
+ gradually reduce it.
- Prior to this change in IPv4-only builds that secondary parallel
- connection attempt could be erroneously used by the same family (IPv4)
- which caused a bug where every address after the first for a host could
- be tried twice, often in parallel. This change fixes that bug. An
- example of the bug is shown below.
+ Fixes #954
- Assume MTEST resolves to 3 addresses 127.0.0.2, 127.0.0.3 and 127.0.0.4:
+ Reported-by: János Fekete
+
+- Revert "Proxy-Connection: stop sending this header by default"
- * STATE: INIT => CONNECT handle 0x64f4b0; line 1046 (connection #-5000)
- * Rebuilt URL to: http://MTEST/
- * Added connection 0. The cache now contains 1 members
- * STATE: CONNECT => WAITRESOLVE handle 0x64f4b0; line 1083
- (connection #0)
- * Trying 127.0.0.2...
- * STATE: WAITRESOLVE => WAITCONNECT handle 0x64f4b0; line 1163
- (connection #0)
- * Trying 127.0.0.3...
- * connect to 127.0.0.2 port 80 failed: Connection refused
- * Trying 127.0.0.3...
- * connect to 127.0.0.3 port 80 failed: Connection refused
- * Trying 127.0.0.4...
- * connect to 127.0.0.3 port 80 failed: Connection refused
- * Trying 127.0.0.4...
- * connect to 127.0.0.4 port 80 failed: Connection refused
- * connect to 127.0.0.4 port 80 failed: Connection refused
- * Failed to connect to MTEST port 80: Connection refused
- * Closing connection 0
- * The cache now contains 0 members
- * Expire cleared
- curl: (7) Failed to connect to MTEST port 80: Connection refused
+ This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
+
+- CURLOPT_PROXY.3: unsupported schemes cause errors now
- The bug was born in commit bagder/curl@2d435c7.
+ Follow-up to a96319ebb9 (document the new behavior)
-- mksymbolsmanpage.pl: use std header and generate better nroff header
+- tests/README: mention nghttpx for HTTP/2 tests
-- [Frank Meier brought this change]
+- README.md: add our CII Best Practices badge
- closesocket: call multi socket cb on close even with custom close
+- proxy: polished the error message for unsupported schemes
- In function Curl_closesocket() in connect.c the call to
- Curl_multi_closed() was wrongly omitted if a socket close function
- (CURLOPT_CLOSESOCKETFUNCTION) is registered.
-
- That would lead to not removing the socket from the internal hash table
- and not calling the multi socket callback appropriately.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1493
+ Follow up to a96319ebb93
-- [Tobias Stoeckmann brought this change]
+- test219: verify unsupported scheme for proxies get rejected
- hostip: Fix signal race in Curl_resolv_timeout.
-
- A signal handler for SIGALRM is installed in Curl_resolv_timeout. It is
- configured to interrupt system calls and uses siglongjmp to return into
- the function if alarm() goes off.
+- proxy: reject attempts to use unsupported proxy schemes
- The signal handler is installed before curl_jmpenv is initialized.
- This means that an already installed alarm timer could trigger the
- newly installed signal handler, leading to undefined behavior when it
- accesses the uninitialized curl_jmpenv.
+ I discovered some people have been using "https://example.com" style
+ strings as proxy and it "works" (curl doesn't complain) because curl
+ ignores unknown schemes and then assumes plain HTTP instead.
- Even if there is no previously installed alarm available, the code in
- Curl_resolv_timeout itself installs an alarm before the environment is
- fully set up. If the process is sent into suspend right after that, the
- signal handler could be called too early as in previous scenario.
-
- To fix this, the signal handler should only be installed and the alarm
- timer only be set after sigsetjmp has been called.
+ I think this misleads users into believing curl uses HTTPS to proxies
+ when it doesn't. Now curl rejects proxy strings using unsupported
+ schemes instead of just ignoring and defaulting to HTTP.
-- http2: detect prematures close without data transfered
-
- ... by using the regular Curl_http_done() method which checks for
- that. This makes test 1801 fail consistently with error 56 (which seems
- fine) to that test is also updated here.
-
- Reported-by: Ben Darnell
- Bug: https://github.com/bagder/curl/issues/166
+- RELEASE-NOTES: synced with b7ee5316c2fd5b
-Dan Fandrich (13 Mar 2015)
-- test320: Expect the Host header to be the first header
+Marc Hoersken (14 Aug 2016)
+- socks.c: Correctly calculate position of port in response packet
- Required for the test to work after a5d994941c2b.
-
-Daniel Stenberg (12 Mar 2015)
-- RELEASE-NOTES: synced with 186e46d88dd
+ Third commit to fix issue #944 regarding SOCKS5 error handling.
+
+ Reported-by: David Kalnischkies
-- openssl: use colons properly in the ciphers list
+- socks.c: Do not modify and invalidate calculated response length
- While the previous string worked, this is the documented format.
+ Second commit to fix issue #944 regarding SOCKS5 error handling.
- Reported-by: Richard Moore
+ Reported-by: David Kalnischkies
-- openssl: sort the ciphers on strength
+- socks.c: Move error output after reading the whole response packet
- This makes curl pick better (stronger) ciphers by default. The strongest
- available ciphers are fine according to the HTTP/2 spec so an OpenSSL
- built curl is no longer rejected by string HTTP/2 servers.
+ First commit to fix issue #944 regarding SOCKS5 error handling.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1487
+ Reported-by: David Kalnischkies
-- [Fabian Keil brought this change]
+Daniel Stenberg (13 Aug 2016)
+- [Ronnie Mose brought this change]
- test203[0-3]: Expect the Host header to be the first header
+ MANUAL: Remove invalid link to LDAP documentation (#962)
- Required for the tests to work after a5d994941c2b.
-
-- openssl: show the cipher selection to use
+ The server developer.netscape.com does not resolve into any
+ ip address and can be removed.
-- http: always send Host: header as first header
+Jay Satiro (13 Aug 2016)
+- openssl: accept subjectAltName iPAddress if no dNSName match
- ...after the method line:
+ Undo change introduced in d4643d6 which caused iPAddress match to be
+ ignored if dNSName was present but did not match.
- "Since the Host field-value is critical information for handling a
- request, a user agent SHOULD generate Host as the first header field
- following the request-line." / RFC 7230 section 5.4
+ Also, if iPAddress is present but does not match, and dNSName is not
+ present, fail as no-match. Prior to this change in such a case the CN
+ would be checked for a match.
- Additionally, this will also make libcurl ignore multiple specified
- custom Host: headers and only use the first one. Test 1121 has been
- updated accordingly
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1491
- Reported-by: Rainer Canavan
+ Bug: https://github.com/curl/curl/issues/959
+ Reported-by: wmsch@users.noreply.github.com
+
+Daniel Stenberg (12 Aug 2016)
+- [Dambaev Alexander brought this change]
-- [Alexander Pepper brought this change]
+ configure.ac: add zlib search with pkg-config
+
+ Closes #956
- mk-ca-bundle bugfix: Don't report SHA1 numbers with "-q".
+- rtsp: ignore whitespace in session id
+
+ Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
+ whitespace as well.
- Also unified printing to STDERR by creating the helper method "report".
+ Help-by: Erik Janssen
-- proxy: re-use proxy connections (regression)
+- HTTP: retry failed HEAD requests too
- When checking for a connection to re-use, a proxy-using request must
- check for and use a proxy connection and not one based on the host
- name!
+ Mark's new document about HTTP Retries
+ (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
+ spotted that we don't retry failed HEAD requests which seems totally
+ inconsistent and I can't see any reason for that separate treatment.
- Added test 1421 to verify
+ So, no separate treatment for HEAD starting now. A HTTP request sent
+ over a reused connection that gets cut off before a single byte is
+ received will be retried on a fresh connection.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1492
+ Made-aware-by: Mark Nottingham
-- [Jay Satiro brought this change]
+- mk-ca-bundle.1: document -m, added in 1.26
- memanalyze.pl: handle free(NULL)
+- RELEASE-NOTES: synced with e577c43bb5
-- [Jay Satiro brought this change]
+- [Erik Janssen brought this change]
- .travis.yml: Change CI make test to make test-full
+ rtsp: accept any RTSP session id
- - Change the continuous integration script to use 'make test-full'
- instead of just 'make test' so that the diagnostic log output is
- printed to stdout when a test fails.
+ Makes libcurl work in communication with gstreamer-based RTSP
+ servers. The original code validates the session id to be in accordance
+ with the RFC. I think it is better not to do that:
- - Change the continuous integration script to use
- './configure --enable-debug' instead of just './configure' so that the
- memory analyzer will work during testing.
+ - For curl the actual content is a don't care.
- Prior to this change Travis used its default C test script:
- ./configure && make && make test
-
-- [Alessandro Ghedini brought this change]
-
- gtls: correctly align certificate status verification messages
-
-- [Alessandro Ghedini brought this change]
+ - The clarity of the RFC is debatable, is $ allowed or only as \$, that
+ is imho not clear
+
+ - Gstreamer seems to url-encode the session id but % is not allowed by
+ the RFC
+
+ - less code
+
+ With this patch curl will correctly handle real-life lines like:
+ Session: biTN4Kc.8%2B1w-AF.; timeout=60
+
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
- gtls: don't print double newline after certificate dates
+- symbols-in-versions: add CURL_STRICTER
+
+ Added in 5fce88aa8c12564
-- [Alessandro Ghedini brought this change]
+- [Simon Warta brought this change]
- gtls: print negotiated TLS version and full cipher suite name
+ winbuild: Allow changing C compiler via environment variable CC (#952)
- Instead of priting cipher and MAC algorithms names separately, print the
- whole cipher suite string which also includes the key exchange algorithm,
- along with the negotiated TLS version.
-
-- gtls: fix compiler warnings
+ This makes it possible to use specific compilers or a cache.
+
+ Sample use for clcache:
+ set CC=clcache.bat
+ nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
-- [Alessandro Ghedini brought this change]
+- LICENSE-MIXING.md: switched to markdown
- gtls: add support for CURLOPT_CAPATH
+- docs-make: have markdown files use .md
-- [stopiccot brought this change]
+- curl.h: make CURL_NO_OLDIES define CURL_STRICTER
- MacOSX-Framework: use @rpath instead of @executable_path
-
- Bug: https://github.com/bagder/curl/pull/157
+- HISTORY.md: use markdown extension
-- RELEASE-NOTES: synced with c19349951
+- SSLCERTS.md: renamed to markdown extension
-- multi: fix *getsock() with CONNECT
-
- The code used some happy eyeballs logic even _after_ CONNECT has been
- sent to a proxy, while the happy eyeball phase is already (should be)
- over by then.
-
- This is solved by splitting the multi state into two separate states
- introducing the new SENDPROTOCONNECT state.
-
- Bug: http://curl.haxx.se/mail/lib-2015-01/0170.html
- Reported-by: Peter Laser
+- INTERNALS.md: use markdown extension for markdown content
-- conncontrol: only log changes to the connection bit
+- CONTRIBUTE.md: markdown extension
-- http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
-
- Since they already exist and will make comparing easier
+- CONTRIBUTE: changed to markdown
-- http2: make the info-message about receiving HTTP2 headers debug-only
+- CONTRIBUTE: refreshed
-- [Alessandro Ghedini brought this change]
+- TODO: added an SSH section and two SFTP things to do
- urldata: remove unused asked_for_h2 field
+- TODO: remove the 1.22 duplicated item
-- [Alessandro Ghedini brought this change]
+- TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section
- polarssl: make it possible to enable ALPN/NPN without HTTP2
+- TODO: API for URL parsing/splitting
-- [Alessandro Ghedini brought this change]
+- TODO: move QUIC to the HTTP section
- nss: make it possible to enable ALPN/NPN without HTTP2
+- [Simon Warta brought this change]
-- [Alessandro Ghedini brought this change]
+ winbuild: Free name $(CC) in Makefile (#950)
+
+ In the old line number 290, CC and CURL_CC had the same value. After
+ that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
+
+ This gets rid of the CC variable entirely. It is a first step to make it
+ possible to manualyl set a CC variable in order to be able to change the
+ compiler.
- gtls: make it possible to enable ALPN/NPN without HTTP2
+- TODO: Use huge HTTP/2 windows
-- [Alessandro Ghedini brought this change]
+- [Simon Warta brought this change]
- openssl: make it possible to enable ALPN/NPN without HTTP2
+ winbuild: Avoid setting redundant CFLAGS to compile commands (#949)
+
+ $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
+ all arguments in CURL_CFLAGS have been added twice.
-- metalink: add some error checks
+Jay Satiro (8 Aug 2016)
+- cmake: Enable win32 threaded resolver by default
- malloc() and strdup() calls without checking return codes.
+ - Turn on USE_THREADS_WIN32 in Windows if ares isn't on
- Reported-by: Markus Elfring
- Bug: https://github.com/bagder/curl/issues/150
+ This change is similar to what we already do in the autotools build.
-- curl_easy_setopt.3: added CURLOPT_SSL_VERIFYSTATUS
+- cmake: Enable win32 large file support by default
- Reported-by: Jonathan Cardoso
-
-- urldata: fix gnutls build
-
-Steve Holme (5 Mar 2015)
-- openssl: Removed use of USE_SSLEAY from the Visual Studio project files
+ All compilers used by cmake in Windows should support large files.
- In addition to commit 709cf76f6b, removed the USE_SSLEAY preprocessor
- variable from the Visual Studio project files as it isn't required
- anymore.
+ - Add test SIZEOF_OFF_T
+ - Remove outdated test SIZEOF_CURL_OFF_T
+ - Turn on USE_WIN32_LARGE_FILES in Windows
+ - Check for 'Largefile' during the features output
+
+Daniel Stenberg (7 Aug 2016)
+- TODO: added several ideas, removed SPDY
-Daniel Stenberg (5 Mar 2015)
-- multi: fix memory-leak on timeout (regression)
+- http2: always wait for readable socket
- Since 1342a96ecfe0d44, a timeout detected in the multi state machine didn't
- necesarily clear everything up, like formpost data.
+ Since the server can at any time send a HTTP/2 frame to us, we need to
+ wait for the socket to be readable during all transfers so that we can
+ act on incoming frames even when uploading etc.
- Bug: https://github.com/bagder/curl/issues/147
- Reported-by: Michel Promonet
- Patched-by: Michel Promonet
+ Reminded-by: Tatsuhiro Tsujikawa
+
+- RELEASE-NOTES: synced with 7b4bf37a44791
+
+- [Thomas Glanzmann brought this change]
-- configure: follow-up fix from 709cf76f6
+ mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
- OpenSSL handling was a little broken.
+ In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
+ to 0. This patch also adds a comment how mbedtls must be compiled in
+ order to make debugging work, and explains the possible debug levels.
-- openssl: remove all uses of USE_SSLEAY
+- CURLOPT_TCP_NODELAY: now enabled by default
- SSLeay was the name of the library that was subsequently turned into
- OpenSSL many moons ago (1999). curl does not work with the old SSLeay
- library since years. This is now reflected by only using USE_OPENSSL in
- code that depends on OpenSSL.
+ After a few wasted hours hunting down the reason for slowness during a
+ TLS handshake that turned out to be because of TCP_NODELAY not being
+ set, I think we have enough motivation to toggle the default for this
+ option. We now enable TCP_NODELAY by default and allow applications to
+ switch it off.
+
+ This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
+ used to disable it.
+
+ Thanks-to: Tim Rühsen
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
-- [Sergei Nikulov brought this change]
+- [Serj Kalichev brought this change]
- cmake: handle build definitions CURLDEBUG/DEBUGBUILD
+ TFTP: Fix upload problem with piped input
- Acked-by: Brad King
-
-- FAQ: 4.21 Why is there a HTTP/1.1 in my HTTP/2 request?
+ When input stream for curl is stdin and input stream is not a file but
+ generated by a script then curl can truncate data transfer to arbitrary
+ size since a partial packet is treated as end of transfer by TFTP.
+
+ Fixes #857
-- symbols.pl: handle '-' in the deprecated field
+- mk-ca-bundle.pl: -m keeps ca cert meta data in output
- ... which otherwise made the script skip the _LAST define for some
- symbols.
+ Makes the script pass on comments holding meta data to the output
+ file. Like fingerprinters, issuer, date ranges etc.
- Reported-by: Jeroen Ooms
- Bug: http://curl.haxx.se/mail/lib-2015-03/0052.html
+ Closes #937
-- curl.1: fix "The the" typo
+- multi: make Curl_expire() work with 0 ms timeouts
- Reported-by: Jon Seymour
+ Previously, passing a timeout of zero to Curl_expire() was a magic code
+ for clearing all timeouts for the handle. That is now instead made with
+ the new Curl_expire_clear() function and thus a 0 timeout is fine to set
+ and will trigger a timeout ASAP.
+
+ This will help removing short delays, in particular notable when doing
+ HTTP/2.
-- vtls: use curl_printf.h all over
+- transfer: return without select when the read loop reached maxcount
+
+ Regression added in 790d6de48515. The was then added to avoid one
+ particular transfer to starve out others. But when aborting due to
+ reading the maxcount, the connection must be marked to be read from
+ again without first doing a select as for some protocols (like SFTP/SCP)
+ the data may already have been read off the socket.
- No need to use _MPRINTF_REPLACE internally.
+ Reported-by: Dan Donahue
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html
-- tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACE
+Steve Holme (3 Aug 2016)
+- [Bill Nagel brought this change]
-- tool_writeenv: remove _MPRINTF_REPLACE define, it wasn't used
+ mbedtls: Added support for NTLM
+Daniel Stenberg (3 Aug 2016)
- [Sergei Nikulov brought this change]
- libtest: fixed linker errors on msvc
+ travis: removed option to rebuild autotool from source
- Bug: https://github.com/bagder/curl/pull/144
+ Fixes #943
-- mprintf.h: remove #ifdef CURLDEBUG
-
- ... and as a consequence, introduce curl_printf.h with that re-define
- magic instead and make all libcurl code use that instead.
+- bump: start working toward 7.50.2
-- tool_getpass: remove unused curl/mprintf.h include
+Version 7.50.1 (3 Aug 2016)
-- CONTRIBUTING.md: file for advice on github
+Daniel Stenberg (3 Aug 2016)
+- THANKS: 7 new contributors from the 7.50.1 release
-- [Viktor Szakáts brought this change]
+- RELEASE-NOTES: 7.50.1
- BINDINGS: add link to Harbour bindings
+- TLS: only reuse connections with the same client cert
- And UTF8-fix a few names
+ CVE-2016-5420
+ Bug: https://curl.haxx.se/docs/adv_20160803B.html
-- CURLOPT_HEADERFUNCTION.3: typo in error code name
+- TLS: switch off SSL session id when client cert is used
- Reported-by: Jonathan Cardoso
+ CVE-2016-5419
+ Bug: https://curl.haxx.se/docs/adv_20160803A.html
+ Reported-by: Bru Rom
+ Contributions-by: Eric Rescorla and Ray Satiro
-- BINDINGS: tclcurl moved
+- curl_multi_cleanup: clear connection pointer for easy handles
- Reporte-by: Steve Havelka
-
-- [Jay Satiro brought this change]
+ CVE-2016-5421
+ Bug: https://curl.haxx.se/docs/adv_20160803C.html
+ Reported-by: Marcelo Echeverria and Fernando Muñoz
- opts: Fix pipelining examples
+- KNOWN_BUGS: SOCKS proxy not working via IPv6
+
+ Closes #835
-- [Jay Satiro brought this change]
+- KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
+
+ Closes #768
- curl_multi_setopt.3: Link to CURLMOPT_MAXCONNECTS
+- KNOWN_BUGS: transfer-encoding: chunked in HTTP/2
+
+ Closes #662
-- CONTRIBUTE: the new more github-friendly attitude!
+- TODO: Provide cmake config-file
+
+ Closes #885
-Steve Holme (28 Feb 2015)
-- RELEASE-NOTES: Synced with 921d195187
+Patrick Monnerat (2 Aug 2016)
+- os400: define BUILDING_LIBCURL in make script.
-Kamil Dudka (28 Feb 2015)
-- tool: wrap lines longer than 79 columns
-
- ... to avoid a build failure when configured with --enable-debug
+Daniel Stenberg (1 Aug 2016)
+- RELEASE-NOTES: synced with aa9f536a18b
-Steve Holme (27 Feb 2015)
-- [Tatsuhiro Tsujikawa brought this change]
+Jay Satiro (1 Aug 2016)
+- [Thomas Glanzmann brought this change]
- http2: Return error if stream was closed with other than NO_ERROR
+ mbedtls: Fix debug function name
- Previously, we just ignored error code passed to
- on_stream_close_callback and just return 0 (success) after stream
- closure even if stream was reset with error. This patch records error
- code in on_stream_close_callback, and return -1 and use CURLE_HTTP2
- error code on abnormal stream closure.
-
-- tool: Updated the warnf() function to use the GlobalConfig structure
+ This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
+ defined.
- As the 'error' and 'mute' options are now part of the GlobalConfig,
- rather than per Operation, updated the warnf() function to use this
- structure rather than the OperationConfig.
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
-- build: Removed DataExecutionPrevention directive from VC9+ project files
-
- Removed the DataExecutionPrevention directive from the project files for
- Visual Studio 2008 and above. The XML value in the VC9 project files was
- set to "0" (Default) whilst the VC10+ project files contained an empty
- XML element.
+Daniel Stenberg (1 Aug 2016)
+- [Sergei Nikulov brought this change]
-- build: Use default RandomizedBaseAddress directive in VC9+ project files
+ travis: fix OSX build by re-installing libtool
- Visual Studio 2008 introduced support for the address space layout
- randomization (ASLR) feature of Windows Vista. However, upgrading the
- VC8 project files to VC9 and above disabled this feature.
+ Apparently due to a broken homebrew install
- Removed the RandomizedBaseAddress directive to enabled the default
- setting (/DYNAMICBASE). Note: This doesn't appear to have any negative
- impact when compiled and ran on Windows XP.
+ fixes #934
+ Closes #939
-- build: Added support to Generate.bat for files in the upcoming vauth folder
+- [Martin Vejnár brought this change]
-Daniel Stenberg (25 Feb 2015)
-- http2: return recv error on unexpected EOF
+ win32: fix a potential memory leak in Curl_load_library
- Pointed-out-by: Tatsuhiro Tsujikawa
- Bug: http://curl.haxx.se/bug/view.cgi?id=1487
-
-Kamil Dudka (25 Feb 2015)
-- dist: add symbol-scan.pl to the tarball
+ If a call to GetSystemDirectory fails, the `path` pointer that was
+ previously allocated would be leaked. This makes sure that `path` is
+ always freed.
- ... in order to make test1135 succeed
-
-Daniel Stenberg (25 Feb 2015)
-- http2: move lots of verbose output to be debug-only
+ Closes #938
-Kamil Dudka (25 Feb 2015)
-- curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
+- include: revert 9adf3c4 and make public types void * again
- Otherwise it expands to:
+ Many applications assume the actual contents of the public types and use
+ that do for example forward declarations (saving them from including our
+ public header) which then breaks when we switch from void * to a struct
+ *.
- echo ""/etc/pki/tls/certs/ca-bundle.crt""
+ I'm not convinced we were wrong, but since this practise seems
+ widespread enough I'm willing to (partly) step down.
- Detected by ShellCheck:
+ Now libcurl uses the struct itself when it is built and it allows
+ applications to use the struct type if CURL_STRICTER is defined at the
+ time of the #include.
- curl-config:74:16: warning: The double quotes around this do
- nothing. Remove or escape them. [SC2140]
+ Reported-by: Peter Frühberger
+ Fixes #926
-- nss: do not skip Curl_nss_seed() if data is NULL
-
- In that case, we only skip writing the error message for failed NSS
- initialization (while still returning the correct error code).
+Jay Satiro (28 Jul 2016)
+- [Yonggang Luo brought this change]
-- nss: improve error handling in Curl_nss_random()
+ cmake: Fix for schannel support
+
+ The check_library_exists_concat do not check crypt32 library properly.
+ So include it directly.
- The vtls layer now checks the return value, so it is no longer necessary
- to abort if a random number cannot be provided by NSS. This also fixes
- the following Coverity report:
+ Bug: https://github.com/curl/curl/pull/917
+ Reported-by: Yonggang Luo
- Error: FORWARD_NULL (CWE-476):
- lib/vtls/nss.c:1918: var_compare_op: Comparing "data" to null implies that "data" might be null.
- lib/vtls/nss.c:1923: var_deref_model: Passing null pointer "data" to "Curl_failf", which dereferences it.
- lib/sendf.c:154:3: deref_parm: Directly dereferencing parameter "data".
+ Bug: https://github.com/curl/curl/issues/935
+ Reported-by: Alain Danteny
-Daniel Stenberg (25 Feb 2015)
-- RELEASE-PROCEDURE: add some more future release dates
+- Revert "travis: Install libtool for OS X builds"
- ... and remove some old ones
+ Didn't work.
+
+ This reverts commit 50723585ed380744358de054e2a55dccee65dfd7.
-- sws: timeout idle CONNECT connections
+- travis: Install libtool for OS X builds
+
+ CI is failing due to missing libtoolize, so I'm trying this.
-- bump: start working toward 7.42.0
+Daniel Stenberg (26 Jul 2016)
+- [Viktor Szakats brought this change]
-Version 7.41.0 (25 Feb 2015)
+ TODO: minor typo in last commit
+
+ merged #931
-Daniel Stenberg (25 Feb 2015)
-- THANKS: added contributors from the 7.41.0 RELEASE-NOTES
+- TODO: Timeout idle connections from the pool
-- RELEASE-NOTES: sync with ffc2aeec6e (7.41.0 release time!)
+Patrick Monnerat (25 Jul 2016)
+- os400: minimum supported OS version: V6R1M0.
+ Do not log compilation informational messages.
-Marc Hoersken (25 Feb 2015)
-- Revert "telnet.c: fix handling of 0 being returned from custom read function"
+Jay Satiro (24 Jul 2016)
+- tests: Fix for http/2 feature
- This reverts commit 03fa576833643c67579ae216c4e7350fa9b5f2fe.
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0070.html
+ Reported-by: Paul Howarth
-- telnet.c: fix invalid use of custom read function if not being set
-
- obj_count can be 1 if the custom read function is set or the stdin
- handle is a reference to a pipe. Since the pipe should be handled
- using the PeekNamedPipe-check below, the custom read function should
- only be used if it is actually enabled.
+Steve Holme (23 Jul 2016)
+- README: Mention wolfSSL in the 'Dependencies' section
-- telnet.c: fix handling of 0 being returned from custom read function
-
- According to [1]: "Returning 0 will signal end-of-file to the library
- and cause it to stop the current transfer."
- This change makes the Windows telnet code handle this case accordingly.
+- vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
- [1] http://curl.haxx.se/libcurl/c/CURLOPT_READFUNCTION.html
+ As SPNEGO is only defined when these pre-processor variables are defined
+ there is no need to query them explicitly.
-Daniel Stenberg (24 Feb 2015)
-- sws: stop logging about TPC_NODELAY nonsense
-
-- lib530: make it less timing sensible
+- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
- ... by making sure the first request is completed before doing the
- remainder.
+ Typo introduced in commit ad5e9bfd5d.
-Kamil Dudka (23 Feb 2015)
-- connect: wait for IPv4 connection attempts
-
- ... even if the last IPv6 connection attempt has failed.
+Daniel Stenberg (22 Jul 2016)
+- SECURITY: mention how to get windows-specific CVEs
- Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1187531#c4
+ ... and make the distros link a proper link
-- connect: avoid skipping an IPv4 address
-
- ... in case the protocol versions are mixed in a DNS response
- (IPv6 -> IPv4 -> IPv6).
-
- Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1187531#c3
+Dan Fandrich (21 Jul 2016)
+- test558: fix test by stripping file paths from FD lines
-Daniel Stenberg (23 Feb 2015)
-- RELEASE-NOTES: synced with 5e4395eab839d
+Kamil Dudka (21 Jul 2016)
+- tests: distribute the http2-server.pl script, too
-- ROADMAP: curl_easy_setopt.3 has already been split up
-
- Remove cmake as marked for removal. It is in much better state now.
+- docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too
+
+Daniel Stenberg (21 Jul 2016)
+- bump: start working on 7.50.1
-- ROADMAP: extend the HTTP/2 stuff, remove SPDY
+Version 7.50.0 (21 Jul 2016)
-- [Julian Ospald brought this change]
+Daniel Stenberg (21 Jul 2016)
+- RELEASE-NOTES: version 7.50.0 ready
- configure: allow both --with-ca-bundle and --with-ca-path
+- THANKS: 13 new contributors from the 7.50.0 release
+
+Jay Satiro (21 Jul 2016)
+- winbuild: fix embedded manifest option
- SSL_CTX_load_verify_locations by default (and if given non-Null
- parameters) searches the CAfile first and falls back to CApath. This
- allows for CAfile to be a basis (e.g. installed by the package manager)
- and CApath to be a user configured directory.
+ Embedded manifest option didn't work due to typo.
- This wasn't reflected by the previous configure constraint which this
- patch fixes.
+ Reported-by: Stefan Kanthak
+
+- vauth: Fix memleak by freeing credentials if out of memory
- Bug: https://github.com/bagder/curl/pull/139
+ This is a follow up to the parent commit dcdd4be which fixes one leak
+ but creates another by failing to free the credentials handle if out of
+ memory. Also there's a second location a few lines down where we fail to
+ do same. This commit fixes both of those issues.
-- [Ben Boeckel brought this change]
+Daniel Stenberg (20 Jul 2016)
+- [Saurav Babu brought this change]
- cmake: install the dll file to the correct directory
+ vauth: Fixed memory leak due to function returning without free
+
+ This patch allocates memory to "output_token" only when it is required
+ so that memory is not leaked if function returns.
-- [Alessandro Ghedini brought this change]
+- test558: updated after ipv6-check move
+
+ Follow-up commit to c50980807c5 to make this test pass.
- nss: fix NPN/ALPN protocol negotiation
+Jay Satiro (20 Jul 2016)
+- connect: disable TFO on Linux when using SSL
- Correctly check for memcmp() return value (it returns 0 if the strings match).
+ - Linux TFO + TLS is not implemented yet.
- This is not really important, since curl is going to use http/1.1 anyway, but
- it's still a bug I guess.
+ Bug: https://github.com/curl/curl/issues/907
-- [Alessandro Ghedini brought this change]
+Daniel Stenberg (19 Jul 2016)
+- ROADMAP: QUIC and TLS 1.3
- polarssl: fix ALPN protocol negotiation
-
- Correctly check for strncmp() return value (it returns 0 if the strings
- match).
+- RELEASE-NOTES: synced with c50980807c5
-- [Sergei Nikulov brought this change]
+Jay Satiro (18 Jul 2016)
+- [Brian Prodoehl brought this change]
- CMake: Fix generation of tool_hugehelp.c on windows
+ curl_global_init: Check if IPv6 works
- Use "cmake -E echo" instead of "echo".
+ - Curl_ipv6works() is not thread-safe until after the first call, so
+ call it once during global init to avoid a possible race condition.
- Reviewed-by: Brad King <brad.king@kitware.com>
+ Bug: https://github.com/curl/curl/issues/915
+ PR: https://github.com/curl/curl/pull/918
-- [Sergei Nikulov brought this change]
+- [Timothy Polich brought this change]
- CMake: fix winsock2 detection on windows
+ CURLMOPT_SOCKETFUNCTION.3: fix typo
- Set CMAKE_REQUIRED_DEFINITIONS to include definitions needed to get
- the winsock2 API from windows.h. Simplify the order of checks to
- avoid extra conditions.
-
- Use check_include_file instead of check_include_file_concat to look
- for OpenSSL headers. They do not need to participate in a sequence
- of dependent system headers. Also they may cause winsock.h to be
- included before ws2tcpip.h, causing the latter to not be detected
- in the sequence.
-
- Reviewed-by: Brad King <brad.king@kitware.com>
+ Closes https://github.com/curl/curl/pull/914
-- [Alessandro Ghedini brought this change]
+- [Miroslav Franc brought this change]
- gtls: fix build with HTTP2
+ library: Fix memory leaks found during static analysis
+
+ Closes https://github.com/curl/curl/pull/913
-Steve Holme (16 Feb 2015)
-- Makefile.vc6: Corrected typos in rename of darwinssl.obj
+- [Viktor Szakats brought this change]
-Nick Zitzmann (15 Feb 2015)
-- By request, change the name of "curl_darwinssl.[ch]" to "darwinssl.[ch]"
+ cookie.c: Fix misleading indentation
+
+ Closes https://github.com/curl/curl/pull/911
-Steve Holme (14 Feb 2015)
-- RELEASE-NOTES: Synced with 6f89f86c3d
+- FAQ: Update FTP directory listing section for MLSD command
+
+ Explain how some FTP servers support the machine readable listing
+ format MLSD from RFC 3659 and compare it to LIST.
+
+ Ref: https://github.com/curl/curl/issues/906
-- tests/README: Updated to reflect email test ranges
+Daniel Stenberg (1 Jul 2016)
+- [Sergei Nikulov brought this change]
-- [Alessandro Ghedini brought this change]
+ Appveyor: Updates for options - CURL_STATICLIB/BUILD_TESTING
+
+ Closes #892
- curl.1: --cert-status is also supported by OpenSSL now
+- TODO: 17.4 also brings more HTTP/2 support
-- build: Removed Visual Studio SuppressStartupBanner directive for VC8+
+- TODO: try next proxy if one doesn't work
- Visual Studio 2005 and above defaults to disabling the startup banner
- for the Compiler, Linker and MIDL tools (with /NOLOGO). As such there
- is no need to explicitly set the SuppressStartupBanner directive, as
- this is a leftover from the VC7 and VC7.1 projects being upgraded to
- VC8 and above.
+ Closes #896
-Kamil Dudka (12 Feb 2015)
-- openssl: fix a compile-time warning
+- conn: don't free easy handle data in handler->disconnect
- lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive
+ Reported-by: Gou Lingfeng
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
-Steve Holme (11 Feb 2015)
-- openssl: Use OPENSSL_IS_BORINGSSL for BoringSSL detection
-
- For consistency with other conditionally compiled code in openssl.c,
- use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use
- HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are
- not included.
+- test1244: test different proxy ports same URL
-Patrick Monnerat (11 Feb 2015)
-- ftp: accept all 2xx responses to the PORT command
+- curl_global_init.3: improved formatting of the flags
-Steve Holme (9 Feb 2015)
-- openssl: Disable OCSP in old versions of OpenSSL
+- curl_global_init.3: expand on the SSL and WIN32 bits purpose
- Versions of OpenSSL prior to v0.9.8h do not support the necessary
- functions for OCSP stapling.
+ Reported-by: Richard Gray
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html
-Daniel Stenberg (9 Feb 2015)
-- [Tatsuhiro Tsujikawa brought this change]
+- [Michael Kaufmann brought this change]
- http2: Fix bug that associated stream canceled on PUSH_PROMISE
+ cleanup: minor code cleanup in Curl_http_readwrite_headers()
- Previously we don't ignore PUSH_PROMISE header fields in on_header
- callback. It makes header values mixed with following HEADERS,
- resulting protocol error.
-
-- [Jay Satiro brought this change]
+ - the expression of an 'if' was always true
+ - a 'while' contained a condition that was always true
+ - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
+ - fixed a typo
+
+ Closes #889
- polarssl: Fix exclusive SSL protocol version options
+- SFTP: set a generic error when no SFTP one exists...
- Prior to this change the options for exclusive SSL protocol versions did
- not actually set the protocol exclusive.
+ ... as otherwise we could get a 0 which would count as no error and we'd
+ wrongly continue and could end up segfaulting.
- http://curl.haxx.se/mail/lib-2015-01/0002.html
- Reported-by: Dan Fandrich
-
-- [Jay Satiro brought this change]
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
+ Reported-by: 暖和的和暖
- gskit: Fix exclusive SSLv3 option
+- ROADMAP: http2 tests are merged, mention http2 perf
-- curl.1: clarify that -X is used for all requests
+- docs/README.md: to render nicer pages on github
- Reported-by: Jon Seymour
+ ... as previously the README.cmake would be picked and put at the bottom
+ of the docs page there and it wasn't very representative!
-- curl.1: add warning when using -H and redirects
-
-Steve Holme (7 Feb 2015)
-- schannel: Removed curl_ prefix from source files
+- README.md: change host name for the svg logo
- Removed the curl_ prefix from the schannel source files as discussed
- with Marc and Daniel at FOSDEM.
-
-Daniel Stenberg (6 Feb 2015)
-- md5: use axTLS's own MD5 functions when available
+ rawgit.com asks to use the domain cdn.rawgit.com for production
+
+ See #900
-- MD(4|5): make the MD4_* and MD5_* functions static
+- [Viktor Szakats brought this change]
-- axtls: fix conversion from size_t to int warning
+ README.md: use the SVG logo
-Steve Holme (5 Feb 2015)
-- ftp: Use 'CURLcode result' for curl result codes
+- README.md: logo on top!
-Daniel Stenberg (5 Feb 2015)
-- openssl: SSL_SESSION->ssl_version no longer exist
+- KNOWN_BUGS: 3.4 POP3 expects "CRLF.CRLF" eob for some
- The struct went private in 1.0.2 so we cannot read the version number
- from there anymore. Use SSL_version() instead!
-
- Reported-by: Gisle Vanem
- Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html
+ Closes #740
-Dan Fandrich (4 Feb 2015)
-- unit1600: Fix compilation when NTLM is disabled
+- RELEASE-NOTES: synced with d61c80515aa8
-Daniel Stenberg (4 Feb 2015)
-- MD5: fix compiler warnings and code style nits
+- [Michael Osipov brought this change]
-- MD5: replace implementation
+ acinclude.m4: improve autodetection of CA bundle on FreeBSD
- The previous one was "encumbered" by RSA Inc - to avoid the licensing
- restrictions it has being replaced. This is the initial import,
- inserting the md5.c and md5.h files from
- http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5
+ The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
+ to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
+ discovery process.
- Code-by: Alexander Peslyak
-
-- MD4: fix compiler warnings and code style nits
-
-- MD4: replace implementation
+ This change also removes the former FreeBSD path that has been obsolete
+ for 8 years since this FreeBSD ports commit:
+ https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953
- The previous one was "encumbered" by RSA Inc - to avoid the licensing
- restrictions it has being replaced. This is the initial import,
- inserting the md4.c and md4.h files from
- http://openwall.info/wiki/people/solar/software/public-domain-source-code/md4
+ Closes #894
+
+- configure: don't specify .lib for libs on windows
- Code-by: Alexander Peslyak
+ Another follow up for crypt32.lib linking with winssl
-Steve Holme (4 Feb 2015)
-- telnet: Prefer 'CURLcode result' for curl result codes
+- configure: fix winssl LIBS change typo
+
+ follow-up from 120bf29e
-- hostasyn: Prefer 'CURLcode result' for curl result codes
+- TODO: "TCP Fast Open" is done, add monitor pool connections
-- schannel: Prefer 'CURLcode result' for curl result codes
+- configure: add crypt32.lib for winssl builds
+
+ Necessary since 6cabd78531f
-Daniel Stenberg (3 Feb 2015)
-- unit1601: MD5 unit tests
+- Makefile.vc: link with crypt32.lib for winssl builds
+
+ Necessary since 6cabd78531f
+
+ Fixes #853
-- unit1600: unit test for Curl_ntlm_core_mk_nt_hash
+- [Joel Depooter brought this change]
-- unit1600: NTLM unit test
+ VC: Add crypt32.lib to Visual Sudio project template files
+
+ Closes #854
-- tests/README: add a new range, clean up some language
+- vc: fix the build for schannel certinfo support
+
+ Broken since 6cabd785, which adds use of the Curl_extract_certinfo
+ function from the x509asn1.c file.
-- [Jay Satiro brought this change]
+- typedefs: use the full structs in internal code...
+
+ ... and save the typedef'ed names for headers and external APIs.
- opts: CURLOPT_CAINFO availability depends on SSL engine
+- internals: rename the SessionHandle struct to Curl_easy
-- getpass: protect include with proper #ifdef
+- headers: forward declare CURL, CURLM and CURLSH as structs
+
+ Instead of typedef'ing to void, typedef to their corresponding actual
+ struct names to allow compilers to type-check.
- Reported-by: Tamir
+ Assisted-by: Reinhard Max
-- getpass_r: read from stdin, not stdout!
+Jay Satiro (22 Jun 2016)
+- vtls: Only call add/getsession if session id is enabled
- The file number used was wrong. This bug was introduced over 10 years
- ago, proving this function isn't used much...
+ Prior to this change we called Curl_ssl_getsessionid and
+ Curl_ssl_addsessionid regardless of whether session ID reusing was
+ enabled. According to comments that is in case session ID reuse was
+ disabled but then later enabled.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1476
- Reported-by: Tamir
+ The old way was not intuitive and probably not something users expected.
+ When a user disables session ID caching I'd guess they don't expect the
+ session ID to be cached anyway in case the caching is later enabled.
-- test1135: verify the CURL_EXTERN order in header files
+Daniel Stenberg (22 Jun 2016)
+- curl.1: the used progress meter suffix is k in lower case
+
+ Closes #883
+
+- [Sergei Nikulov brought this change]
-- Makefile.am: fix 'make distcheck'
+ cmake: now using BUILD_TESTING=ON/OFF
- ... by removing generated files from the *_DIST variable [*] and instead
- generate them with a .dist suffix, since that is then handled and put
- into the release archive by our generic dist-hook.
+ CMake build now using BUILD_TESTING=ON/OFF (default is OFF) to build
+ tests and enabling CTest integration. Options BUILD_CURL_TESTS and
+ BUILD_DASHBOARD_REPORTS was removed.
- [*] = 'make distcheck' fails with non-existing files listed there
-
-Steve Holme (2 Feb 2015)
-- curl_sasl.c: More code policing
+ Closes #882
- Better use of 80 character line limit, comment corrections and line
- spacing preferences.
+ Reviewed-by: Brad King
-Daniel Stenberg (2 Feb 2015)
-- libcurl-symbols: first basic shot for autogenerated docs
-
-- FAQ: minor edit of 3.22
+- [Michael Kaufmann brought this change]
-Steve Holme (2 Feb 2015)
-- build: Added removal of Visual Studio project files
+ cleanup: fix method names in code comments
- Added the removal of the locally generated project files so one
- may revert to a clean repository.
+ Closes #887
-- build: Renamed top level Visual Studio solution files
+Kamil Dudka (21 Jun 2016)
+- curl-compilers.m4: improve detection of GCC's -fvisibility= flag
- In preparation for adding the test suite and examples projects renamed
- the top level "all" solution files to better describe what they are.
+ Some builds of GCC produce output on both stdout and stderr when --help
+ --verbose is used. The 2>&1 redirection caused them to be arbitrarily
+ interleaved with each other because of stream buffering. Consequently,
+ grep failed to match the fvisibility= string in the mixed output, even
+ though the string was present in GCC's standard output.
- This will also enable us to use "curl" rather than "curlsrc" for the
- command line tool solution and project files, which will simplify some
- of the configuration.
+ This led to silently disabling symbol hiding in some builds of curl.
-- build: Enabled DEBUGBUILD in Visual Studio debug builds
+Daniel Stenberg (19 Jun 2016)
+- tests: fix the HTTP/2 tests
- Defined the DEBUGBUILD pre-processor variable to allow extra logging,
- which is particularly useful in debug builds, as we use this and Visual
- Studio typically uses _DEBUG.
+ The HTTP/2 tests brought with commit bf05606ef1f were using the internal
+ name 'http2' for the HTTP/2 server, while in fact that name was already
+ used for the second instance of the HTTP server. This made tests using
+ the second instance (like test 2050) fail after a HTTP/2 test had run.
- We could define DEBUBBUILD, in curl_setup.h, when _MSC_VER and _DEBUG is
- defined but that would also affect the makefile based builds which we
- probably don't want to do.
+ The server is now known as HTTP/2 internally and within the <server>
+ section in test cases. 1700, 1701 and 1702 were updated accordingly.
-- build: Removed unused Visual Studio bscmake settings
-
-Daniel Stenberg (2 Feb 2015)
-- CURLOPT_HTTP_VERSION.3: CURL_HTTP_VERSION_2_0 added in 7.33.0
-
- And modify the text to refer to HTTP 2 as it isn't called "2.0".
-
- Reported-By: Michael Wallner
+- openssl: use more 'const' to fix build warnings with 1.1.0 branch
-Marc Hoersken (31 Jan 2015)
-- TODO: moved WinSSL/SChannel todo items into docs
+- curl.1: missed 'T' in the progress unit suffixes
-Daniel Stenberg (29 Jan 2015)
-- [Michael Kaufmann brought this change]
+- curl.1: mention the unix for the progress meter
- CURLOPT_SEEKFUNCTION.3: also when server closes a connection
+Patrick Monnerat (16 Jun 2016)
+- os400: add new definitions to ILE/RPG binding.
-Steve Holme (29 Jan 2015)
-- curl_sasl.c: Fixed compilation warning when cryptography is disabled
+Daniel Stenberg (16 Jun 2016)
+- openssl: fix cert check with non-DNS name fields present
- curl_sasl.c:1506: warning: unused variable 'chlg'
-
-- curl_sasl.c: Fixed compilation warning when verbose debug output disabled
+ Regression introduced in 5f5b62635 (released in 7.48.0)
- curl_sasl.c:1317: warning: unused parameter 'conn'
+ Reported-by: Fabian Ruff
+ Fixes #875
+
+Dan Fandrich (16 Jun 2016)
+- axtls: Use Curl_wait_ms instead of the less-portable usleep
-- ntlm_core: Use own odd parity function when crypto engine doesn't have one
+- axtls: Fixed compile after compile 31c521b0
-- ntlm_core: Prefer sizeof(key) rather than hard coded sizes
+- tests: Added HTTP proxy keywords to tests 1141 & 1142
-- ntlm_core: Added consistent comments to DES functions
+Jay Satiro (15 Jun 2016)
+- [Sergei Nikulov brought this change]
-- des: Added Curl_des_set_odd_parity()
+ cmake: Fix build with winldap
- Added Curl_des_set_odd_parity() for use when cryptography engines
- don't include this functionality.
+ Bug: https://github.com/curl/curl/pull/874
+ Reported-by: Sergei Nikulov
-- tests: Grouped SMTP SASL EXTERNAL tests with other SMTP tests
+- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
+
+ When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a
+ zero-byte POST. Prior to this change it was documented as sending data
+ from the read callback.
+
+ This also changes the wording of what happens when empty or NULL so that
+ it's hopefully easier to understand for people whose primary language
+ isn't English.
+
+ Bug: https://github.com/curl/curl/issues/862
+ Reported-by: Askar Safin
-- tests: Grouped POP3 SASL EXTERNAL tests with other POP3 tests
+- [Michael Wallner brought this change]
-- tests: Grouped IMAP SASL EXTERNAL tests with other IMAP tests
+ curl_multi_socket_action.3: Fix rewording
+
+ - Remove some erroneous text.
+
+ Closes https://github.com/curl/curl/pull/865
-- sasl: Minor code policing and grammar corrections
+- [Luo Jinghua brought this change]
-Daniel Stenberg (28 Jan 2015)
-- [Gisle Vanem brought this change]
+ resolve: enable protocol family logic for synthesized IPv6
+
+ - Enable protocol family logic for IPv6 resolves even when support
+ for synthesized addresses is enabled.
+
+ This is a follow up to the parent commit that added support for
+ synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family
+ logic needed for IPv6 was inadvertently excluded if support for
+ synthesized addresses was enabled.
+
+ Bug: https://github.com/curl/curl/issues/863
+ Ref: https://github.com/curl/curl/pull/866
+ Ref: https://github.com/curl/curl/pull/867
- ldap: build with BoringSSL
+Daniel Stenberg (7 Jun 2016)
+- [Luo Jinghua brought this change]
-- security: avoid compiler warning
+ resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
- Possible access to uninitialised memory '&nread' at line 140 of
- lib/security.c in function 'ftp_send_command'.
+ Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X.
+ If the current network interface doesn’t support IPv4, but supports
+ IPv6, NAT64, and DNS64.
- Reported-by: Rich Burridge
+ Closes #866
+ Fixes #863
-- runtests: identify BoringSSL and libressl
-
-Patrick Monnerat (27 Jan 2015)
-- docs: cite SASL external authentication.
+- tests: two more HTTP/2 tests
+
+ 1701 and 1702
-- sasl: remove XOAUTH2 from default enabled authentication mechanism.
+- runtests: don't display logs when http2 server fails to start
-- test: add test cases for sasl external authentication (imap/pop3/smtp).
+- runtests: make stripfile work on stdout as well
+
+ ... and have test 1700 use that to strip out the nghttpx server: headers
-- imap: remove automatic password setting: it breaks external sasl authentication
+- http2-tests: test1700 is the first real HTTP/2 test
+
+ It requires that 'nghttpx' is in the PATH, and it will run the tests
+ using nghttpx as a front-end proxy in front of the standard HTTP/1 test
+ server. This uses HTTP/2 over plain TCP.
+
+ If you like me have nghttpx installed in a custom path, you can run test 1700
+ like this:
+
+ $ PATH=$PATH:$HOME/build-nghttp2/bin/ ./runtests.pl 1700
-- sasl: implement EXTERNAL authentication mechanism.
- Its use is only enabled by explicit requirement in URL (;AUTH=EXTERNAL) and
- by not setting the password.
+- RELEASE-NOTES: synced with 34855feeb4c299
-Steve Holme (27 Jan 2015)
-- openssl: Fixed Curl_ossl_cert_status_request() not returning FALSE
+Steve Holme (6 Jun 2016)
+- schannel: Disable ALPN on Windows < 8.1
- Modified the Curl_ossl_cert_status_request() function to return FALSE
- when built with BoringSSL or when OpenSSL is missing the necessary TLS
- extensions.
-
-- openssl: Fixed compilation errors when OpenSSL built with 'no-tlsext'
+ Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
+ fails on Windows < 8.1 so we need to disable ALPN on these OS versions.
- Fixed the build of openssl.c when OpenSSL is built without the necessary
- TLS extensions for OCSP stapling.
+ Inspiration provide by: Daniel Seither
- Reported-by: John E. Malmberg
+ Closes #848
+ Fixes #840
-- [Brad Spencer brought this change]
+Jay Satiro (5 Jun 2016)
+- checksrc: Add LoadLibrary to the banned functions list
+
+ LoadLibrary was supplanted by Curl_load_library for security
+ reasons in 6df916d.
- curl_setup: Disable SMB/CIFS support when HTTP only
+- http: Fix HTTP/2 connection reuse
+
+ - Change the parser to not require a minor version for HTTP/2.
+
+ HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2
+ in 8243a95 because the parser still expected a minor version.
+
+ Bug: https://github.com/curl/curl/issues/855
+ Reported-by: Andrew Robbins, Frank Gevaerts
-- RELEASE-NOTES: Synced with 37824498a3
+Steve Holme (4 Jun 2016)
+- connect.c: Fixed compilation warning from commit 332e8d6164
+
+ connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
-Daniel Stenberg (22 Jan 2015)
-- configure: remove detection of the old yassl emulation API
+- win32: Used centralised verify windows version function
- ... as that is ancient history and not used.
+ Closes #845
-- OCSP stapling: disabled when build with BoringSSL
+- win32: Added verify windows version functionality
-- [Alessandro Ghedini brought this change]
+- win32: Introduced centralised verify windows version function
- openssl: add support for the Certificate Status Request TLS extension
+Kamil Dudka (3 Jun 2016)
+- tool_urlglob: fix off-by-one error in glob_parse()
+
+ ... causing SIGSEGV while parsing URL with too many globs.
+ Minimal example:
- Also known as "status_request" or OCSP stapling, defined in RFC6066
- section 8.
+ $ curl $(for i in $(seq 101); do printf '{a}'; done)
- Thanks-to: Joe Mason
- - for the work-around for the OpenSSL bug.
+ Reported-by: Romain Coltel
+ Bug: https://bugzilla.redhat.com/1340757
-- BoringSSL: fix build for non-configure builds
+Daniel Stenberg (1 Jun 2016)
+- [Benjamin Kircher brought this change]
+
+ libcurl-multi.3: fix small typo
- HAVE_BORINGSSL gets defined now by configure and should be defined by
- other build systems in case a BoringSSL build is desired.
+ Closes #850
-- configure: fix BoringSSL detection and detect libresssl
+- [Viktor Szakats brought this change]
-Steve Holme (22 Jan 2015)
-- curl_sasl: Reinstate the sasl_ prefix for locally scoped functions
+ makefile.m32: add crypt32 for winssl builds
- Commit 7a8b2885e2 made some functions static and removed the public
- Curl_ prefix. Unfortunately, it also removed the sasl_ prefix, which
- is the naming convention we use in this source file.
-
-- curl_sasl: Minor code policing following recent commits
+ Dependency added by 6cabd78
+
+ Closes #849
-Daniel Stenberg (22 Jan 2015)
-- [John Malmberg brought this change]
+- [Ivan Avdeev brought this change]
- openvms: Handle openssl/0.8.9zb version parsing
+ vtls: fix ssl session cache race condition
- packages/vms/gnv_link_curl.com was assuming only a single letter suffix
- in the openssl version. That assumption has been fixed for 7.40.
+ Sessionid cache management is inseparable from managing individual
+ session lifetimes. E.g. for reference-counted sessions (like those in
+ SChannel and OpenSSL engines) every session addition and removal
+ should be accompanied with refcount increment and decrement
+ respectively. Failing to do so synchronously leads to a race condition
+ that causes symptoms like use-after-free and memory corruption.
+ This commit:
+ - makes existing session cache locking explicit, thus allowing
+ individual engines to manage lock's scope.
+ - fixes OpenSSL and SChannel engines by putting refcount management
+ inside this lock's scope in relevant places.
+ - adds these explicit locking calls to other engines that use
+ sessionid cache to accommodate for this change. Note, however,
+ that it is unknown whether any of these engines could also have
+ this race.
+
+ Bug: https://github.com/curl/curl/issues/815
+ Fixes #815
+ Closes #847
-- BoringSSL: detected by configure, switches off NTLM
+- [Andrew Kurushin brought this change]
-- BoringSSL: no PKCS12 support nor ERR_remove_state
+ schannel: add CURLOPT_CERTINFO support
+
+ Closes #822
-- [Leith Bade brought this change]
+- RELEASE-NOTES: synced with 142ee9fa15002315
- BoringSSL: fix build
+- openssl: rename the private SSL_strerror
+
+ ... to make it not look like an OpenSSL function
-Steve Holme (20 Jan 2015)
-- curl_sasl.c: chlglen is not used when cryptography is disabled
+- [Michael Kaufmann brought this change]
-- curl_sasl.c: Fixed compilation warning when cyptography is disabled
+ openssl: Use correct buffer sizes for error messages
- curl_sasl.c:1453: warning C4101: 'serverdata' : unreferenced local
- variable
+ Closes #844
-- curl_sasl.c: Fixed compilation error when USE_WINDOWS_SSPI defined
+- curl: fix -q [regression]
- curl_sasl.c:1221: error C2065: 'mechtable' : undeclared identifier
+ This broke in 7.49.0 with commit e200034425a7625
- This error could also happen for non-SSPI builds when cryptography is
- disabled (CURL_DISABLE_CRYPTO_AUTH is defined).
+ Fixes #842
-Patrick Monnerat (20 Jan 2015)
-- SASL: make some procedures local-scoped
+- URL parser: allow URLs to use one, two or three slashes
+
+ Mostly in order to support broken web sites that redirect to broken URLs
+ that are accepted by browsers.
+
+ Browsers are typically even more leniant than this as the WHATWG URL
+ spec they should allow an _infinite_ amount. I tested 8000 slashes with
+ Firefox and it just worked.
+
+ Added test case 1141, 1142 and 1143 to verify the new parser.
+
+ Closes #791
-- SASL: common state engine for imap/pop3/smtp
+- [Renaud Lehoux brought this change]
-- SASL: common URL option and auth capabilities decoders for all protocols
+ cmake: Added missing mbedTLS support
+
+ Closes #837
-- IMAP/POP3/SMTP: use a per-connection sub-structure for SASL parameters.
+- [Renaud Lehoux brought this change]
-Daniel Stenberg (20 Jan 2015)
-- ipv6: enclose AF_INET6 uses with proper #ifdefs for ipv6
+ mbedtls: removed unused variables
- Reported-by: Chris Young
+ Closes #838
-- [Chris Young brought this change]
+- [Frank Gevaerts brought this change]
- timeval: typecast for better type (on Amiga)
+ http: add CURLINFO_HTTP_VERSION and %{http_version}
- There is an issue with conflicting "struct timeval" definitions with
- certain AmigaOS releases and C libraries, depending on what gets
- included when. It's a minor difference - the OS one is unsigned,
- whereas the common structure has signed elements. If the OS one ends up
- getting defined, this causes a timing calculation error in curl.
+ Adds access to the effectively used http version to both libcurl and
+ curl.
- It's easy enough to resolve this at the curl end, by casting the
- potentially errorneous calculation to a signed long.
+ Closes #799
+
+- bump: start the journey toward 7.50.0
+
+- [Marcel Raad brought this change]
-- openssl: do public key pinning check independently
+ openssl: fix build with OPENSSL_NO_COMP
- ... of the other cert verification checks so that you can set verifyhost
- and verifypeer to FALSE and still check the public key.
+ With OPENSSL_NO_COMP defined, there is no function
+ SSL_COMP_free_compression_methods
- Bug: http://curl.haxx.se/bug/view.cgi?id=1471
- Reported-by: Kyle J. McKay
+ Closes #836
-Patrick Monnerat (19 Jan 2015)
-- OS400: CURLOPT_SSL_VERIFYSTATUS for ILE/RPG too.
+- [Gisle Vanem brought this change]
-Steve Holme (18 Jan 2015)
-- ldap: Renamed the CURL_LDAP_WIN definition to USE_WIN32_LDAP
+ memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
- For consistency with other USE_WIN32_ defines as well as the
- USE_OPENLDAP define.
+ Fixes #828
+
+- [Jonathan brought this change]
-- http_negotiate: Use dynamic buffer for SPN generation
+ README.md: polish
- Use a dynamicly allocated buffer for the temporary SPN variable similar
- to how the SASL GSS-API code does, rather than using a fixed buffer of
- 2048 characters.
+ Closes #834
-- sasl_gssapi: Make Curl_sasl_build_gssapi_spn() public
+- RELEASE-NOTES: fix vuln link
-- sasl_gssapi: Fixed memory leak with local SPN variable
+Version 7.49.1 (30 May 2016)
-Daniel Stenberg (17 Jan 2015)
-- http_negotiate.c: unused variable 'ret'
+Daniel Stenberg (30 May 2016)
+- RELEASE-NOTES: 7.49.1
-Steve Holme (17 Jan 2015)
-- gskit.h: Code policing of function pointer arguments
+- [Steve Holme brought this change]
-- vtls: Removed unimplemented overrides of curlssl_close_all()
+ loadlibrary: Only load system DLLs from the system directory
- Carrying on from commit 037cd0d991, removed the following unimplemented
- instances of curlssl_close_all():
+ Inspiration provided by: Daniel Stenberg and Ray Satiro
- Curl_axtls_close_all()
- Curl_darwinssl_close_all()
- Curl_cyassl_close_all()
- Curl_gskit_close_all()
- Curl_gtls_close_all()
- Curl_nss_close_all()
- Curl_polarssl_close_all()
-
-- vtls: Separate the SSL backend definition from the API setup
+ Bug: https://curl.haxx.se/docs/adv_20160530.html
- Slight code cleanup as the SSL backend #define is mixed up with the API
- function setup.
+ Ref: Windows DLL hijacking with curl, CVE-2016-4802
+
+- ssh: fix version number check typo
-- vtls: Fixed compilation errors when SSL not used
+Jay Satiro (29 May 2016)
+- curl_share_setopt.3: Add min ver needed for ssl session lock
- Fixed the following warning and error from commit 3af90a6e19 when SSL
- is not being used:
+ Bug: https://github.com/curl/curl/issues/826
+ Reported-by: Michael Wallner
+
+Daniel Stenberg (29 May 2016)
+- ssh: fix build for libssh2 before 1.2.6
- url.c:2004: warning C4013: 'Curl_ssl_cert_status_request' undefined;
- assuming extern returning int
+ The statvfs functionality was added to libssh2 in that version, so we
+ switch off that functionality when built with older libraries.
- error LNK2019: unresolved external symbol Curl_ssl_cert_status_request
- referenced in function Curl_setopt
-
-- http_negotiate: Added empty decoded challenge message info text
+ Fixes #831
-- http_negotiate: Return CURLcode in Curl_input_negotiate() instead of int
-
-- http_negotiate_sspi: Prefer use of 'attrs' for context attributes
+- mbedtls: fix includes so snprintf() works
- Use the same variable name as other areas of SSPI code.
-
-- http_negotiate_sspi: Use correct return type for QuerySecurityPackageInfo()
+ Regression from the previous *printf() rearrangements, this file missed to
+ include the correct header to make sure snprintf() works universally.
- Use the SECURITY_STATUS typedef rather than a unsigned long for the
- QuerySecurityPackageInfo() return and rename the variable as per other
- areas of SSPI code.
+ Reported-by: Moti Avrahami
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
-- http_negotiate_sspi: Use 'CURLcode result' for CURL result code
-
-- curl_endian: Fixed build when 64-bit integers are not supported (Part 2)
+Steve Holme (23 May 2016)
+- checksrc.pl: Added variants of strcat() & strncat() to banned function list
- Missed Curl_read64_be() in commit bb12d44471 :(
+ Added support for checking the tchar, unicode and mbcs variants of
+ strcat() and strncat() in the banned function list.
-Daniel Stenberg (16 Jan 2015)
-- CURLOPT_SSL_VERIFYSTATUS.3: mention it is added in version 7.41.0
+Daniel Stenberg (23 May 2016)
+- smtp: minor ident (white space) fixes
-- curlver.h: next release is 7.41.0 due to the changes
+- THANKS: updated after script fixes
+
+ Now giving credit properly to github user names, fixed some UTF-8 issues
+ and added names discovered when contrithanks was improved.
-- RELEASE-NOTES: mention the new OCSP stapling options, bump version
+- THANKS-filter: more name cleanups
-- opts: add CURLOPT_SSL_VERIFYSTATUS* to docs/Makefile
+- contrithanks.sh: exclude existing names case insensitively
-- help: add --cert-status to --help output
+- contrithanks.sh: use same grep pattern and -a flag as contributors.sh
-- copyright years: after OCSP stapling changes
+- contributors.sh: better grep pattern, use grep -a
-- [Alessandro Ghedini brought this change]
+- THANKS-filter: fix more names
- curl: add --cert-status option
+- contrithanks.sh: do the same github fix as contributors.sh
- This enables the CURLOPT_SSL_VERIFYSTATUS functionality.
-
-- [Alessandro Ghedini brought this change]
+ from 1577bfa35ba
- nss: add support for the Certificate Status Request TLS extension
+Jay Satiro (23 May 2016)
+- contributors: Show GitHub username if real name unknown
- Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.
+ Prior to this change if a GitHub contributor's real name was unknown
+ they would be omitted from the list.
- This requires NSS 3.15 or higher.
+ Bug: https://github.com/curl/curl/issues/824
-- [Alessandro Ghedini brought this change]
+Daniel Stenberg (21 May 2016)
+- RELEASE-NOTES: synced with 3caaeffbe8ded4
- gtls: add support for the Certificate Status Request TLS extension
+Jay Satiro (20 May 2016)
+- openssl: cleanup must free compression methods
- Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.
+ - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
- This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use
- at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP
- response verfication to fail even on valid responses.
+ Bug: https://github.com/curl/curl/issues/817
+ Reported-by: jveazey@users.noreply.github.com
-- [Alessandro Ghedini brought this change]
+Daniel Stenberg (20 May 2016)
+- [Gisle Vanem brought this change]
- url: add CURLOPT_SSL_VERIFYSTATUS option
+ curl_multibyte: fix compiler error
- This option can be used to enable/disable certificate status verification using
- the "Certificate Status Request" TLS extension defined in RFC6066 section 8.
+ While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
+ getting:
- This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
- certificate status verification fails, and the Curl_ssl_cert_status_request()
- function, used to check whether the SSL backend supports the status_request
- extension.
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
+ to follow 'CURL_EXTERN'
+
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
+ 'curl_domalloc': not in formal parameter list
-- TheArtOfHttpScripting: skip the date at the top, we have git
+- THANKS-filter: make Jan-E get proper credit
-- TheArtOfHttpScripting: phrase it TLS lib agnostic
+- [Jan-E brought this change]
-Steve Holme (16 Jan 2015)
-- TODO: Added some SMB ideas
+ winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
+
+ Closes #818
-- RELEASE-NOTES: Synced with 5f09947d28
+- [Alexander Traud brought this change]
-- build-openssl.bat: Added check for Perl installation
+ libcurl.m4: Avoid obsolete warning
+
+ Closes #821
-- checksrc.bat: Better detection of Perl installation
+Jay Satiro (20 May 2016)
+- [Michael Kaufmann brought this change]
-- curl_endian: Fixed build when 64-bit integers are not supported
+ CURLOPT_CONNECT_TO.3: user must not free the list prematurely
- Bug: http://curl.haxx.se/mail/lib-2015-01/0094.html
- Reported-by: John E. Malmberg
-
-Daniel Stenberg (15 Jan 2015)
-- [Yun SangHo brought this change]
+ The connect-to list isn't copied so as long as the handle may be used
+ for a transfer the list must be valid.
+
+ Bug: https://github.com/curl/curl/pull/819
+ Reported-by: Michael Kaufmann
- curl.h: remove extra space
+Daniel Stenberg (19 May 2016)
+- RELEASE-NOTES: synced with 48114a8634242c
-- Curl_pretransfer: reset expected transfer sizes
+- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
- Reported-by: Mohammad AlSaleh
- Bug: http://curl.haxx.se/mail/lib-2015-01/0065.html
+ See OpenSSL commit 21e001747d4a
-Marc Hoersken (12 Jan 2015)
-- curl_schannel.c: mark session as removed from cache if not freed
+- http2: use HTTP/2 in the HTTP/1.1-alike header
- If the session is still used by active SSL/TLS connections, it
- cannot be closed yet. Thus we mark the session as not being cached
- any longer so that the reference counting mechanism in
- Curl_schannel_shutdown is used to close and free the session.
+ ... when generating them, not "2.0" as the protocol is called just
+ HTTP/2 and nothing else.
+
+Jay Satiro (19 May 2016)
+- dist: include curl_multi_socket_all.3
- Reported-by: Jean-Francois Durand
+ Closes https://github.com/curl/curl/pull/816
-Steve Holme (9 Jan 2015)
-- RELEASE-NOTES: Synced with d21b66835f
+Steve Holme (18 May 2016)
+- bump: Start work on 7.49.1
-Guenter Knauf (9 Jan 2015)
-- Merge pull request #134 from vszakats/mingw-m64
+Daniel Stenberg (18 May 2016)
+- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
- add -m64 CFLAGS when targeting mingw64, add -m32/-m64 to LDFLAGS
-
-- Merge pull request #136 from vszakats/mingw-allow-custom-cflags
+ The preprocessor check that sets up the 32bit defines for non-configure
+ builds didn't work properly for MIPS systems as __mips__ is defined for
+ both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
- mingw build: allow to pass custom CFLAGS
+ Reported-by: Tomas Jakobsson
+ Fixes #813
-Daniel Stenberg (9 Jan 2015)
-- NSS: fix compiler error when built http2-enabled
+- [Marcel Raad brought this change]
-Steve Holme (9 Jan 2015)
-- gssapi: Remove need for duplicated GSS_C_NT_HOSTBASED_SERVICE definitions
+ schannel: fix compile break with MSVC XP toolset
- Better code reuse and consistency in calls to gss_import_name().
-
-Viktor Szakats (9 Jan 2015)
-- mingw build: allow to pass custom CFLAGS
+ For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
+ 7.1 is used. In this case, _USING_V110_SDK71_ is defined.
+
+ Closes #812
-Daniel Stenberg (8 Jan 2015)
-- FTP: if EPSV fails on IPV6 connections, bail out
+- dist: include CHECKSRC.md
- ... instead of trying PASV, since PASV can't work with IPv6.
+ Reported-by: Paul Howarth
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html
+
+- test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist
- Reported-by: Vojtěch Král
+ Reported-by: Ray Satiro
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html
+
+Version 7.49.0 (17 May 2016)
+
+Daniel Stenberg (17 May 2016)
+- THANKS: 24 new names from 7.49.0 release notes
+
+- RELEASE-NOTES: 7.49.0
-- FTP: fix IPv6 host using link-local address
+- mbedtls/polarssl: set "hostname" unconditionally
- ... and make sure we can connect the data connection to a host name that
- is longer than 48 bytes.
+ ...as otherwise the TLS libs will skip the CN/SAN check and just allow
+ connection to any server. curl previously skipped this function when SNI
+ wasn't used or when connecting to an IP address specified host.
- Also simplifies the code somewhat by re-using the original host name
- more, as it is likely still in the DNS cache.
+ CVE-2016-3739
- Original-Patch-by: Vojtěch Král
- Bug: http://curl.haxx.se/bug/view.cgi?id=1468
+ Bug: https://curl.haxx.se/docs/adv_20160518A.html
+ Reported-by: Moti Avrahami
-Steve Holme (8 Jan 2015)
-- [Sam Schanken brought this change]
+- [Frank Gevaerts brought this change]
- winbuild: Added option to build with c-ares
+ CURLOPT_RESOLVE.3: fix typo
- Added support for a WITH_CARES option to be used when invoking nmake
- via Makefile.vc. This option enables linking against both the DLL and
- static versions of the c-ares libraries, as well as the debug and
- release varients, depending on the value of DEBUG. The USE_ARES
- preprocessor symbol is also defined.
+ Closes #811
-Guenter Knauf (8 Jan 2015)
-- NetWare build: added TLS-SRP enabled build.
+- docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE
-Steve Holme (8 Jan 2015)
-- sasl_gssapi: Fixed build on NetBSD with built-in GSS-API
+- KNOWN_BUGS: GnuTLS backend skips really long certificate fields
- Bug: http://curl.haxx.se/bug/view.cgi?id=1469
- Reported-by: Thomas Klausner
+ Closes #762
-Viktor Szakats (8 Jan 2015)
-- add -m64 clags when targeting mingw64, add -m32/-m64 to LDFLAGS
+- CURLOPT_HTTPPOST.3: the data needs to be around while in use
-Daniel Stenberg (8 Jan 2015)
-- bump: start working towards 7.40.1
+- openssl: get_cert_chain: fix NULL dereference
+
+ CID 1361815: Explicit null dereferenced (FORWARD_NULL)
+
+- openssl: get_cert_chain: avoid NULL dereference
+
+ CID 1361811: Explicit null dereferenced (FORWARD_NULL)
-- THANKS: 14 new contributors from the 7.40.0 release notes
+- dprintf_formatf: fix (false?) Coverity warning
+
+ CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when
+ we run over 'workend' but the condition says <= workend and for all I
+ can see it should be safe. Compensating for the warning by adding a byte
+ margin in the buffer.
+
+ Also, removed the extra brace level indentation in the code and made it
+ so that 'workend' is only assigned once within the function.
-Version 7.40.0 (7 Jan 2015)
+- RELEASE-NOTES: synced with 2dcb5adc72d6
-Daniel Stenberg (7 Jan 2015)
-- RELEASE-NOTES: version 7.40.0
+- THANKS-filter: fixed Jonathan Cardoso
-- darwinssl: fix session ID keys to only reuse identical sessions
+Jay Satiro (15 May 2016)
+- ftp: fix incorrect out-of-memory code in Curl_pretransfer
+
+ - Return value type must match function type.
- ...to avoid a session ID getting cached without certificate checking and
- then after a subsequent _enabling_ of the check libcurl could still
- re-use the session done without cert checks.
+ s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/
- Bug: http://curl.haxx.se/docs/adv_20150108A.html
- Reported-by: Marc Hesse
+ Caught by Travis CI
-- tests: make sure CRLFs can't be used in URLs passed to proxy
+Daniel Stenberg (15 May 2016)
+- ftp wildcard: segfault due to init only in multi_perform
+
+ The proper FTP wildcard init is now more properly done in Curl_pretransfer()
+ and the corresponding cleanup in Curl_close().
+
+ The previous place of init/cleanup code made the internal pointer to be NULL
+ when this feature was used with the multi_socket() API, as it was made within
+ the curl_multi_perform() function.
- Bug: http://curl.haxx.se/docs/adv_20150108B.html
+ Reported-by: Jonathan Cardoso Machado
+ Fixes #800
-- url-parsing: reject CRLFs within URLs
+Jay Satiro (13 May 2016)
+- libcurl-tlibcurl-thread: Update OpenSSL links
- Bug: http://curl.haxx.se/docs/adv_20150108B.html
- Reported-by: Andrey Labunets
+ Because the old OpenSSL link now redirects to their master documentation
+ (currently 1.1.0), which does not document the required actions for
+ OpenSSL <= 1.0.2.
-Steve Holme (7 Jan 2015)
-- ldap: Convert attribute output to UTF-8 when Unicode
+Daniel Stenberg (13 May 2016)
+- [Viktor Szakats brought this change]
-- ldap: Convert DN output to UTF-8 when Unicode
+ darwinssl.c: fix OS X codename typo in comment
-Daniel Stenberg (7 Jan 2015)
-- hostip: remove 'stale' argument from Curl_fetch_addr proto
+- RELEASE-NOTES: synced with 68701e51c1f7
- Also, remove the log output of the resolved name is NOT in the cache in
- the spirit of only telling when something is actually happening.
+ Added 8 bug fixes and 5 more contrbutors
+
+- [Jay Satiro brought this change]
-Steve Holme (7 Jan 2015)
-- ldap/imap: Fixed spelling mistake in comments and variable names
+ mprintf: Fix processing of width and prec args
- Reported-by: Michael Osipov
+ Prior to this change a width arg could be erroneously output, and also
+ width and precision args could not be used together without crashing.
+
+ "%0*d%s", 2, 9, "foo"
+
+ Before: "092"
+ After: "09foo"
+
+ "%*.*s", 5, 2, "foo"
+
+ Before: crash
+ After: " fo"
+
+ Test 557 is updated to verify this and more
-Daniel Stenberg (7 Jan 2015)
-- RELEASE-NOTES: updated with ./contributors.sh output
+- [Michael Kaufmann brought this change]
-Dan Fandrich (5 Jan 2015)
-- curl_multibyte.h: Eliminated some trailing whitespace
+ ConnectionExists: follow-up fix for proxy re-use
+
+ Follow-up commit to 5823179
+
+ Closes #648
-Steve Holme (4 Jan 2015)
-- RELEASE-NOTES: Synced with ea93252ef1
+- [Per Malmberg brought this change]
-- ldap: Fixed Unicode usage for all Win32 builds
+ darwinssl: fix certificate verification disable on OS X 10.8
- Otherwise, the fixes in the previous commits would only be applicable
- to IDN and SSPI based builds and not others such as OpenSSL with LDAP
- enabled.
-
-- ldap: Fixed memory leak from commit efb64fdf80
+ The new way of disabling certificate verification doesn't work on
+ Mountain Lion (OS X 10.8) so we need to use the old way in that version
+ too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2
+ and 10.11.
+
+ Closes #802
-- ldap: Fix memory leak from commit 3a805c5cc1
+- [Cory Benfield brought this change]
-- ldap: Fixed attribute variable warnings when Unicode is enabled
+ http2: Add space between colon and header value
- Use 'TCHAR *' for local attribute variable rather than 'char *'.
-
-- ldap: Fixed DN variable warnings when Unicode is enabled
+ curl's representation of HTTP/2 responses involves transforming the
+ response to a format that is similar to HTTP/1.1. Prior to this change,
+ curl would do this by separating header names and values with only a
+ colon, without introducing a space after the colon.
- Use 'TCHAR *' for local DN variable rather than 'char *'.
+ While this is technically a valid way to represent a HTTP/1.1 header
+ block, it is much more common to see a space following the colon. This
+ change introduces that space, to ensure that incautious tools are safely
+ able to parse the header block.
+
+ This also ensures that the difference between the HTTP/1.1 and HTTP/2
+ response layout is as minimal as possible.
+
+ Bug: https://github.com/curl/curl/issues/797
+
+ Closes #798
+ Fixes #797
-- ldap: Remove the unescape_elements() function
+Kamil Dudka (12 May 2016)
+- openssl: fix compile-time warning in Curl_ossl_check_cxn()
+
+ ... introduced in curl-7_48_0-293-g2968c83:
- Due to the recent modifications this function is no longer used.
+ Error: COMPILER_WARNING:
+ lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’
+ lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’
+ may alter its value [-Wconversion]
-- ldap.c: Fixed compilation warning
+Jay Satiro (11 May 2016)
+- openssl: stricter connection check function
+
+ - In the case of recv error, limit returning 'connection still in place'
+ to EINPROGRESS, EAGAIN and EWOULDBLOCK.
- ldap.c:98: warning: extra tokens at end of #endif directive
+ This is an improvement on the parent commit which changed the openssl
+ connection check to use recv MSG_PEEK instead of SSL_peek.
+
+ Ref: https://github.com/curl/curl/commit/856baf5#comments
-- ldap: Fixed support for Unicode filter in Win32 search call
+Daniel Stenberg (11 May 2016)
+- [Anders Bakken brought this change]
-- ldap.c: Fixed compilation warning
+ TLS: SSL_peek is not a const operation
- ldap.c:802: warning: comparison between signed and unsigned integer
- expressions
+ Calling SSL_peek can cause bytes to be read from the raw socket which in
+ turn can upset the select machinery that determines whether there's data
+ available on the socket.
+
+ Since Curl_ossl_check_cxn only tries to determine whether the socket is
+ alive and doesn't actually need to see the bytes SSL_peek seems like
+ the wrong function to call.
+
+ We're able to occasionally reproduce a connect timeout due to this
+ bug. What happens is that Curl doesn't know to call SSL_connect again
+ after the peek happens since data is buffered in the SSL buffer and thus
+ select won't fire for this socket.
+
+ Closes #795
-- ldap: Fixed support for Unicode attributes in Win32 search call
+Jay Satiro (9 May 2016)
+- [Daniel Stenberg brought this change]
-- ldap: Fixed memory leak from commit efb64fdf80
+ TLS: move the ALPN/NPN enable bits to the connection
- The unescapped DN was not freed after a successful character conversion.
-
-- ldap.c: Fixed compilation error
+ Only protocols that actually have a protocol registered for ALPN and NPN
+ should try to get that negotiated in the TLS handshake. That is only
+ HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
+ would wrongly be used in all handshakes if libcurl was built with it
+ enabled.
- ldap.c:738: error: macro "LDAP_TRACE" passed 2 arguments, but takes
- just 1
-
-- ldap.c: Fixed compilation warning
+ Reported-by: Jay Satiro
- ldap.c:89: warning: extra tokens at end of #endif directive
+ Fixes #789
-- ldap: Fixed support for Unicode DN in Win32 search call
+Daniel Stenberg (8 May 2016)
+- libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl
-- ldap: Fixed Unicode user and password in Win32 bind calls
+- [Antonio Larrosa brought this change]
-- ldap: Fixed Unicode host name in Win32 initialisation calls
-
-- ldap: Use host.dispname for infof() connection failure messages
+ connect: fix invalid "Network is unreachable" errors
+
+ Sometimes, in systems with both ipv4 and ipv6 addresses but where the
+ network doesn't support ipv6, Curl_is_connected returns an error
+ (intermittently) even if the ipv4 socket connects successfully.
- As host.name may be encoded use dispname for infof() failure messages.
+ This happens because there's a for-loop that iterates on the sockets but
+ the error variable is not resetted when the ipv4 is checked and is ok.
+
+ This patch fixes this problem by setting error to 0 when checking the
+ second socket and not having a result yet.
+
+ Fixes #794
-- ldap: Prefer 'CURLcode result' for curl result codes
+Jay Satiro (5 May 2016)
+- FAQ: refer to thread safety guidelines
-- ldap: Pass write length in all Curl_client_write() calls
+Daniel Stenberg (3 May 2016)
+- connections: non-HTTP proxies on different ports aren't reused either
- As we get the length for the DN and attribute variables, and we know
- the length for the line terminator, pass the length values rather than
- zero as this will save Curl_client_write() from having to perform an
- additional strlen() call.
-
-- ldap: Fixed attribute memory leaks on failed client write
+ Reported-by: Oleg Pudeyev and fuchaoqun
- Fixed memory leaks from commit 086ad79970 as was noted in the commit
- comments.
+ Fixes #648
-- ldap: Fixed DN memory leaks on failed client write
+- http: make sure a blank header overrides accept_decoding
- Fixed memory leaks from commit 086ad79970 as was noted in the commit
- comments.
+ Reported-by: rcanavan
+ Assisted-by: Isaac Boukris
+ Closes #785
-- curl_ntlm_core.c: Fixed compilation warning from commit 1cb17b2a5d
-
- curl_ntlm_core.c:146: warning: passing 'DES_cblock' (aka 'unsigned char
- [8]') to parameter of type 'char *' converts
- between pointers to integer types with different
- sign
+- CHECKSRC.md: clarified, explained the whitelist file
-- ntlm: Use extend_key_56_to_64() for all cryptography engines
-
- Rather than duplicate the code in setup_des_key() for OpenSSL and in
- extend_key_56_to_64() for non-OpenSSL based crypto engines, as it is
- the same, use extend_key_56_to_64() for all engines.
+- nroff-scan.pl: verify that references are made with \fI
-- RELEASE-NOTES: Synced with 34f0bd110f
+- docs: unified man page references to use \fI
-- curl_ntlm_core.c: Fixed compilation warning
+- TODO: 17.14 --fail without --location should treat 3xx as a failure
- curl_ntlm_core.c:458: warning: 'ascii_uppercase_to_unicode_le' defined
- but not used
+ Closes #727
+
+- RELEASE-NOTES: synced with 7987f5cb14d
+
+- [Isaac Boukris brought this change]
-- endian: Fixed bit-shift in 64-bit integer read functions
+ CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
- From commit 43792592ca and 4bb5a351b2.
+ Mention possible content-length mismatch with sum of bytes reported
+ by write callbacks when auto decoding is enabled.
- Reported-by: Michael Osipov
+ See #785
-- smb: Use endian functions for reading NBT and message size values
+- test1140: run nroff-scan to verify man pages
-- endian: Added big endian read functions
+- nroff-scan.pl: verify the .BR references as well
-- endian: Added 64-bit integer read function
+- CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference
-- COPYING: Bumped copyright year to 2015
+- CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE
-- version: Bump copyright year to 2015
+- curl_easy_pause.3: fix man page reference
-- smb.c: Fixed compilation warnings
+Jay Satiro (1 May 2016)
+- tool_cb_hdr: Fix --remote-header-name with schemeless URL
- smb.c:780: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
- smb.c:781: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
- smb.c:804: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
-
-- smb: Use endian functions for reading length and offset values
-
-- endian: Added 16-bit integer write function
-
-- endian: Fixed Linux compilation issues
+ - Move the existing scheme check from tool_operate.
- Having files named endian.[c|h] seemed to cause issues under Linux so
- renamed them both to have the curl_ prefix in the filenames.
-
-- [Julien Nabet brought this change]
+ In the case of --remote-header-name we want to parse Content-disposition
+ for a filename, but only if the scheme is http or https. A recent
+ adjustment 0dc4d8e was made to account for schemeless URLs however it's
+ not 100% accurate. To remedy that I've moved the scheme check to the
+ header callback, since at that point the library has already determined
+ the scheme.
+
+ Bug: https://github.com/curl/curl/issues/760
+ Reported-by: Kai Noda
- lib1900.c: Fixed cppcheck error
+Daniel Stenberg (1 May 2016)
+- tls: make setting pinnedkey option fail if not supported
- lib1900.c:182: (style) Array index 'handlenum' is used before limits
- check
+ to make it obvious to users trying to use the feature with TLS backends
+ not supporting it.
- Bug: https://github.com/bagder/curl/pull/133
-
-- endian: Added standard function descriptions
-
-- endian: Renamed functions for curl API naming convention
+ Discussed in #781
+ Reported-by: Travis Burtrum
-- endian: Moved write functions to new module
-
-- endian: Moved read functions to new module
-
-- endian: Introduced endian module
+- nroff-scan.pl: verifies nroff pages
- To allow the little endian functions, currently used in two of the NTLM
- source files, to be used by other modules such as the SMB module.
+ ... not used by any test yet but can be used stand-alone.
-- sepheaders.c: Applied curl oding standards
+- opts: fix broken/bad references
-- [Julien Nabet brought this change]
+- [Michael Kaufmann brought this change]
- sepheaders.c: Fixed resource leak on failure
+ docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
+
+ Closes #786
-- vtls: Use '(void) arg' for unused parameters
+- CURLOPT_ACCEPT_ENCODING.3: clarified
- Prefer void for unused parameters, rather than assigning an argument to
- itself as a) unintelligent compilers won't optimize it out, b) it can't
- be used for const parameters, c) it will cause compilation warnings for
- clang with -Wself-assign and d) is inconsistent with other areas of the
- curl source code.
+ As discussed in #785
-- smb.c: Fixed compilation warning
+- curl.1: --mail-rcpt can be used multiple times
- smb.c:586: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
+ Reported-by: mgendre
+ Closes #784
-- [Bill Nagel brought this change]
+- [Karlson2k brought this change]
- smb: Use the connection's upload buffer
+ tests: Use 'pathhelp' for paths conversions in secureserver.pl
- Use the connection's upload buffer instead of allocating our own send
- buffer.
+ Closes #675
-- RELEASE-NOTES: Synced with 1933f9d33c
+- [Karlson2k brought this change]
-- schannel: Moved the ISC return flag definitions to the SSPI module
-
- Moved our Initialize Security Context return attribute definitions to
- the SSPI module, as a) these can be used by other SSPI based providers
- and b) the ISC required attributes are defined there.
+ tests: Use 'pathhelp' for paths conversions in sshserver.pl
-- [Bill Nagel brought this change]
+- [Karlson2k brought this change]
- smb: Close the connection after a failed client write
+ tests: Use 'pathhelp' for current path in runtests.pl
-- darwinssl: Fixed compilation warning
-
- vtls.c:683:43: warning: unused parameter 'data'
+- [Karlson2k brought this change]
-- sockfilt.c: Fixed compilation warnings
-
- sockfilt.c:288: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:291: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:323: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:326: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
+ tests: pathhelp.pm to process paths on Msys/Cygwin
-- test1509: Fixed compilation warning
+- lib: include curl_printf.h as one of the last headers
- lib1509.c:93:18: warning: conversion to 'long int' from 'size_t' may
- alter its value
-
-- test556: Fixed compilation warning
+ curl_printf.h defines printf to curl_mprintf, etc. This can cause
+ problems with external headers which may use
+ __attribute__((format(printf, ...))) markers etc.
- lib556.c:90: warning: conversion to 'unsigned int' from 'size_t' may
- alter its value
-
-- sasl_gssapi: Fixed use of dummy username with real username
-
-- vtls: Fixed compilation warning and an ignored return code
+ To avoid that they cause problems with system includes, we include
+ curl_printf.h after any system headers. That makes the three last
+ headers to always be, and we keep them in this order:
- curl_schannel.h:123: warning: right-hand operand of comma expression
- has no effect
+ curl_printf.h
+ curl_memory.h
+ memdebug.h
- Some instances of the curlssl_close_all() function were declared with a
- void return type whilst others as int. The schannel version returned
- CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the
- return code was ignored by the calling function Curl_ssl_close_all().
+ None of them include system headers, they all do funny #defines.
- For the time being and to keep the internal API consistent, changed all
- declarations to use a void return type.
+ Reported-by: David Benjamin
- To reduce code we might want to consider removing the unimplemented
- versions and use a void #define like schannel does.
+ Fixes #743
-Daniel Stenberg (28 Dec 2014)
-- TODO: 2.3 Better support for same name resolves
-
-Steve Holme (28 Dec 2014)
-- test1520: Fixed initial teething problems
+- memdebug.h: remove inclusion of other headers
+
+ Mostly because they're not needed, because memdebug.h is always included
+ last of all headers so the others already included the correct ones.
- * Missing initialisation of upload status caused a seg fault
- * Missing data termination caused corrupt data to be uploaded
- * Data verification should be performed in <upload> element
- * Added missing recipient list cleanup
+ But also, starting now we don't want this to accidentally include any
+ system headers, as the header included _before_ this header may add
+ defines and other fun stuff that we won't want used in system includes.
-- test1520: Fixed compilation errors
+- [Jay Satiro brought this change]
-- tests: Added test for bug #1456
+ curl -J: make it work even without http:// scheme on URL
+
+ It does open up a miniscule risk that one of the other protocols that
+ libcurl could use would send back a Content-Disposition header and then
+ curl would act on it even if not HTTP.
+
+ A future mitigation for this risk would be to allow the callback to ask
+ libcurl which protocol is being used.
+
+ Verified with test 1312
+
+ Closes #760
-- checksrc.bat: Fixed a problem opening files with spaces in the filename
+- manpage-scan.pl: also verify the command line option docs
+
+ This script now also scans src/tool_getparam.c, docs/curl.1 and
+ src/tool_help.c and will warn if any of them lists a command line option
+ not mentioned in one of the other places.
-- openldap: Prefer use of 'CURLcode result'
+- curl: show the long option version of -q in the -h list
-- openldap: Use 'LDAPMessage *msg' for messages
+- curl: remove "--socks" as "--socks5" turned 8
- This frees up the 'result' variable for CURLcode based result codes.
+ In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated
+ and it has not been documented since. The more explicit socks options
+ (like --socks4 or --socks5) should be used.
-- nss: Don't ignore Curl_extract_certinfo() OOM failure
+- curl.1: document the deprecated --ftp-ssl option
-- nss: Don't ignore Curl_ssl_init_certinfo() OOM failure
-
-- nss: Use 'CURLcode result' for curl result codes
+- curl: remove --http-request
- ...and don't use CURLE_OK in failure/success comparisons.
+ It was mentioned as deprecated already in commit ae1912cb0d4 from
+ 1999. It has not been documented in this millennium.
+
+- curl: mention --ntlm-wb in -h list
-- getinfo: Code style policing
+- curl: -h output lacked --proxy-header
-- getinfo: Use 'CURLcode result' for curl result codes
+- curl.1: document --ntlm-wb
-- darwinssl: Use 'CURLcode result' for curl result codes
+- curl.1: document the long format of -q: --disable
-- polarssl: Use 'CURLcode result' for curl result codes
+- curl.1: mention the deprecated --krb4 option
-- docs: Updated following the addition of SASL GSSAPI via GSS-API libraries
+- curl.1: document --ftp-ssl-reqd
- As this feature has been implemented for 7.40.0.
+ Even if deprecated, document it so that people will find it as old
+ scripts may still use it.
-- asiohiper.cpp: No need to initialise members of ConnInfo
+- curl: use --telnet-option as documented
- ...as calloc() automatically clears the area of memory with zeros.
+ The code said "telnet-options" but no documentation ever said so. It
+ worked fine since the code is fine with a unique match of the first
+ part.
-- asiohiper.cpp: Updated for curl coding standards
+- getparam: remove support for --ftpport
- ...with the exception of the start of block statement curly brackets.
+ It has been deprecated and undocumented since commit ad5ead8bed7 (Dec
+ 2003). --ftp-port is the proper long option name.
-- code/docs: Use correct case for IPv4 and IPv6
+- curl: make --disable work as long form of -q
- For consistency, as we seem to have a bit of a mixed bag, changed all
- instances of ipv4 and ipv6 in comments and documentations to use the
- correct case.
+ To make the aliases list reflect reality.
-- runtests: Fixed detection of Unix Sockets feature
+- aliases: remove trailing space from capath string
+
+- cmdline parse: only single letter options have single-letter strings
- ...following change in curl --version output.
+ ... moved around options so that parsing the code to find all
+ single-letter options easier.
-- code/docs: Use Unix rather than UNIX to avoid use of the trademark
+Jay Satiro (28 Apr 2016)
+- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
- Use Unix when generically writing about Unix based systems as UNIX is
- the trademark and should only be used in a particular product's name.
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html
+ Reported-by: Bru Rom
+
+Daniel Stenberg (28 Apr 2016)
+- curl_easy_getinfo.3: remove superfluous blank lines
-- ip2ip.c: Fixed compilation warning when IPv6 Scope ID not supported
+- test1139: verifies libcurl option man page presence
- if2ip.c:119: warning: unused parameter 'remote_scope_id'
+ - checks that each option has its own man page present
- ...and some minor code style policing in the same function.
+ - checks that each option is mentioned in its corresponding index man
+ page
-- vtls: Don't set cert info count until memory allocation is successful
+- curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION
- Otherwise Curl_ssl_init_certinfo() can fail and set the num_of_certs
- member variable to the requested count, which could then be used
- incorrectly as libcurl closes down.
+ ... although it is deprecated.
-- vtls: Use CURLcode for Curl_ssl_init_certinfo() return type
+Jay Satiro (28 Apr 2016)
+- mbedtls: Fix session resume
- The return type for this function was 0 on success and 1 on error. This
- was then examined by the calling functions and, in most cases, used to
- return CURLE_OUT_OF_MEMORY.
+ This also fixes PolarSSL session resume.
- Instead use CURLcode for the return type and return the out of memory
- error directly, propagating it up the call stack.
+ Prior to this change the TLS session information wasn't properly
+ saved and restored for PolarSSL and mbedTLS.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
+ Reported-by: Thomas Glanzmann
+
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
+ Reported-by: Moti Avrahami
+
+Daniel Stenberg (27 Apr 2016)
+- RELEASE-NOTES: synced with f4298fcc6d2
+
+- [Michael Kaufmann brought this change]
-- configure: Use camel case for UNIX sockets feature output
+ opts: Fix some syntax errors in example code fragments
- To match the curl --version output.
+ Fixes #779
-Marc Hoersken (26 Dec 2014)
-- sockfilt.c: Reduce the number of individual memory allocations
+- openssl: avoid BN_print a NULL bignum
- Merge multiple internal arrays into one, even if some variables
- will not not be used. They are all created with the number of
- file descriptors as their size.
+ OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
+ numbers so make sure the function handles this.
- Also fix possible thread handle leak in CloseHandle-loop.
+ Reported-by: Linus Nordberg
+
+- [Marcel Raad brought this change]
-- sockfilt.c: Replace 100ms sleep with thread throttle
+ CONNECT_ONLY: don't close connection on GSS 401/407 reponses
- Improves performance of test cases 574 and 575 by 50%.
+ Previously, connections were closed immediately before the user had a
+ chance to extract the socket when the proxy required Negotiate
+ authentication.
- A value of zero causes the thread to relinquish the remainder
- of its time slice to any other thread of equal priority that is
- ready to run. If there are no other threads of equal priority
- ready to run, the function returns immediately, and the thread
- continues execution.
+ This regression was brought in with the security fix in commit
+ 79b9d5f1a42578f
- http://msdn.microsoft.com/library/windows/desktop/ms686307.aspx
+ Closes #655
-Steve Holme (25 Dec 2014)
-- tool_help: Use camel case for UNIX sockets feature output
-
- In line with the other features listed in the --version output,
- capitalise the UNIX socket feature.
+- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
-- vtls: Use bool for Curl_ssl_getsessionid() return type
-
- The return type of this function is a boolean value, and even uses a
- bool internally, so use bool in the function declaration as well as
- the variables that store the return value, to avoid any confusion.
+- mbedtls.c: silly spellfix of a comment
-- schannel: Minor code style policing for casts
+- KNOWN_BUGS: 1.10 Strips trailing dot from host name
+
+ Closes #716
-- schannel: Prefer 'CURLcode result' for curl result codes
+- test1322: verify stripping of trailing dot from host name
+
+ While being debated (in #716) and a violation of RFC 7230 section 5.4,
+ this test verifies that the existing functionality works as intended. It
+ strips the dot from the host name and uses the host without dot
+ throughout the internals.
-- cyassl: Prefer 'CURLcode result' for curl result codes
+- multi: accidentally used resolved host name instead of proxy
+
+ Regression introduced in 09b5a998
+
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html
+ Reported-by: BoBo
-- tool_xattr: Use 'CURLcode result' for curl result codes
+- symbols-in-versions: added new CURLSSLBACKEND_ symbols
-- curl_ntlm_core.c: Fixed compilation warnings
+- test148: fixed after the --ftp-create-dirs retry change
- curl_ntlm_core.c:301: warning: pointer targets in passing argument 2 of
- 'CryptImportKey' differ in signedness
- curl_ntlm_core.c:310: warning: passing argument 6 of 'CryptEncrypt' from
- incompatible pointer type
- curl_ntlm_core.c:540: warning: passing argument 4 of 'CryptGetHashParam'
- from incompatible pointer type
+ follow-up commit to 3c1e84f569 as it made curl try a little harder
-- RELEASE-NOTES: Synced with 8830df8b66
+- curl.h: clarify curl_sslbackend for openssl clones and renames
-- gtls: Use preferred 'CURLcode result'
+- [Karlson2k brought this change]
-- openldap: Use standard naming for setup connection function
+ url.c: fixed DEBUGASSERT() for WinSock workaround
- Renamed ldap_setup() to ldap_setup_connection() to follow more widely
- used function naming.
+ If buffer is allocated, but nothing is received during prereceive
+ stage, than number of processed bytes must be zero.
+
+ Closes #778
-- rtmp: Use standard naming for setup connection function
+- KNOWN_BUGS: --interface for ipv6 binds to unusable IP address
- Renamed rtmp_setup() to rtmp_setup_connection() to follow more widely
- used function naming.
+ Closes #686 for now.
-- smb: Use standard naming for setup connection function
+- TODO: 1.17 Add support for IRIs
+
+ Adding support for IRIs is a mouthful, but is probably interesting at
+ least for areas and countries where the use of such "URLs" are growing
+ popularity.
- Renamed smb_setup() to smb_setup_connection() to follow more widely
- used function naming.
+ Closes #776
-- config-win32.h: Fixed line length > 79 columns
+- THANKS-filter: Travis Burtrum
-- openssl: Prefer we don't use NULL in comparisons
+- lib1517: checksrc compliance
-- build: Removed WIN32 definition from the Visual Studio projects
+- [moparisthebest brought this change]
+
+ PolarSSL: Implement public key pinning
+
+Patrick Monnerat (22 Apr 2016)
+- os400: upgrade ILE/RPG binding
+
+- curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string
+
+Daniel Stenberg (22 Apr 2016)
+- contributors.sh: make --releasenotes implied
- As this pre-processor definition is defined in curl_setup.h there is no
- need to include it in the Visual Studio project files.
+ It got too annoying to type =)
+
+- RELEASE-NOTES: synced with 3c1e84f5693d8093
-- build: Removed WIN64 definition from the libcurl Visual Studio projects
+- curl: make --ftp-create-dirs retry on failure
- Removed the WIN64 pre-processor definition from the libcurl project
- files as:
+ The underlying libcurl option used for this feature is
+ CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir
+ creation, but it was never set to do that by the command line tool.
- * WIN64 is not used in our source code
- * The curl projects files don't define it
- * It isn't required by or used in the platform SDK
- * For backwards compatability curl_setup.h defines WIN32
- * The compiler automatically defines _WIN64 for x64 builds
+ Now it does.
- Historically Visual Studio projects have defined WIN32, in addition to
- the compiler defined _WIN32 definition, and I had incorrectly changed
- that to WIN64 for the x64 libcurl builds but not in the curl projects.
+ Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html
+ Reported-by: John Wanghui
+ Help-by: Leif W
+
+- [Henrik Gaßmann brought this change]
+
+ winbuild: add mbedtls support
- As such, it is questionable whether this should be defined or not. For
- more information see the following cache of a discussion that took
- place on the microsoft.public.vc.mfc newsgroup:
+ Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
+ options mutual exclusive.
- http://www.tech-archive.net/Archive/VC/microsoft.public.vc.mfc/2008-06/msg00074.html
+ Closes #606
-- openssl.c Fix for compilation errors with older versions of OpenSSL
+- KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables"
- openssl.c:1408: error: 'TLS1_1_VERSION' undeclared
- openssl.c:1411: error: 'TLS1_2_VERSION' undeclared
+ As of commit d9f3b365a3
-Daniel Stenberg (22 Dec 2014)
-- [John Malmberg brought this change]
+- [Irfan Adilovic brought this change]
- Fix comment edit in vms/backup_gnv_curl_src.com
+ configure: ac_cv_ -> curl_cv_ for write-only vars
- packages/vms/backup_gnv_curl_src.com: Originally copied from Bash port.
-
-- curl: show size of inhibited data when using -v
+ These configure vars are modified in a curl-specific way but never
+ evaluated or loaded from cache, even though they are designated as
+ _cv_. We could either implement proper AC_CACHE_CHECKs for them, or
+ remove them completely.
- To offer some more info and yet it doesn't use more lines.
-
-- openssl: fix SSL/TLS versions in verbose output
-
-- openssl: make it compile against openssl 1.1.0-DEV master branch
+ Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and
+ AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after
+ the first configure run with caching.
+
+ `ac_cv_func_strcasecmp` is curious, see #770.
+
+ `eval "ac_cv_func_$func=yes"` can still cause problems as it works in
+ tandem with AC_CHECK_FUNCS and then potentially modifies its result. It
+ would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro,
+ which works the same as AC_CHECK_FUNCS but relies on caching the values
+ of curl_cv_func_* variables, without modifiying ac_cv_func_*.
-Marc Hoersken (22 Dec 2014)
-- sshserver.pl: clarify and streamline variable names
+- [Irfan Adilovic brought this change]
-Daniel Stenberg (21 Dec 2014)
-- openssl: warn for SRP set if SSLv3 is used, not for TLS version
+ configure: ac_cv_ -> curl_cv_ for r/w vars
- ... as it requires TLS and it was was left to warn on the default from
- when default was SSL...
+ These configure vars are modified in a curl-specific way and modified by
+ the configure process, but are never loaded from cache, even though they
+ are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
+ them eventually.
-- smb: use memcpy() instead of strncpy()
-
- ... as it never copies the trailing zero anyway and always just the four
- bytes so let's not mislead anyone into thinking it is actually treated
- as a string.
+- [Irfan Adilovic brought this change]
+
+ configure: ac_cv_func_clock_gettime -> curl_...
- Coverity CID: 1260214
+ This variable must not be cached in its current form, as any cached
+ information will prevent the next configure run from determining the
+ correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to
+ just `curl_`.
-- [John E. Malmberg brought this change]
+- [Irfan Adilovic brought this change]
- VMS: Updates for 0740-0D1220
-
- lib/setup-vms.h : VAX HP OpenSSL port is ancient, needs help.
- More defines to set symbols to uppercase.
+ configure: ac_cv_ -> curl_cv_ for all cached vars
- src/tool_main.c : Fix parameter to vms_special_exit() call.
+ This was automated by:
- packages/vms/ :
- backup_gnv_curl_src.com : Fix the error message to have the correct package.
+ sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \
+ ack -o 'ac_cv_.*?\b' | \
+ sort -u | xargs -n1 bash -c \
+ 'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \
+ $(git ls-files)
- build_curl-config_script.com : Rewrite to be more accurate.
-
- build_libcurl_pc.com : Use tool_version.h now.
+ This only changed the prefix for 16 variables actually checked with
+ AC_CACHE_CHECK.
+
+- openssl: builds with OpenSSL 1.1.0-pre5
- build_vms.com : Fix to handle lib/vtls directory.
+ The RSA, DSA and DH structs are now opaque and require use of new APIs
- curl_gnv_build_steps.txt : Updated build procedure documentation.
+ Fixes #763
+
+Steve Holme (20 Apr 2016)
+- url.c: Prefer we don't use explicit NULLs in conditions
- generate_config_vms_h_curl.com :
- * VAX does not support 64 bit ints, so no NTLM support for now.
- * VAX HP SSL port is ancient, needs some help.
- * Disable NGHTTP2 for now, not ported to VMS.
- * Disable UNIX_SOCKETS, not available on VMS yet.
- * HP GSSAPI port does not have gss_nt_service_name.
+ Fixed commit fa5fa65a30 to not use NULLs in if condition.
+
+Daniel Stenberg (20 Apr 2016)
+- [Isaac Boukris brought this change]
+
+ NTLM: check for NULL pointer before deferencing
- gnv_link_curl.com : Update for new curl structure.
+ At ConnectionExists, both check->proxyuser and check->proxypasswd
+ could be NULL, so make sure to check first.
- pcsi_product_gnv_curl.com : Set up to optionally do a complete build.
+ Fixes #765
-Marc Hoersken (21 Dec 2014)
-- sockfilt.c: use non-Ex functions that are available before WinXP
-
- It was initially reported by Guenter that GetFileSizeEx
- requires (_WIN32_WINNT >= 0x0500) to be true.
+- [Karlson2k brought this change]
-- tests: use Cygwin-style paths in SSH, SSHD and SFTP config files
+ tests: added test1517
- Second patch to enable Windows support using Cygwin-based OpenSSH.
+ ... for checking ability to receive full HTTP response when POST request
+ is used with slow read callback function.
- Tested with CopSSH 5.0.0 free edition using an msys shell on Windows 7.
-
-- tests: support spaces in paths to SSH, SSHD and SFTP binaries
+ This test checks for bug #657 and verifies the work-around from
+ 72d5e144fbc6.
- First patch to enable Windows support using Cygwin-based OpenSSH.
+ Closes #720
-Steve Holme (20 Dec 2014)
-- non-ascii: Reduce variable usage
-
- Removed 'next' variable in Curl_convert_form(). Rather than setting it
- from 'form->next' and using that to set 'form' after the conversion
- just use 'form = form->next' instead.
+- [Karlson2k brought this change]
-- non-ascii: Prefer while loop rather than a do loop
+ sendf.c: added ability to call recv() before send() as workaround
- This also removes the need to check that the 'form' argument is valid.
-
-- non-ascii: Reduce variable scope
+ WinSock destroys recv() buffer if send() is failed. As result - server
+ response may be lost if server sent it while curl is still sending
+ request. This behavior noticeable on HTTP server short replies if
+ libcurl use several send() for request (usually for POST request).
+ To workaround this problem, libcurl use recv() before every send() and
+ keeps received data in intermediate buffer for further processing.
- As 'result' isn't used out side the conversion callback code and
- previously caused variable shadowing in the libiconv based code.
+ Fixes: #657
+ Closes: #668
-- non-ascii: We prefer 'CURLcode result'
+Kamil Dudka (19 Apr 2016)
+- connect: make sure that rc is initialized in singleipconnect()
- This also fixes a variable shadowing issue when HAVE_ICONV is defined
- as rc was declared for the result code of libiconv based functions.
-
-Marc Hoersken (19 Dec 2014)
-- secureserver.pl: clean up formatting of config and fix verbose output
+ This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13:
- Verbose output was not matching the actual configuration file,
- because FIPS and Windows conditions were ignored.
+ Error: CLANG_WARNING:
+ lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value
+ 1118| }
+ 1119|
+ 1120|-> if(-1 == rc)
+ 1121| error = SOCKERRNO;
+ 1122| }
-- secureserver.pl: update Windows detection and fix path conversion
+Daniel Stenberg (19 Apr 2016)
+- make/checksrc: use $srcdir, not $top_srcdir
-- secureserver.pl: make OpenSSL CApath and cert absolute path values
-
- Recent stunnel versions (5.08) seem to have trouble with relative
- paths on Windows. This turns the relative paths into absolute ones.
+- src/checksrc.whitelist: removed
+
+- tool_operate: switch to inline checksrc ignore
-Patrick Monnerat (18 Dec 2014)
-- if2ip: dummy scope parameter for Curl_if2ip() call in SIOCGIFADDR-enabled code.
+- lib/checksrc.whitelist: not needed anymore
+
+ ... as checksrc now skips comments
-- [Kyle J. McKay brought this change]
+- vtls.h: remove a space before semicolon
+
+ ... that the new checksrc detected
- parseurlandfillconn(): fix improper non-numeric scope_id stripping.
- Fixes SF bug 1149: http://sourceforge.net/p/curl/bugs/1449/
+- darwinssl: removed commented out code
-- IPV6: address scope != scope id
- There was a confusion between these: this commit tries to disambiguate them.
- - Scope can be computed from the address itself.
- - Scope id is scope dependent: it is currently defined as 1-based local
- interface index for link-local scoped addresses, and as a site index(?) for
- (obsolete) site-local addresses. Linux only supports it for link-local
- addresses.
- The URL parser properly parses a scope id as an interface index, but stores it
- in a field named "scope": confusion. The field has been renamed into "scope_id".
- Curl_if2ip() used the scope id as it was a scope. This caused failures
- to bind to an interface.
- Scope is now computed from the addresses and Curl_if2ip() matches them.
- If redundantly specified in the URL, scope id is check for mismatch with
- the interface index.
+- http_chunks: removed checksrc disable
- This commit should fix SF bug #1451.
+ ... since checksrc now skips comments
-- connect: singleipconnect(): properly try other address families after failure
+- imap: inlined checksrc disable instead of whitelist edit
-Daniel Stenberg (16 Dec 2014)
-- SFTP: work-around servers that return zero size on STAT
+- checksrc: taught to skip comments
- Bug: http://curl.haxx.se/mail/lib-2014-12/0103.html
- Pathed-by: Marc Renault
+ ... but output non-stripped version of the line, even if that then can
+ make the script identify the wrong position in the line at
+ times. Showing the line stripped (ie without comments) is just too
+ surprising.
-- glob_next_url: make the loop count upwards
+- opts/Makefile.am: list all docs file one by one
- As the former contruct apparently caused a compiler warning, mentioned
- in d8efde07e556c.
+ ... to make it easier to add lines in patches that won't just break all
+ other patches trying to add lines too.
-- tool_operate: we prefer 'CURLcode result'
+- curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN
-- tool_urlglob: unify return codes to use CURLcode
+- RELEASE-NOTES: synced with 03de4e4b219
- There was a mix of GlobCode, CURLcode and ints and they were mostly
- passing around CURLcode errors. This change makes the functions use only
- CURLcode and removes the GlobCode type completely.
+ (since we just merged two major features)
-- tool_urlglob.c: partly reverse dc19789444
+- [Alessandro Ghedini brought this change]
+
+ connect: implement TCP Fast Open for Linux
- The loop in glob_next_url() needs to be done backwards to maintain the
- logic. dc19789444 caused test 1235 to fail.
+ Closes #660
-- KNOWN_BUGS: the SFTP code doesn't support CURLINFO_FILETIME
+- [Alessandro Ghedini brought this change]
-- [Jay Satiro brought this change]
+ tool: add --tcp-fastopen option
- opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
-
- Change CURLOPT_TIMEOUT doc to warn that if CURLOPT_TIMEOUT and
- CURLOPT_TIMEOUT_MS are both set whichever one is set last is the one
- that will be used.
-
- Prior to this change that behavior was only noted in the
- CURLOPT_TIMEOUT_MS doc.
+- [Alessandro Ghedini brought this change]
-Nick Zitzmann (15 Dec 2014)
-- darwinssl: fix incorrect usage of aprintf()
-
- Commit b13923f changed an snprintf() to use aprintf(), but the API usage
- wasn't correct, and was causing a crash to occur. This fixes it.
+ connect: implement TCP Fast Open for OS X
-Steve Holme (14 Dec 2014)
-- copyright: Updated the copyright year following recent updates
+- [Alessandro Ghedini brought this change]
-Daniel Stenberg (14 Dec 2014)
-- tool_urlglob.c: reverse two loops
-
- By counting from 0 and up instead of backwards like before, we remove
- the need for the "funny" check of the unsigned variable when decreased
- passed zero. Easier to read and less risk for compiler warnings.
+ url: add CURLOPT_TCP_FASTOPEN option
-Marc Hoersken (14 Dec 2014)
-- tool_urlglob.c: Added braces to clarify the conditions
+- checksrc: pass on -D so the whitelists are found correctly
-- tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
+- configure: remove check for libresolve
- The >= 0 is actually not required, since i underflows and
- the for-loop is stopped using the < condition, but this
- makes the VS2012 compiler and code analysis happy.
-
-- tool_binmode.c: Explicitly ignore the return code of setmode
+ 'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
+ but this check is broken and most likely adds nothing useful. Removing
+ now.
- Fixes code analysis warning C6031:
- return value ignored: <function> could return unexpected value
-
-- lib: Fixed multiple code analysis warnings if SAL are available
+ Reported-by: Irfan Adilovic
- warning C28252: Inconsistent annotation for function:
- parameter has another annotation on this instance
+ Discussed in #770
-Steve Holme (14 Dec 2014)
-- smb.c: Fixed code analysis warning
+- scripts/make: use $(EXEEXT) for executables
- smb.c:320: warning C6297: Arithmetic overflow: 32-bit value is shifted,
- then cast to 64-bit value. Result may not be an expected
- value
-
-Marc Hoersken (14 Dec 2014)
-- tool_util.c: Use GetTickCount64 if it is available
-
-Steve Holme (14 Dec 2014)
-- smb: Use HAVE_PROCESS_H for process.h inclusion
+ Reported-by: bodop
- Rather than testing against _WIN32 use the preferred HAVE_PROCESS_H
- pre-processor define when including process.h.
+ Fixes #771
-Daniel Stenberg (14 Dec 2014)
-- darwinssl: aprintf() to allocate the session key
-
- ... to avoid using a fixed memory size that risks being too large or too
- small.
+- includes: avoid duplicate memory callback typdefs even harder
-Marc Hoersken (14 Dec 2014)
-- curl_schannel: Improvements to memory re-allocation strategy
-
- - do not grow memory by doubling its size
- - do not leak previously allocated memory if reallocation fails
- - replace while-loop with a single check to make sure
- that the requested amount of data fits into the buffer
+- checksrc/makefile.am: use $top_srcdir to find source files
- Bug: http://curl.haxx.se/bug/view.cgi?id=1450
- Reported-by: Warren Menzer
+ ... to properly support out of source tree builds.
-Steve Holme (14 Dec 2014)
-- asyn-ares: We prefer use of 'CURLcode result'
+- RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5
-Marc Hoersken (14 Dec 2014)
-- curl_schannel.c: Data may be available before connection shutdown
+- opts: fix option references missing (section)
-Steve Holme (14 Dec 2014)
-- http2: Use 'CURLcode result' for curl result codes
-
-- asyn-thread: We prefer 'CURLcode result'
+- [Michael Kaufmann brought this change]
-- smb: Fixed unnecessary initialisation of struct member variables
+ news: CURLOPT_CONNECT_TO and --connect-to
- There is no need to set the 'state' and 'result' member variables to
- SMB_REQUESTING (0) and CURLE_OK (0) after the allocation via calloc()
- as calloc() initialises the contents to zero.
+ Makes curl connect to the given host+port instead of the host+port found
+ in the URL.
-- ntlm: Fixed return code for bad type-2 Target Info
+- makefile.vc6: use d suffix on debug object
+
+ To allow both release and debug builds in parallel.
+
+ Reported-by: Rod Widdowson
- Use CURLE_BAD_CONTENT_ENCODING for bad type-2 Target Info security
- buffers just like we do for bad decodes.
+ Fixes #769
-- ntlm: Remove unnecessary casts in readshort_le()
+Jay Satiro (12 Apr 2016)
+- http2: Use size_t type for data drain count
- I don't think both of my fix ups from yesterday were needed to fix the
- compilation warning, so remove the one that I think is unnecessary and
- let the next Android autobuild prove/disprove it.
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- curl_ntlm_msgs.c: Another attempt to fix compilation warning
+- http2: Improve header parsing
+
+ - Error if a header line is larger than supported.
+
+ - Warn if cumulative header line length may be larger than supported.
+
+ - Allow spaces when parsing the path component.
+
+ - Make sure each header line ends in \r\n. This fixes an out of bounds.
- curl_ntlm_msgs.c:170: warning: conversion to 'short unsigned int' from
- 'int' may alter its value
+ - Disallow header continuation lines until we decide what to do.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-Guenter Knauf (13 Dec 2014)
-- synctime.c: added own user-agent string.
+- http2: Add Curl_http2_strerror for HTTP/2 error codes
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-Steve Holme (13 Dec 2014)
-- smb.c: Fixed line longer than 79 columns
+- [Tatsuhiro Tsujikawa brought this change]
-- curl_ntlm_msgs.c: Fixed compilation warning from commit 783b5c3b11
+ http2: Don't increment drain when one header field is received
+
+ Sicne we write header field in temporary location, not in the memory
+ that upper layer provides, incrementing drain should not happen.
- curl_ntlm_msgs.c:169: warning: conversion to 'short unsigned int' from
- 'int' may alter its value
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-Guenter Knauf (13 Dec 2014)
-- mk-ca-bundle.pl: restored forced run again.
+- [Tatsuhiro Tsujikawa brought this change]
-- synctime.c: removed another timeserver URL.
+ http2: Ensure that http2_handle_stream_close is called
- worldtimeserver.com seems also no longer available.
-
-- synctime.c: fixed timeserver URLs.
+ This commit ensures that streams which was closed in on_stream_close
+ callback gets passed to http2_handle_stream_close. Previously, this
+ might not happen. To achieve this, we increment drain property to
+ forcibly call recv function for that stream.
- For getting the date header its not necessary to access special
- pages or even CGI scripts - all pages including the main index
- reply with the date header, therefore shortened URLs to domain.
- Removed worldtime.com; added pool.ntp.org.
-
-Steve Holme (13 Dec 2014)
-- ftp.c: Fixed compilation warning when no verbose string support
+ To more accurately check that we have no pending event before shutting
+ down HTTP/2 session, we sum up drain property into
+ http_conn.drain_total. We only shutdown session if that value is 0.
- ftp.c:819: warning: unused parameter 'lineno'
-
-- smb: Added state change functions to assist with debugging
+ With this commit, when stream was closed before reading response
+ header fields, error code CURLE_HTTP2_STREAM is returned even if
+ HTTP/2 level error is NO_ERROR. This signals the upper layer that
+ stream was closed by error just like TCP connection close in HTTP/1.
- For debugging purposes, and as per other protocols within curl, added
- state change functions rather than changing the states directly.
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- ntlm: Use short integer when decoding 16-bit values
-
-- RELEASE-NOTES: Synced with 6291a16b20
+- [Tatsuhiro Tsujikawa brought this change]
-- smtp.c: Fixed compilation warnings
+ http2: Process paused data first before tear down http2 session
- smtp.c:2357 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
- smtp.c:2375 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
- smtp.c:2386 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
+ This commit ensures that data from network are processed before HTTP/2
+ session is terminated. This is achieved by pausing nghttp2 whenever
+ different stream than current easy handle receives data.
- Used array index notation instead.
-
-- smb: Disable SMB when 64-bit integers are not supported
+ This commit also fixes the bug that sometimes processing hangs when
+ multiple HTTP/2 streams are multiplexed.
- This fixes compilation issues with compilers that don't support 64-bit
- integers through long long or __int64.
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- ntlm: Disable NTLM v2 when 64-bit integers are not supported
-
- This fixes compilation issues with compilers that don't support 64-bit
- integers through long long or __int64 which was introduced in commit
- 07b66cbfa4.
+- [Tatsuhiro Tsujikawa brought this change]
-- ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
+ http2: Check session closure early in http2_recv
- Previously USE_NTLM2SESSION would only be defined automatically when
- USE_NTRESPONSES wasn't already defined. Separated the two definitions
- so that the user can manually set USE_NTRESPONSES themselves but
- USE_NTLM2SESSION is defined automatically if they don't define it.
-
-- smtp.c: Fixed line longer than 79 columns
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- config-win32.h: Don't enable Windows Crypt API if using OpenSSL
-
- As the OpenSSL and NSS Crypto engines are prefered by the core NTLM
- routines, to the Windows Crypt API, don't define USE_WIN32_CRYPT
- automatically when either OpenSSL or NSS are in use - doing so would
- disable NTLM2Session responses in NTLM type-3 messages.
+- [Tatsuhiro Tsujikawa brought this change]
-- smtp: Fixed inappropriate free of the scratch buffer
+ http2: Add handling stream level error
- If the scratch buffer was allocated in a previous call to
- Curl_smtp_escape_eob(), a new buffer not allocated in the subsequent
- call and no action taken by that call, then an attempt would be made to
- try and free the buffer which, by now, would be part of the data->state
- structure.
+ Previously, when a stream was closed with other than NGHTTP2_NO_ERROR
+ by RST_STREAM, underlying TCP connection was dropped. This is
+ undesirable since there may be other streams multiplexed and they are
+ very much fine. This change introduce new error code
+ CURLE_HTTP2_STREAM, which indicates stream error that only affects the
+ relevant stream, and connection should be kept open. The existing
+ CURLE_HTTP2 means connection error in general.
- This bug was introduced in commit 4bd860a001.
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- smtp: Fixed dot stuffing when EOL characters were at end of input buffers
+Daniel Stenberg (11 Apr 2016)
+- http2: drain the socket better...
- Fixed a problem with the CRLF. detection when multiple buffers were
- used to upload an email to libcurl and the line ending character(s)
- appeared at the end of each buffer. This meant any lines which started
- with . would not be escaped into .. and could be interpreted as the end
- of transmission string instead.
+ ... but ignore EAGAIN if the stream has ended so that we don't end up in
+ a loop. This is a follow-up to c8ab613 in order to avoid the problem
+ d261652 was made to fix.
- This only affected libcurl based applications that used a read function
- and wasn't reproducible with the curl command-line tool.
+ Reported-by: Jay Satiro
+ Clues-provided-by: Tatsuhiro Tsujikawa
- Bug: http://curl.haxx.se/bug/view.cgi?id=1456
- Assisted-by: Patrick Monnerat
+ Discussed in #750
-Daniel Stenberg (11 Dec 2014)
-- telnet: fix "cast increases required alignment of target type"
+- KNOWN_BUGS: added info for "Hangs with PolarSSL"
-- ntlm_wb_response: fix "statement not reached"
+- KNOWN_BUGS: 1.9 HTTP/2 frames while in the connection pool kill reuse
- ... and I could use a break instead of a goto to end the loop.
-
- Bug: http://curl.haxx.se/mail/lib-2014-12/0089.html
- Reported-by: Tor Arntsen
+ Closes #750
-Steve Holme (10 Dec 2014)
-- RELEASE-NOTES: Synced with 1cc5194337
-
- Added some bug fixes that I had missed in previous synchronisations.
+- build: include scripts/ in the dist
-Daniel Stenberg (10 Dec 2014)
-- Curl_unix2addr: avoid using the variable name 'sun'
+Steve Holme (9 Apr 2016)
+- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
- I suspect this causes compile failures on Solaris:
+ As these two options provide identical functionality, the former for
+ SOCK5 proxies and the latter for HTTP proxies, merged the two options
+ together.
- Bug: http://curl.haxx.se/mail/lib-2014-12/0081.html
+ As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
+ 7.49.0.
-Steve Holme (10 Dec 2014)
-- url.c: Fixed compilation warning when USE_NTLM is not defined
+- urldata: Use bool for socks5_gssapi_nec as it is a flag
- url.c:3078: warning: variable 'credentialsMatch' set but not used
+ This value is set to TRUE or FALSE so should be a bool and not a long.
-- parsedate.c: Fixed compilation warning
-
- parsedate.c:548: warning: 'parsed' may be used uninitialized in this
- function
-
- As curl_getdate() returns -1 when parsedate() fails we can initialise
- parsed to -1.
+- url: Ternary operator code style changes
-Daniel Stenberg (10 Dec 2014)
-- TODO: Cache negative name resolves
+- CODE_STYLE: Added ternary operator example to 'Space around operators'
- Worth exploring
+ Following conversation on the libcurl mailing list.
-- ldap: check Curl_client_write() return codes
+- sasl: Fixed compilation errors from commit 9d89a0387
- There might be one or two memory leaks left in the error paths.
+ ...when GSS-API or Windows SSPI are not used.
-- ldap: rename variables to comply to curl standards
+- url: Corrected comments following 9d89a0387
-Dan Fandrich (10 Dec 2014)
-- sws.c: Fixed 'rc' may be used uninitialized warning
+- docs: Added clarification following commit 9d89a0387
-- cookies: Improved OOM handling in cookies
+- Makefile: Fixed echo of checksrc check
+
+- checksrc: Fix issue with the autobuilds not picking up the whitelist
+
+- checksrc: Added missing vauth and vtls directories
+
+- ftp/imap/pop3/smtp: Allow the service name to be overridden
- This fixes the test 506 torture test. The internal cookie API really
- ought to be improved to separate cookie parsing errors (which may be
- ignored) with OOM errors (which should be fatal).
+ Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
+ authentication in FTP, IMAP, POP3 and SMTP.
-Guenter Knauf (9 Dec 2014)
-- synctime.c: fixed user-agent setting.
+- http_negotiate: Calculate service name and proxy service name locally
- Some websites meanwhile refuse to reply to requests from ancient
- browsers like IE6, therefore I've comment out this setting, but
- also fixed the string to now fake IE8 if someone enables it.
+ Calculate the service name and proxy service names locally, rather than
+ in url.c which will allow for us to support overriding the service name
+ for other protocols such as FTP, IMAP, POP3 and SMTP.
+
+- ROADMAP: Updated following the move of the authentication code
-Daniel Stenberg (9 Dec 2014)
-- smb: fix unused return code warning
+Patrick Monnerat (8 Apr 2016)
+- KNOWN_BUGS: openldap hangs. TODO: binary SASL.
-Patrick Monnerat (9 Dec 2014)
-- Curl_client_write() & al.: chop long data, convert data only once.
+Daniel Stenberg (8 Apr 2016)
+- KNOWN_BUGS: 5.6 Improper use of Autoconf cache variables
+
+ Closes #603
-Guenter Knauf (9 Dec 2014)
-- VC build: added sspi define for winssl-zlib builds.
+- KNOWN_BUGS: 11.2 error buffer not set...
+
+ Closes #544
-Daniel Stenberg (9 Dec 2014)
-- schannel_recv: return the correct code
+- KNOWN_BUGS: 11.1 Curl leaks .onion hostnames in DNS
- Bug: http://curl.haxx.se/bug/view.cgi?id=1462
- Reported-by: Tae Hyoung Ahn
+ Closes #543
-- http2: avoid logging neg "failure" if h2 was not requested
+- KNOWN_BUGS: 1.8 DNS timing is wrong for HTTP redirects
+
+ Closes #522
-- openldap: do not ignore Curl_client_write() return codes
+- TODO: HTTP/2 "prior knowledge" is implemented!
-- compile: warn on unused return code from Curl_client_write()
+- [Damien Vielpeau brought this change]
-Patrick Monnerat (8 Dec 2014)
-- SMB: Fix a data size mismatch that broke SMB on big-endian platforms
+ mbedtls: fix MBEDTLS_DEBUG builds
-Steve Holme (7 Dec 2014)
-- smb: Fixed Windows autoconf builds following commit eb88d778e7
+- mbedtls: implement and provide *_data_pending()
+
+ ... as otherwise we might get stuck thinking there's no more data to
+ handle.
- As Windows based autoconf builds don't yet define USE_WIN32_CRYPTO
- either explicitly through --enable-win32-cypto or automatically on
- _WIN32 based platforms, subsequent builds broke with the following
- error message:
+ Reported-by: Damien Vielpeau
- "Can't compile NTLM support without a crypto library."
+ Fixes #737
-- RELEASE-NOTES: Synced with 526603ff05
+- mbedtls: follow-up for the previous commit
-- [Bill Nagel brought this change]
+- mbedtls.c: name space pollution fix, Use 'Curl_'
- smb: Build with SSPI enabled
+- mbedtls.c: changed private prefix to mbed_
- Build SMB/CIFS protocol support when SSPI is enabled.
+ mbedtls_ is the prefix used by the mbedTLS library itself so we should
+ avoid using that for our private functions.
-- [Bill Nagel brought this change]
+- mbedtls.h: fix compiler warnings
- ntlm: Use Windows Crypt API
+- Revert "winbuild: trying to set some files eol=crlf for git"
+
+ This reverts commit 9c08b4f1e7eced5a4d3782a3e0daa484c9d77d21.
+
+ Didn't help. Caused problems.
- Allow the use of the Windows Crypt API for NTLMv1 functions.
+ Fixes #756
-Dan Fandrich (7 Dec 2014)
-- cookie.c: Refactored cleanup code to simplify
+- curl.1: use example.com more
- Also, fixed the outdated comments on the cookie API.
+ Make (most) example snippets use the example.com domain instead of the
+ random ones picked and used before. Some of those were probably
+ legitimate sites and some not. example.com is designed for this purpose.
-- get_url_file_name: Fixed crash on OOM on debug build
+- [Michael Kaufmann brought this change]
+
+ HTTP2: Add a space character after the status code
- This caused a null-pointer dereference which caused a few dozen
- torture tests to fail.
+ The space character after the status code is mandatory, even if the
+ reason phrase is empty (see RFC 7230 section 3.1.2)
+
+ Closes #755
+
+- [Viktor Szakats brought this change]
-Steve Holme (6 Dec 2014)
-- sws.c: Fixed compilation warning
+ URLs: change http to https in many places
- sws.c:2191 warning: 'rc' may be used uninitialized in this function
+ Closes #754
-- ftp.c: Fixed compilation warnings when proxy support disabled
+- winbuild: trying to set some files eol=crlf for git
- ftp.c:1827 warning: unused parameter 'newhost'
- ftp.c:1827 warning: unused parameter 'newport'
+ Thinking it might help to apply patches etc with git.
+
+- [Theodore Dubois brought this change]
-- smb: Fixed a problem with large file transfers
+ curl.1: change example for -F
- Fixed an issue with the message size calculation where the raw bytes
- from the buffer were interpreted as signed values rather than unsigned
- values.
+ It's a bad idea to send your passwords anywhere, especially over HTTP.
+ Modified example to send a picture instead.
- Reported-by: Gisle Vanem
- Assisted-by: Bill Nagel
+ Fixes #752
+
+- KNOWN_BUGS: reorganized and cleaned up
+
+ Now sorted into categories and organized in the same style we do the
+ TODO document. It will make each issue linked properly on the
+ https://curl.haxx.se/docs/knownbugs.html web page.
+
+ The sections should make it easier to find issues and issues related to
+ areas of the reader's specific interest.
-- smb: Moved the URL decoding into a separate function
+Jay Satiro (6 Apr 2016)
+- KNOWN_BUGS: #95 curl in Windows can't handle Unicode arguments
-- smb: Fixed URL encoded URLs not working
+Steve Holme (6 Apr 2016)
+- KNOWN_BUGS: Use https://curl.haxx.se URL for github based issues
-- Makefile.inc: Added our standard header and updated file formatting
+- CHECKSRC.md: Corrected some typos
+
+- RELEASE-NOTES: Corrected last updated
+
+ Included a summary of the checksrc.bat updates and combined two krb5
+ changes as they should have been implemented at the same time.
-- Makefile.inc: Updated file formatting
+- vauth: Corrected a number of typos in comments
- Aligned continuation character and used space as the separator
- character as per other makefile files.
+ Reported-by: Michael Osipov
-- curl_md4.h: Updated copyright year following recent edit
+Jay Satiro (5 Apr 2016)
+- KNOWN_BUGS: #94 IMAP custom requests use the LIST handler
- ...and minor layout adjustment.
+ Bug: https://github.com/curl/curl/issues/536
+ Reported-by: eXeC64@users.noreply.github.com
-Patrick Monnerat (5 Dec 2014)
-- SMB: Fix big endian problems. Make it OS/400 aware.
+Daniel Stenberg (5 Apr 2016)
+- KNOWN_BUGS: remove 68, 70 and 72.
+
+ Due to their age (we don't fully know if they actually remain) and lack
+ of detail - very few people will bother to find out what they're about
+ or work on them. If people truly still suffer from any of these, I
+ assume they will be reported again and then we'll deal with them.
+
+ 72. "Pausing pipeline problems."
+ https://curl.haxx.se/mail/lib-2009-07/0214.html
+
+ 70. Problem re-using easy handle after call to curl_multi_remove_handle
+ https://curl.haxx.se/mail/lib-2009-07/0249.html
+
+ 68. "More questions about ares behavior".
+ https://curl.haxx.se/mail/lib-2009-08/0012.html
-- OS400: enable NTLM authentication
+- KNOWN_BUGS: remove 92 and 88, fixed
-Steve Holme (5 Dec 2014)
-- multi.c: Fixed compilation warning
+- http2: fix connection reuse when PING comes after last DATA
+
+ It turns out the google GFE HTTP/2 servers send a PING frame immediately
+ after a stream ends and its last DATA has been received by curl. So if
+ we don't drain that from the socket, it makes the socket readable in
+ subsequent checks and libcurl then (wrongly) assumes the connection is
+ dead when trying to reuse the connection.
- multi.c:2695: warning: declaration of `exp' shadows a global declaration
+ Reported-by: Joonas Kuorilehto
+
+ Discussed in #750
+
+- multi: remove trailing space in debug output
-Guenter Knauf (5 Dec 2014)
-- build: updated dependencies in makefiles.
+- RELEASE-NOTES: synced with 86e97b642fb
-Steve Holme (5 Dec 2014)
-- sasl: Corrected formatting of function descriptions
+- CHECKSRC.md: mention cmdline options, fix the bullet list
+
+- docs/CHECKSRC.md: initial version
+
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Added support for the examples
+
+Daniel Stenberg (3 Apr 2016)
+- lib/src: fix the checksrc invoke
+
+ ... now works correctly when invoke from the root makefile