Changelog
-Daniel Stenberg (15 Dec 2010)
-- RELEASE-NOTES: synced with a865bd9fbaaa43e5c
+Version 7.50.2 (7 Sep 2016)
-- IsPipeliningPossible: only for HTTP
-
- The function that checks if pipelining is possible now requires the HTTP
- bit to be set so that it doesn't mistakenly tries to do it for other
- protocols.
-
- Bug: http://curl.haxx.se/mail/lib-2010-12/0152.html
- Reported by: Dmitri Shubin
-
-- multi_runsingle: don't timeout completed handles
-
- The generic timeout code must not check easy handles that are already
- completed. Going to completed (again) within there risked decreasing the
- number of alive handles again and thus it could go negative.
-
- This regression bug was added in 7.21.2 in commit ca10e28f06f1
-
-- symbols-in-versions: CURLOPT_KEYPASSWD fixed
-
- It was added in 7.17.0 and is not deprecated
-
-- RELEASE-NOTES: synced with c28443c551825
+Daniel Stenberg (7 Sep 2016)
+- RELEASE-NOTES: curl 7.50.2 release
-Dan Fandrich (8 Dec 2010)
-- Mention that using other libraries can affect app licensing
+- THANKS: updated for 7.50.2
-Yang Tse (7 Dec 2010)
-- easy: fix compiler warning: end-of-loop code not reached
+Jay Satiro (6 Sep 2016)
+- [Gaurav Malhotra brought this change]
-Daniel Stenberg (6 Dec 2010)
-- disconnect: pass on the dead_connection argument
+ openssl: fix CURLINFO_SSL_VERIFYRESULT
- Cleanup fix after Kamil's commit 5c7c9a768d0093
-
-Yang Tse (6 Dec 2010)
-- sws: fix compier warning: external definition with no prior declaration
-
-Daniel Stenberg (6 Dec 2010)
-- [Heinrich Ko brought this change]
-
- ossl_connect_common: detect connection re-use
-
- ossl_connect_common() now checks whether or not 'struct
- connectdata->state' is equal 'ssl_connection_complete' and if so, will
- return CURLE_OK with 'done' set to 'TRUE'. This check prevents
- ossl_connect_common() from creating a new ssl connection on an existing
- ssl session which causes openssl to fail when it tries to parse an
- encrypted TLS packet since the cipher data was effectively thrown away
- when the new ssl connection was created.
+ CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
+ result when SSL_connect fails because of a certificate verification
+ error.
- Bug: http://curl.haxx.se/mail/lib-2010-11/0169.html
-
-Kamil Dudka (6 Dec 2010)
-- url: provide dead_connection flag in Curl_handler::disconnect
+ This fix saves the result of SSL_get_verify_result so that it is
+ returned by CURLINFO_SSL_VERIFYRESULT.
- It helps to prevent a hangup with some FTP servers in case idle session
- timeout has exceeded. But it may be useful also for other protocols
- that send any quit message on disconnect. Currently used by FTP, POP3,
- IMAP and SMTP.
-
-Yang Tse (6 Dec 2010)
-- ssh: fix a download resume point calculation
+ Closes https://github.com/curl/curl/pull/995
-Daniel Stenberg (5 Dec 2010)
-- Curl_wait_for_resolv: correct timeout
-
- When looping in this function and checking for the timeout being
- expired, it was not updating the reference time when calculating the
- timediff since previous round which made it think each subsequent loop
- to have taken longer than it actually did.
-
- I also modified the function to use the generic Curl_timeleft() function
- instead of the custom logic.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=3112579
+Daniel Stenberg (6 Sep 2016)
+- [Daniel Gustafsson brought this change]
-- Curl_send/recv_plain: return errno on failure
-
- When send() and recv() fail, we now store the errno value to allow the
- app to access it.
+ darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
- Bug: http://curl.haxx.se/bug/view.cgi?id=3128121
- Reported by: Yuri
+ While noErr and errSecSuccess are defined as the same value, the API
+ documentation states that SecPKCS12Import() returns errSecSuccess if
+ there were no errors in importing. Ensure that a future change of the
+ defined value doesn't break (however unlikely) and be consistent with
+ the API docs.
-Guenter Knauf (5 Dec 2010)
-- Updated OpenSSL version.
+- [Daniel Gustafsson brought this change]
-Yang Tse (4 Dec 2010)
-- fix compiler warning: conversion may lose significant bits
+ docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)
-- fix compiler warning: assignment within conditional expression
+- [Marcel Raad brought this change]
-- fix getinfo CURLINFO_LOCAL* for reused connections (take 2) follow-up
+ openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
- - Show address string from proper buffer in case of connection failure.
+ With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
+ functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
+ replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
+ OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
+ now called OpenSSL_version_num().
- - Try next address when inet_ntop() fails.
-
-Daniel Stenberg (3 Dec 2010)
-- version-check: added brief documentation
+ [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
+ [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
- and the traditional source header
-
-Yang Tse (3 Dec 2010)
-- build: provide SIZEOF_SIZE_T DOS definition
-
-- build: lib/config.dos renamed to lib/config-dos.h
-
-- build: provide SIZEOF_SIZE_T VMS definition
-
-- build: move config-vms.h from subdir 'packages/vms' into 'lib'
-
-- build: provide SIZEOF_SIZE_T definition for non-configure builds
+ Closes #992
-- build: provide SIZEOF_SIZE_T netware definition
+- RELEASE-NOTES: synced with 3d4c0c8b9bc1d
-- configure: undo using autobuilds to temporarily verify strict aliasing warnings.
-
-- fix compiler warning: rounding, sign extension, or loss of accuracy may result
+- http2: return EOF when done uploading without known size
+
+ Fixes #982
-- fix compiler warning: statement is not reachable
+- http2: skip the content-length parsing, detect unknown size
-- fix compiler warning: conversion may lose significant bits
+- http2: minor white space edit
-- connect: fix compiler warning: unused variable
+- http2: use named define instead of magic constant in read callback
-- fix getinfo CURLINFO_LOCAL* for reused connections (take 2)
+- [Craig Davison brought this change]
-- fix getinfo CURLINFO_LOCAL* for reused connections follow-up
+ configure: make the cpp -P detection not clobber CPPFLAGS
- Reinstate IPV6 build variable that got removed.
-
-- fix getinfo CURLINFO_LOCAL* for reused connections
+ CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF.
- Failed to commit this file changes along with the others.
+ Fixes #958
-- fix getinfo CURLINFO_LOCAL* for reused connections
+- [Olivier Brunel brought this change]
-- atoi: remove atoi usage
+ speed caps: not based on average speeds anymore
+
+ Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
+ CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
+ with the cumulative average speed of the entire transfer; While this
+ might work at times with good/constant connections, in other cases it
+ can result to the limits simply being "ignored" for more than "short
+ bursts" (as told in man page).
+
+ Consider a download that goes on much slower than the limit for some
+ time (because bandwidth is used elsewhere, server is slow, whatever the
+ reason), then once things get better, curl would simply ignore the limit
+ up until the average speed (since the beginning of the transfer) reached
+ the limit. This could prove the limit useless to effectively avoid
+ using the entire bandwidth (at least for quite some time).
+
+ So instead, we now use a "moving starting point" as reference, and every
+ time at least as much as the limit as been transferred, we can reset
+ this starting point to the current position. This gets a good limiting
+ effect that applies to the "current speed" with instant reactivity (in
+ case of sudden speed burst).
+
+ Closes #971
-- multi: fix compiler warning: conversion may lose significant bits follow-up
+- HISTORY.md: the multi socket was put in the wrong year!
-- ftp: fix 'bool' data type implementation dependant usage
+- [Mark Hamilton brought this change]
-- multi: fix compiler warning: conversion may lose significant bits
+ tool_helpers.c: fix comment typo (#989)
-- multi: fix compiler warning: enumerated type mixed with another type
+- [Mark Hamilton brought this change]
-- hostip: edit comment
+ libtest/test.h: fix typo (#988)
-- xattr: fix compiler warning: enumerated type mixed with another type
+- CURLMOPT_PIPELINING.3: language
-- s/isspace/ISSPACE
+- CURLMOPT_PIPELINING.3: extended and clarified
+
+ Especially in regards to the multiplexing part.
-- symbol-scan: use configure script knowledge about how to run the C preprocessor
+Steve Holme (31 Aug 2016)
+- curl_sspi.c: Updated function description comments
+
+ * Added description to Curl_sspi_free_identity()
+ * Added parameter and return explanations to Curl_sspi_global_init()
+ * Added parameter explaination to Curl_sspi_global_cleanup()
-- ignore file generated by configure
+- README: Corrected the supported Visual Studio versions
+
+ Missed from commit 8356022d17.
-- curl_multi_info_read: fix compiler warning: conversion may lose significant bits
+- KNOWN_BUGS: Move the Visual Studio project shortcomings from local README
-- inet_pton: fix compiler warning
+- KNOWN_BUGS: Expand 6.4 to include Kerberos V5
- warning C4146: unary minus operator applied to unsigned type, result still unsigned
+ ...and discuss a possible solution.
-- Curl_getaddrinfo_ex: sanitize function results follow-up.
-
-- Curl_getaddrinfo_ex: sanitize function results.
+Daniel Stenberg (30 Aug 2016)
+- connect: fix #ifdefs for debug versions of conn/streamclose() macros
- Ensure that spurious results from system's getaddrinfo() ares not propagated
- by Curl_getaddrinfo_ex() into the library.
+ CURLDEBUG is for the memory debugging
- Also ensure that the ai_addrlen member of Curl_getaddrinfo_ex()'s output linked
- list of Curl_addrinfo structures has appropriate family-specific address size.
-
-Kamil Dudka (22 Nov 2010)
-- openldap: use remote port in URL passed to ldap_init_fd()
+ DEBUGBUILD is for the extra debug stuff
- ... not the proxy port. It makes no difference unless a proxy is used.
+ Pointed-out-by: Steve Holme
-Yang Tse (20 Nov 2010)
-- gtls: define and use gtls_EAGAIN, gtls_EINTR and gtls_EIO.
-
- Winsock builds clobber some errno.h defines in setup_once.
+- KNOWN_BUGS: mention some cmake "support gaps"
-Dan Fandrich (19 Nov 2010)
-- Added a couple examples that were missing from the tar ball
+Nick Zitzmann (28 Aug 2016)
+- darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
+
+ In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
-- Check for errors while preprocessing curl.h in test 1119
+Daniel Stenberg (28 Aug 2016)
+- http2: return CURLE_HTTP2_STREAM for unexpected stream close
- This showed a problem when running the test out-of-tree, so
- an include path is now being added to pick up the generated
- curlbuild.h file.
+ Follow-up to c3e906e9cd0f, seems like a more appropriate error code
+
+ Suggested-by: Jay Satiro
-- Use the 3-argument open for compatibility with older perls
+- [Tatsuhiro Tsujikawa brought this change]
-- [Matthias Bolte brought this change]
+ http2: handle closed streams when uploading
+
+ Fixes #986
- Detect socket errors in GnuTLS on Windows
+- http2: make sure stream errors don't needlessly close the connection
- On Windows, translate WSAGetLastError() to errno values as GNU
- TLS does it internally, too. This is necessary because send() and
- recv() on Windows don't set errno when they fail but GNU TLS
- expects a proper errno value.
+ With HTTP/2 each transfer is made in an indivial logical stream over the
+ connection, making most previous errors that caused the connection to get
+ forced-closed now instead just kill the stream and not the connection.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3110991
+ Fixes #941
-Yang Tse (19 Nov 2010)
-- test servers: fix strict aliasing compiler warnings
-
-- configure: use autobuilds to temporarily verify strict aliasing warnings.
+- Curl_verify_windows_version: minor edit to avoid compiler warnings
- Temporarily, When cross-compiling with gcc 3.0 or later, enable strict aliasing
- rules and warnings. Given that cross-compiled targets autobuilds do not run the
+ ... instead of if() before the switch(), add a default to the switch so
+ that the compilers don't warn on "warning: enumeration value
+ 'PLATFORM_DONT_CARE' not handled in switch" anymore.
+
+Steve Holme (27 Aug 2016)
+- RELEASE-NOTES: Added missing fix from commit 15592143f
-Julien Chaffraix (17 Nov 2010)
-- configure: Prevent link errors with --librtmp.
+Jay Satiro (26 Aug 2016)
+- schannel: Disable ALPN for Wine since it is causing problems
+
+ - Disable ALPN on Wine.
+
+ - Don't pass input secbuffer when ALPN is disabled.
- If --librtmp was specified but pkg-config could not find the librtmp
- file, we would have undefined symbols when linking curl.
+ When ALPN support was added a change was made to pass an input secbuffer
+ to initialize the context. When ALPN is enabled the buffer contains the
+ ALPN information, and when it's disabled the buffer is empty. In either
+ case this input buffer caused problems with Wine and connections would
+ not complete.
- We prevent this error by disabling this case as suggested on the mailing
- list.
+ Bug: https://github.com/curl/curl/issues/983
+ Reported-by: Christian Fillion
-Daniel Stenberg (15 Nov 2010)
-- RELEASE-NOTES: synced with cbf4961bf3e4
+Kamil Dudka (26 Aug 2016)
+- [Peter Wang brought this change]
-- gnutls->handshake: improved timeout handling
+ nss: work around race condition in PK11_FindSlotByName()
- When no timeout is set, we call the socket_ready function with a timeout
- value of 0 during handshake, which makes it loop too much/fast in this
- function. It also made this function return CURLE_OPERATION_TIMEDOUT
- wrongly on a slow handshake.
+ Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
+ a multi-threaded environment. The underlying cause is a race condition
+ in nssSlot_IsTokenPresent().
- However, the particular bug report that highlighted this problem is not
- solved by this fix, as this fix only makes the more proper error get
- reported instead.
+ Bug: https://bugzilla.mozilla.org/1297397
- Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594150
- Reported by: Johannes Ernst
+ Closes #985
-Julien Chaffraix (13 Nov 2010)
-- urldata: Capitalize enum protect_level values.
+- nss: refuse previously loaded certificate from file
- This makes it easier to spot the enum values from the variables.
- Removed some unneeded DEBUGASSERT added in the previous commit.
+ ... when we are not asked to use a certificate from file
-- security: tighten enum protection_level usage.
-
- While changing Curl_sec_read_msg to accept an enum protection_level
- instead of an int, I went ahead and fixed the usage of the associated
- fields.
-
- Some code was assuming that prot_clear == 0. Fixed those to use the
- proper value. Added assertions prior to any code that would set the
- protection level.
+Daniel Stenberg (26 Aug 2016)
+- ftp_done: remove dead code
+
+- TLS: random file/egd doesn't have to match for conn reuse
+
+- test161: add comment for the exit code
-Yang Tse (13 Nov 2010)
-- configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected in body
+Dan Fandrich (26 Aug 2016)
+- test219: Add http as a required feature
-Daniel Stenberg (12 Nov 2010)
-- curl.1: "a file", not an
+Daniel Stenberg (25 Aug 2016)
+- [Michael Kaufmann brought this change]
-- version-check.pl: display version number for symbols
+ HTTP: stop parsing headers when switching to unknown protocols
- This script is the start of a helper tool that scans a source code and
- outputs the most recent libcurl version it finds symbols for. Meaning
- that if there's no conditions in the code, that's the earliest libcurl
- version the scanned code requires.
+ - unknown protocols probably won't send more headers (e.g. WebSocket)
+ - improved comments and moved them to the correct case statements
- It is not added to the Makefile.am yet as it is still a bit crude, but
- I'm committing it to keep it and allow us to work on it.
+ Closes #899
-- [Adam Light brought this change]
+- openssl: make build with 1.1.0 again
+
+ synced with OpenSSL git master commit cc06906707
- Makefile.vc6: fixed the xattr.c compile
+- INTERNALS: fix title
-Julien Chaffraix (12 Nov 2010)
-- krb5: Use GSS_ERROR to check for error.
+- configure: detect zlib with our pkg-config macros
+
+ ... instead of relying on the pkg-config autoconf macros to be present.
- This is the advised way of checking for errors in the GSS-API RFC.
- Also added some '\n' to the error message so that they are not mixed
- with other outputs.
+ Fixes #972 (again...)
-- security: Pass the right parameter to init.
+Jay Satiro (25 Aug 2016)
+- http2: Remove incorrect comments
- init is expecting app_data. Passing it the struct connecdata would make
- us crash later.
+ .. also remove same from scp
-Daniel Stenberg (11 Nov 2010)
-- HTTP Auth: Add CURLAUTH_ONLY
+Daniel Stenberg (23 Aug 2016)
+- [Ales Novak brought this change]
+
+ ftp: fix wrong poll on the secondary socket
+
+ When we're uploading using FTP and the server issues a tiny pause
+ between opening the connection to the client's secondary socket, the
+ client's initial poll() times out, which leads to second poll() which
+ does not wait for POLLIN on the secondary socket. So that poll() also
+ has to time out, creating a long (200ms) pause.
- This is a meta symbol. OR this value together with a single specific
- auth value to force libcurl to probe for un-restricted auth and if not,
- only that single auth algorithm is acceptable.
+ This patch adds the correct flag to the secondary socket, making the
+ second poll() correctly wait for the connection there too.
- For example you can use CURLAUTH_DIGEST|CURLAUTH_ONLY to make libcurl
- first probe for what method to use, but yet only consider Digest to be
- acceptable.
+ Signed-off-by: Ales Novak <alnovak@suse.cz>
- Using _only_ CURLAUTH_DIGEST without the CURLAUTH_ONLY field, will make
- libcurl explicitly use Digest right away and not do any probing.
+ Closes #978
-- ip_version: moved to connection struct
+- RELEASE-NOTES: synced with 95ded2c56
+
+- configure: make it work without PKG_CHECK_MODULES
- The IP version choice was previously only in the UserDefined struct
- within the SessionHandle, but since we sometimes alter that option
- during a request we need to have it on a per-connection basis.
+ With commit c2f9b78 we added a new dependency on pkg-config for
+ developers which may be unwanted. This change make the configure script
+ still work as before if pkg-config isn't installed, it'll just use the
+ old zlib detection logic without pkg-config.
- I also moved more "init conn" code into the allocate_conn() function
- which is designed for that purpose more or less.
-
-Yang Tse (11 Nov 2010)
-- buildconf: MAC OS X requires libtool version 1.5.26 or newer
+ Reported-by: Marc Hörsken
- MAC OS X requires libtool version 1.5.26 or newer, otherwise
- configure will mishandle *.dSYM directories when it runs.
-
-- configure: remove temporary autobuilds exercising of xattr function tests
-
-- configure: use autobuilds to temporarily exercise xattr function tests
+ Fixes #972
-- xattr: portability fix
-
-- curl-functions: provide xattr function tests that also check number of arguments
-
-Daniel Stenberg (10 Nov 2010)
-- test1120: verify FTP response 421
+Marc Hoersken (21 Aug 2016)
+- Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6"
- curl mustn't try to use the control connection after the 421 is received
-
-- ftpserver.pl: spellfix comment
-
-- [Rutger Hofman brought this change]
-
- TFTP: resend the correct data
+ This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554.
- I found a bug in tftp_tx() in tftp.c. If a data resend is done after
- reception of an ACK/OACK, the call to sendto is wrong.
+ As discussed in #835 SOCKS5 supports IPv6 proxies and destinations.
-- [Stefan Tomanek brought this change]
+Daniel Stenberg (21 Aug 2016)
+- [Marco Deckel brought this change]
- write extended attributes by using fsetxattr
+ win: Basic support for Universal Windows Platform apps
- Instead of reopening the downloaded file, fsetxattr uses the (already
- open) file descriptor to attach extended attributes. This makes the
- procedure more robust against errors caused by moved or deleted files.
-
-Dan Fandrich (9 Nov 2010)
-- Check for getinfo errors before setting attributes
+ Closes #820
-Kamil Dudka (9 Nov 2010)
-- ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT
+Steve Holme (21 Aug 2016)
+- sasl: Don't use GSSAPI authentication when domain name not specified
- Bug: https://bugzilla.redhat.com/650255
- Reported by: Simon H.
+ Only choose the GSSAPI authentication mechanism when the user name
+ contains a Windows domain name or the user is a valid UPN.
+
+ Fixes #718
-Daniel Stenberg (9 Nov 2010)
-- symbols-in-version: add CURL_SOCKET_BAD
+- vauth: Added check for supported SSPI based authentication mechanisms
- I also documented the filtering logic in the symbol-scan.pl function to
- clarify why not all CURL_* symbols are included.
+ Completing commit 00417fd66c and 2708d4259b.
-Yang Tse (9 Nov 2010)
-- serial number bump
+- http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
+
+ From commit 2708d4259b.
-Kamil Dudka (8 Nov 2010)
-- ftp: close connection as soon as ABOR has been sent
+Marc Hoersken (20 Aug 2016)
+- socks.c: display the hostname returned by the SOCKS5 proxy server
- ... and do not send ABOR unless really necessary.
+ Instead of displaying the requested hostname the one returned
+ by the SOCKS5 proxy server is used in case of connection error.
+ The requested hostname is displayed earlier in the connection sequence.
- Bug: https://bugzilla.redhat.com/649347
- Reported by: Simon H.
+ The upper-value of the port is moved to a temporary variable and
+ replaced with a 0-byte to make sure the hostname is 0-terminated.
-Daniel Stenberg (8 Nov 2010)
-- RELEASE-NOTES: synced with fc6c4c10f9faab08
+Steve Holme (20 Aug 2016)
+- urldata.h: Corrected comment for httpcode which is also populated by SMTP
- I also recounted and updated the command line and libcurl options.
+ As of 7.25.0 and commit 5430007222.
-- help: indent the --xattr option like the others
-
-- curl.1: --resolve documented
-
-- CURLOPT_RESOLVE: documented
-
-- CURLOPT_USE_SSL: move from FTP options to connection options
-
-- xattr-check: correct the comment as well
+Marc Hoersken (20 Aug 2016)
+- socks.c: use Curl_printable_address in SOCKS5 connection sequence
+
+ Replace custom string formatting with Curl_printable_address.
+ Add additional debug and error output in case of failures.
-- xattr: use const char * for const strings
+- socks.c: align SOCKS4 connection sequence with SOCKS5
+
+ Calling sscanf is not required since the raw IPv4 address is
+ available and the protocol can be detected using ai_family.
-- setxattr: fix the checks
+Steve Holme (20 Aug 2016)
+- http.c: Corrected indentation change from commit 2708d4259b
- My copy and paste job was a little too much copy and I missed to adjust
- it properly to sys/xattr.h all over and this is a fix to cure that.
+ Made by Visual Studio's auto-correct feature and missed by me in my own
+ code reviews!
-- CURLOPT_RESOLVE: added
+- http: Added calls to Curl_auth_is_<mechansism>_supported()
- CURLOPT_RESOLVE is a new option that sends along a curl_slist with
- name:port:address sets that will populate the DNS cache with entries so
- that request can be "fooled" to use another host than what otherwise
- would've been used. Previously we've encouraged the use of Host: for
- that when dealing with HTTP, but this new feature has the added bonus
- that it allows the name from the URL to be used for TLS SNI and server
- certificate name checks as well.
+ Hooked up the HTTP authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
- This is a first change. Surely more will follow to make it decent.
-
-Yang Tse (8 Nov 2010)
-- fix compiler warning
-
-Dan Fandrich (7 Nov 2010)
-- Added os-specific.c and xattr.c to the Symbian build files
+ As per commit 00417fd66c existing functionality is maintained for now.
-Yang Tse (7 Nov 2010)
-- xattr: fix VisualStudio builds
+Marc Hoersken (20 Aug 2016)
+- socks.c: improve verbose output of SOCKS5 connection sequence
-- fix snapshot generation
+- configure.ac: add missing quotes to PKG_CHECK_MODULES
-Daniel Stenberg (5 Nov 2010)
-- --libcurl: simplify output
+Steve Holme (20 Aug 2016)
+- sasl: Added calls to Curl_auth_is_<mechansism>_supported()
- Removed the code that was needed for libcurl before 7.19.0 which now is
- more than two years old.
+ Hooked up the SASL authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
- Simplified the top comment and corrected the URL.
+ For now existing functionality is maintained.
-- [Alfred Gebert brought this change]
+Daniel Stenberg (19 Aug 2016)
+- [Miroslav Franc brought this change]
- LDAP: detect non-binary attributes properly
-
- If the query result has a binary attribute, the binary attribute is
- base64 encoded. But all following non binary attributes are also base64
- encoded which is wrong.
+ spnego_sspi: fix memory leak in case *outlen is zero (#970)
+
+- CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex
+
+Steve Holme (18 Aug 2016)
+- vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
- This is a test (LDAP server is public).
+ As Windows SSPI authentication calls fail when a particular mechanism
+ isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
+ and Negotiate to allow both HTTP and SASL authentication the opportunity
+ to query support for a supported mechanism before selecting it.
- curl
- ldap://x500.bund.de:389/o=Bund,c=DE?userCertificate,certificateSerialNumber?sub
- ?cn=*Woehleke*
+ For now each function returns TRUE to maintain compatability with the
+ existing code when called.
+
+Daniel Stenberg (18 Aug 2016)
+- test1144: verify HEAD with body-only response
-- xattr: add configure check and #ifdefs
+Steve Holme (17 Aug 2016)
+- RELEASE-PROCEDURE: Added some more future release dates
- setxattr is a glibc call to set extended attributes, so configure now
- checks for it and the code is adapted to only build when the
- functionality is present.
+ ...and removed some old ones
-- [Stefan Tomanek brought this change]
+Daniel Stenberg (17 Aug 2016)
+- [David Woodhouse brought this change]
- save metadata to extended file attributes
+ curl: allow "pkcs11:" prefix for client certificates
- It is often convinient to track back the source of a once downloaded
- file; this patch makes curl store the source URL and other metadata
- alongside the retrieved file by using the extended attributes (if
- supported by the file system and enabled by --xattr).
-
-- test: remove test 580
+ RFC7512 provides a standard method to reference certificates in PKCS#11
+ tokens, by means of a URI starting 'pkcs11:'.
- Test 580 is removed again for two reasons:
+ We're working on fixing various applications so that whenever they would
+ have been able to use certificates from a file, users can simply insert
+ a PKCS#11 URI instead and expect it to work. This expectation is now a
+ part of the Fedora packaging guidelines, for example.
- 1) Some compilers aren't satisfied by just a data variable called 'test'
- when first.o wants a function called 'test'. The Solaris compiler says
- "ld: warning: symbol `test' has differing types:" while the AIX compiler
- downright rejects it.
+ This doesn't work with cURL because of the way that the colon is used
+ to separate the certificate argument from the passphrase. So instead of
- 2) Test case 1119 that was added after this test is way more complete
- and cover everything test 580 does and more without introducing the same
- problems.
-
-- Revert: use Host: name for SNI and cert name checks
+ curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
- This reverts commit b0fd03f5b8d4520dd232a9d13567d16bd0ad8951,
- 4b2fbe1e97891f, afecd1aa13b4f, 68cde058f66b3
-
-- TODO-RELEASE: "TLS SNI use Host:" is done
+ I instead need to invoke cURL with the colon escaped, like this:
- 262 - Manual setting of TLS Server Name Indication - use Host:
-
-- RELEASE-NOTES: synced with 7b823badbcab9d330
-
-- curl.1: added a few missing exit codes
-
-- certcheck: use the custom Host: name for checks
+ curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
- If you use a custom Host: name in a request to a SSL server, libcurl
- will now use that given name when it verifies the server certificate to
- be correct rather than using the host name used in the actual URL.
-
-- SNI: simplify the custom host name use
+ This is suboptimal because we want *consistency* — the URI should be
+ usable in place of a filename anywhere, without having strange
+ differences for different applications.
- The redirect check is already done at the position where the customhost
- field is assigned so there's no point in doing that a second time.
-
-- host: get the custom Host: name more genericly
+ This patch therefore disables the processing in parse_cert_parameter()
+ when the string starts with 'pkcs11:'. It means you can't pass a
+ passphrase with an unescaped PKCS#11 URI, but there's no need to do so
+ because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
+ the URI itself.
- When given a custom host name in a Host: header, we can use it for
- several different purposes other than just cookies, so we rename it and
- use it for SSL SNI etc.
+ Also, if users are already using RFC7512 URIs with the colon escaped as
+ in the above example — even providing a passphrase for cURL to handling
+ instead of using a pin-value attribute, that will continue to work
+ because their string will start 'pkcs11\:' and won't match the check.
+
+ What *does* break with this patch is the extremely unlikely case that a
+ user has a file which is in the local directory and literally named
+ just "pkcs11", and they have a passphrase on it. If that ever happened,
+ the user would need to refer to it as './pkcs11:<passphrase>' instead.
-- [Hongli Lai (Phusion) brought this change]
+- nss: make the global variables static
- SNI: set name to custom Host header
+- openssl: use regular malloc instead of OPENSSL_malloc
- OpenSSL SNI host name should be set to the custom Host header, if the
- user provided one.
+ This allows for better memmory debugging and torture tests.
-- fopen.c: re-indented, fixed previous mistake
+- proxy: fix tests as follow-up to 93b0d907d5
+
+ This fixes tests that were added after 113f04e664b as the tests would
+ fail otherwise.
- I've made the code intended using curl-style now to look more like other
- examples.
+ We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
+ regressions with old and stupid proxies, but we could possibly switch to
+ using it only for CONNECT or only for NTLM in a future if we want to
+ gradually reduce it.
- My previous "fix" was a bit too invasive but is now fixed again.
+ Fixes #954
+
+ Reported-by: János Fekete
-- multi use: call multi_perform even on select() timeouts
+- Revert "Proxy-Connection: stop sending this header by default"
+
+ This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
-- example: add smtp-multi.c
+- CURLOPT_PROXY.3: unsupported schemes cause errors now
- An example application source code sending SMTP mail with the multi
- interface. It is based on the code Alona Rossen provided, which in turn
- is based on existing example/test code, and I converted it even more
- into a decent example with a fair multi API use, put the info required
- to edit at the top and I added some comments.
+ Follow-up to a96319ebb9 (document the new behavior)
-- CURLOPT_NOSIGNAL: add blurb about SIGPIPE
+- tests/README: mention nghttpx for HTTP/2 tests
-Dan Fandrich (3 Nov 2010)
-- Allow building test 580 out of tree
+- README.md: add our CII Best Practices badge
-Daniel Stenberg (3 Nov 2010)
-- dist: add symbol-scan.pl to the tarball
+- proxy: polished the error message for unsupported schemes
+
+ Follow up to a96319ebb93
-- test1119: verify symbols-in-versions
+- test219: verify unsupported scheme for proxies get rejected
-- runtests: allow tests written as perl scripts
+- proxy: reject attempts to use unsupported proxy schemes
- If a command is set type="perl", it can now specify a perl program that will
- be run instead of an ordinary curl or built tool.
+ I discovered some people have been using "https://example.com" style
+ strings as proxy and it "works" (curl doesn't complain) because curl
+ ignores unknown schemes and then assumes plain HTTP instead.
- A perl test automatically disables memory and valgrind debugging.
+ I think this misleads users into believing curl uses HTTPS to proxies
+ when it doesn't. Now curl rejects proxy strings using unsupported
+ schemes instead of just ignoring and defaulting to HTTP.
+
+- RELEASE-NOTES: synced with b7ee5316c2fd5b
-- symbol-scan: verifies symbols-in-versions
+Marc Hoersken (14 Aug 2016)
+- socks.c: Correctly calculate position of port in response packet
- This new script scans for all enums and #defines used by the curl/curl.h
- and curl/multi.h headers. Then it reads all symbols mentioned in
- symbols-in-vesions and make sure that there's no entries missing in
- there. It then proceeds to verify that the entries that
- symbols-in-vesions mentions but aren't found in the sources are truly
- documented as removed.
+ Third commit to fix issue #944 regarding SOCKS5 error handling.
- This script is used in the new test case 1119
+ Reported-by: David Kalnischkies
-- symbols-in-versions: added 119 missing symbols
+- socks.c: Do not modify and invalidate calculated response length
- I've developed a script I call symbol-scan.pl that scans the curl.h and
- multi.h header files and compare the symbols it finds in there with the
- symbols symbols-in-versions documents and outputs a report on the
- differences. Using this I've dug through the history to fill up
- symbols-in-versions with all the symbols my script found mismatches for.
+ Second commit to fix issue #944 regarding SOCKS5 error handling.
- I will commit symbol-scan.pl separatly and think of a way to put it to
- use in the build/tests so that we from now on will get this in-sync
- check automatically.
-
-Dan Fandrich (2 Nov 2010)
-- Added mk580.pl to the tar ball
-
-Daniel Stenberg (2 Nov 2010)
-- symbols-in-versions: added missing symbols
+ Reported-by: David Kalnischkies
-- ignore: lib580.c is generated by mk580.pl
-
-- test: added test 580 - verifies symbols-in-versions
+- socks.c: Move error output after reading the whole response packet
- The new perl script mk580.pl generates a C table in a fresh source file
- named lib580.c and if that compiles fine we know that the file
- docs/libcurl/symbols-in-versions at least doesn't include any symbols
- that are misspelled.
+ First commit to fix issue #944 regarding SOCKS5 error handling.
- An additional feature would be to somehow scan curl/curl.h and compare
- with symbols-in-versions to see if there are symbols missing.
+ Reported-by: David Kalnischkies
-- spellfix: CURLOPT_TFTP_BLKSIZE it is
+Daniel Stenberg (13 Aug 2016)
+- [Ronnie Mose brought this change]
-Kamil Dudka (29 Oct 2010)
-- ftp: prevent server from hanging on closed data connection
-
- Some FTP servers (e.g. Pure-ftpd) end up hanging if we close the data
- connection before transferring all the requested data. If we send ABOR
- in that case, it prevents the server from hanging.
+ MANUAL: Remove invalid link to LDAP documentation (#962)
- Bug: https://bugzilla.redhat.com/643656
- Reported by: Pasi Karkkainen, Patrick Monnerat
+ The server developer.netscape.com does not resolve into any
+ ip address and can be removed.
-Dan Fandrich (28 Oct 2010)
-- Removed a leftover mention of FTP in an error message
-
-- Removed the native Makefile.riscos files
+Jay Satiro (13 Aug 2016)
+- openssl: accept subjectAltName iPAddress if no dNSName match
- These haven't worked in at least 8 years due to missing source
- files, and most active RiscOS developers these days apparently
- cross-compile anyway.
+ Undo change introduced in d4643d6 which caused iPAddress match to be
+ ignored if dNSName was present but did not match.
- Signed-off-by: James Bursa <james@zamez.org>
-
-- Lightened the stack in wc_statemach to permit deeper recursion
+ Also, if iPAddress is present but does not match, and dNSName is not
+ present, fail as no-match. Prior to this change in such a case the CN
+ would be checked for a match.
- Also, added a few hints to help compilers to perform tail call
- recursion optimization.
+ Bug: https://github.com/curl/curl/issues/959
+ Reported-by: wmsch@users.noreply.github.com
-Daniel Stenberg (20 Oct 2010)
-- SSH: use libssh2_session_handshake()
-
- In libssh2 1.2.8, libssh2_session_handshake() replaces
- libssh2_session_startup() to fix the previous portability problem with
- the socket type that was too small for win64 and thus easily could cause
- crashes and more.
+Daniel Stenberg (12 Aug 2016)
+- [Dambaev Alexander brought this change]
-- SSH: avoid using the libssh2_ prefix
+ configure.ac: add zlib search with pkg-config
- It is a bad idea to use the public prefix used by another library and
- now we realize that libssh2 introduces a symbol in the upcoming version
- 1.2.8 that conflicts with our static function named libssh2_free.
+ Closes #956
-- formdata: provide error message
+- rtsp: ignore whitespace in session id
- When failing to build form post due to an error, the code now does a
- proper failf(). Previously libcurl would report an error like "failed
- creating formpost data" when a file wasn't possible to open which was
- not easy for users to figure out.
+ Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
+ whitespace as well.
- I also lower cased a function name to be named more curl-style and
- removed some unnecessary code.
+ Help-by: Erik Janssen
-- URL-parsing: consider ? a divider
+- HTTP: retry failed HEAD requests too
- The URL parser got a little stricter as it now considers a ? to be a
- host name divider so that the slightly sloppier URLs work too. The
- problem that made me do this change was the reported problem with an URL
- like: www.example.com?email=name@example.com This form of URL is not
- really a legal URL (due to the missing slash after the host name) but is
- widely accepted by all major browsers and libcurl also already accepted
- it, it was just the '@' letter that triggered the problem now.
+ Mark's new document about HTTP Retries
+ (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
+ spotted that we don't retry failed HEAD requests which seems totally
+ inconsistent and I can't see any reason for that separate treatment.
- The side-effect of this change is that now libcurl no longer accepts the
- ? letter as part of user-name or password when given in the URL, which
- it used to accept (and is tested in test 191). That letter is however
- mentioned in RFC3986 to be required to be percent encoded since it is
- used as a divider.
+ So, no separate treatment for HEAD starting now. A HTTP request sent
+ over a reused connection that gets cut off before a single byte is
+ received will be retried on a fresh connection.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3090268
-
-- curl_easy_setopt.3: spellfix
+ Made-aware-by: Mark Nottingham
-- curl_easy_setopt.3: CURLOPT_USE_SSL is not just for FTP
-
- It is for FTP, SMTP, POP3, IMAP at least.
+- mk-ca-bundle.1: document -m, added in 1.26
-- krb4.h: removed unused prototypes
+- RELEASE-NOTES: synced with e577c43bb5
-- krb4: make a few functions static
+- [Erik Janssen brought this change]
-- TODO-RELEASE: cleanup for 7.21.3 works
+ rtsp: accept any RTSP session id
- "SFTP resume with 4GB file does not work" is now removed as I'm sure
- this is really a libssh2 bug and not a libcurl bug.
+ Makes libcurl work in communication with gstreamer-based RTSP
+ servers. The original code validates the session id to be in accordance
+ with the RFC. I think it is better not to do that:
- 7.21.2 is released already
-
-- RELEASE-NOTES: sync with 09a2d93a0f17ca
-
-- http_chunks: remove debug output
+ - For curl the actual content is a don't care.
- Accidentally left in there during my previous debugging of this
-
-- Curl_setopt: disallow CURLOPT_USE_SSL without SSL support
+ - The clarity of the RFC is debatable, is $ allowed or only as \$, that
+ is imho not clear
- In order to avoid for example the pingpong protocols to issue STARTTLS
- (or equivalent) even though there's no SSL support built-in.
+ - Gstreamer seems to url-encode the session id but % is not allowed by
+ the RFC
- Reported by: Sune Ahlgren
- Bug: http://curl.haxx.se/mail/archive-2010-10/0045.html
-
-- options: check for features for some options
+ - less code
+
+ With this patch curl will correctly handle real-life lines like:
+ Session: biTN4Kc.8%2B1w-AF.; timeout=60
- Some options, such as the automatic decompression and some SSL related
- ones now will bail out if the underlying libcurl doesn't have support
- for the particular feature needed.
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
-Dan Fandrich (14 Oct 2010)
-- Fixed the IPv6 host address in test1203
+- symbols-in-versions: add CURL_STRICTER
- Reported by: Christian Weisgerber
- Bug: http://curl.haxx.se/bug/view.cgi?id=3087479
+ Added in 5fce88aa8c12564
-Daniel Stenberg (14 Oct 2010)
-- curl_easy_setopt.3: clarify CURLOPT_CRLF
+- [Simon Warta brought this change]
+
+ winbuild: Allow changing C compiler via environment variable CC (#952)
- The option takes a parameter that should be 1 or 0 to enable or disable
- the feature.
+ This makes it possible to use specific compilers or a cache.
- URL: http://curl.haxx.se/bug/view.cgi?id=3086428
+ Sample use for clcache:
+ set CC=clcache.bat
+ nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
-Guenter Knauf (14 Oct 2010)
-- Some more small Watcom makefile fixes.
+- LICENSE-MIXING.md: switched to markdown
-- Added --noconfigure switch to testcurl.pl.
+- docs-make: have markdown files use .md
-- Modified Watcom makefiles to work on Linux too.
+- curl.h: make CURL_NO_OLDIES define CURL_STRICTER
-- Added MingW32 rtmp target; changed Watcom targets.
-
- Modified Watcom targets to avoid backslashs so that they can
- work on Linux too.
+- HISTORY.md: use markdown extension
+
+- SSLCERTS.md: renamed to markdown extension
+
+- INTERNALS.md: use markdown extension for markdown content
-Daniel Stenberg (13 Oct 2010)
-- gitignore: ignore Makefile.vc10.dist made by maketgz
+- CONTRIBUTE.md: markdown extension
-- curlver.h: start over at 7.21.3
+- CONTRIBUTE: changed to markdown
-- RELEASE-NOTES: start over towards 7.21.3
+- CONTRIBUTE: refreshed
-- THANKS: added contributors from 7.21.2
+- TODO: added an SSH section and two SFTP things to do
-Version 7.21.2 (12 Oct 2010)
+- TODO: remove the 1.22 duplicated item
-Daniel Stenberg (12 Oct 2010)
-- RELEASE-NOTES: synced with ecd624b8e774a85
+- TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section
-- [Julien Chaffraix brought this change]
+- TODO: API for URL parsing/splitting
- CMake: Build fix.
+- TODO: move QUIC to the HTTP section
+
+- [Simon Warta brought this change]
+
+ winbuild: Free name $(CC) in Makefile (#950)
- Do not match the trailing '\n' in the regular expression as this would
- make us dump a ) parenthesis on a new line.
+ In the old line number 290, CC and CURL_CC had the same value. After
+ that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
- This fixes the following error:
+ This gets rid of the CC variable entirely. It is a first step to make it
+ possible to manualyl set a CC variable in order to be able to change the
+ compiler.
+
+- TODO: Use huge HTTP/2 windows
+
+- [Simon Warta brought this change]
+
+ winbuild: Avoid setting redundant CFLAGS to compile commands (#949)
- would get transformed into:
+ $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
+ all arguments in CURL_CFLAGS have been added twice.
+
+Jay Satiro (8 Aug 2016)
+- cmake: Enable win32 threaded resolver by default
- )
+ - Turn on USE_THREADS_WIN32 in Windows if ares isn't on
- Bug: http://curl.haxx.se/mail/lib-2010-10/0065.html
- Reported by: Dimitre Dimitrov
+ This change is similar to what we already do in the autotools build.
-- header_callback: strip off file path separated with backslashes
+- cmake: Enable win32 large file support by default
- If the filename contains a backslash, only use filename portion. The
- idea is that even systems that don't handle backslashes as path
- separators probably want that path removed for convenience.
+ All compilers used by cmake in Windows should support large files.
- This flaw is considered a security problem, see the curl security
- vulnerability http://curl.haxx.se/docs/adv_20101013.html
+ - Add test SIZEOF_OFF_T
+ - Remove outdated test SIZEOF_CURL_OFF_T
+ - Turn on USE_WIN32_LARGE_FILES in Windows
+ - Check for 'Largefile' during the features output
-Dan Fandrich (12 Oct 2010)
-- Get the curl source files for Amiga from Makefile.inc
-
- This is similar to how it's done in the lib directory.
- The Amiga build appears to have been broken for a year because
- of a missing homedir.c
+Daniel Stenberg (7 Aug 2016)
+- TODO: added several ideas, removed SPDY
-- Added section on server-supplied names to security considerations
+- http2: always wait for readable socket
+
+ Since the server can at any time send a HTTP/2 frame to us, we need to
+ wait for the socket to be readable during all transfers so that we can
+ act on incoming frames even when uploading etc.
+
+ Reminded-by: Tatsuhiro Tsujikawa
-Guenter Knauf (12 Oct 2010)
-- Fixed Watcom makefile.
+- RELEASE-NOTES: synced with 7b4bf37a44791
-- Added build bits for librtmp / libssh2 to Watcom makefiles.
+- [Thomas Glanzmann brought this change]
-- Added build bits for librtmp to NetWare makefiles.
+ mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
+
+ In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
+ to 0. This patch also adds a comment how mbedtls must be compiled in
+ order to make debugging work, and explains the possible debug levels.
-Daniel Stenberg (12 Oct 2010)
-- SFTP: more ignoring negative file sizes
+- CURLOPT_TCP_NODELAY: now enabled by default
- As the change in 5f0ae7a0626cbe709 added a precaution against negative
- file sizes that for some reason managed to get returned, this change now
- introduces the same check at the second place in the code where the file
- size from the libssh2 stat call is used.
+ After a few wasted hours hunting down the reason for slowness during a
+ TLS handshake that turned out to be because of TCP_NODELAY not being
+ set, I think we have enough motivation to toggle the default for this
+ option. We now enable TCP_NODELAY by default and allow applications to
+ switch it off.
- This check might not be suitable for a 32 bit curl_off_t, but libssh2.h
- assumes long long to work and to be 64 bit so I believe such a small
- curl_off_t will be very unlikely to occur in the wild.
-
-- SMTP: debug output for no known auth mechanisms supported
+ This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
+ used to disable it.
- ... and some minor source code whitespace edits
-
-- test: urlglob error messages have no extra newline anymore
+ Thanks-to: Tim Rühsen
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
-Guenter Knauf (11 Oct 2010)
-- Added build bits for librtmp to MingW32 makefiles.
+- [Serj Kalichev brought this change]
-Daniel Stenberg (8 Oct 2010)
-- RELEASE-NOTES: synced with 61f4cdb73ae4
-
-- globbing: fix crash on unballanced open brace
+ TFTP: Fix upload problem with piped input
- Having an open brace without a closing brace caused a segfault.
+ When input stream for curl is stdin and input stream is not a file but
+ generated by a script then curl can truncate data transfer to arbitrary
+ size since a partial packet is treated as end of transfer by TFTP.
- Having a closing brace too many caused a silent error to occur, which
- caused curl to bail out and return an error code but no error message
- was shown. It does now!
+ Fixes #857
+
+- mk-ca-bundle.pl: -m keeps ca cert meta data in output
- All error message outputs no longer wrongly get _two_ newlines written
- after the error message.
+ Makes the script pass on comments holding meta data to the output
+ file. Like fingerprinters, issuer, date ranges etc.
- Reported by: Vlad Ureche
- Bug: http://curl.haxx.se/bug/view.cgi?id=3083942
+ Closes #937
-- [Dan Locks brought this change]
+- multi: make Curl_expire() work with 0 ms timeouts
+
+ Previously, passing a timeout of zero to Curl_expire() was a magic code
+ for clearing all timeouts for the handle. That is now instead made with
+ the new Curl_expire_clear() function and thus a 0 timeout is fine to set
+ and will trigger a timeout ASAP.
+
+ This will help removing short delays, in particular notable when doing
+ HTTP/2.
- libcurl.m4: AC_PATH_PROG fixes
+- transfer: return without select when the read loop reached maxcount
- The invocation of autoconf's AC_PATH_PROG( ) is not quite right for
- finding curl-config. This fix corrects the negative case (where
- curl-config is not found).
+ Regression added in 790d6de48515. The was then added to avoid one
+ particular transfer to starve out others. But when aborting due to
+ reading the maxcount, the connection must be marked to be read from
+ again without first doing a select as for some protocols (like SFTP/SCP)
+ the data may already have been read off the socket.
+
+ Reported-by: Dan Donahue
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html
-- FAQ: added "How do I submit my patch?"
+Steve Holme (3 Aug 2016)
+- [Bill Nagel brought this change]
-- examples: use example.com in example URLs
+ mbedtls: Added support for NTLM
-- TODO-RELEASE: libidn problem not repeatable
-
- "261 - configure and libidn" is removed from the list since Julien
- Chaffraix tried to repeat it but failed and the reporter did not return
- to provide further details.
-
- Reported by: Lyndon Hill
- Bug: http://curl.haxx.se/mail/lib-2010-07/0029.html
+Daniel Stenberg (3 Aug 2016)
+- [Sergei Nikulov brought this change]
-- libcurl.m4: mention argument is PREFIX
-
- The macro provides a --with-libcurl option that expects a PREFIX to be
- specified and not actually a "directory" in which libcurl will be found.
- This now spells that out more clearly.
+ travis: removed option to rebuild autotool from source
- Reported by: Dan Locks
- Bug: http://curl.haxx.se/bug/view.cgi?id=3079891
+ Fixes #943
-Guenter Knauf (3 Oct 2010)
-- Some NetWare makefile tweaks.
-
- Renamed SDK_* to NDK_*; made NDK_* defines overwriteable from
- environment; removed now obsolete YACC macro;
- moved some curl_config.h defines to IPv6 section since they
- are only needed when IPv6 is enabled - this makes libcurl compile
- with older NDKs too which were not IPv6-aware.
+- bump: start working toward 7.50.2
-Daniel Stenberg (2 Oct 2010)
-- TODO-RELEASE: 416 error fixed
-
- "3076808 Requests fail silently following a 416 error" done
+Version 7.50.1 (3 Aug 2016)
-Julien Chaffraix (2 Oct 2010)
-- krb5-gssapi: Removed a memory leak in krb5_auth.
-
- We forgot to release the buffer passed to gss_init_sec_context.
-
- The previous logic was difficult to read as we were reusing the same
- variable (gssbuf) for both input buffer and output buffer. Splitted the
- logic in 2 variables to better underline who needs to be released.
- Also made the code break at 80 lines.
+Daniel Stenberg (3 Aug 2016)
+- THANKS: 7 new contributors from the 7.50.1 release
-- krb5-gssapi: Made the function always return a value.
-
- kr5_auth missed a final 'return' statement. This is not an error in
- gcc but can lead to potential bugs.
+- RELEASE-NOTES: 7.50.1
-- krb5-gssapi: Delete the GSS-API context.
-
- This fixes a memory leak related to the GSS-API code.
+- TLS: only reuse connections with the same client cert
- Added a krb5_init and krb5_end functions. Also removed a work-around
- the lack of proper initialization of the GSS-API context.
+ CVE-2016-5420
+ Bug: https://curl.haxx.se/docs/adv_20160803B.html
-Daniel Stenberg (2 Oct 2010)
-- HTTP: remove special case for 416
+- TLS: switch off SSL session id when client cert is used
- It was pointed out that the special case libcurl did for 416 was
- incorrect and wrong. 416 is not really different to other errors so the
- response body must be handled like for other errors/http responses.
+ CVE-2016-5419
+ Bug: https://curl.haxx.se/docs/adv_20160803A.html
+ Reported-by: Bru Rom
+ Contributions-by: Eric Rescorla and Ray Satiro
+
+- curl_multi_cleanup: clear connection pointer for easy handles
- Reported by: Chris Smowton
- Bug: http://curl.haxx.se/bug/view.cgi?id=3076808
+ CVE-2016-5421
+ Bug: https://curl.haxx.se/docs/adv_20160803C.html
+ Reported-by: Marcelo Echeverria and Fernando Muñoz
-- [Dan Fandrich brought this change]
+- KNOWN_BUGS: SOCKS proxy not working via IPv6
+
+ Closes #835
- sws: Added writedelay HTTP server command
+- KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
- This delays between write operations, hopefully making it easier
- to spot problems where libcurl doesn't flush the socket properly
- before waiting for the next response.
+ Closes #768
-- TODO-RELEASE: no bug in ftp_nextconnect
+- KNOWN_BUGS: transfer-encoding: chunked in HTTP/2
- The issue named "266 - Bug in ftp_nextconnect?" was deemed to not be a
- bug and instead resulted in clarified docs.
+ Closes #662
-- curl_easy_setopt.3: CURLOPT_DIRLISTONLY implies dir list
+- TODO: Provide cmake config-file
- Make it explicit that setting CURLOPT_DIRLISTONLY to 1 will make libcurl
- to list the directory.
+ Closes #885
-- RELEASE-NOTES: synced up to 588402585bae
+Patrick Monnerat (2 Aug 2016)
+- os400: define BUILDING_LIBCURL in make script.
-- TODO-RELEASE: move new features to next release
+Daniel Stenberg (1 Aug 2016)
+- RELEASE-NOTES: synced with aa9f536a18b
-- README.ares: we know require c-ares 1.6.0
+Jay Satiro (1 Aug 2016)
+- [Thomas Glanzmann brought this change]
-- SFTP: avoid downloading negative sizes!
+ mbedtls: Fix debug function name
- It is still not clarified exactly why this happens, but libssh2
- sometimes report a negative file size for the remote SFTP file and that
- deeply confuses libcurl (or crashes it) so this precaution is added to
- avoid badness.
+ This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
+ defined.
- Reported by: Ernest Beinrohr
- Bug: http://curl.haxx.se/bug/view.cgi?id=3076430
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
-- TODO-RELEASE: drop curl_easy_setoptv
+Daniel Stenberg (1 Aug 2016)
+- [Sergei Nikulov brought this change]
+
+ travis: fix OSX build by re-installing libtool
+
+ Apparently due to a broken homebrew install
- I haven't read any really convincing arguments for adding it
+ fixes #934
+ Closes #939
-- [Dirk Manske brought this change]
+- [Martin Vejnár brought this change]
- multi & hiper examples: updates and cleanups
+ win32: fix a potential memory leak in Curl_load_library
- all multi and hiper examples:
+ If a call to GetSystemDirectory fails, the `path` pointer that was
+ previously allocated would be leaked. This makes sure that `path` is
+ always freed.
- * don't loop curl_multi_perform calls, that was <7.20.0 style, currently
- the exported multi functions will not return CURLM_CALL_MULTI_PERFORM
+ Closes #938
+
+- include: revert 9adf3c4 and make public types void * again
- all hiper examples:
- * renamed check_run_count to check_multi_info
- * don't compare current running handle count with previous value, this
- was the wrong way to check for finished requests, simply call
- curl_multi_info_read
- * it's also safe to call curl_multi_remove_handle inside the
- curl_multi_info_read loop.
+ Many applications assume the actual contents of the public types and use
+ that do for example forward declarations (saving them from including our
+ public header) which then breaks when we switch from void * to a struct
+ *.
- ghiper.c:
- * replaced curl_multi_socket (that function is marked as obsolete) calls
- with curl_multi_socket_action calls (as in hiperfifo.c and
- evhiperfifo.c)
+ I'm not convinced we were wrong, but since this practise seems
+ widespread enough I'm willing to (partly) step down.
- ghiper.c and evhiperfifo.c:
- * be smart as hiperfifo.c, don't do uncessary curl_multi_* calls in
- new_conn and main
-
-- TODO-RELEASE: one fixed, one postponed, one added
+ Now libcurl uses the struct itself when it is built and it allows
+ applications to use the struct type if CURL_STRICTER is defined at the
+ time of the #include.
- As we're already in feature freeze, I pushed the feature onwards.
+ Reported-by: Peter Frühberger
+ Fixes #926
-Dan Fandrich (29 Sep 2010)
-- Renamed test1204 to test1117 to move it into the normal range
+Jay Satiro (28 Jul 2016)
+- [Yonggang Luo brought this change]
-Patrick Monnerat (29 Sep 2010)
-- Add gopher protocol definition to ILE/RPG binding.
- OS400 compile script in test dir updated for chkhostname.
-
-Julien Chaffraix (28 Sep 2010)
-- krb5-gssapi: Remove several memory leaks.
-
- Remove a leak seen on Kerberos/MIT (gss_OID is copied internally and
- we were leaking it). Now we just pass NULL as advised in RFC2744.
+ cmake: Fix for schannel support
- |tmp| was never set back to buf->data.
+ The check_library_exists_concat do not check crypt32 library properly.
+ So include it directly.
- Cleaned up Curl_sec_end to take into account failure in Curl_sec_login
- (where conn->mech would be NULL but not conn->app_data or
- conn->in_buffer->data).
-
-- security.c: Remove Curl_sec_fflush_fd.
+ Bug: https://github.com/curl/curl/pull/917
+ Reported-by: Yonggang Luo
- The current implementation would make us send wrong data on a closed
- socket. We don't buffer our data so the method can be safely removed.
+ Bug: https://github.com/curl/curl/issues/935
+ Reported-by: Alain Danteny
-- security.c: We should always register the socket handler.
+- Revert "travis: Install libtool for OS X builds"
- Following a change in the way socket handler are registered, the custom
- recv and send method were conditionaly registered.
- We need to register them everytime to handle the ftp security
- extensions.
+ Didn't work.
- Re-added the clear text handling in sec_recv.
+ This reverts commit 50723585ed380744358de054e2a55dccee65dfd7.
-- security.c: Fix Curl_sec_login after rewrite.
+- travis: Install libtool for OS X builds
- Curl_sec_login was returning the opposite result that the code in ftp.c
- was expecting. Simplified the return code (using a CURLcode) so to see
- more clearly what is going on.
+ CI is failing due to missing libtoolize, so I'm trying this.
+
+Daniel Stenberg (26 Jul 2016)
+- [Viktor Szakats brought this change]
-- security.c: Readd the '\n' to the infof() calls.
+ TODO: minor typo in last commit
- They are not automatically added and make the output of the verbose
- mode a lot more readable.
+ merged #931
-- security.c: Fix typo (PSBZ -> PBSZ)
+- TODO: Timeout idle connections from the pool
-- security.c: Fix ftp_send_command.
-
- My use of va_args was completely wrong. Fixed the usage so that
- we send the right commands!
+Patrick Monnerat (25 Jul 2016)
+- os400: minimum supported OS version: V6R1M0.
+ Do not log compilation informational messages.
-Daniel Stenberg (28 Sep 2010)
-- curl_easy_escape: don't escape "unreserved" characters
-
- According to RFC3986 section 2.3 the letters -, ., _ and ~ should not be
- percent-encoded.
+Jay Satiro (24 Jul 2016)
+- tests: Fix for http/2 feature
- Reported by: Miguel Diaz
- Bug: http://curl.haxx.se/mail/lib-2010-09/0227.html
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0070.html
+ Reported-by: Paul Howarth
-- multi: don't expire timeouts at disonnect or done
-
- The functions Curl_disconnect() and Curl_done() are both used within the
- scope of a single request so they cannot be allowed to use
- Curl_expire(... 0) to kill all timeouts as there are some timeouts that
- are set before a request that are supposed to remain until the request
- is done.
+Steve Holme (23 Jul 2016)
+- README: Mention wolfSSL in the 'Dependencies' section
+
+- vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
- The timeouts are now instead cleared at curl_easy_cleanup() and when the
- multi state machine changes a handle to the complete state.
+ As SPNEGO is only defined when these pre-processor variables are defined
+ there is no need to query them explicitly.
-Dan Fandrich (27 Sep 2010)
-- Changed the TPF make file to get source files from Makefile.inc
+- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
- Patch was fixed and validated by David McCreedy.
+ Typo introduced in commit ad5e9bfd5d.
-- Added test case 1204 to test HTTP range failure
+Daniel Stenberg (22 Jul 2016)
+- SECURITY: mention how to get windows-specific CVEs
- This is an attempt to reproduce bug #3076808
+ ... and make the distros link a proper link
-Daniel Stenberg (27 Sep 2010)
-- [Dirk Manske brought this change]
+Dan Fandrich (21 Jul 2016)
+- test558: fix test by stripping file paths from FD lines
- multi_runsingle: set timeout error messages
-
- With the latest changes to fix the timeout handling with multi interface
- we lost the timeout error messages. This patch brings them back.
+Kamil Dudka (21 Jul 2016)
+- tests: distribute the http2-server.pl script, too
+
+- docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too
+
+Daniel Stenberg (21 Jul 2016)
+- bump: start working on 7.50.1
+
+Version 7.50.0 (21 Jul 2016)
-- TODO-RELEASE: updated list of issues to work on
+Daniel Stenberg (21 Jul 2016)
+- RELEASE-NOTES: version 7.50.0 ready
-- parsedate: allow time specified without seconds
+- THANKS: 13 new contributors from the 7.50.0 release
+
+Jay Satiro (21 Jul 2016)
+- winbuild: fix embedded manifest option
- The date format in RFC822 allows that the seconds part of HH:MM:SS is
- left out, but this function didn't allow it. This change also includes a
- modified test case that makes sure that this now works.
+ Embedded manifest option didn't work due to typo.
- Reported by: Matt Ford
- Bug: http://curl.haxx.se/bug/view.cgi?id=3076529
+ Reported-by: Stefan Kanthak
-- TFTP: re-indented the source code
+- vauth: Fix memleak by freeing credentials if out of memory
- Just made sure that the good old curl indentation style is used all over
- this file.
+ This is a follow up to the parent commit dcdd4be which fixes one leak
+ but creates another by failing to free the credentials handle if out of
+ memory. Also there's a second location a few lines down where we fail to
+ do same. This commit fixes both of those issues.
-- [Tim Newsome brought this change]
+Daniel Stenberg (20 Jul 2016)
+- [Saurav Babu brought this change]
- TFTP: Work around tftpd-hpa upload bug
+ vauth: Fixed memory leak due to function returning without free
- tftpd-hpa has a bug where it will send an incorrect ack when the block
- counter wraps and tftp options have been sent. Work around that by
- accepting an ack for 65535 when we're expecting one for 0.
+ This patch allocates memory to "output_token" only when it is required
+ so that memory is not leaked if function returns.
-- Revert "security.c: buffer_read various fixes."
+- test558: updated after ipv6-check move
- This reverts commit fbb38de415b7bb7d743e53a7b4b887ffb12b3e5b.
+ Follow-up commit to c50980807c5 to make this test pass.
-- security.c: removed superfluous parentheses
+Jay Satiro (20 Jul 2016)
+- connect: disable TFO on Linux when using SSL
+
+ - Linux TFO + TLS is not implemented yet.
- And also removed the FIXME where memory was zeroed just before freed,
- and some other minor whitespace changes.
+ Bug: https://github.com/curl/curl/issues/907
-- [Julien Chaffraix brought this change]
+Daniel Stenberg (19 Jul 2016)
+- ROADMAP: QUIC and TLS 1.3
- security.c: Update the #include statements after the rewrite.
+- RELEASE-NOTES: synced with c50980807c5
-- [Julien Chaffraix brought this change]
+Jay Satiro (18 Jul 2016)
+- [Brian Prodoehl brought this change]
- security.c: sec_write tweaks
+ curl_global_init: Check if IPv6 works
- - |fd| is now a curl_socket_t and |len| a size_t to avoid conversions.
- - Added 2 FIXMEs about the 2 unsigned -> signed conversions.
- - Included 2 minor changes to Curl_sec_end.
+ - Curl_ipv6works() is not thread-safe until after the first call, so
+ call it once during global init to avoid a possible race condition.
+
+ Bug: https://github.com/curl/curl/issues/915
+ PR: https://github.com/curl/curl/pull/918
-- [Julien Chaffraix brought this change]
+- [Timothy Polich brought this change]
- security.c: _sec_send tweaks
+ CURLMOPT_SOCKETFUNCTION.3: fix typo
- - Renamed the method to sec_send now that we
- renamed sec_send to do_sec_send.
- - Some more variable renaming.
+ Closes https://github.com/curl/curl/pull/914
-- [Julien Chaffraix brought this change]
+- [Miroslav Franc brought this change]
- security.c: sec_read tweaks
+ library: Fix memory leaks found during static analysis
- - Renamed the function to sec_recv.
- - Renamed the parameters and variable to match the rest of the code.
+ Closes https://github.com/curl/curl/pull/913
-- [Julien Chaffraix brought this change]
+- [Viktor Szakats brought this change]
- security.c: Curl_sec_fflush_fd tweaks
+ cookie.c: Fix misleading indentation
- - Use an early return as it makes the code more readable.
- - Added a FIXME about a conversion.
-
-- [Julien Chaffraix brought this change]
+ Closes https://github.com/curl/curl/pull/911
- security.c: sec_send tweaks
+- FAQ: Update FTP directory listing section for MLSD command
- - Renamed it to do_sec_send as it is the function doing the actual
- transfer.
- - Do not return any values as no one was checking it and it never
- reported a failure (added a FIXME about checking for errors).
- - Renamed the variables to make their use more specific.
- - Removed some casts (int -> curl_socket_t, ...)
- - Avoid doing the htnl <-> nthl twice by caching the 2 results.
+ Explain how some FTP servers support the machine readable listing
+ format MLSD from RFC 3659 and compare it to LIST.
+
+ Ref: https://github.com/curl/curl/issues/906
-- [Julien Chaffraix brought this change]
+Daniel Stenberg (1 Jul 2016)
+- [Sergei Nikulov brought this change]
- security.c: Curl_sec_read_msg tweaks
+ Appveyor: Updates for options - CURL_STATICLIB/BUILD_TESTING
- - Renamed the variables name to better match their intend.
- - Unified the |decoded_len| checks.
- - Added some FIXMEs to flag some improvement that did not go in this
- change.
+ Closes #892
-- [Julien Chaffraix brought this change]
+- TODO: 17.4 also brings more HTTP/2 support
- security.c: Curl_sec_set_protection_level tweaking
+- TODO: try next proxy if one doesn't work
- - Removed sec_prot_internal as it is now inlined in the function (this removed
- a redundant check).
- - Changed the prototype to return an error code.
- - Updated the method to use the new ftp_send_command function.
- - Added a level_to_char helper method to avoid relying on the compiler's
- bound checks. This default to the maximum security we have in case of a
- wrong input.
-
-- [Julien Chaffraix brought this change]
+ Closes #896
- security.c: factored the logic from Curl_sec_login into a dedicated method that better reflect its intent.
+- conn: don't free easy handle data in handler->disconnect
- Introduced a helper method ftp_send_command that synchronously send
- an FTP query.
+ Reported-by: Gou Lingfeng
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
-- [Julien Chaffraix brought this change]
+- test1244: test different proxy ports same URL
- security.c: Remove out_buffer as it was never written into.
+- curl_global_init.3: improved formatting of the flags
+
+- curl_global_init.3: expand on the SSL and WIN32 bits purpose
+
+ Reported-by: Richard Gray
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html
-- [Julien Chaffraix brought this change]
+- [Michael Kaufmann brought this change]
- security.c: buffer_read various fixes.
+ cleanup: minor code cleanup in Curl_http_readwrite_headers()
- Tighten the type of the |data| parameter to avoid a cast. Also made
- it const as we should not modify it.
+ - the expression of an 'if' was always true
+ - a 'while' contained a condition that was always true
+ - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
+ - fixed a typo
- Added a DEBUGASSERT on the size to be written while changing it.
+ Closes #889
-- [Julien Chaffraix brought this change]
-
- security.c: Made block_write return a CURLcode.
+- SFTP: set a generic error when no SFTP one exists...
- While doing so, renamed it to socket_write to better match its
- function.
+ ... as otherwise we could get a 0 which would count as no error and we'd
+ wrongly continue and could end up segfaulting.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
+ Reported-by: 暖和的和暖
-- [Julien Chaffraix brought this change]
+- ROADMAP: http2 tests are merged, mention http2 perf
- security.c: Made block_read and sec_get_data return CURLcode.
+- docs/README.md: to render nicer pages on github
- To do so, made block_read call Curl_read_plain instead of read.
+ ... as previously the README.cmake would be picked and put at the bottom
+ of the docs page there and it wasn't very representative!
+
+- README.md: change host name for the svg logo
- While changing them renamed block_read to socket_read and sec_get_data
- to read_data to better match their function.
+ rawgit.com asks to use the domain cdn.rawgit.com for production
- Also fixed a potential memory leak in block_read.
+ See #900
-- [Julien Chaffraix brought this change]
+- [Viktor Szakats brought this change]
- Security.c: Fix headers guard to match the rest of the code.
+ README.md: use the SVG logo
-- [Julien Chaffraix brought this change]
+- README.md: logo on top!
- configure: Fix the LDAPS disable message
+- KNOWN_BUGS: 3.4 POP3 expects "CRLF.CRLF" eob for some
- ... for example when LDAP is not compiled.
-
- Fixed the logic to match the rest of the options' message that is we
- update the default message only if the option is not disabled after the
- different checks.
-
- Reported by: Guenter Knauf
+ Closes #740
-- RELEASE-NOTES: sync with 8665d4e5 and c-ares >= 1.6.0 note
+- RELEASE-NOTES: synced with d61c80515aa8
-- parse_remote_port: ignore colons without port number
+- [Michael Osipov brought this change]
+
+ acinclude.m4: improve autodetection of CA bundle on FreeBSD
- Obviously, browsers ignore a colon without a following port number. Both
- Firefox and Chrome just removes the colon for such URLs. This change
- does not remove the colon for URLs sent over a HTTP proxy, so we should
- consider doing that change as well.
+ The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
+ to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
+ discovery process.
- Reported by: github user 'kreshano'
-
-- RELEASE-NOTES: in sync with 19f45eaa799
+ This change also removes the former FreeBSD path that has been obsolete
+ for 8 years since this FreeBSD ports commit:
+ https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953
+
+ Closes #894
-- duphandle: use ares_dup()
+- configure: don't specify .lib for libs on windows
- curl_easy_duphandle() was not properly duping the ares channel. The
- ares_dup() function was introduced in c-ares 1.6.0 so by starting to use
- this function we also raise the bar and require c-ares >= 1.6.0
- (released Dec 9, 2008) for such builds.
+ Another follow up for crypt32.lib linking with winssl
+
+- configure: fix winssl LIBS change typo
- Reported by: Ning Dong
- Bug: http://curl.haxx.se/mail/lib-2010-08/0318.html
+ follow-up from 120bf29e
-- [Hendrik Visage brought this change]
+- TODO: "TCP Fast Open" is done, add monitor pool connections
- MacOSX-Framework: updates for Snowleopard
+- configure: add crypt32.lib for winssl builds
- 1) PPC64 appears to be an 10.5 only supported architecture, so I
- forced 10.5 for 64bit if there is a need for PPC64, else 64bit only
- does x86_64
+ Necessary since 6cabd78531f
+
+- Makefile.vc: link with crypt32.lib for winssl builds
- 2) proper "make clean" after every ./configure. fixes a bug where
- subsequent runs the 32bit do not get compiled
+ Necessary since 6cabd78531f
- 3) Added a version numbering curl-$VERSION} rather than the "stock standard" A
+ Fixes #853
-- RELEASE-NOTES: synced with 5fcc4332d62fe
-
- Removed the duplicate entry of Kamil in the credits.
+- [Joel Depooter brought this change]
-- configure: don't enable RTMP if the lib detect fails
+ VC: Add crypt32.lib to Visual Sudio project template files
- librtmp is often statically linked and using sub dependencies like
- OpenSSL, so we need to make sure we can actually link with it properly
- before enabling it. Otherwise we easily end up trying to link with a
- RTMP lib that fails.
+ Closes #854
-- TODO: added 8.4 non-gcrypt under GnuTLS
+- vc: fix the build for schannel certinfo support
- We must not assume gcrypt just because of GnuTLS
+ Broken since 6cabd785, which adds use of the Curl_extract_certinfo
+ function from the x509asn1.c file.
-- configure: check for gcrypt if using GnuTLS
+- typedefs: use the full structs in internal code...
- 1 - libcurl assumes that there are gcrypt functions available when
- GnuTLS is.
-
- 2 - GnuTLS can be built to use libnettle instead as crypto library,
- which breaks assumption (1)
-
- This change makes configure make sure that if GnuTLS is requested and
- detected, it also makes sure that gcrypt is present or it errors
- out. This is mostly a way to make the user more aware of this flaw, the
- correct fix would be to detect which crypto layer that is in use and
- adapt our code to use that instead of blindly assuming gcrypt.
-
- Reported by: Michal Gorny
- Bug: http://curl.haxx.se/bug/view.cgi?id=3071038
+ ... and save the typedef'ed names for headers and external APIs.
-- RELEASE-NOTES: sync from d2a7fd2fe65b to HEAD
+- internals: rename the SessionHandle struct to Curl_easy
-- FTP: fix bad check of Curl_timeleft() return code
+- headers: forward declare CURL, CURLM and CURLSH as structs
- When it returns 0 it means no timeout. Only a negative value means that
- we're out of time.
-
-- LDAP: moved variable declaration to avoid compiler warn
+ Instead of typedef'ing to void, typedef to their corresponding actual
+ struct names to allow compilers to type-check.
- If built without HTTP or proxy support it would cause a compiler warning
- due to the unused variable. I moved the declaration of it into the only
- scope it is used.
+ Assisted-by: Reinhard Max
-Tor Arntsen (18 Sep 2010)
-- LDAP: Use FALSE instead of bool_false when setting bits.close
+Jay Satiro (22 Jun 2016)
+- vtls: Only call add/getsession if session id is enabled
- bool_false is the internal name used in the setup_once.h definition
- we fall back to for non-C99 non-stdbool systems, it's not the actual
- name to use in assignments (we use bool_false, bool_true there to
- avoid global namespace problems, see comment in setup_once.h).
- The correct C99 value to use is 'false', but let's use FALSE as
- used elsewhere when assigning to bits.close. FALSE is set equal
- to 'false' in setup_once.h when possible.
+ Prior to this change we called Curl_ssl_getsessionid and
+ Curl_ssl_addsessionid regardless of whether session ID reusing was
+ enabled. According to comments that is in case session ID reuse was
+ disabled but then later enabled.
- This fixes a build problem on C99 targets.
+ The old way was not intuitive and probably not something users expected.
+ When a user disables session ID caching I'd guess they don't expect the
+ session ID to be cached anyway in case the caching is later enabled.
-- LDAP: Add missing declaration for 'result'
+Daniel Stenberg (22 Jun 2016)
+- curl.1: the used progress meter suffix is k in lower case
+
+ Closes #883
-Daniel Stenberg (18 Sep 2010)
-- [Mauro Iorio brought this change]
+- [Sergei Nikulov brought this change]
- LDAP: Support for tunnelling queries through HTTP proxy
+ cmake: now using BUILD_TESTING=ON/OFF
- As of curl-7.21.1 tunnelling ldap queries through HTTP Proxies is not
- supported. Actually if --proxytunnel command-line option (or equivalent
- CURLOPT_HTTPPROXYTUNNEL) is used for ldap queries like
- ldap://ldap.my.server.com/... You are unable to successfully execute the
- query. In facts ldap_*_bind is executed directly against the ldap server
- and proxy is totally ignored. This is true for both openLDAP and
- Microsoft LDAP API.
+ CMake build now using BUILD_TESTING=ON/OFF (default is OFF) to build
+ tests and enabling CTest integration. Options BUILD_CURL_TESTS and
+ BUILD_DASHBOARD_REPORTS was removed.
- Step to reproduce the error:
- Just launch "curl --proxytunnel --proxy 192.168.1.1:8080
- ldap://ldap.my.server.com/dc=... "
+ Closes #882
- This fix adds an invocation to Curl_proxyCONNECT against the provided
- proxy address and on successful "CONNECT" it tunnels ldap query to the
- final ldap server through the HTTP proxy. As far as I know Microsoft
- LDAP APIs don't permit tunnelling in any way so the patch provided is
- for OpenLDAP only. The patch has been developed against OpenLDAP 2.4.23
- and has been tested with Microsoft ISA Server 2006 and works properly
- with basic, digest and NTLM authentication.
+ Reviewed-by: Brad King
-- timeout: use the correct start value as offset
-
- Rodric provide an awesome recipe that proved libcurl didn't timeout at
- the requested time - it instead often timed out at [connect time] +
- [timeout time] instead of the documented and intended [timeout time]
- only. This bug was due to the code using the wrong base offset when
- comparing against "now". I could also take the oppurtinity to simplify
- the code by properly using of the generic help function for this:
- Curl_timeleft.
-
- Reported by: Rodric Glaser
- Bug: http://curl.haxx.se/bug/view.cgi?id=3061535
+- [Michael Kaufmann brought this change]
-- Curl_timeleft: avoid returning "no timeout" by mistake
+ cleanup: fix method names in code comments
- As this function uses return code 0 to mean that there is no timeout, it
- needs to check that it doesn't return a time left value that is exactly
- zero. It could lead to libcurl doing an extra 1000 ms select() call and
- thus not timing out as accurately as it should.
+ Closes #887
+
+Kamil Dudka (21 Jun 2016)
+- curl-compilers.m4: improve detection of GCC's -fvisibility= flag
- I fell over this bug when working on the bug 3061535 but this fix does
- not correct that problem alone, although this is a problem that needs to
- be fixed.
+ Some builds of GCC produce output on both stdout and stderr when --help
+ --verbose is used. The 2>&1 redirection caused them to be arbitrarily
+ interleaved with each other because of stream buffering. Consequently,
+ grep failed to match the fvisibility= string in the mixed output, even
+ though the string was present in GCC's standard output.
- Reported by: Rodric Glaser
- Bug: http://curl.haxx.se/bug/view.cgi?id=3061535
+ This led to silently disabling symbol hiding in some builds of curl.
-- whitespace: unified source
+Daniel Stenberg (19 Jun 2016)
+- tests: fix the HTTP/2 tests
- if ( => if(
- while ( => while(
+ The HTTP/2 tests brought with commit bf05606ef1f were using the internal
+ name 'http2' for the HTTP/2 server, while in fact that name was already
+ used for the second instance of the HTTP server. This made tests using
+ the second instance (like test 2050) fail after a HTTP/2 test had run.
- and some other changes in the similar spirit, trying to make the
- whole file use the same style
+ The server is now known as HTTP/2 internally and within the <server>
+ section in test cases. 1700, 1701 and 1702 were updated accordingly.
-- remote-header-name: don't output filename when NULL
+- openssl: use more 'const' to fix build warnings with 1.1.0 branch
-- [James Bursa brought this change]
+- curl.1: missed 'T' in the progress unit suffixes
- TheArtOfHttpScripting: use long options
+- curl.1: mention the unix for the progress meter
-- [James Bursa brought this change]
+Patrick Monnerat (16 Jun 2016)
+- os400: add new definitions to ILE/RPG binding.
- getinmemory: make the example easier to follow
-
- 1. Remove the comment warning that it's "not been verified to work". It
- works with no problems in my testing.
-
- 2. Remove 2 unnecessary includes.
-
- 3. Remove the myrealloc(). Initialize chunk.memory with malloc() instead
- of NULL. The comments for these two parts contradicted each other.
-
- 4. Handle out of memory from realloc() instead of continuing.
+Daniel Stenberg (16 Jun 2016)
+- openssl: fix cert check with non-DNS name fields present
- 5. Print a brief status message at the end.
-
-- multi: don't do extra expire calls for the connection
+ Regression introduced in 5f5b62635 (released in 7.48.0)
- The timeout is set for the connect phase already at the start of the
- request so we should not add a new one, and we MUST not set expire to 0
- as that will remove any other potentially existing timeouts.
-
-- [Peter Pentchev brought this change]
+ Reported-by: Fabian Ruff
+ Fixes #875
- Fix a bashism: test a = b is more portable than ==.
+Dan Fandrich (16 Jun 2016)
+- axtls: Use Curl_wait_ms instead of the less-portable usleep
-- glob_word: remove a check that is always false
+- axtls: Fixed compile after compile 31c521b0
-- inflate_stream: remove redundant check that is always true
+- tests: Added HTTP proxy keywords to tests 1141 & 1142
-- digest: make it clear the condition is always true
+Jay Satiro (15 Jun 2016)
+- [Sergei Nikulov brought this change]
-- ssluse: removed redundant check that is always true
+ cmake: Fix build with winldap
+
+ Bug: https://github.com/curl/curl/pull/874
+ Reported-by: Sergei Nikulov
-Dan Fandrich (11 Sep 2010)
-- Link curl and the test apps with -lrt explicitly when necessary
+- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
- When curl calls a function from that library then it needs to
- explicitly link to the library instead of piggybacking on
- libcurl's own dependency. Without this, GNU ld with the
- --no-add-needed flag fails when linking (which Fedora now does
- by default).
+ When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a
+ zero-byte POST. Prior to this change it was documented as sending data
+ from the read callback.
- Reported by: Quanah Gibson-Mount
- Bug: http://curl.haxx.se/mail/lib-2010-09/0085.html
-
-- Mention the Debian Popularity Contest
-
-Tor Arntsen (9 Sep 2010)
-- test565: Don't hardcode IP:PORT
+ This also changes the wording of what happens when empty or NULL so that
+ it's hopefully easier to understand for people whose primary language
+ isn't English.
- Use %HOSTIP:%HTTPPORT instead of 127.0.0.1:8990 so that
- verification works if the baseport change option is used
- when executing runtests.pl.
+ Bug: https://github.com/curl/curl/issues/862
+ Reported-by: Askar Safin
-Daniel Stenberg (9 Sep 2010)
-- curl.1: updated protocols and polished language
+- [Michael Wallner brought this change]
-- FAQ: CURL_STATICLIB for visual studio users
+ curl_multi_socket_action.3: Fix rewording
- Clarified as it isn't used with a -D option for them.
+ - Remove some erroneous text.
- Reported by: Artfunkel
- Bug: http://curl.haxx.se/bug/view.cgi?id=3060381
+ Closes https://github.com/curl/curl/pull/865
-- FAQ: updated and added host with custom IP question
-
- Added "3.19 How do I get HTTP from a host using a specific IP address?"
- and updated some stuff about certs etc.
+- [Luo Jinghua brought this change]
-- chunky parser: only rewind if needed
+ resolve: enable protocol family logic for synthesized IPv6
- The code reading chunked encoding attempts to rewind the code if it had
- read more data than the chunky parser consumes. The rewinding can fail
- and it will then cause an error. This change now makes the rewinding
- only happen if pipelining is in use - as that's the only time it really
- needs to be done.
+ - Enable protocol family logic for IPv6 resolves even when support
+ for synthesized addresses is enabled.
- Bug: http://curl.haxx.se/mail/lib-2010-08/0297.html
- Reported by: Ron Parker
-
-Kamil Dudka (6 Sep 2010)
-- rtsp: avoid SIGSEGV on malformed header
-
-- rtsp: avoid SIGSEGV on malformed header
+ This is a follow up to the parent commit that added support for
+ synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family
+ logic needed for IPv6 was inadvertently excluded if support for
+ synthesized addresses was enabled.
+
+ Bug: https://github.com/curl/curl/issues/863
+ Ref: https://github.com/curl/curl/pull/866
+ Ref: https://github.com/curl/curl/pull/867
-Daniel Stenberg (6 Sep 2010)
-- warning: fix conversion to 'int' from 'size_t'
+Daniel Stenberg (7 Jun 2016)
+- [Luo Jinghua brought this change]
-- portabilty: use proper variable type to hold sockets
+ resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
- Curl_getconnectinfo() is changed to return a proper curl_socket_t for
- the last socket so that it'll work more portably (and cause less
- compiler warnings).
-
-Guenter Knauf (3 Sep 2010)
-- Trial to fix another compiler warning with braces.
+ Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X.
+ If the current network interface doesn’t support IPv4, but supports
+ IPv6, NAT64, and DNS64.
+
+ Closes #866
+ Fixes #863
-Dan Fandrich (2 Sep 2010)
-- Use checkprefix() to compare protocol-specific strings
+- tests: two more HTTP/2 tests
- Otherwise, there could be problems running in certain locales.
+ 1701 and 1702
-Guenter Knauf (2 Sep 2010)
-- Moved S_ISREG define to setup as suggested by Dan.
+- runtests: don't display logs when http2 server fails to start
-- Use own typedef as workaround for broken sspi.h header (f.e. Watcom).
+- runtests: make stripfile work on stdout as well
+
+ ... and have test 1700 use that to strip out the nghttpx server: headers
-- Added some hacks in order to build with VC from git.
+- http2-tests: test1700 is the first real HTTP/2 test
- Adam Light posted this patch to the list which enables builds from
- git with VC versions other than vc6; also he added a vc10 target.
+ It requires that 'nghttpx' is in the PATH, and it will run the tests
+ using nghttpx as a front-end proxy in front of the standard HTTP/1 test
+ server. This uses HTTP/2 over plain TCP.
+
+ If you like me have nghttpx installed in a custom path, you can run test 1700
+ like this:
+
+ $ PATH=$PATH:$HOME/build-nghttp2/bin/ ./runtests.pl 1700
-- Added S_ISREG define for Win32.
+- RELEASE-NOTES: synced with 34855feeb4c299
-Daniel Stenberg (1 Sep 2010)
-- multi: fixes for timing out handles
+Steve Holme (6 Jun 2016)
+- schannel: Disable ALPN on Windows < 8.1
- Add a timeout check for handles in the state machine so that they will
- timeout in all states disregarding what actions that may or may not
- happen.
+ Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
+ fails on Windows < 8.1 so we need to disable ALPN on these OS versions.
- Fixed a bug in socket_action introduced recently when looping over timed
- out handles: it wouldn't assign the 'data' variable and thus it wouldn't
- properly take care of handles.
+ Inspiration provide by: Daniel Seither
- In the update_timer function, the code now checks if the timeout has
- been removed and then it tells the application. Previously it would
- always let the remaining timeout(s) just linger to expire later on.
+ Closes #848
+ Fixes #840
-- threaded resolver: no more expire 0 calls
+Jay Satiro (5 Jun 2016)
+- checksrc: Add LoadLibrary to the banned functions list
- Curl_expire() set to 0 expires ALL timeouts so it should only be called
- if we truly and really want to remove all timeouts for the handle.
+ LoadLibrary was supplanted by Curl_load_library for security
+ reasons in 6df916d.
-- resolve_server: simplify code
+- http: Fix HTTP/2 connection reuse
- Make use of the helper function Curl_timeleft() instead of duplicating
- code.
-
-- multi: make sure the next timeout is used when one expires
+ - Change the parser to not require a minor version for HTTP/2.
- Each easy handle has a list of timeouts, so as soon as the main timeout
- for a handle expires, we must make sure to get the next entry from the
- list and re-add the handle to the splay tree.
+ HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2
+ in 8243a95 because the parser still expected a minor version.
- This was attempted previously but was done poorly in my commit
- 232ad6549a68450.
+ Bug: https://github.com/curl/curl/issues/855
+ Reported-by: Andrew Robbins, Frank Gevaerts
-Dan Fandrich (30 Aug 2010)
-- Added proxy keyword to allow skipping test in proxyless configs
-
-Daniel Stenberg (29 Aug 2010)
-- multi: set timeouts when transfer begins
+Steve Holme (4 Jun 2016)
+- connect.c: Fixed compilation warning from commit 332e8d6164
- When a new transfer is about to start we now set the proper timeouts to
- expire for the multi interface if they are set for the handle. This is a
- follow-up bugfix to make sure that easy handles timeout properly when
- the times expire and the multi interface is used. This also improves
- curl_multi_timeout().
+ connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
-- CURLOPT_DIRLISTONLY: don't use with CURLOPT_WILDCARDMATCH
+- win32: Used centralised verify windows version function
+
+ Closes #845
-- FAQ: update list of supported protocols
+- win32: Added verify windows version functionality
-- [Fabian Keil brought this change]
+- win32: Introduced centralised verify windows version function
- In the m4 detection line, factor out the 2>dev/null
+Kamil Dudka (3 Jun 2016)
+- tool_urlglob: fix off-by-one error in glob_parse()
+
+ ... causing SIGSEGV while parsing URL with too many globs.
+ Minimal example:
+
+ $ curl $(for i in $(seq 101); do printf '{a}'; done)
+
+ Reported-by: Romain Coltel
+ Bug: https://bugzilla.redhat.com/1340757
-- [Fabian Keil brought this change]
+Daniel Stenberg (1 Jun 2016)
+- [Benjamin Kircher brought this change]
- If m4 doesn't support --version, try if gm4 does.
+ libcurl-multi.3: fix small typo
+
+ Closes #850
-- [Fabian Keil brought this change]
+- [Viktor Szakats brought this change]
- If the m4 version isn't recognized at all, just say so
+ makefile.m32: add crypt32 for winssl builds
- 'm4 version found. You need a GNU m4 installed!' is a bit confusing.
+ Dependency added by 6cabd78
+
+ Closes #849
-- HISTORY: mention the gopher story
+- [Ivan Avdeev brought this change]
-Dan Fandrich (25 Aug 2010)
-- Tweaked some test data files
+ vtls: fix ssl session cache race condition
- Fixed some issues that caused xmllint failures, added features
- and keywords, fixed some quotes and removed some <strip> sections
- that unnecessarily limited test checking.
-
-- Added new source files to Symbian and TPF makefiles
+ Sessionid cache management is inseparable from managing individual
+ session lifetimes. E.g. for reference-counted sessions (like those in
+ SChannel and OpenSSL engines) every session addition and removal
+ should be accompanied with refcount increment and decrement
+ respectively. Failing to do so synchronously leads to a race condition
+ that causes symptoms like use-after-free and memory corruption.
+ This commit:
+ - makes existing session cache locking explicit, thus allowing
+ individual engines to manage lock's scope.
+ - fixes OpenSSL and SChannel engines by putting refcount management
+ inside this lock's scope in relevant places.
+ - adds these explicit locking calls to other engines that use
+ sessionid cache to accommodate for this change. Note, however,
+ that it is unknown whether any of these engines could also have
+ this race.
+
+ Bug: https://github.com/curl/curl/issues/815
+ Fixes #815
+ Closes #847
-Daniel Stenberg (25 Aug 2010)
-- RELEASE-NOTES: sync from b980c9a02 to HEAD
+- [Andrew Kurushin brought this change]
-- Makefile: add gopher.c file to build
+ schannel: add CURLOPT_CERTINFO support
- As the VC and RISCOS makefiles don't use the .inc file
+ Closes #822
-- runtests: fix uninitialized variable warning
+- RELEASE-NOTES: synced with 142ee9fa15002315
-- gopher tests: revert parts of gopher in the pingpong server
+- openssl: rename the private SSL_strerror
- Introduced in the initial gopher commits, there was added logic to do
- GOPHER test serving in the pingpong server but as it resembles HTTP much
- more than FTP or SMTP, the gopher testing has been moved over to instead
- use the sws (HTTP) server. This change simply removes unused code.
-
-- gopher tests: use sws and adjusted to more standard style
+ ... to make it not look like an OpenSSL function
-- sws: added basic gopher support
+- [Michael Kaufmann brought this change]
-- gopher: enable the header callback/verbosity
+ openssl: Use correct buffer sizes for error messages
+
+ Closes #844
-- gopher: fix test case line endings
+- curl: fix -q [regression]
+
+ This broke in 7.49.0 with commit e200034425a7625
- Patches over email very easily lose CRLF line endings in files otherwise
- LF-only so I had to put them back where needed.
+ Fixes #842
-- gopher: fix memory leak and busyloop
+- URL parser: allow URLs to use one, two or three slashes
- The fix for the busyloop really only is a temporary work-around. It
- causes a BLOCKING behavior which is a NO-NO. This function should rather
- be split up in a do and a doing piece where the pieces that aren't
- possible to send now will be sent in the doing function repeatedly until
- the entire request is sent.
+ Mostly in order to support broken web sites that redirect to broken URLs
+ that are accepted by browsers.
+
+ Browsers are typically even more leniant than this as the WHATWG URL
+ spec they should allow an _infinite_ amount. I tested 8000 slashes with
+ Firefox and it just worked.
+
+ Added test case 1141, 1142 and 1143 to verify the new parser.
+
+ Closes #791
-- [Cameron Kaiser brought this change]
+- [Renaud Lehoux brought this change]
- Gopher using Curl_write; test suite (4 tests)
+ cmake: Added missing mbedTLS support
+
+ Closes #837
-- [Cameron Kaiser brought this change]
+- [Renaud Lehoux brought this change]
- Remove url.c test
+ mbedtls: removed unused variables
+
+ Closes #838
-- [Cameron Kaiser brought this change]
+- [Frank Gevaerts brought this change]
- Forgot gopher.h in Makefile.inc
+ http: add CURLINFO_HTTP_VERSION and %{http_version}
+
+ Adds access to the effectively used http version to both libcurl and
+ curl.
+
+ Closes #799
-- [Cameron Kaiser brought this change]
+- bump: start the journey toward 7.50.0
- Gopher protocol support (initial release)
+- [Marcel Raad brought this change]
-- http: handle trailer headers in all chunked responses
-
- HTTP allows that a server sends trailing headers after all the chunks
- have been sent WITHOUT signalling their presence in the first response
- headers. The "Trailer:" header is only a SHOULD there and as we need to
- handle the situation even without that header I made libcurl ignore
- Trailer: completely.
+ openssl: fix build with OPENSSL_NO_COMP
- Test case 1116 was added to verify this and to make sure we handle more
- than one trailer header properly.
+ With OPENSSL_NO_COMP defined, there is no function
+ SSL_COMP_free_compression_methods
- Reported by: Patrick McManus
- Bug: http://curl.haxx.se/bug/view.cgi?id=3052450
+ Closes #836
-- TODO: we now support RTMP
+- [Gisle Vanem brought this change]
-- TODO: done "NTLM with other crypto functions"
+ memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
- Since NTLM was made to work with the NSS API as well, the primary SSL
- alternatives will be built with NTLM support in libcurl.
+ Fixes #828
-- TODO: fixed "Make curl_multi_info_read faster"
-
- It is really fast now
+- [Jonathan brought this change]
-Dan Fandrich (24 Aug 2010)
-- Fixed a NULL pointer dereference in form posting
+ README.md: polish
- It was introduced in commit eeb2cb05 along with the -F type=
- change. Also fixed a typo in the name of the magic filename=
- parameter. Tweaked tests 39 and 173 to better test this path.
+ Closes #834
+
+- RELEASE-NOTES: fix vuln link
-Daniel Stenberg (24 Aug 2010)
-- [Ben Greear brought this change]
+Version 7.49.1 (30 May 2016)
- multi: Fix compile warning on 64-bit systems
+Daniel Stenberg (30 May 2016)
+- RELEASE-NOTES: 7.49.1
-Dan Fandrich (23 Aug 2010)
-- Mention PolarSSL in tutorial & add some URLs to INSTALL
+- [Steve Holme brought this change]
-Daniel Stenberg (23 Aug 2010)
-- RESUME_FROM: clarify what ftp uploads do
+ loadlibrary: Only load system DLLs from the system directory
- The numerical value passed to CURLOPT_RESUME_FROM for FTP uploads is
- interpreted and used as position where to resume the _reading_ of the
- local file and it will "blindly" append that data on the remote
- file. This was certainly not clear in the docs previously.
+ Inspiration provided by: Daniel Stenberg and Ray Satiro
- Reported by: catalin
- Bug: http://curl.haxx.se/bug/view.cgi?id=3048174
+ Bug: https://curl.haxx.se/docs/adv_20160530.html
+
+ Ref: Windows DLL hijacking with curl, CVE-2016-4802
-- [Dirk Manske brought this change]
+- ssh: fix version number check typo
- Curl_is_connected: use correct errno
-
- The correctly extracted errno contents were mistakenly overwritten by a newer
- value that wasn't the correct error value.
+Jay Satiro (29 May 2016)
+- curl_share_setopt.3: Add min ver needed for ssl session lock
- Bug: http://curl.haxx.se/mail/lib-2010-08/0242.html
+ Bug: https://github.com/curl/curl/issues/826
+ Reported-by: Michael Wallner
-- cmdline: make -F type= accept ;charset=
+Daniel Stenberg (29 May 2016)
+- ssh: fix build for libssh2 before 1.2.6
- The -F option allows some custom parameters within the given string, and
- those strings are separated with semicolons. You can for example specify
- "name=daniel;type=text/plain" to set content-type for the
- field. However, the use of semicolons like that made it not work fine if
- you specified one within the content-type, like for:
- "name=daniel;type=text/plain;charset=UTF-8"
- ... as the second one would be seen as a separator and "charset" is no
- parameter curl knows anything about so it was just silently discarded.
+ The statvfs functionality was added to libssh2 in that version, so we
+ switch off that functionality when built with older libraries.
- The new logic now checks if the semicolon and following keyword looks
- like a parameter it knows about and if it isn't it is assumed to be
- meant to be used within the content-type string itself.
+ Fixes #831
+
+- mbedtls: fix includes so snprintf() works
- I modified test case 186 to verify that this works as intended.
+ Regression from the previous *printf() rearrangements, this file missed to
+ include the correct header to make sure snprintf() works universally.
- Reported by: Larry Stone
- Bug: http://curl.haxx.se/bug/view.cgi?id=3048988
+ Reported-by: Moti Avrahami
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
-Guenter Knauf (20 Aug 2010)
-- Added mk-ca-bundle.vbs script.
+Steve Holme (23 May 2016)
+- checksrc.pl: Added variants of strcat() & strncat() to banned function list
- The script works exactly same as the Perl one except for one thing:
- when the text descriptions generated with openssl are included then
- the md5 fingerprints are missing; seems openssl has either a bug or
- a feature which prints the md5 fingerprint output to stdout instead
- of writing them to specified file; this script could here do the same
- as what the Perl scripr does (redirect stdout into file) but this
- makes the script take up double the time because it needs to launch
- cmd.exe 140 times (fo each openssl call). So I think for now we just
- ommit the md5 fingerprints, and see if openssl will be fixed.
+ Added support for checking the tchar, unicode and mbcs variants of
+ strcat() and strncat() in the banned function list.
+
+Daniel Stenberg (23 May 2016)
+- smtp: minor ident (white space) fixes
-- Trial to fix win32 autobuilds.
+- THANKS: updated after script fixes
- It seems that its time to look at some better ideas for the win32
- non-configure builds; probably a prebuild target which copies
- config-win32.h to curl_config.h and appends also then feature
- defines like USE_ARES.
+ Now giving credit properly to github user names, fixed some UTF-8 issues
+ and added names discovered when contrithanks was improved.
-Dan Fandrich (19 Aug 2010)
-- Use the S_ISREG macro to determine what is a regular file
+- THANKS-filter: more name cleanups
-Kamil Dudka (19 Aug 2010)
-- AC_INIT: avoid a warning with autoconf 2.66
-
- It was complaining about the '=>' operator, introduced in e3fc0d5.
+- contrithanks.sh: exclude existing names case insensitively
-Dan Fandrich (18 Aug 2010)
-- Fixed a memory leak during OOM in the multi timeout code
+- contrithanks.sh: use same grep pattern and -a flag as contributors.sh
-- Removed a C99ism & made an array const
+- contributors.sh: better grep pattern, use grep -a
-Daniel Stenberg (19 Aug 2010)
-- [Julien Chaffraix brought this change]
+- THANKS-filter: fix more names
- test: added test 579 to verify progress callback for chunked post
-
- The 66 bytes checked are those 38 bytes with the chunked encoding
- headers added: 8+8+10+35+5 = 66
+- contrithanks.sh: do the same github fix as contributors.sh
- The three-letter words become 8 bytes on the wire because they are sent
- like: "3\r\none\r\n"
-
- ... and there's the trailing 5 bytes write after the four lines since
- the final chunk is sent (which is "0\r\n\r\n").
+ from 1577bfa35ba
-- multi: avoid sending multiple complete messages
+Jay Satiro (23 May 2016)
+- contributors: Show GitHub username if real name unknown
- I fell over this bug report that mentioned that libcurl could wrongly
- send more than one complete messages at the end of a transfer. Reading
- the code confirmed this, so I've added a new multi state to make it not
- happen. The mentioned bug report was made by Brad Jorsch but is (oddly
- enough) filed in Debian's bug tracker for the "wmweather+" tool.
+ Prior to this change if a GitHub contributor's real name was unknown
+ they would be omitted from the list.
- Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593390
+ Bug: https://github.com/curl/curl/issues/824
-- FAQ: update the list of supported protocols
+Daniel Stenberg (21 May 2016)
+- RELEASE-NOTES: synced with 3caaeffbe8ded4
-- FAQ: added blurb about ECCN
+Jay Satiro (20 May 2016)
+- openssl: cleanup must free compression methods
- "1.13 curl's ECCN number" is a new section mostly made up from
- Alessandro Vesely's very informative ML post on the subject:
- http://curl.haxx.se/mail/lib-2008-03/0251.html
-
-Guenter Knauf (18 Aug 2010)
-- It is sufficient to pipe stderr to NUL to get rid of the nasty messages.
-
-- Added SSPI build to Watcom makefile.
+ - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
+
+ Bug: https://github.com/curl/curl/issues/817
+ Reported-by: jveazey@users.noreply.github.com
-Daniel Stenberg (16 Aug 2010)
-- [Julien Chaffraix brought this change]
+Daniel Stenberg (20 May 2016)
+- [Gisle Vanem brought this change]
- progress: callback for POSTs less than MAX_INITIAL_POST_SIZE
+ curl_multibyte: fix compiler error
- Add a call to Curl_pgrsSetUploadSize in this case valided by a test
- case.
+ While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
+ getting:
- Reported by: Никита Дорохин.
- Bug: http://curl.haxx.se/mail/lib-2010-04/0173.html
-
-Dan Fandrich (16 Aug 2010)
-- Make the LD_PRELOAD path absolute in the tests that use it
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
+ to follow 'CURL_EXTERN'
- In some situations, libtool will change directories and perform
- a link step before executing the libtest test app. Since
- LD_PRELOAD is in effect for this entire process, the path to the
- binary must be absolute so it will be valid no matter in which
- directory the app is running.
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
+ 'curl_domalloc': not in formal parameter list
-Daniel Stenberg (16 Aug 2010)
-- negotiation: Wrong proxy authorization
-
- There's an error in http_negotiation.c where a mistake is using only
- userpwd even for proxy requests. Ludek provided a patch, but I decided
- to write the fix slightly different using his patch as inspiration.
+- THANKS-filter: make Jan-E get proper credit
+
+- [Jan-E brought this change]
+
+ winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
- Reported by: Ludek Finstrle
- Bug: http://curl.haxx.se/bug/view.cgi?id=3046066
+ Closes #818
-Dan Fandrich (16 Aug 2010)
-- Clear stdout and stderr files on each test run
+- [Alexander Traud brought this change]
+
+ libcurl.m4: Avoid obsolete warning
- This allows a test to be run several times in the same test
- session even when the -k option is given.
+ Closes #821
-Guenter Knauf (15 Aug 2010)
-- Syncroniszed vclean target; fixed some comments.
+Jay Satiro (20 May 2016)
+- [Michael Kaufmann brought this change]
-Daniel Stenberg (15 Aug 2010)
-- THANKS: added contributors from 7.21.1
+ CURLOPT_CONNECT_TO.3: user must not free the list prematurely
+
+ The connect-to list isn't copied so as long as the handle may be used
+ for a transfer the list must be valid.
+
+ Bug: https://github.com/curl/curl/pull/819
+ Reported-by: Michael Kaufmann
-- multi: two fixes done
+Daniel Stenberg (19 May 2016)
+- RELEASE-NOTES: synced with 48114a8634242c
-- multi: use timeouts properly for MAX_RECV/SEND_SPEED
+- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
- When detecting that the send or recv speed, the multi interface changes
- state to TOOFAST and previously there was no timeout set that would
- force a recheck but it would rely on the application to somehow call
- libcurl anyway. This now sets a timeout for a suitable future time to
- check again if the average transfer speed is then below the threshold
- again.
+ See OpenSSL commit 21e001747d4a
-- multi: support timeouts
+- http2: use HTTP/2 in the HTTP/1.1-alike header
- Curl_expire() is now expanded to hold a list of timeouts for each easy
- handle. Only the closest in time will be the one used as the primary
- timeout for the handle and will be used for the splay tree (which sorts
- and lists all handles within the multi handle).
+ ... when generating them, not "2.0" as the protocol is called just
+ HTTP/2 and nothing else.
+
+Jay Satiro (19 May 2016)
+- dist: include curl_multi_socket_all.3
- When the main timeout has triggered/expired, the next timeout in time
- that is kept in the list will be moved to the main timeout position and
- used as the key to splay with. This way, all timeouts that are set with
- Curl_expire() internally will end up as a proper timeout. Previously any
- Curl_expire() that set a _later_ timeout than what was already set was
- just silently ignored and thus missed.
+ Closes https://github.com/curl/curl/pull/816
+
+Steve Holme (18 May 2016)
+- bump: Start work on 7.49.1
+
+Daniel Stenberg (18 May 2016)
+- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
- Setting Curl_expire() with timeout 0 (zero) will cancel all previously
- added timeouts.
+ The preprocessor check that sets up the 32bit defines for non-configure
+ builds didn't work properly for MIPS systems as __mips__ is defined for
+ both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
- Corrects known bug #62.
+ Reported-by: Tomas Jakobsson
+ Fixes #813
-- Curl_llist_insert_next: allow insertion first in the list
-
- When we specify the "insert after" entry as NULL, this function now
- inserts the new entry first in the list.
+- [Marcel Raad brought this change]
-- multi: make curl_multi_info_read perform O(1)
+ schannel: fix compile break with MSVC XP toolset
- Instead of looping over all attached easy handles, this now keeps a list
- of messages in the multi handle. It allows curl_multi_info_read() to
- perform O(1) no matter how many easy handles that are handled. This is
- of importance since this function may be polled very frequently by apps
- using the multi interface.
-
-Kamil Dudka (15 Aug 2010)
-- curl -T: ignore file size of special files
+ For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
+ 7.1 is used. In this case, _USING_V110_SDK71_ is defined.
- original bug report at https://bugzilla.redhat.com/622520
+ Closes #812
-Dan Fandrich (13 Aug 2010)
-- Reset environment variables before starting servers
+- dist: include CHECKSRC.md
- Otherwise, variables from tests could affect the servers
- themselves.
+ Reported-by: Paul Howarth
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html
-Kamil Dudka (12 Aug 2010)
-- typecheck-gcc: work around gcc upstream bug #32061
+- test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist
- original bug report at https://bugzilla.redhat.com/617757
+ Reported-by: Ray Satiro
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html
-Daniel Stenberg (11 Aug 2010)
-- release cycle loop: start over toward 7.21.2
+Version 7.49.0 (17 May 2016)
-Version 7.21.1 (11 Aug 2010)
+Daniel Stenberg (17 May 2016)
+- THANKS: 24 new names from 7.49.0 release notes
-Daniel Stenberg (11 Aug 2010)
-- RELEASE-NOTES: mention the runtests fix as well
+- RELEASE-NOTES: 7.49.0
-- runtests: clear old setenv remainders before test
+- mbedtls/polarssl: set "hostname" unconditionally
- Due to the layout of the singletest function there are situations where
- it returns before it clears the environment variables that were
- especially set for the single specific test case. That could lead to
- subsequent tests getting executed with environment variables sticking
- around from a previous test which could lead to badness.
+ ...as otherwise the TLS libs will skip the CN/SAN check and just allow
+ connection to any server. curl previously skipped this function when SNI
+ wasn't used or when connecting to an IP address specified host.
- This change makes sure to clear all custom variables that may be laying
- around from a previous round, before running a test case.
+ CVE-2016-3739
- Reported by: Kamil Dudka
- Bug: http://curl.haxx.se/mail/lib-2010-08/0141.html
+ Bug: https://curl.haxx.se/docs/adv_20160518A.html
+ Reported-by: Moti Avrahami
-Guenter Knauf (11 Aug 2010)
-- Added OpenSSL builds to Watcom makefiles.
+- [Frank Gevaerts brought this change]
-Yang Tse (11 Aug 2010)
-- configure: werror related adjustments
+ CURLOPT_RESOLVE.3: fix typo
+
+ Closes #811
+
+- docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE
-Daniel Stenberg (11 Aug 2010)
-- FAQ: s/libcurl.so.3/libcurl.so.X
+- KNOWN_BUGS: GnuTLS backend skips really long certificate fields
+
+ Closes #762
-Dan Fandrich (10 Aug 2010)
-- KNOWN_BUG #59 is fixed. Clarify support of IPv6 zone IDs.
+- CURLOPT_HTTPPOST.3: the data needs to be around while in use
-- Fixed typo in Android configure command
+- openssl: get_cert_chain: fix NULL dereference
+
+ CID 1361815: Explicit null dereferenced (FORWARD_NULL)
-Daniel Stenberg (11 Aug 2010)
-- HISTORY: added stuff from recent years
+- openssl: get_cert_chain: avoid NULL dereference
+
+ CID 1361811: Explicit null dereferenced (FORWARD_NULL)
-- warning: silence the compiler
+- dprintf_formatf: fix (false?) Coverity warning
- warning: conversion to 'long int' from 'time_t' may alter its value
+ CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when
+ we run over 'workend' but the condition says <= workend and for all I
+ can see it should be safe. Compensating for the warning by adding a byte
+ margin in the buffer.
- ... on win64 when time_t is 64bit and long is 32bit.
+ Also, removed the extra brace level indentation in the code and made it
+ so that 'workend' is only assigned once within the function.
-- RELEASE-NOTES: synced, 3 additional bugfixes
+- RELEASE-NOTES: synced with 2dcb5adc72d6
-- multi_socket_action: clarify how to kickstart it
-
- The callbacks are called when curl_multi_socket_action() is called, not
- when handles are added. This is now mentioned in the "TYPICAL USAGE"
- section.
+- THANKS-filter: fixed Jonathan Cardoso
-- callbacks: acknowledge progress callback error returns
+Jay Satiro (15 May 2016)
+- ftp: fix incorrect out-of-memory code in Curl_pretransfer
- When the progress callback is called during the TCP connection, an error
- return would accidentally not abort the operation as intended but would
- instead be counted as a failure to connect to that particular IP and
- libcurl would just continue to try the next. I made singleipconnect()
- and trynextip() return CURLcode properly.
+ - Return value type must match function type.
- Added bonus: it corrected the error code for bad --interface usages,
- like tested in test 1084 and test 1085.
+ s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/
- Reported by: Adam Light
- Bug: http://curl.haxx.se/mail/lib-2010-08/0105.html
+ Caught by Travis CI
-Guenter Knauf (10 Aug 2010)
-- More Watcom makefile fixes ...
+Daniel Stenberg (15 May 2016)
+- ftp wildcard: segfault due to init only in multi_perform
- Final fix (hopefully!) for dll wlink loader;
- prefer faster internal rm if available.
-
-- Fixed my wrong edit.
-
-- More Watcom makefile fixes.
+ The proper FTP wildcard init is now more properly done in Curl_pretransfer()
+ and the corresponding cleanup in Curl_close().
- Added the -br switch to dynamic builds which fixes the issue I saw
- with curl's --version output. Added debug info and symfile for debug
- builds to linker opts. Added DLL loader for wlink back, but this time
- dependend on wlink version.
- Patch posted to the list by malak.jiri AT gmail.com.
-
-- Changed test for -u switch in order to enable other wmake switches.
+ The previous place of init/cleanup code made the internal pointer to be NULL
+ when this feature was used with the multi_socket() API, as it was made within
+ the curl_multi_perform() function.
- The var %MAKEFLAGS is only set in 3 cases: if set as environment
- var or as macro definition from commandline, and either with the
- -u or -ms switch. Since all these cases are unlikely for the average
- user it should be safe to only test if %MAKEFLAGS is defined; this
- has the benefit that now all other switches can be used again in
- addition to the -u which was formerly not possible.
+ Reported-by: Jonathan Cardoso Machado
+ Fixes #800
-Daniel Stenberg (10 Aug 2010)
-- llist: hide Curl_llist_init
+Jay Satiro (13 May 2016)
+- libcurl-tlibcurl-thread: Update OpenSSL links
- Curl_llist_init is never used outside of llist.c and thus it should be
- static. I also removed the protos for Curl_llist_insert_prev and
- Curl_llist_remove_next which are functions we removed from llist.c ages
- ago.
-
-Guenter Knauf (10 Aug 2010)
-- Added msys Perl since git for Win32 comes with own Perl which identifies as msys.
+ Because the old OpenSSL link now redirects to their master documentation
+ (currently 1.1.0), which does not document the required actions for
+ OpenSSL <= 1.0.2.
-- Updated lib dependency versions.
+Daniel Stenberg (13 May 2016)
+- [Viktor Szakats brought this change]
-- Make testcurl.pl Watcom-aware.
+ darwinssl.c: fix OS X codename typo in comment
-Daniel Stenberg (10 Aug 2010)
-- parse_remote_port: fix ;type= URL suffix over HTTP proxy
+- RELEASE-NOTES: synced with 68701e51c1f7
- Test 563 is enabled now and verifies that the combo FTP type=A URL,
- CURLOPT_PORT set and proxy work fine. As a bonus I managed to remove the
- somewhat odd FTP check in parse_remote_port() and instead converted it
- to a better and more generic 'slash_removed' struct field. Checking the
- ->protocol field isn't right since when an FTP:// URL is sent over a
- HTTP proxy, the protocol is HTTP but the URL was handled by the FTP code
- and thus slash_removed is set TRUE for this case.
-
-- indent: white space fixes only
-
-Yang Tse (9 Aug 2010)
-- build: fix previous push
+ Added 8 bug fixes and 5 more contrbutors
-- build: don't build libhostname unless shared libcurl is built
+- [Jay Satiro brought this change]
-- build: libhostname and chkhostname linkage adjustments followup
-
-Daniel Stenberg (8 Aug 2010)
-- typo: remove duplicate semicolon
-
-- multi: avoid a malloc() when a transfer is complete
+ mprintf: Fix processing of width and prec args
- The struct used for storing the message for a completed transfer is now
- no longer allocated separatly but is kept within the main struct kept
- for each easy handle so that we avoid one malloc (and the subsequent
- free).
-
-Yang Tse (8 Aug 2010)
-- build: libhostname linkage adjustments followup
-
-Guenter Knauf (7 Aug 2010)
-- Fix to overwrite libcurl name.
-
-Yang Tse (7 Aug 2010)
-- build: chkhostname build adjustments followup
+ Prior to this change a width arg could be erroneously output, and also
+ width and precision args could not be used together without crashing.
+
+ "%0*d%s", 2, 9, "foo"
+
+ Before: "092"
+ After: "09foo"
+
+ "%*.*s", 5, 2, "foo"
+
+ Before: crash
+ After: " fo"
+
+ Test 557 is updated to verify this and more
-U-D5B1PQ1J\Administrador (7 Aug 2010)
-- build: allow NTLM tests to run on more build configurations
+- [Michael Kaufmann brought this change]
-Daniel Stenberg (7 Aug 2010)
-- curl_easy_setopt.3: rename stream to userdata
+ ConnectionExists: follow-up fix for proxy re-use
- In some places where the name 'stream' has been used for naming a
- function argument that is in fact settable with a setopt() option we now
- call that argument 'userdata' to make it more obvious that it is in fact
- possible to set by the application.
+ Follow-up commit to 5823179
- Suggested by: Jeff Pohlmeyer
+ Closes #648
-Guenter Knauf (7 Aug 2010)
-- Block created curlbuild.h for NetWare to avoid usage from other platforms.
+- [Per Malmberg brought this change]
-Daniel Stenberg (7 Aug 2010)
-- RELEASE-NOTES: synced with recent changes
+ darwinssl: fix certificate verification disable on OS X 10.8
+
+ The new way of disabling certificate verification doesn't work on
+ Mountain Lion (OS X 10.8) so we need to use the old way in that version
+ too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2
+ and 10.11.
+
+ Closes #802
-Yang Tse (6 Aug 2010)
-- build: ensure that libhostname doesn't get installed
+- [Cory Benfield brought this change]
-Daniel Stenberg (6 Aug 2010)
-- multi_socket: set timeout for 100-continue
+ http2: Add space between colon and header value
- When libcurl internally decided to wait for a 100-continue header, there
- was no call to the timeout function so there was no timeout callback
- called when the multi_socket API was used and thus applications became
- either completely wrong or at least ineffecient depending on how they
- handled the situation. We now set a timeout to get triggered.
+ curl's representation of HTTP/2 responses involves transforming the
+ response to a format that is similar to HTTP/1.1. Prior to this change,
+ curl would do this by separating header names and values with only a
+ colon, without introducing a space after the colon.
- Reported by: Ben Darnell
- Bug: http://curl.haxx.se/bug/view.cgi?id=3039744
-
-Guenter Knauf (6 Aug 2010)
-- Some more Watcom makefile massage ...
+ While this is technically a valid way to represent a HTTP/1.1 header
+ block, it is much more common to see a space following the colon. This
+ change introduces that space, to ensure that incautious tools are safely
+ able to parse the header block.
- For now removed the .autodepend directive until I've figured out
- which of my changes broke it again.
-
-Yang Tse (5 Aug 2010)
-- build: fix libssh2_scp_send64() availability
-
-- build: remove unneeded cast to (void *)
-
-- build: remove unused file
+ This also ensures that the difference between the HTTP/1.1 and HTTP/2
+ response layout is as minimal as possible.
+
+ Bug: https://github.com/curl/curl/issues/797
+
+ Closes #798
+ Fixes #797
-Daniel Stenberg (4 Aug 2010)
-- SCP: send large files properly with new enough libssh2
+Kamil Dudka (12 May 2016)
+- openssl: fix compile-time warning in Curl_ossl_check_cxn()
- libssh2 1.2.6 and later handle >32bit file sizes properly even on 32bit
- architectures and we make sure to use that ability.
+ ... introduced in curl-7_48_0-293-g2968c83:
- Reported by: Mikael Johansson
- Bug: http://curl.haxx.se/mail/lib-2010-08/0052.html
+ Error: COMPILER_WARNING:
+ lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’
+ lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’
+ may alter its value [-Wconversion]
-Yang Tse (3 Aug 2010)
-- build: add missing new files to non-configure target build files
+Jay Satiro (11 May 2016)
+- openssl: stricter connection check function
+
+ - In the case of recv error, limit returning 'connection still in place'
+ to EINPROGRESS, EAGAIN and EWOULDBLOCK.
+
+ This is an improvement on the parent commit which changed the openssl
+ connection check to use recv MSG_PEEK instead of SSL_peek.
+
+ Ref: https://github.com/curl/curl/commit/856baf5#comments
-- md4: replace bcopy usage with memcpy
+Daniel Stenberg (11 May 2016)
+- [Anders Bakken brought this change]
-Daniel Stenberg (3 Aug 2010)
-- RELEASE-NOTES: synced with recent changes
+ TLS: SSL_peek is not a const operation
+
+ Calling SSL_peek can cause bytes to be read from the raw socket which in
+ turn can upset the select machinery that determines whether there's data
+ available on the socket.
+
+ Since Curl_ossl_check_cxn only tries to determine whether the socket is
+ alive and doesn't actually need to see the bytes SSL_peek seems like
+ the wrong function to call.
+
+ We're able to occasionally reproduce a connect timeout due to this
+ bug. What happens is that Curl doesn't know to call SSL_connect again
+ after the peek happens since data is buffered in the SSL buffer and thus
+ select won't fire for this socket.
+
+ Closes #795
-- TODO-RELEASE: clear, file not really used ATM
+Jay Satiro (9 May 2016)
+- [Daniel Stenberg brought this change]
-- typecheck-gcc: add checks for recently added options
+ TLS: move the ALPN/NPN enable bits to the connection
+
+ Only protocols that actually have a protocol registered for ALPN and NPN
+ should try to get that negotiated in the TLS handshake. That is only
+ HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
+ would wrongly be used in all handshakes if libcurl was built with it
+ enabled.
- I added all OBJECTPOINT curl_easy_setopt() options from 178 to 202. Left
- to add: the five FUNCTIONPOINT (callbacks) options added since:
+ Reported-by: Jay Satiro
- SSH_KEYFUNCTION
- INTERLEAVEFUNCTION
- CHUNK_BGN_FUNCTION
- CHUNK_END_FUNCTION
- FNMATCH_FUNCTION
+ Fixes #789
-- .gitignore: ignore all built examples
+Daniel Stenberg (8 May 2016)
+- libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl
-- example: fix code to build warning-free
+- [Antonio Larrosa brought this change]
-- Curl_connected_proxy: skip the bits.tcpconnect check
+ connect: fix invalid "Network is unreachable" errors
- Simply because the TCP might be connected already we cannot skip the
- proxy connect procedure. We need to be careful to not overload more
- meaning to the bits.tcpconnect field like this.
+ Sometimes, in systems with both ipv4 and ipv6 addresses but where the
+ network doesn't support ipv6, Curl_is_connected returns an error
+ (intermittently) even if the ipv4 socket connects successfully.
- With this fix, SOCKS proxies work again when the multi interface is
- used. I believe this regression was added with commit 4b351d018e,
- released as 7.20.1.
+ This happens because there's a for-loop that iterates on the sockets but
+ the error variable is not resetted when the ipv4 is checked and is ok.
- Left todo: add a test case that verifies this functionality that
- prevents us from breaking it again in the future!
+ This patch fixes this problem by setting error to 0 when checking the
+ second socket and not having a result yet.
- Reported by: Robin Cornelius
- Bug: http://curl.haxx.se/bug/view.cgi?id=3033966
+ Fixes #794
-- sethostname: provide local prototype for gethostname
-
- This is only to avoid warnings on some systems.
+Jay Satiro (5 May 2016)
+- FAQ: refer to thread safety guidelines
-- build: add typecast to avoid warning
+Daniel Stenberg (3 May 2016)
+- connections: non-HTTP proxies on different ports aren't reused either
+
+ Reported-by: Oleg Pudeyev and fuchaoqun
- There is an implicit conversion from "unsigned long" to "long";
- rounding, sign extension, or loss of accuracy may result.
+ Fixes #648
-Guenter Knauf (2 Aug 2010)
-- Rename CURL_SOURCES macro; revert previous rename of curl_SOURCES macro.
+- http: make sure a blank header overrides accept_decoding
+
+ Reported-by: rcanavan
+ Assisted-by: Isaac Boukris
+ Closes #785
-- Removed ugly dependency lists since wmake knows the .autodepend directive.
+- CHECKSRC.md: clarified, explained the whitelist file
-- Use suffix search path for sources in lib folder.
+- nroff-scan.pl: verify that references are made with \fI
-- Changed src/Makefile.Watcom to use CURL_SOURCES from src/Makefile.inc.
+- docs: unified man page references to use \fI
-- Renamed curl_SOURCES to CURL_ALLFILES to overcome wmake's case-insensitivity.
+- TODO: 17.14 --fail without --location should treat 3xx as a failure
+
+ Closes #727
-- Removed wlink from DLL loader list because it doesnt work with Watcom < 1.8.
+- RELEASE-NOTES: synced with 7987f5cb14d
-- Moved the LDAP API defines from Makefile.Watcom to config-win32.h.
-
- These defines are only needed for older Watcom versions (< 1280).
+- [Isaac Boukris brought this change]
-Daniel Stenberg (2 Aug 2010)
-- retry: consider retrying even if -f is used
+ CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
- The --retry logic does retry HTTP when some specific response codes are
- returned, but because the -f option sets the CURLOPT_FAILONERROR to
- libcurl, the return codes are different for such situations and then the
- curl tool failed to consider it for retrying.
+ Mention possible content-length mismatch with sum of bytes reported
+ by write callbacks when auto decoding is enabled.
- Reported by: Mike Power
- Bug: http://curl.haxx.se/bug/view.cgi?id=3037362
+ See #785
-- multi: fix FTPS connecting the data connection with OpenSSL
-
- Commit 496002ea1cd76af7f (released in 7.20.1) broke FTPS when using the
- multi interface and OpenSSL was used. The condition for the non-blocking
- connect was incorrect.
-
- Reported by: Georg Lippitsch
- Bug: http://curl.haxx.se/mail/lib-2010-07/0270.html
+- test1140: run nroff-scan to verify man pages
-Guenter Knauf (1 Aug 2010)
-- Fixed curlbuild.h rule.
+- nroff-scan.pl: verify the .BR references as well
-- Added rule to create curlbuild.h if not present (for builds from git).
+- CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference
-- Added dependend libs for curl static linking.
+- CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE
-- Fixed curl.exe static linking.
+- curl_easy_pause.3: fix man page reference
-Daniel Stenberg (30 Jul 2010)
-- warning: silence a win64 compiler warning
+Jay Satiro (1 May 2016)
+- tool_cb_hdr: Fix --remote-header-name with schemeless URL
- conversion from 'size_t' to 'curl_socklen_t', possible loss of data
+ - Move the existing scheme check from tool_operate.
- Reported by: Adam Light
-
-- KNOWN_BUG: The SOCKET type in Win64 is 64 bits
+ In the case of --remote-header-name we want to parse Content-disposition
+ for a filename, but only if the scheme is http or https. A recent
+ adjustment 0dc4d8e was made to account for schemeless URLs however it's
+ not 100% accurate. To remedy that I've moved the scheme check to the
+ header callback, since at that point the library has already determined
+ the scheme.
- The SOCKET type in Win64 is 64 bits large (and thus so is curl_socket_t
- on that platform), and long is only 32 bits. It makes it impossible for
- curl_easy_getinfo() to return a socket properly with the
- CURLINFO_LASTSOCKET option as for all other operating systems.
+ Bug: https://github.com/curl/curl/issues/760
+ Reported-by: Kai Noda
-- smtp_connect: always provide host name buffer
+Daniel Stenberg (1 May 2016)
+- tls: make setting pinnedkey option fail if not supported
- Previously the host name buffer was only used if gethostname() exists,
- but since we converted that into a curl private function that function
- always exists and will be used so the buffer needs to exist for all
- cases/systems.
+ to make it obvious to users trying to use the feature with TLS backends
+ not supporting it.
+
+ Discussed in #781
+ Reported-by: Travis Burtrum
-- sethostname: avoid including unistd.h to duck for warnings
+- nroff-scan.pl: verifies nroff pages
+
+ ... not used by any test yet but can be used stand-alone.
-- sethostname: ISO C does not allow extra `;' outside of a function
+- opts: fix broken/bad references
-- [Kamil Dudka brought this change]
+- [Michael Kaufmann brought this change]
- NTLM tests: boost coverage by forcing the hostname
+ docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
- A shared library tests/libtest/.libs/lihostname.so is preloaded in NTLM
- test-cases to override the system implementation of gethostname(). It
- makes it possible to test the NTLM authentication for exact match, and
- this way test the implementation of MD4 and DES.
+ Closes #786
+
+- CURLOPT_ACCEPT_ENCODING.3: clarified
- If LD_PRELOAD doesn't work, a debug build willl also workk as debug
- builds are now made to prefer a specific environment variable and will
- then return that content as host name instead of the actual one.
+ As discussed in #785
+
+- curl.1: --mail-rcpt can be used multiple times
- Kamil wrote the bulk of this, Daniel Stenberg polished it.
+ Reported-by: mgendre
+ Closes #784
-Guenter Knauf (29 Jul 2010)
-- Added a comment with an alternate idea to avoid the backslash line contination character.
+- [Karlson2k brought this change]
-- Changed comparison to match size_t var type.
+ tests: Use 'pathhelp' for paths conversions in secureserver.pl
+
+ Closes #675
-- Removed unused vars to avoid compiler warnings.
+- [Karlson2k brought this change]
-- Make Watcom makefiles use Makefile.inc to reduce future maintainance.
-
- lib/Makefile.Watcom works fine already, for src/Makefile.Watcom we
- need first to tweak src/Makefile.inc a bit - therefore the handtweaked
- list still exists for now.
+ tests: Use 'pathhelp' for paths conversions in sshserver.pl
-- Watcom makefiles overhaul.
-
- - make both libcurl and curl makefiles use register calling convention
- (previously libcurl had stack calling convention).
- - added include paths to the Watcom headers so its no longer required
- to set the environment vars for this.
- - added -wcd=201 to supress compiler warning about unreachable code.
- - use macros for all tools, and removed dependency on GNU tools like rm.
- - make ipv6 and debug builds controlable via env vars and so make them
- optional instead of default.
- - commented WINLDAPAPI and WINBERAPI since they broke with OW 1.8, and
- it seems they're not needed (anymore?).
- - added rule for hugehelp.c.cvs so that it will be created when not
- already exist - this is required for building from a release tarball
- since there we have no hugehelp.c.cvs, thus compilation broke.
- - removed C_ARG creation from lib/Makefile.Watcom and use CFLAGS
- directly as done too in src/Makefile.Watcom - this has the benefit
- that we will see all active cflags and defines during compile.
- - added LINK-ARG to src/Makefile.Watcom in order to better control
- linker input.
- - a couple of other minor makefile tweaks here and there ...
- - added largefile support for Watcom builds to config-win32.h. Not yet
- tested if it really works, but should since Win32 supports it.
- - added loaddll stuff to speed up builds if supported.
+- [Karlson2k brought this change]
-- some cosmetic changes.
+ tests: Use 'pathhelp' for current path in runtests.pl
-Dan Fandrich (26 Jul 2010)
-- Added md4.c to the Watcom makefile
+- [Karlson2k brought this change]
-- Added PolarSSL to the docs
+ tests: pathhelp.pm to process paths on Msys/Cygwin
-Daniel Stenberg (25 Jul 2010)
-- curl-config: --built-shared returns shared info
+- lib: include curl_printf.h as one of the last headers
+
+ curl_printf.h defines printf to curl_mprintf, etc. This can cause
+ problems with external headers which may use
+ __attribute__((format(printf, ...))) markers etc.
+
+ To avoid that they cause problems with system includes, we include
+ curl_printf.h after any system headers. That makes the three last
+ headers to always be, and we keep them in this order:
+
+ curl_printf.h
+ curl_memory.h
+ memdebug.h
- The curl-config now features a --built-shared command line option that
- will output 'yes' or 'no' depending if the build process was asked to
- build shared library/libraries or not.
+ None of them include system headers, they all do funny #defines.
- It is primarily made to offer more details to the test suite to know
- what kind of stunts it can expect to work.
+ Reported-by: David Benjamin
+
+ Fixes #743
-- add_buffer_send: fix compiler warning
+- memdebug.h: remove inclusion of other headers
- Win64's 32 bit long but 64 bit size_t caused a warning that we avoid
- with a typecast. A small whitespace indent fix was also applied.
+ Mostly because they're not needed, because memdebug.h is always included
+ last of all headers so the others already included the correct ones.
- Reported by: Adam Light
+ But also, starting now we don't want this to accidentally include any
+ system headers, as the header included _before_ this header may add
+ defines and other fun stuff that we won't want used in system includes.
-Guenter Knauf (22 Jul 2010)
-- Updated library versions.
+- [Jay Satiro brought this change]
-- Fixed script version which was still based on CVS Revision tag.
+ curl -J: make it work even without http:// scheme on URL
+
+ It does open up a miniscule risk that one of the other protocols that
+ libcurl could use would send back a Content-Disposition header and then
+ curl would act on it even if not HTTP.
+
+ A future mitigation for this risk would be to allow the callback to ask
+ libcurl which protocol is being used.
+
+ Verified with test 1312
+
+ Closes #760
-Dan Fandrich (21 Jul 2010)
-- FAQ: Why doesn't cURL error out when the cable is unplugged?
+- manpage-scan.pl: also verify the command line option docs
- This one was long overdue to be mentioned in the FAQ. Also, mention the
- new ftp wildcard downloading feature.
+ This script now also scans src/tool_getparam.c, docs/curl.1 and
+ src/tool_help.c and will warn if any of them lists a command line option
+ not mentioned in one of the other places.
-Daniel Stenberg (21 Jul 2010)
-- [Ben Greear brought this change]
+- curl: show the long option version of -q in the -h list
- ssh: Fix compile error on 64-bit systems.
+- curl: remove "--socks" as "--socks5" turned 8
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated
+ and it has not been documented since. The more explicit socks options
+ (like --socks4 or --socks5) should be used.
-- [Ben Greear brought this change]
+- curl.1: document the deprecated --ftp-ssl option
- build: Enable configure --enable-werror
-
- This passes -Werror to gcc when building curl and libcurl,
- allowing easy dection of compile warnings.
+- curl: remove --http-request
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ It was mentioned as deprecated already in commit ae1912cb0d4 from
+ 1999. It has not been documented in this millennium.
-- [Ben Greear brought this change]
+- curl: mention --ntlm-wb in -h list
- pingpong: Fix indentation (whitespace change only)
-
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+- curl: -h output lacked --proxy-header
+
+- curl.1: document --ntlm-wb
-- [Jan Van Boghout brought this change]
+- curl.1: document the long format of -q: --disable
- CUSTOMREQUEST: shouldn't be disabled when HTTP is disabled
+- curl.1: mention the deprecated --krb4 option
+
+- curl.1: document --ftp-ssl-reqd
- ... since FTP is using it as well, and potentially other protocols!
+ Even if deprecated, document it so that people will find it as old
+ scripts may still use it.
+
+- curl: use --telnet-option as documented
- Also, an #endif CURL_DISABLE_HTTP was incorrectly marked, as it seems to
- end the proxy block instead.
+ The code said "telnet-options" but no documentation ever said so. It
+ worked fine since the code is fine with a unique match of the first
+ part.
-- [Jan Van Boghout brought this change]
+- getparam: remove support for --ftpport
+
+ It has been deprecated and undocumented since commit ad5ead8bed7 (Dec
+ 2003). --ftp-port is the proper long option name.
- pingpong: response_time is milliseconds
+- curl: make --disable work as long form of -q
- Fixed the comment/document for the response_time struct member.
+ To make the aliases list reflect reality.
+
+- aliases: remove trailing space from capath string
-- [Jan Van Boghout brought this change]
+- cmdline parse: only single letter options have single-letter strings
+
+ ... moved around options so that parsing the code to find all
+ single-letter options easier.
- ftp: response timeout bug in "quote" sending
+Jay Satiro (28 Apr 2016)
+- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
- The FTP implementation was missing a timestamp reset point, making the
- waiting for responses after sending a post-transfer "QUOTE" command not
- working as supposedly. This bug was introduced in 7.20.0
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html
+ Reported-by: Bru Rom
-- [Jeff Pohlmeyer brought this change]
+Daniel Stenberg (28 Apr 2016)
+- curl_easy_getinfo.3: remove superfluous blank lines
- remote-header-name: chop filename at next semicolon
+- test1139: verifies libcurl option man page presence
- The --remote-header-name option for the command-line tool assumes that
- everything beyond the filename= field is part of the filename, but that
- might not always be the case, for example:
+ - checks that each option has its own man page present
- Content-Disposition: attachment; filename=file.txt; modification-date=...
+ - checks that each option is mentioned in its corresponding index man
+ page
+
+- curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION
- This fix chops the filename off at the next semicolon, if there is one.
+ ... although it is deprecated.
-- --retry: access violation with URL part sets continued
+Jay Satiro (28 Apr 2016)
+- mbedtls: Fix session resume
- When getting multiple URLs, curl didn't properly reset the byte counter
- after a successful transfer so if the subsequent transfer failed it
- would wrongly use the previous byte counter and behave badly (segfault)
- because of that. The code assumes that the byte counter and the 'stream'
- pointer is well in synch.
+ This also fixes PolarSSL session resume.
- Reported by: Jon Sargeant
- Bug: http://curl.haxx.se/bug/view.cgi?id=3028241
-
-- releasnote: synch up with commit f3b77e5611d
-
-- [Constantine Sapuntzakis brought this change]
-
- examples: add curl_multi_timeout
+ Prior to this change the TLS session information wasn't properly
+ saved and restored for PolarSSL and mbedTLS.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
+ Reported-by: Thomas Glanzmann
- Make the multi-interface using examples use curl_multi_timeout to
- properly educate users how to do things.
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
+ Reported-by: Moti Avrahami
-- configure: document the STATICLIB variable
+Daniel Stenberg (27 Apr 2016)
+- RELEASE-NOTES: synced with f4298fcc6d2
-- [Constantine Sapuntzakis brought this change]
+- [Michael Kaufmann brought this change]
- multi: fix condition that remove timers before trigger
+ opts: Fix some syntax errors in example code fragments
- curl_multi perform has two phases: run through every easy handle calling
- multi_runsingle and remove expired timers (timer removal).
+ Fixes #779
+
+- openssl: avoid BN_print a NULL bignum
- If a small timer (e.g. 1-10ms) is set during multi_runsingle, then it's
- possible that the timer has passed by when the timer removal runs. The
- timer which was just added is then removed. This will potentially cause
- the timer list to be empty and cause the next call to curl_multi_timeout
- to return -1. Ideally, curl_multi_timeout should return 0 in this case.
+ OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
+ numbers so make sure the function handles this.
- One way to fix this is to move the struct timeval now = Curl_tvnow(); to
- the top of curl_multi_perform. The change does that.
+ Reported-by: Linus Nordberg
-- [Constantine Sapuntzakis brought this change]
+- [Marcel Raad brought this change]
- threaded resolver: fix timeout issue
+ CONNECT_ONLY: don't close connection on GSS 401/407 reponses
- Reset old timer first so we can set a new one further in the future.
-
-- configure: allow environments variable to override internals
+ Previously, connections were closed immediately before the user had a
+ chance to extract the socket when the proxy required Negotiate
+ authentication.
- configure checks for grep, egrep, sed and ar and set the variables GREP,
- EGREP, SED and AR accordingly. We now let already set variables override
- the internal choices to let users make decisions when they know the
- right choice already. This is a regression as our configure script used
- to allow this back before commit 0b57c475 (up to 7.18.2).
+ This regression was brought in with the security fix in commit
+ 79b9d5f1a42578f
- Reported by: "kdekker"
- Bug: http://curl.haxx.se/bug/view.cgi?id=3028318
+ Closes #655
-Dan Fandrich (9 Jul 2010)
-- Improved the Android build instructions
+- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
-Daniel Stenberg (7 Jul 2010)
-- [Tor Arntsen brought this change]
+- mbedtls.c: silly spellfix of a comment
- upload: Avoid infinite loop when checking for auth bits
+- KNOWN_BUGS: 1.10 Strips trailing dot from host name
- The test would loop forever if authtype bit 0 wasn't set.
+ Closes #716
-- upload: warn users trying to upload from stdin with anyauth
+- test1322: verify stripping of trailing dot from host name
- Since uploading from stdin is very likely to not work with anyauth and
- its multi-phase probing for what authentication to actually use, alert
- the user about it. Multi-phase negotiate almost certainly will involve
- sending data and thus libcurl will need to rewind the stream to send
- again, and it cannot do that with stdin.
+ While being debated (in #716) and a violation of RFC 7230 section 5.4,
+ this test verifies that the existing functionality works as intended. It
+ strips the dot from the host name and uses the host without dot
+ throughout the internals.
-- http: don't enable chunked during authentication negotiations
+- multi: accidentally used resolved host name instead of proxy
- As mentioned in bug report #2956968, the HTTP code wouldn't send the
- first empty chunk during the auth negotiation phase of the HTTP request
- sending, so the server would wait for data to come and libcurl would
- wait for data to arrive... I've made the code not enable chunked
- encoding until the auth negotiation is done and thus this scenario
- doesn't occur anymore.
+ Regression introduced in 09b5a998
- Reported by: Sidney San Martín
- Bug: http://curl.haxx.se/bug/view.cgi?id=2956968
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html
+ Reported-by: BoBo
-- --libcurl: list the tricky options instead of using [REMARK]
-
- I think the [REMARK] and commented function calls cluttered the code a
- bit too much and made the generated code ugly to read. Now we instead
- track the remarks one specially and just lists them at the end of the
- generated code more as additional information.
+- symbols-in-versions: added new CURLSSLBACKEND_ symbols
-- curl: avoid setting libcurl options to its default
+- test148: fixed after the --ftp-create-dirs retry change
- it makes the --libcurl output easier to follow.
+ follow-up commit to 3c1e84f569 as it made curl try a little harder
-- --libcurl: hide setopt() calls setting default options
-
- And additionally, don't show function or object pointers actual value
- since they make no sense to anyone. Show 'functionpointer' and
- 'objectpointer' instead.
+- curl.h: clarify curl_sslbackend for openssl clones and renames
-- --libcurl: use *_LARGE options with typecasted constants
+- [Karlson2k brought this change]
+
+ url.c: fixed DEBUGASSERT() for WinSock workaround
+
+ If buffer is allocated, but nothing is received during prereceive
+ stage, than number of processed bytes must be zero.
- In the generated code --libcurl makes, all calls to curl_easy_setopt()
- that use *_LARGE options now have the value typecasted to curl_off_t, so
- that it works correctly for 32bit systems with 64bit curl_off_t type.
+ Closes #778
-- multi: CURLINFO_LASTSOCKET doesn't work after remove_handle
+- KNOWN_BUGS: --interface for ipv6 binds to unusable IP address
- When curl_multi_remove_handle() is called and an easy handle is returned
- to the connection cache held in the multi handle, then we cannot allow
- CURLINFO_LASTSOCKET to extract it since that will more or less encourage
- that the user uses the socket while it can get used by libcurl again.
+ Closes #686 for now.
+
+- TODO: 1.17 Add support for IRIs
- Without this fix, we'd get a segfault in Curl_getconnectinfo() trying to
- dereference the NULL pointer in 'data->state.connc'.
+ Adding support for IRIs is a mouthful, but is probably interesting at
+ least for areas and countries where the use of such "URLs" are growing
+ popularity.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3023840
+ Closes #776
-- [Pierre Joye brought this change]
+- THANKS-filter: Travis Burtrum
- build: add enable IPV6 option for the VC makefiles
+- lib1517: checksrc compliance
-- FAQ: the threaded resolver works universally now
+- [moparisthebest brought this change]
-Kamil Dudka (30 Jun 2010)
-- http_ntlm: add support for NSS
-
- When configured with '--without-ssl --with-nss', NTLM authentication
- now uses NSS crypto library for MD5 and DES. For MD4 we have a local
- implementation in that case. More details are available at
- https://bugzilla.redhat.com/603783
-
- In order to get it working, curl_global_init() must be called with
- CURL_GLOBAL_SSL or CURL_GLOBAL_ALL. That's necessary because NSS needs
- to be initialized globally and we do so only when the NSS library is
- actually required by protocol. The mentioned call of curl_global_init()
- is responsible for creating of the initialization mutex.
+ PolarSSL: Implement public key pinning
+
+Patrick Monnerat (22 Apr 2016)
+- os400: upgrade ILE/RPG binding
+
+- curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string
+
+Daniel Stenberg (22 Apr 2016)
+- contributors.sh: make --releasenotes implied
- There was also slightly changed the NSS initialization scenario, in
- particular, loading of the NSS PEM module. It used to be loaded always
- right after the NSS library was initialized. Now the library is
- initialized as soon as any SSL or NTLM is required, while the PEM module
- is prevented from being loaded until the SSL is actually required.
+ It got too annoying to type =)
-Daniel Stenberg (29 Jun 2010)
-- glob: backslash escaping bug
+- RELEASE-NOTES: synced with 3c1e84f5693d8093
+
+- curl: make --ftp-create-dirs retry on failure
- curl didn't properly handle escaping characters in a URL with the use of
- backslash. It did an attempt, but that failed as reported in bug
- 3022551. The described example was using the URL
- "http://example.com?{AB,C\,D}".
+ The underlying libcurl option used for this feature is
+ CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir
+ creation, but it was never set to do that by the command line tool.
- I've now removed the special-handling of letters following the backslash
- and I also removed the bad extra check that triggered this particular
- bug.
+ Now it does.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3022551
- Reported by: Jon Sargeant
-
-- release-notes: sync up with recent commits
+ Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html
+ Reported-by: John Wanghui
+ Help-by: Leif W
-- CONTRIBUTE: the git commit message line length is 72 columns
+- [Henrik Gaßmann brought this change]
-- [Pavel Raiskup brought this change]
-
- ftp wildcard: FTP LIST parser FIX
+ winbuild: add mbedtls support
+
+ Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
+ options mutual exclusive.
- There was a problem when a UNIX-like server returned information
- about directory size (total NNNNNN) at the first line of
- response.
+ Closes #606
-- [Pavel Raiskup brought this change]
+- KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables"
+
+ As of commit d9f3b365a3
- examples: new FTP wildcard showcase
+- [Irfan Adilovic brought this change]
-- multi_socket: re-use of same socket without notifying app
+ configure: ac_cv_ -> curl_cv_ for write-only vars
- When a hostname resolves to multiple IP addresses and the first one
- tried doesn't work, the socket for the second attempt may get dropped on
- the floor, causing the request to eventually time out. The issue is that
- when using kqueue (as on mac and bsd platforms) instead of select, the
- kernel removes the first fd from kqueue when it is closed (in trynextip,
- connect.c:503). Trynextip() then goes on to open a new socket, which
- gets assigned the same number as the one it just closed. Later in
- multi.c, socket_cb is not called because the fd is already in
- multi->sockhash, so the new socket is never added to kqueue.
+ These configure vars are modified in a curl-specific way but never
+ evaluated or loaded from cache, even though they are designated as
+ _cv_. We could either implement proper AC_CACHE_CHECKs for them, or
+ remove them completely.
- The correct fix is to ensure that socket_cb is called to remove the fd
- when trynextip() closes the socket, and again to re-add it after
- singleipsocket(). I'm not sure how to cleanly do that, but the attached
- patch works around the problem in an admittedly kludgy way by delaying
- the close to ensure that the newly-opened socket gets a different fd.
+ Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and
+ AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after
+ the first configure run with caching.
- Daniel's added comment: I didn't spot a way to easily do a nicer fix so
- I've proceeded with Ben's patch.
+ `ac_cv_func_strcasecmp` is curious, see #770.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3017819
- Patch by: Ben Darnell
-
-Kamil Dudka (24 Jun 2010)
-- [Pavel Raiskup brought this change]
+ `eval "ac_cv_func_$func=yes"` can still cause problems as it works in
+ tandem with AC_CHECK_FUNCS and then potentially modifies its result. It
+ would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro,
+ which works the same as AC_CHECK_FUNCS but relies on caching the values
+ of curl_cv_func_* variables, without modifiying ac_cv_func_*.
- ftp-wildcard: avoid tight loop when used without any pattern
-
- It was broken for URLs like "ftp://example.com/".
+- [Irfan Adilovic brought this change]
-Daniel Stenberg (21 Jun 2010)
-- maketgz: produce CHANGES automatically with the 1000 most recent commits
+ configure: ac_cv_ -> curl_cv_ for r/w vars
- It passes the git log output through 'log2changes.pl' to produce
- the lot.
+ These configure vars are modified in a curl-specific way and modified by
+ the configure process, but are never loaded from cache, even though they
+ are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
+ them eventually.
-- ignore: CHANGES.dist gets generated by maketgz
+- [Irfan Adilovic brought this change]
-- CHANGES: move all contents from CHANGES to CHANGES.0
+ configure: ac_cv_func_clock_gettime -> curl_...
- CHANGES is no longer used for manually edited content. It is to
- be generated automatically by maketgz when we make release
- tarballs.
+ This variable must not be cached in its current form, as any cached
+ information will prevent the next configure run from determining the
+ correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to
+ just `curl_`.
-- log2changes: correct command line, fix tag usage, change Version output
-
- --decorate=full is needed with my git 1.7.1 to get the necessary
- output so that the previous edit would work to extract the
- Version stuff.
+- [Irfan Adilovic brought this change]
+
+ configure: ac_cv_ -> curl_cv_ for all cached vars
- ... but I had to edit how the refs/tags was extracted since it
- had a little flaw that made it miss the 7.20.1 output.
+ This was automated by:
- Finally, I changed so that Version is outputted even more similar
- to how CHANGES does it.
-
-Dan Fandrich (21 Jun 2010)
-- Make the output of log2changes.pl even more closely match CHANGES
+ sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \
+ ack -o 'ac_cv_.*?\b' | \
+ sort -u | xargs -n1 bash -c \
+ 'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \
+ $(git ls-files)
- Add the ASCII art header, and list version commits by decoding
- the ref tag names, when available (using the git log --decorate
- option).
+ This only changed the prefix for 16 variables actually checked with
+ AC_CACHE_CHECK.
-Daniel Stenberg (19 Jun 2010)
-- log2changes: first version of the git log to CHANGES conversion script
+- openssl: builds with OpenSSL 1.1.0-pre5
- $ git log --pretty=fuller --no-color --date=short | ./log2changes.pl
+ The RSA, DSA and DH structs are now opaque and require use of new APIs
- Of course, limiting the log output with a range like with
- "[tag]..HEAD" appended can be very useful too.
+ Fixes #763
-- sendrecv: treat all negative values from send/recv as errors
+Steve Holme (20 Apr 2016)
+- url.c: Prefer we don't use explicit NULLs in conditions
- For example the libssh2 based functions return other negative
- values than -1 to signal errors and it is important that we catch
- them properly. Right before this, various failures from libssh2
- were treated as negative download amounts which caused havoc.
+ Fixed commit fa5fa65a30 to not use NULLs in if condition.
-- multi: prevent NULL pointer dereference
-
- My additional call to Curl_pgrsUpdate() would sometimes get
- called even though there's no connection (left) so a NULL pointer
- would get passed, causing a segfault.
+Daniel Stenberg (20 Apr 2016)
+- [Isaac Boukris brought this change]
-- smtp: fixed a few uses of size_t that seemed to believe it was signed
+ NTLM: check for NULL pointer before deferencing
- Reported-by: Steven M. Schweda
-
-Dan Fandrich (17 Jun 2010)
-- Fixed an OOM memory leak in the FTP wildcard code
+ At ConnectionExists, both check->proxyuser and check->proxypasswd
+ could be NULL, so make sure to check first.
+
+ Fixes #765
-Kamil Dudka (17 Jun 2010)
-- test575: do not fail with threaded DNS resolver
+- [Karlson2k brought this change]
-Daniel Stenberg (17 Jun 2010)
-- [Krister Johansen brought this change]
+ tests: added test1517
+
+ ... for checking ability to receive full HTTP response when POST request
+ is used with slow read callback function.
+
+ This test checks for bug #657 and verifies the work-around from
+ 72d5e144fbc6.
+
+ Closes #720
- multi: unmark handle as used when no longer head of pipeline
+- [Karlson2k brought this change]
-- multi: call the progress function only once and allow abort
+ sendf.c: added ability to call recv() before send() as workaround
- 1) no need to call the progress function twice when in the
- CURLM_STATE_TOOFAST state.
+ WinSock destroys recv() buffer if send() is failed. As result - server
+ response may be lost if server sent it while curl is still sending
+ request. This behavior noticeable on HTTP server short replies if
+ libcurl use several send() for request (usually for POST request).
+ To workaround this problem, libcurl use recv() before every send() and
+ keeps received data in intermediate buffer for further processing.
- 2) Make sure that the progress callback's return code is
- acknowledged when used
+ Fixes: #657
+ Closes: #668
-- multi: call the progress callback in all states
+Kamil Dudka (19 Apr 2016)
+- connect: make sure that rc is initialized in singleipconnect()
- As long as no error is reported, the progress function can get
- called. This may be a little TOO often so we should keep an eye
- on this and possibly make this conditional somehow.
+ This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13:
+
+ Error: CLANG_WARNING:
+ lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value
+ 1118| }
+ 1119|
+ 1120|-> if(-1 == rc)
+ 1121| error = SOCKERRNO;
+ 1122| }
+
+Daniel Stenberg (19 Apr 2016)
+- make/checksrc: use $srcdir, not $top_srcdir
-- configure: spell --disable-threaded-resolver correctly
+- src/checksrc.whitelist: removed
+
+- tool_operate: switch to inline checksrc ignore
+
+- lib/checksrc.whitelist: not needed anymore
- Previously we only accepted the option when named
- --disable-threaded-resover, which wasn't quite intended.
+ ... as checksrc now skips comments
+
+- vtls.h: remove a space before semicolon
- Reported by: Helwing Lutz
+ ... that the new checksrc detected
-- release: start on 7.21.1, bump contributor count
+- darwinssl: removed commented out code
-- version: start working on the 7.21.1-dev version
+- http_chunks: removed checksrc disable
+
+ ... since checksrc now skips comments
-- THANKS: added contributors from the 7.21.0 release
+- imap: inlined checksrc disable instead of whitelist edit
-Version 7.21.0 (16 Jun 2010)
+- checksrc: taught to skip comments
+
+ ... but output non-stripped version of the line, even if that then can
+ make the script identify the wrong position in the line at
+ times. Showing the line stripped (ie without comments) is just too
+ surprising.
-Daniel Stenberg (16 Jun 2010)
-- release: 7.21.0
+- opts/Makefile.am: list all docs file one by one
+
+ ... to make it easier to add lines in patches that won't just break all
+ other patches trying to add lines too.
-Yang Tse (10 Jun 2010)
-- remove unused 'tmpdata' and 'backup' ftp_parselist_data struct members
+- curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN
-- replace isprint() with ISPRINT()
+- RELEASE-NOTES: synced with 03de4e4b219
+
+ (since we just merged two major features)
-- ensure that Curl_wildcard_dtor() leaves WildcardData struct zero initialized
+- [Alessandro Ghedini brought this change]
-Patrick Monnerat (9 Jun 2010)
-- ILE/RPG binding updated to current curl.h definitions.
+ connect: implement TCP Fast Open for Linux
+
+ Closes #660
-Yang Tse (9 Jun 2010)
-- code simplification
+- [Alessandro Ghedini brought this change]
-- add Curl_ prefix to conform with cURL naming standards
+ tool: add --tcp-fastopen option
-- Merge branch 'master' of git@github.com:bagder/curl
+- [Alessandro Ghedini brought this change]
-- fix compiler warning using curl_socket_t to store socket descriptor
+ connect: implement TCP Fast Open for OS X
-Daniel Stenberg (8 Jun 2010)
-- inet_pton: warnings: use size_t to store pointer deltas
+- [Alessandro Ghedini brought this change]
-Yang Tse (8 Jun 2010)
-- avoid redundant work when reusing same connection
+ url: add CURLOPT_TCP_FASTOPEN option
-- fix function result checking
+- checksrc: pass on -D so the whitelists are found correctly
-Daniel Stenberg (8 Jun 2010)
-- transfer: warning: implicit conversion
+- configure: remove check for libresolve
- There is an implicit conversion from "unsigned long" to "long";
- rounding, sign extension, or loss of accuracy may result.
+ 'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
+ but this check is broken and most likely adds nothing useful. Removing
+ now.
- Fixed by an added typecast.
-
-- TFTP: fix compiler warning
+ Reported-by: Irfan Adilovic
- Curl_fillreadbuffer()'s second argument takes an int, so
- typecasting to another is a bad idea.
+ Discussed in #770
-- TFTP: fix warning for sendto() usage on non-POSIX systems
+- scripts/make: use $(EXEEXT) for executables
- Older unixes want an 'int' instead of 'size_t' as the 3rd
- argumment so before this change it would cause warnings such as:
+ Reported-by: bodop
- There is an implicit conversion from "unsigned long" to "int";
- rounding, sign extension, or loss of accuracy may result.
+ Fixes #771
+
+- includes: avoid duplicate memory callback typdefs even harder
-Dan Fandrich (7 Jun 2010)
-- Include Makefile.inc to get the list of source files for Amiga
+- checksrc/makefile.am: use $top_srcdir to find source files
- Signed-off-by: Diego Casorran <dcasorran@gmail.com>
+ ... to properly support out of source tree builds.
+
+- RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5
+
+- opts: fix option references missing (section)
-Yang Tse (7 Jun 2010)
-- Curl_updateconninfo() error handling fix
+- [Michael Kaufmann brought this change]
-Daniel Stenberg (5 Jun 2010)
-- [Constantine Sapuntzakis brought this change]
+ news: CURLOPT_CONNECT_TO and --connect-to
+
+ Makes curl connect to the given host+port instead of the host+port found
+ in the URL.
- OpenSSL: fix spurious SSL connection aborts
+- makefile.vc6: use d suffix on debug object
- Was seeing spurious SSL connection aborts using libcurl and
- OpenSSL. I tracked it down to uncleared error state on the
- OpenSSL error stack - patch attached deals with that.
+ To allow both release and debug builds in parallel.
- Rough idea of problem:
+ Reported-by: Rod Widdowson
- Code that uses libcurl calls some library that uses OpenSSL but
- don't clear the OpenSSL error stack after an error.
+ Fixes #769
+
+Jay Satiro (12 Apr 2016)
+- http2: Use size_t type for data drain count
- ssluse.c calls SSL_read which eventually gets an EWOULDBLOCK from
- the OS. Returns -1 to indicate an error
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
+
+- http2: Improve header parsing
- ssluse.c calls SSL_get_error. First thing, SSL_get_error calls
- ERR_get_error to check the OpenSSL error stack, finds an old
- error and returns SSL_ERROR_SSL instead of SSL_ERROR_WANT_READ or
- SSL_ERROR_WANT_WRITE.
+ - Error if a header line is larger than supported.
- ssluse.c returns an error and aborts the connection
+ - Warn if cumulative header line length may be larger than supported.
- Solution:
+ - Allow spaces when parsing the path component.
- Clear the openssl error stack before calling SSL_* operation if
- we're going to call SSL_get_error afterwards.
+ - Make sure each header line ends in \r\n. This fixes an out of bounds.
- Notes:
+ - Disallow header continuation lines until we decide what to do.
- This is much more likely to happen with multi because it's easier
- to intersperse other calls to the OpenSSL library in the same
- thread.
-
-Yang Tse (5 Jun 2010)
-- replace socklen_t with curl_socklen_t
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-Daniel Stenberg (5 Jun 2010)
-- [Frank Meier brought this change]
-
- getinfo: added *_PRIMARY_PORT, *_LOCAL_IP and *_LOCAL_PORT
+- http2: Add Curl_http2_strerror for HTTP/2 error codes
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- RELEASE-NOTES: add contributors not mentioned
+- [Tatsuhiro Tsujikawa brought this change]
-Yang Tse (4 Jun 2010)
-- Enable OpenLDAP support for cygwin builds.
+ http2: Don't increment drain when one header field is received
- Enable OpenLDAP support for cygwin builds. This support was disabled back
- in 2008 due to incompatibilities between OpenSSL and OpenLDAP headers.
- cygwin's OpenSSL 0.9.8l and OpenLDAP 2.3.43 versions on cygwin 1.5.25
- allow building an OpenLDAP enabled libcurl supporting back to Windows 95.
+ Sicne we write header field in temporary location, not in the memory
+ that upper layer provides, incrementing drain should not happen.
- Remove non-functional CURL_LDAP_HYBRID code and references.
-
-Kamil Dudka (2 Jun 2010)
-- ftplistparser.c: oops, fix typo in the last commit
-
-- ftplistparser.c: avoid some invalid dereferences
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- lib: eliminate some dead code
+- [Tatsuhiro Tsujikawa brought this change]
-Daniel Stenberg (2 Jun 2010)
-- SSH: corrected the inability to respect the timeout
+ http2: Ensure that http2_handle_stream_close is called
- Jason McDonald posted bug report #3006786 when he found that the
- SFTP code didn't timeout properly in several places in the code
- even if a timeout was set properly.
+ This commit ensures that streams which was closed in on_stream_close
+ callback gets passed to http2_handle_stream_close. Previously, this
+ might not happen. To achieve this, we increment drain property to
+ forcibly call recv function for that stream.
- Based on his suggested patch, I wrote a different implementation
- that I think addressed the issue better and also uses the connect
- timeout for the initial part of the SSH/SFTP done during the
- "protocol connect" phase.
+ To more accurately check that we have no pending event before shutting
+ down HTTP/2 session, we sum up drain property into
+ http_conn.drain_total. We only shutdown session if that value is 0.
- (http://curl.haxx.se/bug/view.cgi?id=3006786)
-
-Yang Tse (2 Jun 2010)
-- mention last changes
+ With this commit, when stream was closed before reading response
+ header fields, error code CURLE_HTTP2_STREAM is returned even if
+ HTTP/2 level error is NO_ERROR. This signals the upper layer that
+ stream was closed by error just like TCP connection close in HTTP/1.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- add missing new files to non-configure target build files
+- [Tatsuhiro Tsujikawa brought this change]
-- include libcurl standard internal headers
+ http2: Process paused data first before tear down http2 session
+
+ This commit ensures that data from network are processed before HTTP/2
+ session is terminated. This is achieved by pausing nghttp2 whenever
+ different stream than current easy handle receives data.
+
+ This commit also fixes the bug that sometimes processing hangs when
+ multiple HTTP/2 streams are multiplexed.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-Daniel Stenberg (2 Jun 2010)
-- TODO: add multi interface improvement remove ldap select
+- [Tatsuhiro Tsujikawa brought this change]
-Yang Tse (2 Jun 2010)
-- make setup.h first included file
+ http2: Check session closure early in http2_recv
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- fix spnego memory leak
+- [Tatsuhiro Tsujikawa brought this change]
-- openldap header inclusions fix
+ http2: Add handling stream level error
+
+ Previously, when a stream was closed with other than NGHTTP2_NO_ERROR
+ by RST_STREAM, underlying TCP connection was dropped. This is
+ undesirable since there may be other streams multiplexed and they are
+ very much fine. This change introduce new error code
+ CURLE_HTTP2_STREAM, which indicates stream error that only affects the
+ relevant stream, and connection should be kept open. The existing
+ CURLE_HTTP2 means connection error in general.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-Daniel Stenberg (1 Jun 2010)
-- multi_socket: handles timer inaccuracy better for timeouts
+Daniel Stenberg (11 Apr 2016)
+- http2: drain the socket better...
- Igor Novoseltsev reported a problem with the multi socket API and
- using timeouts and timers. It boiled down to a problem with
- libcurl's use of GetTickCount() interally to figure out the
- current time, while Igor's own application code used another
- function call.
+ ... but ignore EAGAIN if the stream has ended so that we don't end up in
+ a loop. This is a follow-up to c8ab613 in order to avoid the problem
+ d261652 was made to fix.
- It made his app call the socket API timeout function a bit
- _before_ libcurl would consider the timeout to trigger, and that
- could easily lead to timeouts or stalls in the app. It seems
- GetTickCount() in general often has no better resolution than
- 16ms and switching to the alternative function
- QueryPerformanceCounter has its share of problems:
- http://www.virtualdub.org/blog/pivot/entry.php?id=106
+ Reported-by: Jay Satiro
+ Clues-provided-by: Tatsuhiro Tsujikawa
- We address this problem by simply having libcurl treat timers
- that already has occured or will occur within 40ms subject for
- treatment. I'm confident that there are other implementations and
- operating systems with similarly in accurate timer functions so
- it makes sense to have applied generically and I don't believe we
- sacrifice much by adding a 40ms inaccuracy on these timeouts.
+ Discussed in #750
-Yang Tse (1 Jun 2010)
-- fix ldaps option issue
+- KNOWN_BUGS: added info for "Hangs with PolarSSL"
-- fix ldap related compilation issues
+- KNOWN_BUGS: 1.9 HTTP/2 frames while in the connection pool kill reuse
+
+ Closes #750
-- fix compiler warning: enumerated type mixed with another type
+- build: include scripts/ in the dist
-- fix compiler warning: enumerated type mixed with another type
+Steve Holme (9 Apr 2016)
+- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
+
+ As these two options provide identical functionality, the former for
+ SOCK5 proxies and the latter for HTTP proxies, merged the two options
+ together.
+
+ As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
+ 7.49.0.
-Patrick Monnerat (31 May 2010)
-- smtp_authenticate: avoid compiler warnings
+- urldata: Use bool for socks5_gssapi_nec as it is a flag
+
+ This value is set to TRUE or FALSE so should be a bool and not a long.
-Yang Tse (31 May 2010)
-- fix compiler warning: enumerated type mixed with another type
+- url: Ternary operator code style changes
-- fix compiler warning: enumerated type mixed with another type
+- CODE_STYLE: Added ternary operator example to 'Space around operators'
+
+ Following conversation on the libcurl mailing list.
-- fix compiler warning: enumerated type mixed with another type
+- sasl: Fixed compilation errors from commit 9d89a0387
+
+ ...when GSS-API or Windows SSPI are not used.
-- fix compiler warning: external declaration in primary source file
+- url: Corrected comments following 9d89a0387
-- fix compiler warning: variable was set but never used
+- docs: Added clarification following commit 9d89a0387
-- fix compiler warning: enumerated type mixed with another type
+- Makefile: Fixed echo of checksrc check
-- fix compiler warning: external declaration in primary source file
+- checksrc: Fix issue with the autobuilds not picking up the whitelist
-- update year in copyright notice
+- checksrc: Added missing vauth and vtls directories
-Kamil Dudka (29 May 2010)
-- strtoofft: rename CURL_LLONG_MIN -> CURL_OFF_T_MIN
+- ftp/imap/pop3/smtp: Allow the service name to be overridden
- ... and CURL_LLONG_MAX -> CURL_OFF_T_MAX
+ Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
+ authentication in FTP, IMAP, POP3 and SMTP.
-- CURL_LLONG_MAX: avoid constant overflow
+- http_negotiate: Calculate service name and proxy service name locally
- ... when (CURL_SIZEOF_CURL_OFF_T == 4)
+ Calculate the service name and proxy service names locally, rather than
+ in url.c which will allow for us to support overriding the service name
+ for other protocols such as FTP, IMAP, POP3 and SMTP.
-Daniel Stenberg (28 May 2010)
-- [Howard Chu brought this change]
+- ROADMAP: Updated following the move of the authentication code
- LDAPS: list availability depending on SSL's presence
+Patrick Monnerat (8 Apr 2016)
+- KNOWN_BUGS: openldap hangs. TODO: binary SASL.
-- [Howard Chu brought this change]
-
- LDAP: make it build without SSL if no such support is available
+Daniel Stenberg (8 Apr 2016)
+- KNOWN_BUGS: 5.6 Improper use of Autoconf cache variables
- of course it also goes for the case where SSL is explicitly
- disabled
+ Closes #603
-- TODO: removed fixed items
-
- These two items are now actually implemented:
+- KNOWN_BUGS: 11.2 error buffer not set...
- 11.1 Content-Disposition
- 11.5 ftp wildcard download
+ Closes #544
-Kamil Dudka (28 May 2010)
-- lib: eliminate 'statement not reached' warnings
+- KNOWN_BUGS: 11.1 Curl leaks .onion hostnames in DNS
+
+ Closes #543
-Daniel Stenberg (28 May 2010)
-- test1115: verify that unexpected 1xx responses work fine
+- KNOWN_BUGS: 1.8 DNS timing is wrong for HTTP redirects
+
+ Closes #522
-Kamil Dudka (28 May 2010)
-- lib577: avoid redefinition of ERROR
+- TODO: HTTP/2 "prior knowledge" is implemented!
-- test313: a new test for CRL support
+- [Damien Vielpeau brought this change]
-- tests/certs: re-generated because of lost pass-phrase
+ mbedtls: fix MBEDTLS_DEBUG builds
-- tests/certs/scripts: generate also CRL
+- mbedtls: implement and provide *_data_pending()
+
+ ... as otherwise we might get stuck thinking there's no more data to
+ handle.
+
+ Reported-by: Damien Vielpeau
- ... and make it possible to do so without any user interaction
+ Fixes #737
-Daniel Stenberg (27 May 2010)
-- [Howard Chu brought this change]
+- mbedtls: follow-up for the previous commit
- openldap: fix compiler warnings
+- mbedtls.c: name space pollution fix, Use 'Curl_'
-- indent: some whitespace edits
+- mbedtls.c: changed private prefix to mbed_
+
+ mbedtls_ is the prefix used by the mbedTLS library itself so we should
+ avoid using that for our private functions.
-Kamil Dudka (27 May 2010)
-- wildcard.c: add missing include of "setup.h"
+- mbedtls.h: fix compiler warnings
-- [Tor Arntsen brought this change]
+- Revert "winbuild: trying to set some files eol=crlf for git"
+
+ This reverts commit 9c08b4f1e7eced5a4d3782a3e0daa484c9d77d21.
+
+ Didn't help. Caused problems.
+
+ Fixes #756
- lib573: do not compare double for exact match
+- curl.1: use example.com more
+
+ Make (most) example snippets use the example.com domain instead of the
+ random ones picked and used before. Some of those were probably
+ legitimate sites and some not. example.com is designed for this purpose.
-- [Pavel Raiskup brought this change]
+- [Michael Kaufmann brought this change]
- wildcard.c: add missing include of "curl_memory.h"
+ HTTP2: Add a space character after the status code
+
+ The space character after the status code is mandatory, even if the
+ reason phrase is empty (see RFC 7230 section 3.1.2)
+
+ Closes #755
-- [Tor Arntsen brought this change]
+- [Viktor Szakats brought this change]
- setup_once: use enum type for 'bool' on non-C99 platforms
+ URLs: change http to https in many places
- An enum will catch non-bool assignments to bool on platforms with
- a strict compiler, e.g MIPSPro.
+ Closes #754
+
+- winbuild: trying to set some files eol=crlf for git
- Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+ Thinking it might help to apply patches etc with git.
-- url.c: avoid implied cast to bool
+- [Theodore Dubois brought this change]
-- [Tor Arntsen brought this change]
+ curl.1: change example for -F
+
+ It's a bad idea to send your passwords anywhere, especially over HTTP.
+ Modified example to send a picture instead.
+
+ Fixes #752
- curl_fnmatch: remove use of register keyword
+- KNOWN_BUGS: reorganized and cleaned up
- Using the 'register' keyword rarely improves anything with modern
- compilers and architectures.
+ Now sorted into categories and organized in the same style we do the
+ TODO document. It will make each issue linked properly on the
+ https://curl.haxx.se/docs/knownbugs.html web page.
+
+ The sections should make it easier to find issues and issues related to
+ areas of the reader's specific interest.
-Daniel Stenberg (26 May 2010)
-- [Julien Chaffraix brought this change]
+Jay Satiro (6 Apr 2016)
+- KNOWN_BUGS: #95 curl in Windows can't handle Unicode arguments
- RTMP: Fix compiler warnings
+Steve Holme (6 Apr 2016)
+- KNOWN_BUGS: Use https://curl.haxx.se URL for github based issues
-- [Julien Chaffraix brought this change]
+- CHECKSRC.md: Corrected some typos
- OOM fixes in http_negociate.c and lib/splay.c
+- RELEASE-NOTES: Corrected last updated
- Fix 2 OOM errors: a missing NULL-check in lib/http_negociate.c
- and a potential NULL dereferencing in lib/splay.c
-
-- [Howard Chu brought this change]
+ Included a summary of the checksrc.bat updates and combined two krb5
+ changes as they should have been implemented at the same time.
- LDAP: properly implemented as a curl_handler
+- vauth: Corrected a number of typos in comments
- makes the LDAP code much cleaner, nicer and in general being a
- better libcurl citizen. If a new enough OpenLDAP version is
- detect, the new and shiny lib/openldap.c code is then used
- instead of the old cruft
-
- Code by Howard, minor cleanups by Daniel.
-
-- [Tor Arntsen brought this change]
+ Reported-by: Michael Osipov
- curl_fnmatch: Use int not bool when function returns int
+Jay Satiro (5 Apr 2016)
+- KNOWN_BUGS: #94 IMAP custom requests use the LIST handler
- bool in curl internals is unsigned char and should not be used
- to receive return value from functions returning int - this fails
- when using IBM VisualAge and Tru64 compilers.
+ Bug: https://github.com/curl/curl/issues/536
+ Reported-by: eXeC64@users.noreply.github.com
-- TFTP: send legal timeout value
+Daniel Stenberg (5 Apr 2016)
+- KNOWN_BUGS: remove 68, 70 and 72.
- Eric Mertens posted bug #3003705: when we made TFTP use the
- correct timeout option when sent to the server (fixed May 18th
- 2010) it became obvious that libcurl used invalid timeout values
- (300 by default while the RFC allows nothing above 255). While of
- course it is obvious that as TFTP has worked thus far without
- being able to set timeout at all, just removing the setting
- wouldn't make any difference in behavior. I decided to still keep
- it (but fix the problem) as it now actually allows for easier
- (future) customization of the timeout.
+ Due to their age (we don't fully know if they actually remain) and lack
+ of detail - very few people will bother to find out what they're about
+ or work on them. If people truly still suffer from any of these, I
+ assume they will be reported again and then we'll deal with them.
- (http://curl.haxx.se/bug/view.cgi?id=3003705)
-
-- TFTP: don't ack if wrong block num is received
+ 72. "Pausing pipeline problems."
+ https://curl.haxx.se/mail/lib-2009-07/0214.html
+
+ 70. Problem re-using easy handle after call to curl_multi_remove_handle
+ https://curl.haxx.se/mail/lib-2009-07/0249.html
- If an unexpected block number was received, break out of the
- switch loop.
+ 68. "More questions about ares behavior".
+ https://curl.haxx.se/mail/lib-2009-08/0012.html
-- TFTP: block id wrap bug fix
+- KNOWN_BUGS: remove 92 and 88, fixed
+
+- http2: fix connection reuse when PING comes after last DATA
+
+ It turns out the google GFE HTTP/2 servers send a PING frame immediately
+ after a stream ends and its last DATA has been received by curl. So if
+ we don't drain that from the socket, it makes the socket readable in
+ subsequent checks and libcurl then (wrongly) assumes the connection is
+ dead when trying to reuse the connection.
- In a normal expression, doing [unsigned short] + 1 will not wrap
- at 16 bits so the comparisons and outputs were done wrong. I
- added a macro do make sure it gets done right.
+ Reported-by: Joonas Kuorilehto
- Douglas Kilpatrick filed bug report #3004787 about it:
- http://curl.haxx.se/bug/view.cgi?id=3004787
+ Discussed in #750
-- [Ben Greear brought this change]
+- multi: remove trailing space in debug output
- Fix build warnings.
-
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+- RELEASE-NOTES: synced with 86e97b642fb
+
+- CHECKSRC.md: mention cmdline options, fix the bullet list
-- [Ben Greear brought this change]
+- docs/CHECKSRC.md: initial version
- setopt: Fix setting of set.is_fwrite_set
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Added support for the examples
+
+Daniel Stenberg (3 Apr 2016)
+- lib/src: fix the checksrc invoke
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ ... now works correctly when invoke from the root makefile
+
+- nw: please the stricter checksrc
-- [Tanguy Fautre brought this change]
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Re-enabled the tests directory by default
+
+ Following the recent changes to the source in the tests directory,
+ re-enabled tests for the default scan.
- build: allow curl to build with Microsoft VC10
+- checksrc.bat: Added tests/server directory support
- By undefing a bunch of E* defines that VC10 has started to define
- but that we redefine internally to their WSA* alternatives when
- building for Windows.
+ In addition to commit 83b174b3f0 and following the recent changes.
+
+- tests: Fixed header files to comply with our code style
-Kamil Dudka (20 May 2010)
-- [Tor Arntsen brought this change]
+Daniel Stenberg (3 Apr 2016)
+- make checksrc: run it in docs/examples too by default
- Test 573: Use correct type for CURLINFO_CONNECT_TIME
+- docs/examples: remove spurious white spaces all over
- curl_easy_getinfo() called with a pointer to long instead of double
- would sigbus on RISC processors (e.g. MIPS) due to wrong alignment
- of pointer address.
+ ... to please the new, slightly picker, checksrc.pl
-- [Tor Arntsen brought this change]
+- tests: fix make checksrc in servers/
- lib: Fix AIX build failure
+- tests: 'make checksrc' now checks server/ too
-Dan Fandrich (19 May 2010)
-- Fixed some memory leaks in the POP3 torture tests
+- root/make: have checksrc run in include/curl too
-- Fixed a memory leak in the SMTP torture tests
+- tests/server: comply with our code style
-Daniel Stenberg (18 May 2010)
-- TFTP: send timeout option correctly
-
- Eric Mertens posted bug report #3003005 pointing out that the
- libcurl TFTP code was not sending the timeout option properly to
- the server, and suggested a fix.
-
- (http://curl.haxx.se/bug/view.cgi?id=3003005)
+- code: style updates
-Kamil Dudka (16 May 2010)
-- [Tor Arntsen brought this change]
+- checksrc: check for more malplaced spaces
- lib: Change some CRLF line endings to LF
-
- An update had added a couple of lines with DOS line endings,
- and some compilers will choke on that (e.g. the Tru64 compiler).
+- unit: make unit test source code checksrc compliant
-- ftp wildcard: a new option CURLOPT_FNMATCH_DATA
+- checksrc: run checksrc in tests when 'make checksrc' in root
-Daniel Stenberg (15 May 2010)
-- [Howard Chu brought this change]
+- checksrc: remove debug crap
- RMTP: the version code is now rtmp aware
+- lib557: allow too long lines
-- [Howard Chu brought this change]
+- checksrc: allow ignore of specific warnings within a file (section)
- RTMP: fix wrong #ifdef
+- checksrc: add warning names, explain on help output
-- [Pavel Raiskup brought this change]
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Disable tests by default until warnings are fixed
- ftp wildcard: fix int32_t and size/group mixups
+- checksrc.bat: Added support for the tests directory
-Dan Fandrich (14 May 2010)
-- Fixed test 577 to work when --enable-hidden-symbols is configured
+- vauth: Removed the need for a separate GSS-API based SPN function
-Daniel Stenberg (14 May 2010)
-- OpenSSL: multi interface handshake could hang
-
- John-Mark Bell filed bug #3000052 that identified a problem (with
- an associated patch) with the OpenSSL handshake state machine
- when the multi interface is used:
+- curl_sasl: Fixed potential null pointer utilisation
- Performing an https request using a curl multi handle and using
- select or epoll to wait for events results in a hang. It appears
- that the cause is the fix for bug #2958179, which makes
- ossl_connect_common unconditionally return from the step 2 loop
- when fetching from a multi handle.
+ Although this should never happen due to the relationship between the
+ 'mech' and 'resp' variables, and the way they are allocated together,
+ it does cause problems for code analysis tools:
- When ossl_connect_step2 has completed, it updates
- connssl->connecting_state to ssl_connect_3. ossl_connect_common
- will then return to the caller, as a multi handle is in
- use. Eventually, the client code will call curl_multi_fdset to
- obtain an updated fdset to select or epoll on. For https
- requests, curl_multi_fdset will cause https_getsock to be called.
- https_getsock will only return a socket handle if the
- connecting_state is ssl_connect_2_reading or
- ssl_connect_2_writing. Therefore, the client will never obtain a
- valid fdset, and thus not drive the multi handle, resulting in a
- hang.
+ V595 The 'mech' pointer was utilized before it was verified against
+ nullptr. Check lines: 376, 381. curl_sasl.c 376
- (http://curl.haxx.se/bug/view.cgi?id=3000052)
+ Bug: https://github.com/curl/curl/issues/745
+ Reported-by: Alexis La Goutte
-- changelog: add link to bug report
+- spnego: Small code tidy up
+
+ * Prefer dereference of string pointer rather than strlen()
+ * Free challenge pointer in one place
+ * Additional comments
-Dan Fandrich (14 May 2010)
-- Added directories.pm to the source tar ball
+- krb5: Small code tidy up
+
+ * Prefer dereference of string pointer rather than strlen()
+ * Free challenge pointer in one place
+ * Additional comments
-Daniel Stenberg (14 May 2010)
-- follow redirect: ignore response-body on redirect even if compressed
+- krb5_gssapi: Only process challenge when present
- Sebastian V reported bug #3000056 identifying a problem with
- redirect following. It showed that when curl followed redirects
- it didn't properly ignore the response body of the 30X response
- if that response was using compressed Content-Encoding!
+ This wouldn't cause a problem because of the way the function is called,
+ but prior to this change, we were processing the challenge message when
+ the credentials were NULL rather than when the challenge message was
+ populated.
- (http://curl.haxx.se/bug/view.cgi?id=3000056)
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-- version: we're now going for 7.21.0
-
-- [Hoi-Ho Chan brought this change]
+- krb5: Fixed missing client response when mutual authentication enabled
+
+ Although mutual authentication is currently turned off and can only be
+ enabled by changing libcurl source code, authentication using Kerberos
+ 5 has been broken since commit 79543caf90 in this use case.
- Remove support for BSD version of PolarSSL
+- krb5_sspi: Only process challenge when present
- "The BSD version of PolarSSL was made for migratory purposes only and is not
- maintained. The GPL version of PolarSSL is actually the only actively
- developed version, so I would be very reluctant to use the BSD version." /
- Paul Bakker, PolarSSL hacker.
+ This wouldn't cause a problem because of the way the function is called,
+ but prior to this change, we were processing the challenge message when
+ the credentials were NULL rather than when the challenge message was
+ populated.
- Signed-off-by: Hoi-Ho Chan <hoiho.chan@gmail.com>
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-Dan Fandrich (12 May 2010)
-- Added Polar SSL and RTMP files to the non-autoconf build files
+- krb5_sspi: Only generate the output token when its not allocated
- I didn't bother with a few that have little hope of running the required
- dependent libraries.
-
-- Added the new ftp source files to the non-autoconf build files
-
-- Copy the license file so it's seen by the Android build system
-
-Daniel Stenberg (13 May 2010)
-- updated with symbols added in recent commits for 7.21.0
+ Prior to this change, we were generating the output token when the
+ credentials were NULL rather than when the output token was NULL.
+
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-- changelogs: mention RTMP and the FTP wildcard support
+- krb5: Only generate a SPN when its not known
+
+ Prior to this change, we were generating the SPN in the SSPI code when
+ the credentials were NULL and in the GSS-API code when the context was
+ empty. It is better to decouple the SPN generation from these checks
+ and only generate it when the SPN itself is NULL.
+
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-- ftp wildcards: mention they're added in 7.21.0
+Daniel Stenberg (3 Apr 2016)
+- tests/libtest: follow our code style guidelines better
+
+ ... checksrc of all test code is pending.
-- style: minor whitespace change
+- checksrc.whitelist: remove fopen() uses
-- syntax: cleanups
+- formdata: use appropriate fopen() macros
-- [Pavel Raiskup brought this change]
+- checksrc: improve the fopen() parser somewhat
+
+ The quote scanner was too fragile, now look for a comma instead to find
+ the mode argument.
- FTP: WILDCARDMATCH/CHUNKING/FNMATCH added
+- unit1604: fix snprintf
+
+ follow-up to 0326b06
+
+ sizeof(pointer) is no good for the buffer size!
+
+ Reported-by: Viktor Szakats
-- [Howard Chu brought this change]
+Steve Holme (3 Apr 2016)
+- unittests: Fixed compilation warnings
+
+ warning: implicit declaration of function 'sprintf_was_used'
+ [-Wimplicit-function-declaration]
+
+ Follow up to the modications made to tests/libtest in commit 55452ebdff
+ as we prefer not to use sprintf() now.
- RTMP: initial support added, powered by librtmp
+Daniel Stenberg (2 Apr 2016)
+- curl.1: -w filename_effective was introduced in 7.26.0
- librtmp is found at http://rtmpdump.mplayerhq.hu/
+ We never made a 7.25.1 release
-- [Howard Chu brought this change]
+- 7.49.0: next release version
- sendrecv: make them two pairs of send/recv to properly deal with FTPS
+- http2: make use of the nghttp2 error callback
- FTP(S) use two connections that can be set to different recv and
- send functions independently, so by introducing recv+send pairs
- in the same manner we already have sockets/connections we can
- work with FTPS fine.
+ It offers extra info from nghttp2 in certain error cases. Like for
+ example when trying prior-knowledge http2 on a server that doesn't speak
+ http2 at all. The error message is passed on as a verbose message to
+ libcurl.
- This commit fixes the FTPS regression introduced in change d64bd82.
-
-Kamil Dudka (11 May 2010)
-- changelog: fixed CRL support in libcurl-NSS
-
-- nss: make it possible to read ASCII and DER CRL
+ Discussed in #722
+
+ The error callback was added in nghttp2 1.9.0
-- nss: add CRL to cache instead of read-only NSS db
+Steve Holme (2 Apr 2016)
+- spnego: Renamed the context's SPN variable
+
+ To be consistent with the Kerberos 5 context and other authentication
+ code.
-Daniel Stenberg (10 May 2010)
-- git: how to write a fine commit message
+- krb5_gssapi: Renamed the status variables
+
+ For consistency with the spnego code.
-- findtool: file name as a full path requires a slash
+- krb5: Moved host from Curl_auth_create_gssapi_user_message() to be argument
- Kalle Vahlman's patch applied a while ago broke how the findtool
- function searches for tools, as it would always check if "$file"
- was present first, which thus made the bad assumption that a file
- in the current directory would be a match.
+ For consistency with the spnego and oauth2 code moved the setting of
+ the host name outside of the Curl_auth_create_gssapi_user_messag()
+ function.
- I noticed when it found 'libtool' in the current directory but
- libtoolize is not there, which confused the script.
+ This will allow us to more easily override it in the future.
-Hacki (8 May 2010)
-- moved vars into conditional since seems that winsock implementation doesnt use them.
+- test1119: Fixed missing CURL_DID_MEMORY_FUNC_TYPEDEFS symbol
-Daniel Stenberg (7 May 2010)
-- multi interface: missed storing connection time
+- RELEASE-NOTES: Removed "http_negotiate: Corrected host and proxy host name"
- Dirk Manske reported a regression. When connecting with the multi
- interface, there were situations where libcurl wouldn't store
- connect time correctly as it used to (and is documented to) do.
+ As this was introduced in the recent vauth changes and not a prior
+ release.
+
+Daniel Stenberg (1 Apr 2016)
+- RELEASE-NOTES: synced with 0aa8da10bbdafa
+
+Steve Holme (1 Apr 2016)
+- http_negotiate: Corrected host and proxy host name being wrong way round
- Using his fine sample program we could repeat it, and I wrote up
- test case 573 using that code. The problem does not easily show
- itself using the local test suite though.
+ I had accidentally used the proxy server name for the host and the host
+ server name for the proxy in commit ad5e9bfd5d and 6d6f9ca1d9. Whilst
+ Windows SSPI was quite happy with this, GSS-API wasn't.
- The fix, also as suggested by Dirk, is a bit on the ugly side as
- it adds yet another call to Curl_verboseconnect() and setting the
- TIMER_CONNECT time. That situation is subject for some closer
- inspection in the future.
+ Thanks-to: Michael Osipov
-- verboseconnect: so the verbose checking within the function
+- build: Changed the Visual Studio projects warning level from 3 to 4
- As the function is used more than once and libcurl can be built
- without it, do the conditional check within the verboseconnect()
- function itself.
+ After squashing most of our compiler warnings, up'ed the default
+ warning level from 3 to 4 in order to increase the likelyhood of
+ catching future warnings.
-- changelogs: split the I/O handling
+Daniel Stenberg (1 Apr 2016)
+- [ehlertjd@gmail.com brought this change]
-- [Howard Chu brought this change]
-
- sendrecv: split the I/O handling into private handler
-
- Howard Chu brought the bulk work of this patch that properly
- moves out the sending and recving of data to the parts of the
- code that are properly responsible for the various ways of doing
- so.
+ IMAP: check pointer before dereferencing it
- Daniel Stenberg assisted with polishing a few bits and fixed some
- minor flaws in the original patch.
+ may be null in the CURLOPT_CONNECT_ONLY case
- Another upside of this patch is that we now abuse CURLcodes less
- with the "magic" -1 return codes and instead use CURLE_AGAIN more
- consistently.
+ Fixes #747
-- changelog: PolarSSL
+Steve Holme (1 Apr 2016)
+- .gitignore: Added new VC14 SQLite based program database files
-- [Hoi-Ho Chan brought this change]
-
- PolarSSL: initial support added
+- curl_memory.h: Fixed typo in comment
- This is Hoi-Ho Chan's patch with some minor fixes by me. There
- are some potential issues in this, but none worse than we can
- sort out on the list and over time.
+ From commit 7218b52c49.
-- TODO: we've done PRET already, consider HOST for the future
+- spnego: Corrected some typos in comments
- ... and GnuTLS connects are non-blocking, TFTP is better
- integrated as a "real" protocol and RTSP is supported.
+ Corrected typos from commit ad5e9bfd5d and 6d6f9ca1d9.
-- TODO: GnuTLS connects are now non-blocking
+- memdebug: Ensure curl/curl.h is included before curl_memory.h
- Since commit c288860 by Jerome Vouillon
+ Follow up to commit 7db9782dd6.
-- INTERNALS: tftp is decent now, ldap is not
+Daniel Stenberg (1 Apr 2016)
+- upload: missing rewind call could make libcurl hang
- It's not quite fair to list TFTP is a "crappy" member of the
- libcurl family so I removed its mentioning.
-
-- changelog: mention Ben Greear's telnet work
+ When an upload is done, there are two places where that can be detected
+ and only one of them would rewind the input stream - which sometimes is
+ necessary for example when doing NTLM HTTP POSTs and more.
+
+ This could then end up libcurl hanging.
+
+ Figured-out-by: Isaac Boukris
+ Reported-by: Anatol Belski
+
+ Fixes #741
-- [Ben Greear brought this change]
+- curl.h: define CURL_DID_MEMORY_FUNC_TYPEDEFS
+
+ So that we only do the extra typedefs in curl_memory.h when we really
+ need to and avoid double typedefs.
+
+ follow-up commit to 7218b52c49aeb1
+
+ Thanks-to: Steve Holme
- telnet: Allow programatic use of telnet.
+- curl/mprintf.h: remove support for _MPRINTF_REPLACE
- The main change is to allow input from user-specified methods,
- when they are specified with CURLOPT_READFUNCTION.
- All calls to fflush(stdout) in telnet.c were removed, which makes
- using 'curl telnet://foo.com' painful since prompts and other data
- are not always returned to the user promptly. Use
- 'curl --no-buffer telnet://foo.com' instead. In general,
- the user should have their CURLOPT_WRITEFUNCTION do a fflush
- for interactive use.
+ The define is not in our name space and is therefore not protected by
+ our API promises.
- Also fix assumption that reading from stdin never returns < 0.
- Old code could crash in that case.
+ It was only really used by libcurl internals but was mostly erased from
+ there already in 8aabbf5 (March 2015). This is supposedly the final
+ death blow to that define from everywhere.
- Call progress functions in telnet main loop.
+ As a side-effect, making sure _MPRINTF_REPLACE is gone and not used, I
+ made the lib tests in tests/libtest/ use curl_printf.h for its redefine
+ magic and then subsequently the use of sprintf() got banned in the tests
+ as well (as it is in libcurl internals) and I then replaced them all
+ with snprintf().
- Signed-off-by: Ben Greear <greearb@candelatech.com>
-
-- test: enable valgrind for 604, seems to work
-
-Kamil Dudka (28 Apr 2010)
-- [Paul Howarth brought this change]
+ In the unlikely event that any users is actually using this define and
+ gets sad by this change, it is very easily copied to the user's own
+ code.
- add 1s post-command delay to tests 513 and 514
+- curl_memory.h: avoid the curl/curl.h include
- addressing http://curl.haxx.se/mail/lib-2009-12/0031.html
-
-Daniel Stenberg (26 Apr 2010)
-- [Kalle Vahlman brought this change]
+ Discussed in #743
- Allow tools to be defined with full path in buildconf
+Steve Holme (1 Apr 2016)
+- url: Corrected get protocol family for FTP and LDAP
- This is required in Scratchbox where
- LIBTOOL=/targets/links/arch_tools/bin/libtool
- is set in the environment.
+ Fixed copy/paste error from commit a5aec58726.
-- progress callback: can be called more than once per sec
-
-- SSH: init and cleanup libssh2 in global_init/cleanup
+Jay Satiro (31 Mar 2016)
+- strerror: don't bit shift a signed integer
- The necessary libssh2 functions require libssh2 1.2.5 or later.
-
-- new configure option --enable-threaded-resolver
+ Bug: https://github.com/curl/curl/issues/744
+ Reported-by: Alexis La Goutte
-- configure: check for libssh2_init and libssh2_exit
+Daniel Stenberg (31 Mar 2016)
+- http2: more documentation for prior knowledge
-Kamil Dudka (24 Apr 2010)
-- nss: fix SSL handshake timeout underflow
+- [Diego Bes brought this change]
-Guenter Knauf (24 Apr 2010)
-- encourage users to take latest lib dependencies.
-
-Daniel Stenberg (24 Apr 2010)
-- socks5: please static code analyzer
+ http2: support "prior knowledge", no upgrade from HTTP/1.1
- Make sure we don't call memcpy() if the argument is NULL even
- though we also passed a zero length then, as the clang analyzer
- whined and we want to limit warnings (even false positives) when
- they're this easy to fix.
+ Supports HTTP/2 over clear TCP
- The change of (char) to (unsigned char) will fix long user names
- and passwords on systems that have the char type signed by
- default.
-
-- gzip: Value stored to 'data' is never read
+ - Optimize switching to HTTP/2 by removing calls to init and setup
+ before switching. Switching will eventually call setup and setup calls
+ init.
+
+ - Supports new version to “force” the use of HTTP/2 over clean TCP
+
+ - Add common line parameter “--http2-prior-knowledge” to the Curl
+ command line tool.
-- RELEASE-NOTES: update top numbers
+- imap: remove duplicated function
+
+ The list and search response functions were identical! Merged into one
+ now. Detected by PVS Studio.
+
+ Reported-by: Alexis La Goutte
-- changelog: added the --proto and -proto-redir options
+- SOCKS5_gssapi_negotiate: don't assume little-endian ints
+
+ The code copied one byte from a 32bit integer, which works fine as long
+ as the byte order is the same. Not a fine assumption. Reported by PVS
+ Studio.
+
+ Reported-by: Alexis La Goutte
-- [Alex Bligh brought this change]
+- http: remove ((expression)) double parentheses
- curl: added --proto and --proto-redir
+- Curl_add_buffer_send: avoid possible NULL dereference
- --proto tells curl to use the listed protocols for its initial
- retrieval
+ ... as we check for a NULL pointer below, we move the derefence to after
+ the check. Detected by PVS Studio.
- --proto-redir tells curl to use the listed protocols after a
- redirect
+ Reported-by: Alexis La Goutte
-Kamil Dudka (24 Apr 2010)
-- test536: do not fail with threaded DNS resolver
+- file: remove duplicate checks of the same variable
- Also tweaked comments in certain examples using curl_multi_fdset().
-
-Daniel Stenberg (21 Apr 2010)
-- curl: -O crash on windows
+ ... as it doesn't change in between. Deteced by PVS Studio.
- The -O option caused curl to crash on windows and DOS due to the
- tool writing out of boundary memory.
+ Reported-by: Alexis La Goutte
-Yang Tse (20 Apr 2010)
-- hmac.c related compilation adjustment
+Steve Holme (30 Mar 2016)
+- [Marcel Raad brought this change]
-- hmac.c related compilation adjustment
+ openssl: Fix compilation warnings
+
+ When compiling with OpenSSL 1.1.0 (so that the HAVE_X509_GET0_SIGNATURE
+ && HAVE_X509_GET0_EXTENSIONS pre-processor block is active), Visual C++
+ 14 complains:
+
+ warning C4701: potentially uninitialized local variable 'palg' used
+ warning C4701: potentially uninitialized local variable 'psig' used
-monnerat (20 Apr 2010)
-- Add compilation directives for hmac in Watcom,riscos and vc6 platform-specific makefiles.
+Daniel Stenberg (30 Mar 2016)
+- multi: turn Curl_done into file local multi_done
+
+ ... as it now is used by multi.c only.
-Yang Tse (20 Apr 2010)
-- [Ruslan Gazizov brought this change]
+- multi: multi_reconnect_request is the former Curl_reconnect_request
+
+ now a file local function in multi.c
- replaced wsock32.lib usage with ws2_32.lib in MSVC makefiles
+- multi: move Curl_do and Curl_do_done to multi.c and make static
+
+ ... called multi_do and multi_do_done as they're file local now.
-monnerat (19 Apr 2010)
-- Merge branch 'master' of github.com:bagder/curl
+Jay Satiro (29 Mar 2016)
+- wolfssl: Use ECC supported curves extension
+
+ https://github.com/wolfSSL/wolfssl/issues/366
-- Remove null-effect leftover code.
+- build-wolfssl: Allow a broader range of ciphers (Visual Studio)
+
+ This is an update to the build-time options used to build wolfSSL in
+ Visual Studio for greater compatibility, and make it behave similar to
+ the way OpenSSL 1.0.2 behaves. Starting in wolfSSL v3.6.6 static ciphers
+ and SSLv3 are disabled by default at build time, but we can use both.
+
+ - Enable static cipher suites TLS_ECDH_ and TLS_RSA_.
+
+ - Enable SSLv3 hello. Though in libcurl we disable it by default at
+ runtime, we make it available so the user can manually select it if
+ necessary.
-Daniel Stenberg (19 Apr 2010)
-- changelog: -J/--remote-header-name strips CRLF
+Daniel Stenberg (29 Mar 2016)
+- [Isaac Boukris brought this change]
-- parse_filename: strip trailing CRs and LFs
+ GSS: make Curl_gss_log_error more verbose
- The feature that uses the file name given in a
- Content-disposition: header didn't properly skip trailing
- carriage returns and linefeed characters from the end of the file
- name when it was given without quotes.
-
-- Curl_HMAC_MD5: fix the array init to not warn with picky compilers
+ Also display the GSS_C_GSS_CODE (major code) when specified instead of
+ only GSS_C_MECH_CODE (minor code).
+
+ In addition, the old code was printing a colon twice after the prefix
+ and also miscalculated the length of the buffer in between calls to
+ gss_display_status (the length of ": " was missing).
+
+ Also, gss_buffer is not guaranteed to be NULL terminated and thus need
+ to restrict reading by its length.
+
+ Closes #738
-monnerat (19 Apr 2010)
-- Fix GnuTLS compilation problem in md5.c
+- build: use roffit 0.11 feature
+
+ ... load file specified as argument.
-- Fix compilation problem: declare Curl_HMAC_MD5 as extern in include file.
+- http2: set correct scheme in handler structs [regression]
+
+ Since commit a5aec58 the handler schemes need to match for the
+ connections to be reused and for HTTP/2 multiplexing to work, reusing
+ connections is very important!
+
+ Closes #736
-- Merge branch 'master' of github.com:bagder/curl
+- hostip.c: minor white space edit for style
-- Implement SMTP authentication
+- [Viktor Szakats brought this change]
-Daniel Stenberg (17 Apr 2010)
-- parseconfig: Value stored to 'line' is never read
+ TODO: use secure protocol in recently added URL
- Make the function call with (void) as we don't care about the
- return code.
-
-- parsedate: Value stored to 'found' is never read
+ Closes #733
-- check_gzip_header: Value stored to 'data' is never read
+- HTTP2.md: mention libressl and boringssl too
-- dprintf_formatf: Value stored to 'left' is never read
+- docs/HTTP-COOKIES: converted to markdown
-- curl_version: remove superfluous assignments
+- HTTP2: s/polarssl/mbedtls
-- FTP PORT: Value stored to 'rc' is never read
+Jay Satiro (28 Mar 2016)
+- wolfssl: Add ALPN support
-- Curl_setup_transfer: no longer returns anything
+- tool_operate: remove mixed declaration
- This function could only return CURLE_OK and by changing it to
- a void instead, we can simplify code all over.
+ This is a follow up to the previous commit.
-- PASV response: Value stored to 'rc' is never read
-
-- Curl_perform: Value stored to 'res2' is never read
+Daniel Stenberg (28 Mar 2016)
+- curl: warn for --capath use if not supported by libcurl
+
+ Closes #492
-- sftp range: remove unnecessary check for NULL pointer
+- TODO: 2.5 Edge-triggered sockets should work
-- ftp_range: remove unnecessary check for NULL pointer
+- Makefile.am: skip the scripts dir
+
+ Skipping the scripts dir is primarily done for 'make install' so that it
+ does not attempt to install the zsh completion script as we've not yet
+ found a proper way to do/run that at install time.
+
+ By leaving the script dir's Makefile in place, a user can still opt to
+ run make install manually in there.
+
+ Closes #620
-- file_range: remove unnecessary check for NULL pointer
+- CURLMOPT_SOCKETFUNCTION.3: describe the 'what' argument
-- SOCKS4: Value stored to 'rc' is never read
+- curl_multi_socket_action.3: mark the options properly
+
+ ... to make them appear as links on the html version.
-- FTP PASV: Value stored to 'rc' is never read
+Steve Holme (27 Mar 2016)
+- RELEASE-NOTES: Synced with f0bdd72c10
-- ftp_range: Value stored to 'totalsize' is never read
+- http_ntlm: Renamed from curl_ntlm.[c|h]
- Simplified the code by removing a local variable completely.
-
-- SOCKS5: when name resolves fail return immediately
+ Renamed the header and source files for this module as they are HTTP
+ specific and as such, they should use the naming convention as other
+ HTTP authentication source files do - this revert commit 260ee6b7bf.
- This makes the code flow more obvious and reacts on the return
- code properly, even if the code acted the same way before.
-
-- POP3: when USER command fails, don't even try PASS
+ Note: We could also rename curl_ntlm_wb.[c|h], however, the Winbind
+ code needs separating from the HTTP protocol and migrating into the
+ vauth directory, thus adding support for Winbind to the SASL based
+ protocols such as IMAP, POP3 and SMTP.
-- tftp_rx: Value stored to 'sbytes' is never read
+Daniel Stenberg (27 Mar 2016)
+- [marquis-de-muesli brought this change]
-- file_range: Value stored to 'totalsize' is never read
-
-- changelog: GnuTLS: SSL handshake phase is non-blocking
+ docs: curlinfo_filetime sftp support, new curlopt_quote "statvfs"
+
+ Closes #677
-- [Jerome Vouillon brought this change]
+- [marquis-de-muesli brought this change]
- GnuTLS: make the connection phase non-blocking
+ SSH: new CURLOPT_QUOTE command "statvfs"
- When multi interface is used, the SSL handshake is no longer
- blocking when GnuTLS is used.
+ usage: "statvfs path"
+ returns remote file system statistics
-- krb5_auth: fix my previous change to compile
+- [marquis-de-muesli brought this change]
-unknown (16 Apr 2010)
-- OS400 version V5R2M0 not supported anymore by IBM: default target release changed to V5R3M0.
+ SSH: support CURLINFO_FILETIME
-Daniel Stenberg (16 Apr 2010)
-- changelog: GnuTLS fix, no reverse loopkups and fixed GSS detection
+- [Karlson2k brought this change]
-- SSL_RECV: EOF is not an error here
+ sshserver.pl: use quotes for given options
- The recent overhaul of the SSL recv function made this treat a
- zero returned from gnutls_record_recv() as an error, and this
- caused our HTTPS test cases to fail. We leave it to upper layer
- code to detect if an EOF is a problem or not.
+ Fixed failed redirection of stderr with some options. At least on Msys2,
+ perl fails to redirect stderr if $value contains newline or other weird
+ characters.
-- [Paul Howarth brought this change]
-
- configure: GSSAPI detection on ancient Linux distros
+Jay Satiro (26 Mar 2016)
+- url: don't use bad offset in tld_check_name to show error
- On some ancient distributions such as RHEL-3, <gssapi/gssapi_krb5.h> needs
- to be processed after <gssapi/gssapi.h>, but does not include it itself.
- This patch checks for <gssapi/gssapi.h> first and then includes it
- in the test for <gssapi/gssapi_krb5.h>, resolving the problem.
+ libidn's tld_check_lz returns an error offset of the first character
+ that it failed to process, however that offset is not a byte offset and
+ may not even be in the locale encoding therefore we can't use it to show
+ the user the character that failed to process.
- Without the patch, <gssapi/gssapi_krb5.h> is "present but cannot be
- compiled".
+ Bug: https://github.com/curl/curl/issues/731
+ Reported-by: Karlson2k
-- resolvers: no more using AI_CANONNAME
+Steve Holme (26 Mar 2016)
+- http_negotiate: Combine GSS-API and SSPI source files
- No resolver anymore needs to use AI_CANONNAME and do reverse
- lookups. We should work hard to avoid having code that relies on
- it.
+ As the GSS-API and SSPI based source files are no longer library/API
+ specific, following the extraction of that authentication code to the
+ vauth directory, combine these files rather than maintain two separate
+ versions.
-- KRB5: use given host name instead of reverse lookup'ed name
+- vauth: Moved the Negotiate authentication code to the new vauth directory
- This code would previously use dns_entry->addr->ai_canonname
- instead of the given host name, which caused us grief and
- problems since not all our resolver options do the reverse lookup
- and I would also guess that it caused problems with KRB5/GSS with
- virtual name-based hosts. Now the host name from the URL is used.
-
-Dan Fandrich (15 Apr 2010)
-- Remove redundant conditional
+ Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
-- Eliminated an unlikely race condition in some tests.
+- vauth: Moved the Negotiate authentication code to the new vauth directory
- Based on a patch from the FreeBSD ports by Peter Pentchev.
+ Part 1 of 2 - Moved the SSPI based Negotiate authentication code.
-Daniel Stenberg (15 Apr 2010)
-- changelog: prevent needless reverse name lookups
+- warnless.h: Removed spurious character from commit 696bc6b9c9
+
+ Not picked up by checksrc or Visual Studio but my own code review, this
+ would haven broken Intel based Unix builds - Perhaps I should learn to
+ type on my laptop's keyboard before committing!
-- Curl_ipv4_resolve_r: only set AI_CANONNAME when needed
+- schannel: Fixed compilation warning from commit f8d88a4913
- As reported in bug report #2987196, the code for ipv6 already did
- the setting of this bit correctly so we copied that logic into
- the Curl_ipv4_resolve_r() function as well. KRB code is the only
- code we know that might need the cannonical name so only resolve
- it for such requests!
+ warning C4244: '=': conversion from 'int' to 'unsigned short', possible
+ loss of data
-- IGNORE: files generated by maketgz
+- warnless?: Added some integer based conversion functions
-- bumped to start the journey towards 7.20.2
+Daniel Stenberg (25 Mar 2016)
+- [Dusty Mabe brought this change]
-- added contributors from the 7.20.1 RELEASE-NOTES
+ docs/TODO: Add feature request for metalink in HTTP headers
+
+ Closes #729
+ Closes #728
-- ignore files generated by 'maketgz'
+Steve Holme (25 Mar 2016)
+- build: Corrected typos from commit 70e56939aa
-Version 7.20.1 (14 Apr 2010)
+- vauth: Refactored function names after move to new vauth directory
+
+ Renamed all the SASL functions that moved to the new vauth directory to
+ include the correct module name.
-Daniel Stenberg (14 Apr 2010)
-- 7.20.1: 14 April 2010
+- vauth: Updated the copyright year after recent changes
+
+ As most of this work was performed in 2015 but not pushed until 2016
+ updated the copyright year to reflect the public facing changes.
-Guenter Knauf (13 Apr 2010)
-- Use correct directory for c-ares git pull
- Signed-off-by: Tor Arntsen <tor@spacetec.no>
+- vauth: Moved the OAuth 2.0 authentication code to the new vauth directory
-Yang Tse (13 Apr 2010)
-- fix compiler warning: variable might be clobbered by longjmp or vfork
+- vauth: Moved the NTLM authentication code to the new vauth directory
-Guenter Knauf (13 Apr 2010)
-- added last git commit output for c-ares too.
+- vauth: Moved the Kerberos V5 authentication code to the new vauth directory
-- changed the git update block to take care of c-ares repo if detected.
+- digest.c: Fixed checksrc warnings
-- updated timestamp of the script.
+- vauth: Moved the DIGEST authentication code to the new vauth directory
-- removed obsolete var in gitpull() function
- no need to create a var - lets just return the status var itself.
+- vauth: Moved the CRAM-MD5 authentication code to the new vauth directory
-- added a cast to silent compiler warning with 64bit systems.
+- vauth: Moved the ClearText authentication code to the new vauth directory
-- fixed a path typo in src/Makefile.netware.
+- vauth: Moved Curl_sasl_build_spn() to create the initial vauth source files
-Daniel Stenberg (12 Apr 2010)
-- Added text for How To Make a Patch with git
+- checksrc.bat: Added support for checking the new vauth directory
-- update the section on timeouts
+- build: Updated all makefiles and project files for the new vauth directory
- The section that describes how to work with timeouts was
- misleading and could easily trick users to use the wrong API.
+ Updated the makefiles and Visual Studio project files to support moving
+ the authentication code to the new lib/vauth directory that was started
+ in commit 0d04e859e1.
-- update URL and cut out wrong info on ipv6
-
- c-ares has had its own URL for a while and we should point
- people to that. It also works with IPv6 since a long time.
+Daniel Stenberg (24 Mar 2016)
+- [JDepooter brought this change]
-- refer to CURLMOPT_TIMERFUNCTION for multi_socket users
+ schannel: Add ALPN support
- curl_multi_timeout(3) is simply the wrong function to use
- if you're using the multi_socket API and this document now
- states this pretty clearly to help guiding users.
-
-- s/CVS/git
-
-- modified to use the git file, not cvs
+ Add ALPN support for schannel. This allows cURL to negotiate
+ HTTP/2.0 connections when built with schannel.
- I've done this blindly, and the last piece that works with ares
- should possibly be done differently now that c-ares isn't a
- subtree within the curl tree anymore...
+ Closes #724
-- mention missing test servers for <server>
+Steve Holme (24 Mar 2016)
+- http: Minor update based on CODE_STYLE guidelines
-- FTP quote commands prefixed with '*' now can fail without aborting
+Daniel Stenberg (23 Mar 2016)
+- multi: fix "Operation timed out after" timer
+
+ Use the local, reasonably updated, 'now' value when creating the message
+ string to output for the timeout condition.
- Prefixing the FTP quote commands with an asterisk really only
- worked for the postquote actions. This is now fixed and test case
- 227 has been extended to verify.
+ Fixes #619
-Kamil Dudka (7 Apr 2010)
-- qssl: reflect recent code changes in SSL interface
+- openssl: boringssl provides the same numbering as openssl
- Reported by Guenter Knauf.
+ ... so we don't need extra boringssl precautions for for
+ HAVE_ERR_REMOVE_THREAD_STATE_NOARG.
+
+ Pointed-out-by: David Benjamin
-- nss: handle client certificate related errors
+- openssl: fix ERR_remove_thread_state() for boringssl/libressl
+
+ The removed arg is only done in OpenSSL
+
+ Bug: https://twitter.com/xtraemeat/status/712564874098917376
-- [Ben Greear brought this change]
+- bump: work on 7.48.1
- ssl: Fix build when SSL isn't enabled
+- RELEASE-PROCEDURE: mention the github release tag edit
- Signed-off-by: Ben Greear <greearb@candelatech.com>
-
-- refactorize interface of Curl_ssl_recv/Curl_ssl_send
+ ... and update the coming release dates a bit
-- simplify code of Curl_resolv_timeout()
+Steve Holme (23 Mar 2016)
+- checksrc.bat: Updated the help to be consistent with generate.bat
+
+ Follow up to commit a8c7f0fcbf prior to release.
-- eliminate a race condition in Curl_resolv_timeout()
+Version 7.48.0 (23 Mar 2016)
-Daniel Stenberg (2 Apr 2010)
-- [Ben Greear brought this change]
+Daniel Stenberg (23 Mar 2016)
+- RELEASE-NOTES: curl 7.48.0
- fixed compiler warnings
+- THANKS: 15 new contributors from 7.48.0 release
-- updated contributor count
+Jay Satiro (23 Mar 2016)
+- CURLINFO_TLS_SSL_PTR.3: Warn about limitations
+
+ Bug: https://github.com/curl/curl/issues/685
-- add contributors from the 7.20.0 release notes
+Daniel Stenberg (22 Mar 2016)
+- Revert "sshserver: remove use of AuthorizedKeysFile2"
+
+ It seems we may have some autobuild problems after this commit went
+ in. Trying to see if a revert helps to get them back.
+
+ This reverts commit 2716350d1f3edc8e929f6ceeee05051090f6d642.
-- fix SFTP download hang
+- maketgz: add -j to make dist
- Matt Wixson found and fixed a bug in the SCP/SFTP area where the
- code treated a 0 return code from libssh2 to be the same as
- EAGAIN while in reality it isn't. The problem caused a hang in
- SFTP transfers from a MessageWay server.
+ ... makes it a lot faster
-Dan Fandrich (31 Mar 2010)
-- Fixed misleading test message
+- libcurl-thread.3: minor nroff format fix
-Daniel Stenberg (31 Mar 2010)
-- update the generic copyright year range
+- CURLINFO_TLS_SSL_PTR.3: minor nroff format fix
-- removed README.cmake due to the improved situation
+- CODE_STYLE: indend example code
+
+ ... to make it look nicer in markdown outputa
+
+Jay Satiro (22 Mar 2016)
+- build-wolfssl: Update VS properties for wolfSSL v3.9.0
+
+ - Do not use wolfSSL's sample user-setting files.
+
+ wolfSSL starting in v3.9.0 has added their own sample user settings that
+ are applied by default, but we don't use them because we have our own
+ settings.
+
+ - Do not use wolfSSL's Visual Studio Unicode character setting.
+
+ wolfSSL Visual Studio projects use the Unicode character set however our
+ settings and options imitate mingw build which does not use the Unicode
+ character set. This does not appear to have any effect at the moment but
+ better safe than sorry.
+
+
+ These changes are backwards compatible with earlier versions.
-Guenter Knauf (31 Mar 2010)
-- fix compiler warning with a cast.
+Steve Holme (22 Mar 2016)
+- hostip6: Fixed compilation warnings when verbose strings disabled
+
+ warning C4189: 'data': local variable is initialized but not referenced
+
+ ...and some minor formatting/spacing changes.
-- make folks use latest available dependent libraries.
+Daniel Stenberg (21 Mar 2016)
+- sshserver: remove use of AuthorizedKeysFile2
+
+ Support for the (undocumented) AuthorizedKeysFile2 was removed in
+ OpenSSH 5.9, released in September 2011
+
+ Closes #715
-Dan Fandrich (30 Mar 2010)
-- Call curl_global_cleanup() in test 560 to avoid a memory leak
+Steve Holme (20 Mar 2016)
+- connect/ntlm/http: Fixed compilation warnings when verbose strings disabled
+
+ warning C4189: 'data': local variable is initialized but not referenced
-- Allow test 538 to run even when proxy support is disabled
+- openssl: Fixed compilation warning when /Wall enabled
+
+ warning C4706: assignment within conditional expression
-Daniel Stenberg (29 Mar 2010)
-- use (s)size_t for string lengths to fix compiler warns
+- CODE_STYLE: Use boolean conditions
+
+ Rather than use TRUE, FALSE, NULL, 0 or != 0 in if/while conditions.
+
+ Additionally, corrected some example code to adhere to the recommended
+ coding style.
-- use size_t to hold string length
+- inet_pton.c: Fixed compilation warnings
- using int is not fine on 64bit systems
+ warning: conversion to 'unsigned char' from 'int' may alter its value
-- [Ben Greear brought this change]
+Daniel Stenberg (19 Mar 2016)
+- RELEASE-NOTES: synced with 80851028efc2fa9
- Fix compile warnings in ssh.c
+- mbedtls: fix compiler warning
- strlen() returns size_t, but ssh libraries are wanting 'unsigned int'. Add
- explicit casts and use _ex versions of the ssh library calls.
+ vtls/mbedtls.h:67:36: warning: implicit declaration of function
+ ‘mbedtls_sha256’ [-Wimplicit-function-declaration]
+
+Steve Holme (19 Mar 2016)
+- easy: Minor coding standard and style updates
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Following commit c5744340db. Additionally removes the need for a second
+ 'result code' variable as well.
-- [Ben Greear brought this change]
+Jay Satiro (19 Mar 2016)
+- easy: Remove poll failure check in easy_transfer
+
+ .. because curl_multi_wait can no longer signal poll failure.
+
+ follow-up to 77e1726
+
+ Bug: https://github.com/curl/curl/issues/707
- fix smtp compile warning
+Steve Holme (19 Mar 2016)
+- build: Added missing Visual Studio filter files for VC10 onwards
- Use ssize_t instead of int for the Curl_smtp_escape_eob nread
- argument.
+ As these files don't need to contain references to the source files,
+ although typically do, added basic files which only include three
+ filters and don't require the project file generator to be modified.
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ These files allow the source code to be viewed in the Solution Explorer
+ in versions of Visual Studio from 2010 onwards in the same manner as
+ previous versions did rather than one large view of files.
-- Ben's POP3 change
+- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
+
+ warning C4706: assignment within conditional expression
-- [Ben Greear brought this change]
+- config-w32.h: Fixed compilation warning when /Wall enabled
+
+ warning C4668: 'USE_IPV6' is not defined as a preprocessor macro,
+ replacing with '0' for '#if/#elif'
- pop3: Get message listing if no mailbox in URL
+- imap.c: Fixed compilation warning with /Wall enabled
- If you pass a URL to pop3 that does not contain a message ID as
- part of the URL, it will currently ask for 'INBOX' which just
- causes the pop3 server to return an error.
+ warning C4701: potentially uninitialized local variable 'size' used
- The change makes libcurl treat en empty message ID as a request
- for LIST (list of pop3 message IDs). User's code could then
- parse this and download individual messages as desired.
+ Technically this can't happen, as the usage of 'size' is protected by
+ 'if(parsed)' and 'parsed' is only set after 'size' has been parsed.
+
+ Anyway, lets keep the compiler happy.
+
+- KNOWN_BUGS: #93 Issue with CURLFORM_CONTENTLEN in arrays on 32-bit platforms
-- [Ben Greear brought this change]
+Daniel Stenberg (18 Mar 2016)
+- bump: the coming release is 7.48.0
- Allow running ./tests/testcurl.pl from within git repo.
+- configure: use cpp -P when needed
- My first instinct was to run the test script within the checked out
- repository. This small change to the script allows that to work as
- expected.
+ Since gcc 5, the processor output can get split up on multiple lines
+ that made the configure script fail to figure out values from
+ definitions. The fix is to use cpp -P, and this fix now first checks if
+ cpp -P is necessary and then if cpp -P works before it uses that to
+ extract defined values.
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Fixes #719
-- minor language fix
+Steve Holme (18 Mar 2016)
+- formdata.c: Fixed compilation warning
+
+ formdata.c:390: warning: cast from pointer to integer of different size
+
+ Introduced in commit ca5f9341ef this happens because a char*, which is
+ 32-bits wide in 32-bit land, is being cast to a curl_off_t which is
+ 64-bits wide where 64-bit integers are supported by the compiler.
+
+ This doesn't happen in 64-bit land as a pointer is the same size as a
+ curl_off_t.
+
+ This fix doesn't address the fact that a 64-bit value cannot be used
+ for CURLFORM_CONTENTLEN when set in a form array and compiled on a
+ 32-bit platforms, it does at least suppress the compilation warning.
-- [Ben Greear brought this change]
+Daniel Stenberg (18 Mar 2016)
+- FAQ: 2.5 Install libcurl for both 32bit and 64bit?
- allow user+password in the URL for all protocols
+- [Gisle Vanem brought this change]
+
+ openssl: adapt to API breakage in ERR_remove_thread_state()
+
+ The OpenSSL API change that broke this is "Convert ERR_STATE to new
+ multi-threading API": openssl commit 8509dcc.
- Ben Greear brought a patch that from now on allows all protocols
- to specify name and user within the URL, in the same manner HTTP
- and FTP have been allowed to in the past - although far from all
- of the libcurl supported protocols actually have that feature in
- their URL definition spec.
+ Closes #713
-- ignore pid files and stunnel.conf
+- version: init moved to private name space, added protos
- all used while running tests
+ follow-up to 80015cdd52145
-- make sure git pull is actually done!
+- openssl: verbose: show matching SAN pattern
+
+ ... to allow users to see which specfic wildcard that matched when such
+ is used.
+
+ Also minor logic cleanup to simplify the code, and I removed all tabs
+ from verbose strings.
+
+Jay Satiro (16 Mar 2016)
+- version: thread safety
-- changelogged: smoother rate limiting
+Steve Holme (16 Mar 2016)
+- transfer: Removed redundant HTTP authentication include files
+
+ It would also seem that share.h is not required here either as there
+ are no references to the Curl_share structure or functions.
-- [Ben Greear brought this change]
+- easy: Removed redundant HTTP authentication include files
- Make rate-limitation logic smoother
+Jay Satiro (15 Mar 2016)
+- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
- This gives a smoother rate limitation performance by using
- sub-second pauses and also taking the buffer sizes into
- account.
+ Bug: https://curl.haxx.se/mail/lib-2016-03/0150.html
+ Reported-by: Oliver Graute
+
+Steve Holme (15 Mar 2016)
+- curl_sasl: Minor code indent fixes
-- remove all .cvsignore files
+Daniel Stenberg (14 Mar 2016)
+- runtests: mention when run event-based
-- PROT_CLOSEACTION should not include TFTP
+- easy: add check to malloc() when running event-based
- TFTP is not a protocol that uses close actions so it should
- not be set in that bitmask!
+ ... to allow torture tests then too.
-- [Tor Arntsen brought this change]
+- memdebug: skip logging the limit countdown, fflush when reached
- Avoid double newline for the 'last commits' log in testcurl.pl
+- CODE_STYLE: Space around operators
- The backtick command which extracts 'git log' lines come with a
- newline, so chomp the newline before calling logit(), as the logit
- function adds a newline by itself.
+ As just discussed on the mailing list, also document how we prefer
+ spacing in expressions.
+
+- curl: glob_range: no need to check unsigned variable for negative
+
+ cppcheck warned:
+
+ [src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n'
+ is less than zero.
+
+- CODE_STYLE: add example for indent style as well
-- [Tor Arntsen brought this change]
+- CODE_STYLE: mention braces for functions too
- Change to version-independent git option for 'git log --oneline'
+- docs/Makefile.am: include CODE_STYLE in tarball too
+
+- CONTRIBUTE: moved out code style to a separate document
+
+- CODE_STYLE: initial version
- 'git log --oneline' is a relatively recent Git function. It is
- documented to be the same as 'git log --pretty=oneline --abbrev-commit',
- so use that instead. It works all the way back to Git 1.5.0.
+ Ripped out from CONTRIBUTE into its own document, but also extended from
+ there.
-- show 5 commits even if no git pull was made
+- curl_sasl.c: minor code indent fixes
-- don't touch ares/aclocal.m4 and show recent git commits
+- multi: simplified singlesocket
- since c-ares no longer embedded, we must not touch such files
- anymore
+ Since sh_getentry() now checks for invalid sockets itself and by
+ narrowing the scope of the remove_sock_from_hash variable.
+
+- multi: introduce sh_getentry() for looking up sockets in the sockhash
- we show the 5 last git commits if git was proven in use, to help
- us see exactly what's being tested
+ Simplify the code by using a single entry that looks for a socket in the
+ socket hash. As indicated in #712, the code looked for CURL_SOCKET_BAD
+ at some point and that is ineffective/wrong and this makes it easier to
+ avoid that.
+
+- [Jaime Fullaondo brought this change]
-- use CURL_SIZEOF_LONG instead of SIZEOF_LONG
+ multi hash: ensure modulo performed on curl_socket_t
- That's the symbol we have or generate in include/curl/curlbuild.h
+ Closes #712
+
+Steve Holme (13 Mar 2016)
+- base64: Minor coding standard and style updates
+
+- base64: Use 'CURLcode result' for curl result codes
+
+- negotiate: Use 'CURLcode result' for curl result codes
-- s/CVS/DEV in the version string from the git repo
+Daniel Stenberg (13 Mar 2016)
+- [Maksim Kuzevanov brought this change]
-Bill Hoffman (24 Mar 2010)
-- Merge branch 'master' of github.com:bagder/curl
+ multi_runsingle: avoid loop in CURLM_STATE_WAITPROXYCONNECT
+
+ Closes #703
+
+- TODO: Use the RFC6265 test suite
-- Add .gitattributes files to turn off CRLF translation for some files
+Steve Holme (13 Mar 2016)
+- checksrc.bat: Added the ability to scan src and lib source independently
-Daniel Stenberg (24 Mar 2010)
-- provide a version number as today's date
+- digest: Use boolean based success code for Curl_sasl_digest_get_pair()
- It should at least help visualize which autobuilds that are
- using this script.
+ Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
+ based success code.
+
+- digest: Corrected some typos in comments
+
+- krb5: Corrected some typos in function descriptions
-- testcurl now uses git instead of CVS
+- ntlm: Corrected some typos in function descriptions
-Bill Hoffman (24 Mar 2010)
-- Merge branch 'master' of github.com:bagder/curl
+- url: Corrected indentation when calling idna_to_ascii_lz()
-- Enable LDAP by default since it is now disabled when ldap.h is not found,
+- idn_win32: Use boolean based success codes
+
+ Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
+ based success code.
+
+Daniel Stenberg (10 Mar 2016)
+- idn_win32.c: warning: Trailing whitespace
-- CMake fixes for Linux.
+Steve Holme (10 Mar 2016)
+- idn_win32.c: Fixed compilation warning from commit 9e7fcd4291
- Make sure <sys/socket.h> is included if around when testing/using
- socklen_t. Also, disable LDAP if LDAP_H is not found on the system.
+ warning C4267: 'function': conversion from 'size_t' to 'int',
+ possible loss of data
-Daniel Stenberg (24 Mar 2010)
-- [Bob Richmond brought this change]
+Daniel Stenberg (10 Mar 2016)
+- THANKS-filter: unify Michael König
- fix: timeout after last data chunk was handled
+- RELEASE-NOTES: synced with 863c5766dd
+
+- ftp: remove a check for NULL(!)
- Bob Richmond: There's an annoying situation where libcurl will
- read new HTTP response data from a socket, then check if it's a
- timeout if one is set. If the last packet received constitutes
- the end of the response body, libcurl still treats it as a
- timeout condition and reports a message like:
+ ... as it implies we need to check for that on all the other variable
+ references as well (as Coverity otherwise warns us for missing NULL
+ checks), and we're alredy making sure that the pointer is never NULL.
+
+- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
- "Operation timed out after 3000 milliseconds with 876 out of 876
- bytes received"
+ RFC 6265 section 4.1.1 spells out that the first name/value pair in the
+ header is the actual cookie name and content, while the following are
+ the parameters.
- It should only a timeout if the timer lapsed and we DIDN'T
- receive the end of the response body yet.
+ libcurl previously had a more liberal approach which causes significant
+ problems when introducing new cookie parameters, like the suggested new
+ cookie priority draft.
+
+ The previous logic read all n/v pairs from left-to-right and the first
+ name used that wassn't a known parameter name would be used as the
+ cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
+ a cookie named 'person' while an RFC 6265 compliant parser should
+ consider that to be a cookie named 'Max-Age' with an (unknown) parameter
+ 'person'.
+
+ Fixes #709
-- avoid compiler warning without USE_ALARM_TIMEOUT
+- krb5: improved type handling to avoid clang compiler warnings
-Bill Hoffman (24 Mar 2010)
-- Fix curl CMake build.
+- url.c: fix clang warning: no newline at end of file
+
+- curl_multi_wait: never return -1 in 'numfds'
+
+ Such a return value isn't documented but could still happen, and the
+ curl tool code checks for it. It would happen when the underlying
+ Curl_poll() function returns an error. Starting now we mask that error
+ as a user of curl_multi_wait() would have no way to handle it anyway.
- This commit fixes the cmake build of curl, and cleans up the
- cmake code a little. It removes some commented out code and
- some trailing whitespace. To get curl to build the binary
- tree include/curl directory needed to be added to the include
- path. Also, SIZEOF_SHORT needed to be added. A check for the
- lack of defines of SIZEOF_* for warnless.c was added.
+ Reported-by: Jay Satiro
+ Closes #707
-Daniel Stenberg (24 Mar 2010)
-- [Chris Conroy brought this change]
+- HTTP2.md: add CURL_HTTP_VERSION_2TLS and updated alt-svc link
- remove debug printfs
+- curl_multi_wait.3: add example
-- RTSP GET_PARAMETER fix
+Steve Holme (8 Mar 2016)
+- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
- Christopher Conroy fixed a problem with RTSP and GET_PARAMETER
- reported to us by Massimo Callegari. There's a new test case 572
- that verifies this now.
+ Regression since commit 710f14edba.
+
+ Bug: https://github.com/curl/curl/issues/422
+ Reported-by: Justin Ehlert
-- remove trace of CVS
+Jay Satiro (8 Mar 2016)
+- opt-docs: fix heading macros
+
+ ..SH should be .SH
+
+ Bug: https://github.com/curl/curl/issues/705
+ Reported-by: Eric S. Raymond
-- [Chris Conroy brought this change]
+Kamil Dudka (8 Mar 2016)
+- [Tim Rühsen brought this change]
- Fix RTSP GET_PARAMETER empty and non-empty operation.
+ cookie: do not refuse cookies for localhost
- Test coverage included. Thanks to Massimo Callegari for the bug report
+ Closes #658
-- s/CVS/DEV/ in the version string for repo versions
+Daniel Stenberg (8 Mar 2016)
+- ftp_done: clear tunnel_state when secondary socket closes
+
+ Introducing a function for closing the secondary connection to make this
+ bug less likely to happen again.
+
+ Reported-by: daboul
+ Closes #701
+
+- [Gisle Vanem brought this change]
+
+ openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
-- scrapped all left-over TODOs
+- HTTP2.md: HTTP/2 by default for curl's HTTPS connections
+
+- [Anders Bakken brought this change]
+
+ pipeline: Sanity check pipeline pointer before accessing it.
+
+ I got a crash with this stack:
+
+ curl/lib/url.c:2873 (Curl_removeHandleFromPipeline)
+ curl/lib/url.c:2919 (Curl_getoff_all_pipelines)
+ curl/lib/multi.c:561 (curl_multi_remove_handle)
+ curl/lib/url.c:415 (Curl_close)
+ curl/lib/easy.c:859 (curl_easy_cleanup)
+
+ Closes #704
+
+- HTTP2.md: mention the disable ALPN and NPN options
+
+- TODO: 17.12 keep running, read instructions from pipe/socket
+
+ And delete trailing whitespace
+ And rename section 17 to "command line tool" from "client"
+
+ Closes #702
+
+- README.md: linkified
+
+ It also makes it less readable as plain text, so let's keep this
+ primarily for github use.
- In order to get back on track, I've removed all the plans for
- stuff I had in the queue. I will instead focus on fixing bugs and
- relying on that people who truly want things added will come back
- on the mailing list and nag and provide patches.
+ Removed the top ascii art logo, as it looks weird when markdownified.
+
+- README.md: markdown version of README
- 7.20.1 should be possible to release in April 2010
+ Attempt to make it look more appealing on github
+
+Jay Satiro (6 Mar 2016)
+- mprintf: update trio project link
+
+Daniel Stenberg (6 Mar 2016)
+- CURLOPT_ACCEPTTIMEOUT_MS.3: added example
+
+- CURLOPT_ACCEPT_ENCODING.3: added example
-- restore executable bits on some files
+- CURLOPT_APPEND.3: added example
-- remove the CVSish $Id$ lines
+- CURLOPT_NOPROGRESS.3: added example, conform to stardard style
-- The 'ares' subtree has been removed from the source repository
+Steve Holme (6 Mar 2016)
+- build-openssl/checksrc.bat: Fixed prepend vs append of Perl path
+
+ Fixed inconsistency from commit 1eae114065 and 0ad6c72227 of the order
+ in which Perl was added to the PATH.
-- s/CVS/git
+Daniel Stenberg (6 Mar 2016)
+- opts: added two examples
-- update to current state
+- CURLOPT_SSL_CTX_FUNCTION.3: use .NF for example
-- remove the ares subtree
+- CURLOPT_SSL_CTX_FUNCTION.3: added example
- c-ares is now hosted entirely separate from the curl project
- see http://c-ares.haxx.se/ for all details concerning c-ares,
- its source repository and more.
+ and removed erroneous reference to test case lib509
+
+- curlx.c: use more curl style code
-- mark connection as connected
+- test46: change cookie expiry date
- Kenny To filed the bug report #2963679 with patch to fix a
- problem he experienced with doing multi interface HTTP POST over
- a proxy using PROXYTUNNEL. He found a case where it would connect
- fine but bits.tcpconnect was not set correct so libcurl didn't
- work properly.
+ Since two of the cookies would now otherwise expire and cause the test
+ to fail after commit 20de9b4f09
- (http://curl.haxx.se/bug/view.cgi?id=2963679)
+ Discussed in #697
-- enabled valgrind
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
+
+ makefile.m32: add missing libs for static -winssl-ssh2 builds
- I ran it now successfully and it helped to pinpoint a libssh2
- memory leak!
+ Bug: https://github.com/curl/curl/pull/693
-Dan Fandrich (23 Mar 2010)
-- Updated Symbian notes
+- mbedtls: fix user-specified SSL protocol version
+
+ Prior to this change when a single protocol CURL_SSLVERSION_ was
+ specified by the user that version was set only as the minimum version
+ but not as the maximum version as well.
-Daniel Stenberg (23 Mar 2010)
-- chunked-encoding with Content-Length: header problem
+Steve Holme (5 Mar 2016)
+- .gitignore: Added *.VC.opendb and *.vcxproj.user files for VC14
+
+- build-openssl.bat: Fixed cannot find perl if installed but not in path
+
+- checksrc.bat: Fixed cannot find perl if installed but not in path
+
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
+
+ makefile.m32: fix to allow -ssh2-winssl combination
+
+ In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl
+ (OpenSSL) option, with no way to override it with -winssl. Since both
+ libssh2 and curl support using Windows's built-in SSL backend, modify
+ the logic to allow that combination.
+
+- cookie: Don't expire session cookies in remove_expired
+
+ Prior to this change cookies with an expiry date that failed parsing
+ and were converted to session cookies could be purged in remove_expired.
- Akos Pasztory filed debian bug report #572276
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572276
- mentioning a problem with a resource that returns chunked-encoded
- _and_ with a Content-Length and libcurl failed to properly ignore
- the latter information.
+ Bug: https://github.com/curl/curl/issues/697
+ Reported-by: Seth Mos
-- delayed easy handle kill caused double Curl_close() call
+Daniel Stenberg (3 Mar 2016)
+- cookie: remove redundant check
- Hauke Duden provided an example program that made the multi
- interface crash. His example simply used the multi interface and
- did first one FTP transfer and after completion it used a second
- easy handle and did another FTP transfer on the same FTP server.
+ ... as it was already checked previously within the function.
- This triggered a bug in the "delayed easy handle kill" system
- that curl uses: when an FTP connection is left alive it must keep
- an easy handle around internally - only for the purpose of having
- an easy handle when it later disconnects it. The code assumed
- that when the easy handle was removed and an internal reference
- was made, that version could be killed later on when a new easy
- handle came using the same connection. This was wrong as Hauke's
- example showed that the removed handle wasn't killed for real
- until later. This caused a double close attempt => segfault.
+ Reported-by: Dmitry-Me
+ Closes #695
-- ignore more files generated when tests run in the source tree
+Jay Satiro (1 Mar 2016)
+- [Anders Bakken brought this change]
-- Thomas Lopatic fixed the alarm()-based DNS timeout
+ url: if Curl_done is premature then pipeline not in use
+
+ Prevent a crash if 2 (or more) requests are made to the same host and
+ pipelining is enabled and the connection does not complete.
+
+ Bug: https://github.com/curl/curl/pull/690
-- [Thomas Lopatic brought this change]
+- [Viktor Szakats brought this change]
- fix the alarm()-based DNS timeout
+ makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
- Looking at the code of Curl_resolv_timeout() in hostip.c, I think
- that in case of a timeout, the signal handler for SIGALRM never
- gets removed. I think that in my case it gets executed at some
- point later on when execution has long left Curl_resolv_timeout()
- or even the cURL library.
+ using envvars `CURL_LDFLAG_EXTRAS_DLL` and
+ `CURL_LDFLAG_EXTRAS_EXE` respectively. This
+ is useful f.e. to pass ASLR-related extra
+ options, that are required to make this
+ feature work when using the mingw toolchain.
- The code that is jumped to with siglongjmp() simply sets the
- error message to "name lookup timed out" and then returns with
- CURLRESOLV_ERROR. I guess that instead of simply returning
- without cleaning up, the code should have a goto that jumps to
- the spot right after the call to Curl_resolv().
+ Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985
+
+ Closes https://github.com/curl/curl/pull/689
-- [Daniel Johnson brought this change]
+Daniel Stenberg (29 Feb 2016)
+- formpost: fix memory leaks in AddFormData error branches
+
+ Reported-by: Dmitry-Me
+ Fixes #688
- Fix warnings for clang
+Jay Satiro (28 Feb 2016)
+- getinfo: Fix syntax error when mbedTLS
+
+ The assignment of the mbedTLS TLS session info in the parent commit was
+ incorrect. Change the assignment to a pointer to the session structure.
-- Merge branch 'master' of github.com:bagder/curl
+- getinfo: Add support for mbedTLS TLS session info
+
+ .. and preprocessor check TLS session info is defined for all backends.
-Kamil Dudka (22 Mar 2010)
-- [douglas steinwand brought this change]
+Daniel Stenberg (26 Feb 2016)
+- ROADMAP: clarify on the TLS proxy, mention HTTP cookies to work on
- Fix insufficient initialization in Curl_clone_ssl_config()
+- file: try reading from files with no size
+
+ Some systems have special files that report as 0 bytes big, but still
+ contain data that can be read (for example /proc/cpuinfo on
+ Linux). Starting now, a zero byte size is considered "unknown" size and
+ will be read as far as possible anyway.
+
+ Reported-by: Jesse Tan
- which could have caused a double free when reusing curl handle.
+ Closes #681
-Daniel Stenberg (22 Mar 2010)
-- we never used this file anyway
+Jay Satiro (25 Feb 2016)
+- configure: warn on invalid ca bundle or path
+
+ - Warn if --with-ca-bundle file does not exist.
+
+ - Warn if --with-ca-path directory does not contain certificates.
+
+ - Improve help messages for both.
+
+ Example configure output:
+
+ ca cert bundle: /some/file (warning: certs not found)
+ ca cert path: /some/dir (warning: certs not found)
+
+ Bug: https://github.com/curl/curl/issues/404
+ Reported-by: Jeffrey Walton
-- s/CVS/git
+Daniel Stenberg (24 Feb 2016)
+- Curl_read: check for activated HTTP/1 pipelining, not only requested
+
+ ... as when pipelining is used, we read things into a unified buffer and
+ we don't do that with HTTP/2. This could then easily make programs that
+ set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX to get data
+ intermixed or plain broken between HTTP/2 streams.
+
+ Reported-by: Anders Bakken
-- various changes of CVS to git
+Patrick Monnerat (24 Feb 2016)
+- os400: Fix ILE/RPG definition of CURLOPT_TFTP_NO_OPTIONS
-- remove references to CVS in the code and use DEV instead
+Jay Satiro (23 Feb 2016)
+- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
+
+ The two options are almost the same, except in the case of OpenSSL:
+
+ CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.
+
+ CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.
+
+ For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to
+ return an SSL pointer for OpenSSL.
+
+ Also, add support for the 'internals' member to point to SSL object for
+ the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and
+ wolfSSL.
+
+ Bug: https://github.com/curl/curl/issues/234
+ Reported-by: dkjjr89@users.noreply.github.com
+
+ Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html
+ Reported-by: Michael König
-- Ben Greear's two fixes explained
+Daniel Stenberg (23 Feb 2016)
+- multi_remove_handle: keep the timeout list until after disconnect
+
+ The internal Curl_done() function uses Curl_expire() at times and that
+ uses the timeout list. Better clean up the list once we're done using
+ it. This caused a segfault.
+
+ Reported-by: 蔡文凱
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html
-- [Ben Greear brought this change]
+Kamil Dudka (23 Feb 2016)
+- tests/sshserver.pl: use RSA instead of DSA for host auth
+
+ DSA is no longer supported by OpenSSH 7.0, which causes all SCP/SFTP
+ test cases to be skipped. Using RSA for host authentication works with
+ both old and new versions of OpenSSH.
+
+ Reported-by: Karlson2k
+
+ Closes #676
- Fix tftp return codes and tsize upload handling
+Jay Satiro (23 Feb 2016)
+- TFTP: add option to suppress TFTP option requests (Part 2)
+
+ - Add tests.
+
+ - Add an example to CURLOPT_TFTP_NO_OPTIONS.3.
- Error codes were not properly returned to the main curl code (and on to apps
- using libcurl).
+ - Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.
- tftp was crapping out when tsize == 0 on upload, but I see no reason to fail
- to upload just because the remote file is zero-length. Ignore tsize option on
- upload.
+ Bug: https://github.com/curl/curl/issues/481
-- more files to ignore
+- [Michael Koenig brought this change]
-- provide an initial set of .gitignore files
+ TFTP: add option to suppress TFTP option requests (Part 1)
+
+ Some TFTP server implementations ignore the "TFTP Option extension"
+ (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
+ problems with libcurl. Another switch for curl_easy_setopt
+ "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
+ sending TFTP option requests to a server, avoiding many problems caused
+ by faulty implementations.
+
+ Bug: https://github.com/curl/curl/issues/481
+
+Daniel Stenberg (22 Feb 2016)
+- [Karlson2k brought this change]
+
+ runtests: Fixed usage of %PWD on MinGW64
+
+ Closes #672
+
+Jay Satiro (20 Feb 2016)
+- CURLOPT_DEBUGFUNCTION.3: Fix example
+
+- [Viktor Szakats brought this change]
+
+ src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
+
+ Sync with lib/Makefile.m32 which already uses those variables.
+
+ Bug: https://github.com/curl/curl/pull/670
+
+Dan Fandrich (20 Feb 2016)
+- Enabled test 1437 after the bug fix in commit 3fa220a6
+
+Jay Satiro (19 Feb 2016)
+- [Emil Lerner brought this change]
+
+ curl_sasl: Fix memory leak in digest parser
+
+ If any parameter in a HTTP DIGEST challenge message is present multiple
+ times, memory allocated for all but the last entry should be freed.
+
+ Bug: https://github.com/curl/curl/pull/667
+
+Dan Fandrich (19 Feb 2016)
+- Added test 1437 to verify a memory leak
+
+ Reported-by: neex@users.noreply.github.com
+
+Jay Satiro (18 Feb 2016)
+- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
+
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
+
+- curl.1: HTTP headers for --cookie must be Set-Cookie style
+
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
+
+Daniel Stenberg (18 Feb 2016)
+- curl.1: add a missing dash
+
+- CONTRIBUTING.md: fix links
+
+- ISSUE_TEMPLATE: github issue template
+
+ First version, try this out!
+
+- CONTRIBUTING.md: move into .github
+
+ To hide github specific files somewhat from the rest.
+
+- opts: add references
+
+- examples/make: add 'checksrc' target
+
+- 10-at-a-time: typecast the argument passed to sleep()
+
+- externalsocket.c: fix compiler warning for fwrite return type
+
+- anyauthput.c: fix compiler warnings
+
+- simplessl.c: warning: while with space
+
+- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
+
+ Reported-By: Gisle Vanem
+
+- http2: don't decompress gzip decoding automatically
+
+ At one point during the development of HTTP/2, the commit 133cdd29ea0
+ introduced automatic decompression of Content-Encoding as that was what
+ the spec said then. Now however, HTTP/2 should work the same way as
+ HTTP/1 in this regard.
+
+ Reported-by: Kazuho Oku
+
+ Closes #661
+
+Jay Satiro (16 Feb 2016)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http: Don't break the header into chunks if HTTP/2
+
+ nghttp2 callback deals with TLS layer and therefore the header does not
+ need to be broken into chunks.
+
+ Bug: https://github.com/curl/curl/issues/659
+ Reported-by: Kazuho Oku
+
+Daniel Stenberg (16 Feb 2016)
+- [Viktor Szakats brought this change]
+
+ openssl: use macro to guard the opaque EVP_PKEY branch
+
+- [Viktor Szakats brought this change]
+
+ openssl: avoid direct PKEY access with OpenSSL 1.1.0
+
+ by using API instead of accessing an internal structure.
+ This is required starting OpenSSL 1.1.0-pre3.
+
+ Closes #650
+
+- RELEASE-NOTES: synced with ede0bfc079da
+
+- [Clint Clayton brought this change]
+
+ CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
+
+ Change the example in the docs for CURLOPT_CONNECTTIMEOUT_MS to use
+ CURLOPT_CONNECTTIMEOUT_MS instead of CURLOPT_CONNECTTIMEOUT.
+
+ Closes #653
+
+- opt-docs: add more references
+
+- [David Byron brought this change]
+
+ SCP: use libssh2_scp_recv2 to support > 2GB files on windows
+
+ libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any
+ day now.
+
+ Closes #451
+
+Jay Satiro (13 Feb 2016)
+- [Shine Fan brought this change]
+
+ gtls: fix for builds lacking encrypted key file support
+
+ Bug: https://github.com/curl/curl/pull/651
+
+Dan Fandrich (13 Feb 2016)
+- test1604: Add to Makefile.inc so it gets run
+
+Jay Satiro (12 Feb 2016)
+- generate.bat: Fix comment bug by removing old comments
+
+ Remove NOTES section, it's no longer needed since we aren't setting the
+ errorlevel and more importantly the recently updated URL in the comments
+ is causing some unusual behavior that breaks the script.
+
+ Closes https://github.com/curl/curl/issues/649
+
+Kamil Dudka (12 Feb 2016)
+- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
+
+ The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man
+ pages since curl-7_12_3~131. This patch makes it clear in the curl.1
+ man page, too.
+
+ Bug: https://bugzilla.redhat.com/1305970
+
+Daniel Stenberg (12 Feb 2016)
+- dist: ship buildconf.bat too
+
+ As the winbuild/* stuff uses it!
+
+- curlx_tvdiff: handle 32bit time_t overflows
+
+ On 32bit systems, make sure we don't overflow and return funky values
+ for very large time differences.
+
+ Reported-by: Anders Bakken
+
+ Closes #646
+
+- examples: fix some compiler warnings
+
+- simplessl.c: fix my breakage
+
+- examples: adhere to curl code style
+
+ All plain C examples now (mostly) adhere to the curl code style. While
+ they are only examples, they had diverted so much and contained all
+ sorts of different mixed code styles by now. Having them use a unified
+ style helps users and readability. Also, as they get copy-and-pasted
+ widely by users, making sure they're clean and nice is a good idea.
+
+ 573 checksrc warnings were addressed.
+
+- examples/cookie_interface.c: add cleanup call
+
+ cleaning up handles is a good idea as we leak memory otherwise
+
+ Also, line wrapped before 80 columns.
+
+Kamil Dudka (10 Feb 2016)
+- nss: search slash in forward direction in dup_nickname()
+
+ It is wasteful to search it backwards if we look for _any_ slash.
+
+- nss: do not count enabled cipher-suites
+
+ We only care if at least one cipher-suite is enabled, so it does
+ not make any sense to iterate till the end and count all enabled
+ cipher-suites.
+
+Daniel Stenberg (10 Feb 2016)
+- contributors.sh: make 79 the max column width (from 80)
+
+- RELEASE-NOTES: synced with c276aefee3995
+
+- mbedtls.c: re-indent to better match curl standards
+
+- [Rafael Antonio brought this change]
+
+ mbedtls: fix memory leak when destroying SSL connection data
+
+ Closes #626
+
+- mbedtls: fix ALPN usage segfault
+
+ Since we didn't keep the input argument around after having called
+ mbedtls, it could end up accessing the wrong memory when figuring out
+ the ALPN protocols.
+
+ Closes #642
+
+Jay Satiro (9 Feb 2016)
+- [Timotej Lazar brought this change]
+
+ opts: update references to renamed options
+
+- KNOWN_BUGS: Update #92 - Windows device prefix
+
+- tool_doswin: Support for literal path prefix \\?\
+
+ For example something like --output \\?\C:\foo
+
+Daniel Stenberg (9 Feb 2016)
+- configure: state "BoringSSL" in summary when that was detected
+
+- [David Benjamin brought this change]
+
+ openssl: remove most BoringSSL #ifdefs.
+
+ As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
+ BoringSSL #ifdefs in cURL should be unnecessary:
+
+ - BoringSSL provides no-op stubs for compatibility which replaces most
+ #ifdefs.
+
+ - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
+ the compatibility codepath.
+
+ - With a small tweak to an extend_key_56_to_64 call, the NTLM code
+ builds fine.
+
+ - Switch OCSP-related #ifdefs to the more generally useful
+ OPENSSL_NO_OCSP.
+
+ The only #ifdefs which remain are Curl_ossl_version and the #undefs to
+ work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
+ that to the consumer. The in-header workaround makes things sensitive to
+ include order.)
+
+ This change errs on the side of removing conditionals despite many of
+ the restored codepaths being no-ops. (BoringSSL generally adds no-op
+ compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
+ bad enough!)
+
+ Closes #640
+
+Jay Satiro (8 Feb 2016)
+- KNOWN_BUGS: Windows device prefix is required for devices
+
+- tool_urlglob: Allow reserved dos device names (Windows)
+
+ Allow --output to reserved dos device names without the device prefix
+ for backwards compatibility.
+
+ Example: --output NUL can be used instead of --output \\.\NUL
+
+ Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
+ Reported-by: Gisle Vanem
+
+Daniel Stenberg (8 Feb 2016)
+- cookies: allow spaces in cookie names, cut of trailing spaces
+
+ It turns out Firefox and Chrome both allow spaces in cookie names and
+ there are sites out there using that.
+
+ Turned out the code meant to strip off trailing space from cookie names
+ didn't work. Fixed now.
+
+ Test case 8 modified to verify both these changes.
+
+ Closes #639
-Kamil Dudka (19 Mar 2010)
-- - Improved Curl_read() to not ignore the error returned from Curl_ssl_recv().
+Patrick Monnerat (8 Feb 2016)
+- Merge branch 'master' of github.com:curl/curl
-Daniel Stenberg (18 Mar 2010)
-- fix warning about conversions between curl_off_t and long
+- os400: sync ILE/RPG definitions with latest public header files.
-Yang Tse (18 Mar 2010)
-- another shot at the ftp_init() icc 9.1 optimizer issue
+Daniel Stenberg (8 Feb 2016)
+- [Ludwig Nussel brought this change]
-- replaced intel compiler option -no-ansi-alias with -fno-strict-aliasing
+ SSLCERTS: update wrt SSL CA certificate store
-- update outdated serial number
+- [Ludwig Nussel brought this change]
-Dan Fandrich (16 Mar 2010)
-- Factored out some code into a few independent functions
+ configure: --with-ca-fallback: use built-in TLS CA fallback
+
+ When trying to verify a peer without having any root CA certificates
+ set, this makes libcurl use the TLS library's built in default as
+ fallback.
+
+ Closes #569
-Daniel Stenberg (15 Mar 2010)
-- - Constantine Sapuntzakis brought a patch:
+- Proxy-Connection: stop sending this header by default
- The problem mentioned on Dec 10 2009
- (http://curl.haxx.se/bug/view.cgi?id=2905220) was only partially fixed.
- Partially because an easy handle can be associated with many connections in
- the cache (e.g. if there is a redirect during the lifetime of the easy
- handle). The previous patch only cleaned up the first one. The new fix now
- removes the easy handle from all connections, not just the first one.
+ RFC 7230 says we should stop. Firefox already stopped.
+
+ Bug: https://github.com/curl/curl/issues/633
+ Reported-By: Brad Fitzpatrick
+
+ Closes #633
-Yang Tse (11 Mar 2010)
-- fix compiler warning
+- bump: work toward the next release
-Dan Fandrich (11 Mar 2010)
-- SSL should now be working out-of-the-box on Symbian S60.
+- THANKS: 2 contributors from the 7.47.1 release
-- Enable Symbian zlib support by default.
+- RELEASE-PROCEDURE: remove the github upload part
+
+ ... as we're HTTPS on the main site now, there's no point in that
+ extra step
-- Allow compilation even when OpenSSL has been configured without MD4 support.
+Version 7.47.1 (8 Feb 2016)
-- A few Symbian build changes
+Daniel Stenberg (8 Feb 2016)
+- RELEASE-NOTES: curl 7.47.1 time!
-Yang Tse (9 Mar 2010)
-- watt32 compilation fix
+Jay Satiro (8 Feb 2016)
+- tool_operhlp: Check for backslashes in get_url_file_name
+
+ Extract the filename from the last slash or backslash. Prior to this
+ change backslashes could be part of the filename.
+
+ This change needed for the curl tool built for Cygwin. Refer to the
+ CYGWIN addendum in advisory 20160127B.
+
+ Bug: https://curl.haxx.se/docs/adv_20160127B.html
-Daniel Stenberg (6 Mar 2010)
-- - Ben Greear brought a patch that fixed the rate limiting logic for TFTP when
- the easy interface was used.
+Daniel Stenberg (7 Feb 2016)
+- RELEASE-NOTES: synced with d6a8869ea34
-- indent fix by Ben Greear, I removed some braces for single-line conditional
- expressions
+Jay Satiro (6 Feb 2016)
+- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
+
+ sk_X509_EXTENSION_num may return an unsigned integer, however the value
+ will fit in an int.
+
+ Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
+ Reported-by: Gisle Vanem
-Yang Tse (6 Mar 2010)
-- Added another VS10 version string
+Daniel Stenberg (7 Feb 2016)
+- TODO: 17.11 -w output to stderr
-- fix line break
+Jay Satiro (6 Feb 2016)
+- [Michael Kaufmann brought this change]
-- removed usage of 's6_addr', fixing compilation issue triggered with no
- longer using 'in6_addr' but only our 'ares_in6_addr' struct
+ idn_win32: Better error checking
+
+ .. also fix a conversion bug in the unused function
+ curl_win32_ascii_to_idn().
+
+ And remove wprintfs on error (Jay).
+
+ Bug: https://github.com/curl/curl/pull/637
-Daniel Stenberg (5 Mar 2010)
-- Daniel Johnson provided fixes for building with the clang compiler
+- [Gisle Vanem brought this change]
-Yang Tse (5 Mar 2010)
-- Added IPv6 name servers support
+ examples/asiohiper: Avoid function name collision on Windows
+
+ closesocket => close_socket
+ Winsock already has the former.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
-Gisle Vanem (5 Mar 2010)
-- Ops!. Readded ares_nowarn.h.
+- [Gisle Vanem brought this change]
-- Added ares_nowarn.c.
+ examples/htmltitle: Use _stricmp on Windows
+
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
-Yang Tse (5 Mar 2010)
-- Constantine Sapuntzakis detected and fixed a double free in builds done
- with threaded resolver enabled (Windows default configuration) that would
- get triggered when a curl handle is closed while doing DNS resolution.
+Daniel Stenberg (6 Feb 2016)
+- COPYING: clarify that Daniel is not the sole author
+
+ ... done on request and as it is a fair point.
-- Added SIZEOF_INT and SIZEOF_SHORT definitions for VMS configuration file
+Jay Satiro (5 Feb 2016)
+- unit1604: Fix unit setup return code
-Daniel Stenberg (4 Mar 2010)
-- Julien Chaffraix clarified CURLOPT_HEADERFUNCTION and made
- CURLOPT_HEADERFUNCTION and CURLOPT_WRITEFUNCTION more consistent
+- tool_doswin: Use type SANITIZEcode in sanitize_file_name
-- - [Daniel Johnson] I've been trying to build libcurl with clang on Darwin and
- ran into some issues with the GSSAPI tests in configure.ac. The tests first
- try to determine the include dirs and libs and set CPPFLAGS and LIBS
- accordingly. It then checks for the headers and finally sets LIBS a second
- time, causing the libs to be included twice. The first setting of LIBS seems
- redundant and should be left out, since the first part is otherwise just
- about finding headers.
+- tool_doswin: Improve sanitization processing
+
+ - Add unit test 1604 to test the sanitize_file_name function.
+
+ - Use -DCURL_STATICLIB when building libcurltool for unit testing.
+
+ - Better detection of reserved DOS device names.
+
+ - New flags to modify sanitize behavior:
+
+ SANITIZE_ALLOW_COLONS: Allow colons
+ SANITIZE_ALLOW_PATH: Allow path separators and colons
+ SANITIZE_ALLOW_RESERVED: Allow reserved device names
+ SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
- My second issue is that 'krb5-config --libs gssapi' on Darwin is less than
- useless and returns junk that, while it happens to work with gcc, causes
- clang to choke. For example, --libs returns $CFLAGS along with the libs,
- which is really retarded. Simply setting 'LIBS="$LIBS -lgssapi_krb5
- -lresolv"' on Darwin is sufficient.
+ - Restore sanitization of banned characters from user-specified outfile.
+
+ Prior to this commit sanitization of a user-specified outfile was
+ temporarily disabled in 2b6dadc because there was no way to allow path
+ separators and colons through while replacing other banned characters.
+ Now in such a case we call the sanitize function with
+ SANITIZE_ALLOW_PATH which allows path separators and colons to pass
+ through.
+
+
+ Closes https://github.com/curl/curl/issues/624
+ Reported-by: Octavio Schroeder
-- - Based on patch provided by Jacob Moshenko, the transfer logic now properly
- makes sure that when using sub-second timeouts, there's no final bad 1000ms
- wait. Previously, a sub-second timeout would often make the elapsed time end
- up the time rounded up to the nearest second (e.g. 1s for 200ms timeout)
+- [Viktor Szakats brought this change]
-- update the generic copyright year range to include 2010
+ URLs: change more http to https
-- - Andrei Benea filed bug report #2956698 and pointed out that the
- CURLOPT_CERTINFO feature leaked memory due to a missing OpenSSL function
- call. He provided the patch to fix it too.
+- sasl_sspi: Fix memory leak in domain populate
+
+ Free an existing domain before replacing it.
- http://curl.haxx.se/bug/view.cgi?id=2956698
+ Bug: https://github.com/curl/curl/issues/635
+ Reported-by: silveja1@users.noreply.github.com
-- - Markus Duft pointed out in bug #2961796 that even though Interix has a
- poll() function it doesn't quite work the way we want it so we must disable
- it, and he also provided a patch for it.
+Daniel Stenberg (4 Feb 2016)
+- [Viktor Szakats brought this change]
+
+ URLs: follow GitHub project rename (also Travis CI)
- http://curl.haxx.se/bug/view.cgi?id=2961796
+ Closes #632
-- - Made the pingpong timeout code properly deal with the response timeout AND
- the global timeout if set. Also, as was reported in the bug report #2956437
- by Ryan Chan, the time stamp to use as basis for the per command timeout was
- not set properly in the DONE phase for FTP (and not for SMTP) so I fixed
- that just now. This was a regression compared to 7.19.7 due to the
- conversion of FTP code over to the generic pingpong concepts.
+- CHANGES.o: fix references to curl.haxx.nu
- http://curl.haxx.se/bug/view.cgi?id=2956437
+ I removed the scheme prefix from the URLs references this host name, as
+ we don't own/run that anymore but the name is kept for historic reasons.
+
+- HISTORY: add some info about when we used which host names
+
+Jay Satiro (2 Feb 2016)
+- [Viktor Szakats brought this change]
-- remove assignment never used
+ URLs: change more http to https
-- - Ben Greear provided an update for TFTP that fixes upload.
+Dan Fandrich (3 Feb 2016)
+- URLs: Change more haxx.se URLs from http: to https:
-- SSL, not SSH, SSL
+Daniel Stenberg (3 Feb 2016)
+- RELEASE-NOTES: synced with 4af40b364
-- - Wesley Miaw reported bug #2958179 which identified a case of looping during
- OpenSSL based SSL handshaking even though the multi interface was used and
- there was no good reason for it.
+- URLs: change all http:// URLs to https://
+
+- configure: update the copyright year range in output
+
+- dotdot: allow an empty input string too
- http://curl.haxx.se/bug/view.cgi?id=2958179
+ It isn't used by the code in current conditions but for safety it seems
+ sensible to at least not crash on such input.
+
+ Extended unit test 1395 to verify this too as well as a plain "/" input.
-Yang Tse (28 Feb 2010)
-- Added SIZEOF_INT and SIZEOF_SHORT definitions for non-configure systems
+- HTTPS: update a bunch of URLs from HTTP to HTTPS
-- Added ares_nowarn.* to VC6 project file
+- [Sergei Nikulov brought this change]
-Daniel Stenberg (26 Feb 2010)
-- spellchecked by Stéphane Fillod
+ AppVeyor: updated to handle OpenSSL/WinSSL builds
+
+ Closes #621
-- - Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
- chunked-encoding trailer.
+Jay Satiro (1 Feb 2016)
+- tool_operate: Don't sanitize --output path (Windows)
- http://curl.haxx.se/bug/view.cgi?id=2958474
+ Due to path separators being incorrectly sanitized in --output
+ pathnames, eg -o c:\foo => c__foo
+
+ This is a partial revert of 3017d8a until I write a proper fix. The
+ remote-name will continue to be sanitized, but if the user specified an
+ --output with string replacement (#1, #2, etc) that data is unsanitized
+ until I finish a fix.
+
+ Bug: https://github.com/bagder/curl/issues/624
+ Reported-by: Octavio Schroeder
-Dan Fandrich (26 Feb 2010)
-- Fixed a couple of out of memory leaks and a segfault in the IMAP code.
+- curl.1: Explain remote-name behavior if file already exists
+
+ .. also warn about letting the server pick the filename.
-Yang Tse (26 Feb 2010)
-- fix sizeof short
+- [Gisle Vanem brought this change]
-- Added SIZEOF_INT and SIZEOF_SHORT definitions for non-configure systems
+ urldata: Error on missing SSL backend-specific connect info
-- Added SIZEOF_INT definition
+Daniel Stenberg (28 Jan 2016)
+- bump: towards the next (7.47.1 ?)
-- fix compiler warning
+- [Sergei Nikulov brought this change]
-- fix compiler warning
+ cmake: fixed when OpenSSL enabled on Windows and schannel detected
+
+ Closes #617
-- fix compiler warning
+Jay Satiro (28 Jan 2016)
+- [Sergei Nikulov brought this change]
-Dan Fandrich (25 Feb 2010)
-- Fixed a couple of out of memory leaks and a segfault in the SMTP code.
+ urldata: moved common variable out of ifdef
+
+ Closes https://github.com/bagder/curl/pull/618
-Yang Tse (25 Feb 2010)
-- fix file name
+- [Viktor Szakats brought this change]
-- Fixed bug report #2958074 indicating
- (http://curl.haxx.se/bug/view.cgi?id=2958074) that curl on Windows with
- option --trace-time did not use local time when timestamping trace lines.
- This could also happen on other systems depending on time souurce.
+ tool_doswin: silence unused function warning
+
+ tool_doswin.c:185:14: warning: 'msdosify' defined but not used
+ [-Wunused-function]
+
+ Closes https://github.com/bagder/curl/pull/616
-- enable 802 and 803
+Daniel Stenberg (27 Jan 2016)
+- getredirect.c: fix variable name
+
+ Reported-by: Bernard Spil
-- fix compiler warning
+Version 7.47.0 (27 Jan 2016)
-- fix compiler warning
+Daniel Stenberg (27 Jan 2016)
+- examples/Makefile.inc: specify programs without .c!
-- fix compiler warning
+- THANKS: 6 new contributors from 7.47.0 release notes
-- fix socket data type
+- [Isaac Boukris brought this change]
-- fix socket data type and logging format in debug tracking socket functions
+ NTLM: Fix ConnectionExists to compare Proxy credentials
+
+ Proxy NTLM authentication should compare credentials when
+ re-using a connection similar to host authentication, as it
+ authenticate the connection.
+
+ Example:
+ curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+ --proxy-ntlm --next -x http://proxy:port http://host/
+ [-U fake_user:fake_pwd --proxy-ntlm]
+
+ CVE-2016-0755
+
+ Bug: http://curl.haxx.se/docs/adv_20160127A.html
-- convert Curl_ultous() and Curl_ultouc() functions to curlx_ultous() and
- curlx_ultouc(), exposing them through curlx.h to allow proper code reuse
- later in our test harness.
+- [Ray Satiro brought this change]
-- updated sources
+ curl: avoid local drive traversal when saving file (Windows)
+
+ curl does not sanitize colons in a remote file name that is used as the
+ local file name. This may lead to a vulnerability on systems where the
+ colon is a special path character. Currently Windows/DOS is the only OS
+ where this vulnerability applies.
+
+ CVE-2016-0754
+
+ Bug: http://curl.haxx.se/docs/adv_20160127B.html
-Patrick Monnerat (22 Feb 2010)
-- _ Adjusted RFC821 HELO fallback and enabled test804
+- RELEASE-NOTES: 7.47.0
-- - Proper handling of STARTTLS on SMTP, taking CURLUSESSL_TRY into account.
- - SMTP falls back to RFC821 HELO when EHLO fails (and SSL is not required).
- - Use of true local host name (i.e.: via gethostname()) when available, as default argument to SMTP HELO/EHLO.
- - Test case 804 for HELO fallback.
+- FAQ: language fix in 4.19
-Yang Tse (22 Feb 2010)
-- add header inclusion
+- [paulehoffman brought this change]
-- fix compiler warning
+ FAQ: Update to point to GitHub
+
+ Current FAQ didn't make it clear where the main repo is.
+
+ Closes #612
-- fix compiler warning
+- maketgz: generate date stamp with LC_TIME=C
+
+ bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
-Daniel Stenberg (21 Feb 2010)
-- clarify more details on section "2.1 More non-blocking"
+- curl_multi_socket_action.3: line wrap
-- TFTP transfers are not blocking since 7.20.0
+- RELEASE-NOTES: synced with d58ba66eeceb
-- - Fixed the SMTP compliance by making sure RCPT TO addresses are specified
- properly in angle brackets. Recipients provided with CURLOPT_MAIL_RCPT now
- get angle bracket wrapping automatically by libcurl unless the recipient
- starts with an angle bracket as then the app is assumed to deal with that
- properly on its own.
+Steve Holme (21 Jan 2016)
+- TODO: "Create remote directories" for SMB
-- - I made the SMTP code expect a 250 response back from the server after the
- full DATA has been sent, and I modified the test SMTP server to also send
- that response. As usual, the DONE operation that is made after a completed
- transfer is still not doable in a non-blocking way so this waiting for 250
- is unfortunately made blockingly.
+Jay Satiro (18 Jan 2016)
+- mbedtls: Fix pinned key return value on fail
+
+ - Switch from verifying a pinned public key in a callback during the
+ certificate verification to inline after the certificate verification.
+
+ The callback method had three problems:
+
+ 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
+ was not returned.
+
+ 2. If peer certificate verification was disabled the pinned key
+ verification did not take place as it should.
+
+ 3. (related to #2) If there was no certificate of depth 0 the callback
+ would not have checked the pinned public key.
+
+ Though all those problems could have been fixed it would have made the
+ code more complex. Instead we now verify inline after the certificate
+ verification in mbedtls_connect_step2.
+
+ Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
+ Ref: https://github.com/bagder/curl/pull/601
-- corected a comment and wrapped a few longish lines
+- tests: Add a test for pinnedpubkey fail even when insecure
+
+ Because disabling the peer verification (--insecure) must not disable
+ the public key pinning check (--pinnedpubkey).
-Yang Tse (20 Feb 2010)
-- fix compiler warning
+- [Daniel Schauenberg brought this change]
-- fix compiler warning
+ CURLINFO_RESPONSE_CODE.3: add example
-- fix compiler warning
+Kamil Dudka (15 Jan 2016)
+- ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
+
+ The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
+ empty strings specially since curl-7_25_0-31-g05a443a but the behavior
+ was unintentionally removed in curl-7_38_0-47-gfa7d04f.
+
+ This commit restores the original behavior and clarifies it in the
+ documentation that NULL and "" have both the same meaning when passed
+ to CURLOPT_SSH_PUBLIC_KEYFILE.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
+
+Daniel Stenberg (14 Jan 2016)
+- RELEASE-NOTES: synced with 35083ca60ed035a
-- fix compiler warning
+- openssl: improved error detection/reporting
+
+ ... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
+ 1.1.0+ returned a new func number of another cerfificate fail so this
+ required a fix and this is the better way to catch this error anyway.
+
+- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
-- fix compiler warning
+- CURLOPT_RESOLVE.3: minor language polish
-Daniel Stenberg (17 Feb 2010)
-- ares_reinit()
+- configure: assume IPv6 works when cross-compiled
+
+ The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
+ works, and testing like that doesn't work for cross-compiles. These days
+ IPv6 support is widespread so a blind guess is probably more likely to
+ be 'yes' than 'no' now.
+
+ Further: anyone who cross-compiles can use configure's --disable-ipv6 to
+ explicitly disable IPv6 and that also works for cross-compiles.
- - To allow an app to force a re-read of /etc/resolv.conf etc, pretty much
- like the res_init() resolver function offers
+ Made happen after discussions in issue #594
-- use curl standard indentation and line lengths
+- TODO: "Try to URL encode given URL"
+
+ Closes #514
-Yang Tse (16 Feb 2010)
-- replaced tabs with spaces
+- ConnectionExists: only do pipelining/multiplexing when asked
+
+ When an HTTP/2 upgrade request fails (no protocol switch), it would
+ previously detect that as still possible to pipeline on (which is
+ acorrect) and do that when PIPEWAIT was enabled even if pipelining was
+ not explictily enabled.
+
+ It should only pipelined if explicitly asked to.
+
+ Closes #584
-- fix Content-Length validation
+- [Mohammad AlSaleh brought this change]
+
+ lib: Prefix URLs with lower-case protocol names/schemes
+
+ Before this patch, if a URL does not start with the protocol
+ name/scheme, effective URLs would be prefixed with upper-case protocol
+ names/schemes. This behavior might not be expected by library users or
+ end users.
+
+ For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
+ URL is "hostname/path". The effective URL would be
+ "HTTPS://hostname/path" instead of "https://hostname/path".
+
+ After this patch, effective URLs would be prefixed with a lower-case
+ protocol name/scheme.
+
+ Closes #597
+
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
-Daniel Stenberg (15 Feb 2010)
-- use (void) in front of fwrite() calls that ignore the return code
+- [Alessandro Ghedini brought this change]
-Yang Tse (15 Feb 2010)
-- fix compiler warning: conversion from "long" to "size_t" may lose sign
+ scripts: don't generate and install zsh completion when cross-compiling
-- fix compiler warning: conversion from "long" to "size_t" may lose sign
+- [Alessandro Ghedini brought this change]
-Daniel Stenberg (15 Feb 2010)
-- -w speed_download and speed_upload are measured in bytes per second
+ scripts: fix zsh completion generation
+
+ The script should use the just-built curl, not the system one. This fixes
+ zsh completion generation when no system curl is installed.
-- 75. NTLM authentication involving unicode user name or password.
- http://curl.haxx.se/mail/lib-2009-10/0024.html
- http://curl.haxx.se/bug/view.cgi?id=2944325
+- [Alessandro Ghedini brought this change]
-Yang Tse (14 Feb 2010)
-- removed trailing whitespace
+ zsh.pl: fail if no curl is found
+
+ Instead of generation a broken completion file.
-- fix compiler warning
+- [Michael Kaufmann brought this change]
-- Overhauled test suite getpart() function. Fixing potential out of bounds
- stack and memory overwrites triggered with huge test case definitions.
+ IDN host names: Remove the port number before converting to ACE
+
+ Closes #596
-Daniel Stenberg (13 Feb 2010)
-- - Martin Hager reported and fixed a problem with a missing quote in libcurl.m4
+Jay Satiro (10 Jan 2016)
+- runtests: Add mbedTLS to the SSL backends
- (http://curl.haxx.se/bug/view.cgi?id=2951319)
+ .. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
+
+Daniel Stenberg (10 Jan 2016)
+- [Thomas Glanzmann brought this change]
+
+ mbedtls: implement CURLOPT_PINNEDPUBLICKEY
-Gunter Knauf (13 Feb 2010)
-- used allways #ifdef / #ifndef;
- moved gethostbyname_thread() to #else case to avoid 'not used' compiler warning.
+Jay Satiro (9 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-- replaced tabs by spaces, removed trailing tabs/spaces.
+ url: Fix compile error with --enable-werror
-Daniel Stenberg (13 Feb 2010)
-- - Tom Donovan fixed the CURL_FORMAT_* defines when building with cmake.
+- [Tatsuhiro Tsujikawa brought this change]
-- - Jack Zhang reported a problem with SMTP: we wrongly used multiple addresses
- in the same RCPT TO line, when they should be sent in separate single
- commands. I updated test case 802 to verify this.
+ http2: Ensure that http2_handle_stream_close is called
+
+ Previously, when HTTP/2 is enabled and used, and stream has content
+ length known, Curl_read was not called when there was no bytes left to
+ read. Because of this, we could not make sure that
+ http2_handle_stream_close was called for every stream. Since we use
+ http2_handle_stream_close to emit trailer fields, they were
+ effectively ignored. This commit changes the code so that Curl_read is
+ called even if no bytes left to read, to ensure that
+ http2_handle_stream_close is called for every stream.
+
+ Discussed in https://github.com/bagder/curl/pull/564
+
+Daniel Stenberg (8 Jan 2016)
+- http2: handle the received SETTINGS frame
+
+ This regression landed in 5778e6f5 and made libcurl not act on received
+ settings and instead stayed with its internal defaults.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
+ Reported-by: Bankde
+
+- Revert "multiplex: allow only once HTTP/2 is actually used"
+
+ This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36.
- - I also fixed a bad use of my_setopt_str() of CURLOPT_MAIL_RCPT in the curl
- tool which made it try to output it as string for the --libcurl feature
- which could lead to crashes.
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
-- CURLOPT_MAIL_RCPT is *not* a string so we must not try to printf() it
+Jay Satiro (8 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-- free --mail-from strings properly
+ http2: Fix PUSH_PROMISE headers being treated as trailers
+
+ Discussed in https://github.com/bagder/curl/pull/564
-Patrick Monnerat (11 Feb 2010)
-- _ Make it compilable again on OS400.
- _ Upgrade OS400 EBCDIC wrappers for new options.
- _ Upgrade ILE/RPG bindings to current state.
+Daniel Stenberg (8 Jan 2016)
+- [Michael Kaufmann brought this change]
-Yang Tse (11 Feb 2010)
-- mention last changes
+ connection reuse: IDN host names fixed
+
+ Use the ACE form of IDN hostnames as key in the connection cache. Add
+ new tests.
+
+ Closes #592
-- Steven M. Schweda updated VMS readme file
+- tests: mark IPv6 FTP and FTPS tests with the FTP keyword
-- Steven M. Schweda removed batch_compile.com and defines.com
+Jay Satiro (7 Jan 2016)
+- mbedtls: Fix ALPN support
+
+ - Fix ALPN reply detection.
+
+ - Wrap nghttp2 code in ifdef USE_NGHTTP2.
+
+
+ Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
-- Steven M. Schweda fixed:
+- http2: Fix client write for trailers on stream close
- VMS builder bad behavior when used in a batch job.
+ Check that the trailer buffer exists before attempting a client write
+ for trailers on stream close.
- Various ".LIS" and ".MAP" files created without being requested
- by a "LIST" command-line option, and in the wrong place, too.
+ Refer to comments in https://github.com/bagder/curl/pull/564
+
+Daniel Stenberg (7 Jan 2016)
+- COPYING: update general copyright year range
+
+- ConnectionExists: add missing newline in infof() call
- Some minor typographical changes.
+ Mistake from commit a464f33843ee1
-Dan Fandrich (10 Feb 2010)
-- Mention the minimum size of CURL_MAX_WRITE_SIZE
+- multiplex: allow only once HTTP/2 is actually used
+
+ To make sure curl doesn't allow multiplexing before a connection is
+ upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the
+ connection uses HTTP/2 as well and not only check what's wanted.
+
+ Closes #584
+
+ Patch-by: c0ff
-Yang Tse (10 Feb 2010)
-- - remove extra "\r\n" from doc404_RTSP
+Jay Satiro (4 Jan 2016)
+- curl_global_init.3: Add Windows-specific info for init via DLL
- - avoid memory alignment issue when setting RTSP packet length
+ - Add to both curl_global_init.3 and libcurl.3 the caveat for Windows
+ that initializing libcurl via a DLL's DllMain or static initializer
+ could cause a deadlock.
+
+ Bug: https://github.com/bagder/curl/issues/586
+ Reported-by: marc-groundctl@users.noreply.github.com
+
+Daniel Stenberg (4 Jan 2016)
+- FAQ: clarify who to mail about ECCN clarifications
+
+- progressfunc.c: spellfix description
-Dan Fandrich (9 Feb 2010)
-- Removed some erroneous "compressed" key words
+- docs/examples/multi-app.c: fix bad desc formatting
-Daniel Stenberg (9 Feb 2010)
-- start working on 7.20.1
+- examples: added descriptions
-Version 7.20.0 (9 Feb 2010)
+- example/simple.c: add description
-Daniel Stenberg (9 Feb 2010)
-- spell and 7.20.0
+- getredirect.c: a new example
-- - When downloading compressed content over HTTP and the app as asked libcurl
- to automatically uncompress it with the CURLOPT_ENCODING option, libcurl
- could wrongly provide the callback with more data than what the maximum
- documented amount. An application could thus get tricked into badness if the
- maximum limit was trusted to be enforced by libcurl itself (as it is
- documented).
+Marc Hoersken (27 Dec 2015)
+- RELEASE-NOTES: add 5e0e81a9c4e35f04ca
+
+Daniel Stenberg (26 Dec 2015)
+- RELEASE-NOTES: synced with 2aec4359db1088b10d
+
+Marc Hoersken (26 Dec 2015)
+- test 1515: add data check
+
+- test 1515: add MSYS support by passing a relative path
- This is further detailed and explained in the libcurl security advisory
- 20100209 at
+ MSYS would otherwise turn a /-style path into a C:\-style path.
+
+- test 539: use datacheck mode text for ASCII-mode LISTings
- http://curl.haxx.se/docs/adv_20100209.html
+ While still using datacheck mode binary for the inline reply data.
-- set VERSIONINFO accordingly for the 7.20.0 release
+- runtests.pl: check up to 5 data parts with different text modes
+
+ Move the text-mode conversion for reply/replycheck from the verify
+ section into the load section and add support for 4 more check parts.
-Yang Tse (6 Feb 2010)
-- warning fix
+Daniel Stenberg (24 Dec 2015)
+- CURLOPT_RANGE: for HTTP servers, range support is optional
-- OOM handling fix
+Marc Hoersken (24 Dec 2015)
+- tests 1048 and 1050: use datacheck mode text for ASCII-mode LISTings
-- OOM handling fix
+- tests 706 and 707: use datacheck mode text for ASCII-mode LISTings
-- fix compiler warning
+- tests 400,403,406: use datacheck mode text for ASCII-mode LISTings
-- fix compiler warning
+- sockfilt.c: fix calculation of sleep timeout on Windows
+
+ Not converting to double caused small timeouts to be skipped.
-- fix compiler warning
+- tests first.c: fix calculation of sleep timeout on Windows
+
+ Not converting to double caused small timeouts to be skipped.
-- Addes OOM handling for curl_easy_setopt() calls in test
+- test 573: add more debug output
-- - avoid OpenSSL 0.9.8 ENGINE_by_id memory leak
+- ftplistparser.c: fix handling of file LISTings using Windows EOL
+
+ Previously file.txt[CR][LF] would have been returned as file.tx
+ (without the last t) if filetype is symlink. Now the t is
+ included and the internal item_length includes the zero byte.
- - cleanup parenthesis usage in return statements
+ Spotted using test 576 on Windows.
-- - attempt to workaround icc 9.1 optimizer issue
+- test 16: fix on Linux (and Windows) by using plain ASCII characters
+
+ Follow up on b064ff0c351bb287557228575ef4c1d079b866fb, thanks Daniel.
-- fix printf-style format strings
+- tftpd server: add Windows support by writing files in binary mode
-- Validate server port argument
+- tests 252-255: use datacheck mode text for ASCII-mode LISTings
-- Fix variable initialization
+- test 16: fix on Windows by converting data file from ANSI to UTF-8
-- Modified test case 557 to additionally verify libcurl's internal curl_m*printf()
- functions formatting functionality when handling signed and unsigned shorts.
+Daniel Stenberg (23 Dec 2015)
+- Makefile.inc: s/curl_SOURCES/CURL_FILES
+
+ This allows the root Makefile.am to include the Makefile.inc without
+ causing automake to warn on it (variables named *_SOURCES are
+ magic). curl_SOURCES is then instead assigned properly in
+ src/Makefile.am only.
+
+ Closes #577
-- Added size check for 'short' data type
+- [Anders Bakken brought this change]
-- Fix compiler warning: unused variable
+ ConnectionExists: with *PIPEWAIT, wait for connections
+
+ Try harder to prevent libcurl from opening up an additional socket when
+ CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
+ handshakes complete first before the decision is made.
+
+ Closes #575
-- added an additional second to allow test to pass on heavily loaded servers
+- [Anders Bakken brought this change]
-Dan Fandrich (3 Feb 2010)
-- Changed the Watcom makefiles to make them easier to keep in sync with
- Makefile.inc since that can't be included directly.
+ Add .dir-locals and set c-basic-offset to 2.
+
+ This makes it easier for emacs users to automatically get the right
+ 2-space indentation when they edit curl source files.
+
+ c++-mode is in there as well because Emacs can't easily know if
+ something is a C or C++ header.
+
+ Closes #574
+
+- [Johannes Schindelin brought this change]
+
+ configure: detect IPv6 support on Windows
+
+ This patch was "nicked" from the MINGW-packages project by Daniel.
+
+ https://github.com/Alexpux/MINGW-packages/commit/9253d0bf58a1486e91f7efb5316e7fdb48fa4007
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (3 Feb 2010)
-- more symbols added in 7.20.0
+- configure: allow static builds on mingw
+
+ This patch is adopted from the MINGW-packages project. It makes it
+ possible to build curl both shared and static again.
+
+ URL: https://github.com/Alexpux/MINGW-packages/tree/master/mingw-w64-curl
-Yang Tse (3 Feb 2010)
-- Fix OOM handling
+Marc Hoersken (17 Dec 2015)
+- test 1326: fix file check since curl is outputting binary data
-- Fix progressmode Configurable struct member data type. Changed to
- 'int' which fits better with existing CURL_PROGRESS_* definitions.
+- test 1326: fix getting stuck on Windows due to incomplete request
+
+ The request needs to be read and send in binary mode in order to use
+ CRLF instead of LF. Adding --upload-file - causes curl to read stdin
+ in binary mode.
-- Fix portability issue related with unaligned memory access
+Daniel Stenberg (17 Dec 2015)
+- RELEASE-NOTES: command line option recount
-- Fix compiler warnings: conversion from 'const int ' to 'unsigned char ', possible loss of data
+Dan Fandrich (16 Dec 2015)
+- scripts/Makefile: build zsh script even in an out-of-tree build
+
+Marc Hoersken (16 Dec 2015)
+- sockfilt.c: added some debug output to select_ws
+
+- sockfilt.c: keep lines shorter than 80 chars
+
+- sockfilt.c: do not wait on unreliable file or pipe handle
+
+ The previous implementation caused issues on modern MSYS2 runtimes.
+
+Daniel Stenberg (16 Dec 2015)
+- cyassl: deal with lack of *get_peer_certificate
+
+ The function is only present in wolfssl/cyassl if it was built with
+ --enable-opensslextra. With these checks added, pinning support is disabled
+ unless the TLS lib has that function available.
+
+ Also fix the mistake in configure that checks for the wrong lib name.
+
+ Closes #566
-- cookies with same path length might get sorted in different order when
- using different qsort implementations. In order to make this test give
- same results on different systems, paths now have different lengths.
+- wolfssl: handle builds without SSLv3 support
-- added an additional second to allow test to pass on heavily loaded servers
+- [Tatsuhiro Tsujikawa brought this change]
-- Fix compiler warning: conditional expression is constant
+ http2: Support trailer fields
+
+ This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked
+ encoding must be used to send trialer fields. HTTP/2 deprecated any
+ trandfer-encoding, including chunked. But trailer fields are now
+ always available.
+
+ Since trailer fields are relatively rare these days (gRPC uses them
+ extensively though), allocating buffer for trailer fields is done when
+ we detect that HEADERS frame containing trailer fields is started. We
+ use Curl_add_buffer_* functions to buffer all trailers, just like we
+ do for regular header fields. And then deliver them when stream is
+ closed. We have to be careful here so that all data are delivered to
+ upper layer before sending trailers to the application.
+
+ We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE
+ mechanism, but current method is far more simple.
+
+ Another possibility is use chunked encoding internally for HTTP/2
+ traffic. I have not tested it, but it could add another overhead.
+
+ Closes #564
-- Fix compiler warning: local variable may be used without having been initialized.
+- RELEASE-NOTES: synced with 6c2c019654e658a
-- Fix compiler warnings: conversion from 'const int ' to 'unsigned char ', possible loss of data
+Jay Satiro (15 Dec 2015)
+- x509asn1: Fix host altname verification
+
+ - In Curl_verifyhost check all altnames in the certificate.
+
+ Prior to this change only the first altname was checked. Only the GSKit
+ SSL backend was affected by this bug.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
+ Reported-by: John Kohl
-- Fix compiler warnings:
+Daniel Stenberg (15 Dec 2015)
+- curl --expect100-timeout: added
- (1) conversion from 'const int ' to 'unsigned char ', possible loss of data
- (2) conditional expression is constant
+ This is the new command line option to set the value for the existing
+ libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
+
+- cyassl: fix compiler warning on type conversion
-- mention a couple of changes back from November
+- curlver: the pending release will become 7.47.0
-- mention run time statistics options
+- [Anders Bakken brought this change]
-- - Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release,
- symbol will not be available when building with CURL_NO_OLDIES defined. Use
- of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0
+ setstropt: const-correctness
+
+ Closes #565
-- avoid possibility of using obsoleted stuff
+- ROADMAP: implemented HTTP2 for HTTPS-only
-- remove setup.h inclusion which is already done from test.h inclusion
+- HTTP2.md: spell fix and remove TODO now implemented
-Kamil Dudka (2 Feb 2010)
-- mention SOCKS related problems in the curl(1) man page
+- libressl: the latest openssl x509 funcs are not in libressl
-Yang Tse (2 Feb 2010)
-- Fix compiler warning: variable was set but never used
+- curl: use 2TLS by default
+
+ Make this the default for the curl tool (if built with HTTP/2 powers
+ enabled) unless a specific HTTP version is requested on the command
+ line.
- Simplify preprocessor symbol checking
+ This should allow more users to get HTTP/2 powers without having to
+ change anything.
-Daniel Stenberg (2 Feb 2010)
-- Julien Chaffraix pointed out a comment mistake, and I re-indented the code
- slightly while editing
+- http: add libcurl option to allow HTTP/2 for HTTPS only
+
+ ... and stick to 1.1 for HTTP. This is in line with what browsers do and
+ should have very little risk.
+
+- openssl: adapt to openssl >= 1.1.0 X509 opaque structs
+
+ Closes #491
-Yang Tse (2 Feb 2010)
-- include headers
+- openssl: avoid BIO_reset() warnings since it returns a value
-- Conroy added a check to the coded message size since the docs stipulate
- that each call will contain a full protocol packet.
+- openssl: adapt to 1.1.0+ name changes
-- Conroy's fix to make the code match with the RTP documentation regarding
- writing out the whole header. The docs say it writes the whole header,
- but the code (before this patch) did not write out the leading $.
+- scripts/makefile: add standard header
-Daniel Stenberg (1 Feb 2010)
-- We introduce a loop in lib/multi.c around all calls to multi_runsingle() and
- simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added
- benefit that this goes in line with my long-term wishes to get rid of the
- CURLM_CALL_MULTI_PERFORM all together from the public API.
+- scripts/Makefile: fix GNUism and survive no perl
+
+ Closes #555
+
+ Reported-by: Thomas Klausner
-Yang Tse (1 Feb 2010)
-- update rtsp server header field from SWS to RTSPD
+- fix b6d5cb40d7038fe
-- Test suite support for RTSP
+- [Tatsuhiro Tsujikawa brought this change]
-- Make Curl_pop3_write() additionally truncate trailing POP3_EOB from received
- string buffer, otherwise Curl_client_write() call with zero size would write
- to the end of string buffer including matched POP3_EOB.
+ http2: Fix hanging paused stream
+
+ When NGHTTP2_ERR_PAUSE is returned from data_source_read_callback, we
+ might not process DATA frame fully. Calling nghttp2_session_mem_recv()
+ again will continue to process DATA frame, but if there is no incoming
+ frames, then we have to call it again with 0-length data. Without this,
+ on_stream_close callback will not be called, and stream could be hanged.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0103.html
+ Reported-by: Francisco Moraes
-- WIN32 fix, _beginthreadex() may return either 0 or -1L upon failure
+- [Christian Stewart brought this change]
-- fix errno usage for WIN32 builds
+ build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
+
+ With curl disable verbose strings in http.c the compilation fails due to
+ the data variable being undefined later on in the function.
+
+ Closes #558
-- fix printf-style format strings
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
-- Chris Conroy fixed test #568 issues with carriage returns
+ config-win32: Fix warning HAVE_WINSOCK2_H undefined
-- RTSP followup fix. Both the pipelined and non-pipelined case need to
- check for (excess > 0 && !k->ignorebody).
+- [Gisle Vanem brought this change]
-Daniel Stenberg (28 Jan 2010)
-- - Tommie Gannert pointed out a silly bug in ares_process_fd() since it didn't
- check for broken connections like ares_process() did. Based on that, I
- merged the two functions into a single generic one with two front-ends.
+ openssl: BoringSSL doesn't have CONF_modules_free
-Yang Tse (28 Jan 2010)
-- fix printf-style format strings
+- [Gisle Vanem brought this change]
-- Use 'size_t' for GETNAMEINFO_TYPE_ARG2 definition for VMS.
+ lwip: Fix compatibility issues with later versions
+
+ The name of the header guard in lwIP's <lwip/opt.h> has changed from
+ '__LWIP_OPT_H__' to 'LWIP_HDR_OPT_H' (bug #35874 in May 2015).
+
+ Other fixes:
- http://curl.haxx.se/mail/lib-2009-12/0293.html
+ - In curl_setup.h, the problem with an old PSDK doesn't apply if lwIP is
+ used.
+
+ - In memdebug.h, the 'socket' should be undefined first due to lwIP's
+ lwip_socket() macro.
+
+ - In curl_addrinfo.c lwIP's getaddrinfo() + freeaddrinfo() macros need
+ special handling because they were undef'ed in memdebug.h.
+
+ - In select.c we can't use preprocessor conditionals inside select if
+ MSVC and select is a macro, as it is with lwIP.
+
+ http://curl.haxx.se/mail/lib-2015-12/0023.html
+ http://curl.haxx.se/mail/lib-2015-12/0024.html
-- portability fix
+Patrick Monnerat (7 Dec 2015)
+- os400: define CURL_VERSION_PSL in ILE/RPG binding
-- fix printf-style format strings
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
-- Known bug #64 fixed by Constantine Sapuntzakis and Joshua Kwan in 7.20.0
+ version: Add flag CURL_VERSION_PSL for libpsl
-- Chris Conroy provided first RTSP tests
+- formdata: Check if length is too large for memory
+
+ - If the size of the length type (curl_off_t) is greater than the size
+ of the size_t type then check before allocating memory to make sure the
+ value of length will fit in a size_t without overflow. If it doesn't
+ then return CURLE_BAD_FUNCTION_ARGUMENT.
+
+ Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
+ Reported-by: Steve Holme
-- RTSP tests disabled until test harness RTSP support is updated
+Steve Holme (3 Dec 2015)
+- tests: Corrected copy and pasted comments from commit e643c5c908
-- Chris Conroy's RTSP followup fixes
+Daniel Stenberg (3 Dec 2015)
+- curl: remove keepalive #ifdef checks done on libcurl's behalf
+
+ They didn't match the ifdef logic used within libcurl anyway so they
+ could indeed warn for the wrong case - plus the tool cannot know how the
+ lib actually performs at that level.
-- mention asynchronous DNS lookups enhancements
+Steve Holme (2 Dec 2015)
+- test947: Corrected typo in test name
-- Restore normal operation:
+- tests: Disable the OAUTHBEARER tests when using a non-default port number
- c-ares is only enabled when specifically requested.
+ Tests 842, 843, 844, 845, 887, 888, 889, 890, 946, 947, 948 and 949 fail
+ if a custom port number is specified via the -b option of runtests.pl.
- Consequently, c-ares default setting is disabled.
+ Suggested by: Kamil Dudka
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0003.html
-- fix c-ares assumed check being skipped
+Daniel Stenberg (2 Dec 2015)
+- bump: towards next release
+
+ for all we know now, it might be called 7.46.1
+
+Version 7.46.0 (1 Dec 2015)
+
+Daniel Stenberg (1 Dec 2015)
+- RELEASE-NOTES: updated contributor count for 7.46.0
+
+- THANKS: new contributors from the 7.46.0 release
-- fix compiler warning
+- THANKS-filter: single Tim Rühsen spelling
-- fix LDFLAGS preservation in CURL_CHECK_LIB_ARES
+- docs/examples: gitignore some more built examples
-Daniel Stenberg (26 Jan 2010)
-- no need to take precautiono for how things were before 7.16.0 since that
- is now a very long time ago
+- RELEASE-NOTES; this bug was never released
+
+- RELEASE-NOTES: synced with e55f15454efacb0
+
+- [Flavio Medeiros brought this change]
+
+ Curl_read_plain: clean up ifdefs that break statements
+
+ Closes #546
-- - Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the
- proxy that cannot be resolved when using c-ares. This matches the behaviour
- when not using c-ares.
+- http2: convert some verbose output into debug-only output
-Dan Fandrich (26 Jan 2010)
-- Added curl_threads.c to a few more non-configure build files
+- http2 push: add missing inits of new stream
+
+ - set the correct stream_id for pushed streams
+ - init maxdownload and size properly
+
+- http2 push: set weight for new stream
+
+ give the new stream the old one's stream_weight internally to avoid
+ sending a PRIORITY frame unless asked for it
+
+- curl_setup.h: undef freeaddrinfo in c-ares block to fix build
+
+ Fixes warnings 78c25c854a added.
+
+- nonblock: fix setting non-blocking mode for Amiga
+
+ IoctlSocket() apparently wants a pointer to a long, passed as a char *
+ in its third parameter. This bug was introduced already back in commit
+ c5fdeef41d from October 1 2001!
+
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0088.html
+ Reported-by: Norbert Kett
-Yang Tse (26 Jan 2010)
-- minor fixes for --enable-ares configure option
+- zsh install: fix DESTDIR support
+
+ Reported-by: Mohammad AlSaleh
-Daniel Stenberg (26 Jan 2010)
-- Andre Guibert de Bruet improved the libssh2 error code translation
+Dan Fandrich (27 Nov 2015)
+- lib: Only define curl_dofreeaddrinfo if struct addrinfo is available
-Yang Tse (26 Jan 2010)
-- resolver selection for non-configure Windows builds, default is threaded DNS
+Steve Holme (27 Nov 2015)
+- tool_paramhlp: Fixed display of URL index in password prompt for --next
+
+ Commit f3bae6ed73 added the URL index to the password prompt when using
+ --next. Unfortunately, because the size_t specifier (%zu) is not
+ supported by all sprintf() implementations we use the curl_off_t format
+ specifier instead. The display of an incorrect value arises on platforms
+ where size_t and curl_off_t are of a different size.
-- add curl_threads.c to non-configure target build files
+Daniel Stenberg (25 Nov 2015)
+- timecond: do not add if-modified-since without timecondition
+
+ The RTSP code path didn't skip adding the if-modified-since for certain
+ RTSP code paths, even if CURLOPT_TIMECONDITION was set to
+ CURL_TIMECOND_NONE.
+
+ Also, an unknown non-zero CURLOPT_TIMECONDITION value no longer equals
+ CURL_TIMECOND_IFMODSINCE.
+
+ Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header
-- onstantine Sapuntzakis threaded resolver enhancements
+- RELEASE-NOTES: synced with 99d17a5e2ba77e58
-- Constantine Sapuntzakis threaded resolver enhancements
+- examples/README: cut out the incomplete list
+
+ ... and add a generic explanation for them instead. Each example file
+ should contain its own description these days.
-- Constantine Sapuntzakis provided initial thread abstraction layer
+- test1513: make sure the callback is only called once
-- make Curl_handler_*_proxy definition static
+- [Daniel Shahaf brought this change]
-Dan Fandrich (25 Jan 2010)
-- Updated minimum library sizes
+ build: Install zsh completion
+
+ Fixes #534
+ Closes #537
-Yang Tse (25 Jan 2010)
-- fix compiler warning
+- done: make sure the final progress update is made
+
+ It would previously be skipped if an existing error was returned, but
+ would lead to a previous value being left there and later used.
+ CURLINFO_TOTAL_TIME for example.
+
+ Still it avoids that final progress update if we reached DONE as the
+ result of a callback abort to avoid another callback to be called after
+ an abort-by-callback.
+
+ Reported-by: Lukas Ruzicka
+
+ Closes #538
-Daniel Stenberg (24 Jan 2010)
-- Julien Chaffraix corrected bad #elif lines to silence warnings
+- curl: expanded the -XHEAD warning text
+
+ ... to also mention the specific options used.
-Yang Tse (24 Jan 2010)
-- HAVE_GETADDRINFO_THREADSAFE definition for non-configure win32 builds
+- Revert "cleanup: general removal of TODO (and similar) comments"
+
+ This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a.
+
+ Feedback-by: Dan Fandrich
+ URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
-Bjorn Stenberg (23 Jan 2010)
-- Mention -J change
+- CURLOPT_HEADERFUNCTION.3: fix typo
+
+ Refer to _HEADERDATA not _WRITEDATA.
+
+ Reported-by: Michał Piechowski
-- Added -J/--remote-header-name.
+- TODO: TCP Fast Open
-Daniel Stenberg (23 Jan 2010)
-- "remove progress meter from libcurl" at next API break
+Steve Holme (22 Nov 2015)
+- examples: Added website parse-able descriptions to the e-mail examples
-Yang Tse (23 Jan 2010)
-- add inclusion of curl_memory.h
+- TODO: Added another 'multi-interface' idea
-- adjust preprocessor symbol definition check relative to resolver specialty
+- smb.c: Fixed compilation warnings
+
+ smb.c:134:3: warning: conversion to 'short unsigned int' from 'int' may
+ alter its value
+ smb.c:146:42: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
+ smb.c:146:65: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
-- PKTSIZE might have been already defined in arpa/tftp.h
+- schannel: Corrected copy/paste error in commit 8d17117683
-Dan Fandrich (23 Jan 2010)
-- Include "curl_memory.h" to get the strdup replacement when necessary
+- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
+
+ Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
-Daniel Stenberg (22 Jan 2010)
-- wrap long lines and do some indent policing
+- examples: Fixed compilation warnings
+
+ pop3-multi.c:96:5: warning: implicit declaration of function 'memset'
+ imap-multi.c:96:5: warning: implicit declaration of function 'memset'
+ http2-download.c:226:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
-Yang Tse (22 Jan 2010)
-- Definitions of resolver specialty compile-time defines CURLRES_* moved
- from hostip.h to setup.h in order to allow proper inclusion in any file.
+- Makefile.inc: Fixed test run error
- This represents no functional change at all in which resolver is used,
- everything still works as usual, internally and externally there is no
- difference in behavior.
+ test845 not present in tests/data/Makefile.inc
-- adjust rtsp protocol support in curl-config and libcurl.pc when http is disabled
+Daniel Stenberg (20 Nov 2015)
+- TODO: remove duplicated title
-- deal with the possibility that CURL_DISABLE_RTSP may already be defined
+- TODO: added two more libcurl ideas
+
+ Moved some ideas from "next major" to just ordinary ideas since we can
+ always add new things while keeping the old without doing a "next
+ major".
-- fix compiler warning: statement is unreachable
+Steve Holme (20 Nov 2015)
+- tests: Re-enabled tests 889 and 890 following POP3 fix
-- fix compilation when http is disabled
+- pop3: Differentiate between success and continuation responses
-- disabling of rtsp when http isn't enabled required here for non-configure systems
+- pop3: Added clarity on some server response codes
-Daniel Stenberg (22 Jan 2010)
-- wrap long lines, remove (very old) attribution from code
+Daniel Stenberg (20 Nov 2015)
+- [Daniel Shahaf brought this change]
-- cleanups by Julien Chaffraix
+ build: Fix theoretical infinite loops
+
+ Add error-checking to 'cd' in a few cases where omitting the checks
+ might result in an infinite loop.
+
+ Closes #535
-- alphabetically sort the list of supported protocols
+Patrick Monnerat (19 Nov 2015)
+- curl.h: s/#defien/#define/
-- In spite claiming to tbe disabled by default, RTSP is enabled and it now
- also says so. I also made the list of protocols get sorted.
+- os400: synchronize ILE/RPG header file
-- expanded to provide info about the newer protocols too
+- os400: Provide options for libssh2 use in compile scripts. Adjust README.
-- s/RTPFUNCTION/INTERLEAVEFUNCTION/
- s/RTPDATA/INTERLEAVEDATA/
+Daniel Stenberg (19 Nov 2015)
+- [danielsh@apache.org brought this change]
-- keep lines shorter than 80 columns, and reduce/remove the use of the word
- 'note' in most description as it is mostly useless.
+ zsh completion: Preserve single quotes in output
+
+ When an option's help string contains literal single quotes, those
+ single quotes would be stripped from the option's description in the
+ completion output (unless the zsh RC_QUOTES option were set while the
+ completion function was being sourced, which is not the default). This
+ patch makes the completion output contain single quotes where the --help
+ output does.
+
+ Closes #532
-Yang Tse (22 Jan 2010)
-- Julien Chaffraix adjusted "<name> section" line length
+Jay Satiro (18 Nov 2015)
+- [MaxGiting brought this change]
-- Constantine Sapuntzakis refactoring of async callbacks, allowing
- removal of Curl_addrinfo_copy(), Curl_addrinfo6_callback(), and
- Curl_addrinfo4_callback()
+ FAQ: Grammar changes
+
+ Closes https://github.com/bagder/curl/pull/533
-Dan Fandrich (21 Jan 2010)
-- Added rtsp.c to the non-configure target build files
+Daniel Stenberg (17 Nov 2015)
+- http2: http_done: don't free already-freed push headers
+
+ The push headers are freed after the push callback has been invoked,
+ meaning this code should only free the headers if the callback was never
+ invoked and thus the headers weren't freed at that time.
+
+ Reported-by: Davey Shafik
-Yang Tse (21 Jan 2010)
-- fix compiler warning
+- [Anders Bakken brought this change]
-- make tftp_translate_code() static, it is only used from within tftp.c
+ getconnectinfo: Don't call recv(2) if socket == -1
+
+ Closes #528
-- fix warning triggered when debugging on cygwin
+- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
+
+ ... if there are more than one using the same name
-- allow exporting of exe_ext() sub
+- http2: minor comment typo
-- improve displaylogcontent() sub fixing a warning
+- sasl; fix checksrc warnings
-Daniel Stenberg (21 Jan 2010)
-- remove typedef we ended up not using
+Steve Holme (15 Nov 2015)
+- RELEASE-NOTES: Adjusted for the recent OAuth 2.0 activity
-- Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new
- libcurl options for controlling what to get and how to receive posssibly
- interleaved RTP data. Initial commit.
+- tests: Disabled 889 and 890 until we support POP3 continuation responses
+
+ As POP3 final and continuation responses both begin with a + character,
+ and both the finalcode and contcode variables in SASLprotoc are set as
+ such, we cannot tell the difference between them when we are expecting
+ an optional continuation from the server such as the following:
+
+ + something else from the server
+ +OK final response
+
+ Disabled these tests until such a time we can tell the responses apart.
-- Julien Chaffraix fixed line lengths
+- tests: Corrected typos from commit ba4d8f7eba
-- Julien Chaffraix removed an old obsolete typedef
+- tests: Added OAUTHBEARER failure response tests
-- Yun Fu pointed out a flaw in the loop that checks handles, and I indented
- the code more curl-style
+- oauth2: Support OAUTHBEARER failures sent as continuation responses
+
+ According to RFC7628 a failure message may be sent by the server in a
+ base64 encoded JSON string as a continuation response.
+
+ Currently only implemented for OAUTHBEARER and not XAUTH2.
-- "5.3 Sort outgoing cookies" removed, we now sort them
+Daniel Stenberg (15 Nov 2015)
+- RELEASE-NOTES: synced with 808a17ee675
-Yang Tse (20 Jan 2010)
-- SIGTERM is the signal to trap here, SIGKILL can't be caught.
+Steve Holme (14 Nov 2015)
+- tests: Renamed existing OAuth 2.0 (XOAUTH) tests
-- Use killsockfilters() to kill sockfilter processes, this ensures that when
- killing a sockfilter process the actual PID from the pid file is used and
- not the one returned by open2() which might be different.
+- tests: Added OAuth 2.0 (OAUTHBEARER) tests
-- Allow killsockfilters() to take a 5th optional parameter that when provided
- indicates that only one of the two possible sockfilter processes should be
- killed. Valid values for this parameter are 'main' and 'data'.
+- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
+
+ OAUTHBEARER is now the official "registered" SASL mechanism name for
+ OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some
+ servers won't support the new mechanism yet.
-- Use delete() to unset environment variables instead of assigning undef which
- generates warning 'Use of uninitialized value in scalar assignment' with perl
- versions older than 5.10
+Daniel Stenberg (13 Nov 2015)
+- RELEASE-NOTES: recounted curl_easy_setopt() options
-- Adjust valgrind logs file name detection.
+- typecheck-gcc.h: add missing slist-using options
- Adjust environment vars setting and restoring from test definition.
+ CURLOPT_RESOLVE and CURLOPT_PROXYHEADER were missing
+
+ Also sorted the list.
+
+- typecheck-gcc.h: added CURLOPT_CLOSESOCKETDATA
- Avoid using strftime in torture sub.
+ ... and sorted curl_is_cb_data_option alphabetically
-Daniel Stenberg (20 Jan 2010)
-- modified test case 8 to also make sure that we deal with cookies using
- identical names but different paths properly
+Jay Satiro (13 Nov 2015)
+- [Sebastian Pohlschmidt brought this change]
-- - As was pointed out on the http-state mailing list, the order of cookies in a
- HTTP Cookie: header _needs_ to be sorted on the path length in the cases
- where two cookies using the same name are set more than once using
- (overlapping) paths. Realizing this, identically named cookies must be
- sorted correctly. But detecting only identically named cookies and take care
- of them individually is harder than just to blindly and unconditionally sort
- all cookies based on their path lengths. All major browsers also already do
- this, so this makes our behavior one step closer to them in the cookie area.
+ openssl: Free modules on cleanup
- Test case 8 was the only one that broke due to this change and I updated it
- accordingly.
+ Curl_ossl_init calls OPENSSL_load_builtin_modules() but
+ Curl_ossl_cleanup doesn't make a call to free these modules.
+
+ Bug: https://github.com/bagder/curl/issues/526
-- oops, I forgot to cvs add this before my previous commit (Dan Fandrich
- pointed it out to me)
+Steve Holme (13 Nov 2015)
+- symbols-in-versions: Added new CURLOPTTYPE_STRINGPOINT alias
+
+ ...following commit aba281e762 to fix test 1119.
-- - David McCreedy brought a fix and a new test case (129) to make libcurl work
- again when downloading files over FTP using ASCII and it turns out that the
- final size of the file is not the same as the initial size the server
- reported. This is very common since servers don't take the newline
- conversions into account.
+Daniel Stenberg (13 Nov 2015)
+- curl: mark two more options strings for --libcurl output
-- "260 - IMAP, POP3 and SMTP support" done!
+- typecheck-gcc.h: add some missing string types
+
+ Also sorted that list alphabetically
-- avoid "Use of uninitialized value $l in concatenation"
+- curl.h: introducing the STRINGPOINT alias
+
+ As an alias for OBJECTPOINT. Provided to allow us to grep for all string
+ options easier.
-Yang Tse (19 Jan 2010)
-- Fail harder when curl coredumps trying to verify http and ftp servers.
+- cleanup: general removal of TODO (and similar) comments
- Add some debug messages to see what's going on with valgrind logs.
+ They tend to never get updated anyway so they're frequently inaccurate
+ and we never go back to revisit them anyway. We document issues to work
+ on properly in KNOWN_BUGS and TODO instead.
-- prevent %runcert hash growth when clearing items
+- ftplistparser: remove empty function
-- update copyright year notice
+- openssl: remove #if check for 0.9.7 for ENGINE_load_private_key
-- Constantine Sapuntzakis enhancements to make memory tracking log file writing
- of messages atomic, on systems where an fwrite of a memory buffer is atomic.
+- openssl: all supported versions have X509_STORE_set_flags
+
+ Simplify by removing #ifdefs and macros
-Dan Fandrich (18 Jan 2010)
-- Added PEM certificate keyword
+- openssl: remove 0.9.3 check
-Yang Tse (18 Jan 2010)
-- fix warnings
+- openssl: remove #ifdefs for < 0.9.5 support
+
+ We only support >= 0.9.7
-- Stop ssl running server when cert file currently used by server is
- different than the one specified in test definition for same server
+- lib/vtls/openssl: remove unused traces of yassl ifdefs
-- fix warnings
+Dan Fandrich (12 Nov 2015)
+- [dfandrich brought this change]
-- - Remove QD restarting of https servers. Proper fixing required.
- This will make tests 310 311 and 312 fail while fixing.
+ unit1603: Demote hash mismatch failure to a warning
- - Remove some debug messages
+ The hashes can vary between architectures (e.g. Sparc differs from x86_64).
+ This is not a fatal problem but just reduces the coverage of these white-box
+ tests, as the assumptions about into which hash bucket each key falls are no
+ longer valid.
+
+- [dfandrich brought this change]
-- make verifyhttp use different file names depending on server characteristics
+ unit1603: Added unit tests for hash functions
-- add serverfactors() sub which returns server characterization factors
+- [dfandrich brought this change]
-- fix warnings
+ unit1602: Fixed failure in torture test
-- fix warnings
+Steve Holme (12 Nov 2015)
+- sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism
+
+ Following the fix in commit d6d58dd558 it is necessary to re-introduce
+ XOAUTH2 in the default enabled authentication mechanism, which was
+ removed in commit 7b2012f262, otherwise users will have to specify
+ AUTH=XOAUTH2 in the URL.
+
+ Note: OAuth 2.0 will only be used when the bearer is specified.
-- fix warnings
+- [Stefan Bühler brought this change]
-- add some debug messages
+ sasl_sspi: fix identity memory leak in digest authentication
-- use servername_id() from serverhelp.pm
+- [Stefan Bühler brought this change]
+
+ sasl_sspi: fixed unicode build for digest authentication
+
+ Closes #525
-- refactored stopping of test harness servers
+- oauth2: Re-factored OAuth 2.0 state variable
-- Store now this file in CVS with unix line endings.
+- sasl: Don't choose OAuth 2.0 if mechanism not advertised
- maketgz already converts this file to DOS style with an awk filter.
+ Regression from commit 9e8ced9890 which meant if --oauth2-bearer was
+ specified but the SASL mechanism wasn't supported by the server then
+ the mechanism would be chosen.
-- Declaration of $sshdlog is done in sshhelp.pm
+Daniel Stenberg (12 Nov 2015)
+- runtests: more compact "System characteristics" output
+
+ - no point in repeating curl features that is already listed as features
+ from the curl -V output
+
+ - remove the port numbers/unix domain path from the output unless
+ verbose is used, as that is rarely interesting to users.
-- Start using the centralized pidfile and logfile name generation
- subroutines for ssh and socks test suite servers.
+- runtests: rename conditional curl-features to $has_[name]
-Dan Fandrich (15 Jan 2010)
-- Added the new protocol source files to the non-autoconf build files
+Steve Holme (11 Nov 2015)
+- oauth2: Introduced support for host and port details
+
+ Added support to the OAuth 2.0 message function for host and port, in
+ order to accommodate the official OAUTHBEARER SASL mechanism which is
+ to be added shortly.
-Yang Tse (14 Jan 2010)
-- Squeeze slack time when killing more than one server from
- the <killserver> section of test harness definition files.
+- curl_setup.h: Removed duplicate CURL_DISABLE_RTSP when HTTP_ONLY defined
-Kamil Dudka (14 Jan 2010)
-- - Suppressed side effect of OpenSSL configure checks, which prevented NSS from
- being properly detected under certain circumstances. It had been caused by
- strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config
- distinguishes among empty and non-existent environment variable in that case.
+- cmake: Add missing feature macros in config header (Part 2)
+
+ In addition to commit a215381c94 added the RTSP, RTMP and SMB protocols.
-Yang Tse (13 Jan 2010)
-- Give the test a bit mote time to run so it passes on slow machines
+Daniel Stenberg (10 Nov 2015)
+- [Douglas Creager brought this change]
-Kamil Dudka (13 Jan 2010)
-- remove trailing spaces from configure.ac
+ cmake: Add missing feature macros in config header
+
+ The curl_config.h file can be generated either from curl_config.h.cmake
+ or curl_config.h.in, depending on whether you're building using CMake or
+ the autotools. The CMake template header doesn't include entries for
+ all of the protocols that you can disable, which (I think) means that
+ you can't actually disable those protocols when building via CMake.
+
+ Closes #523
-Yang Tse (12 Jan 2010)
-- Added test case #1112 which does an FTPS download with strict timeout
- and slow data transfer in a similar way as test case #1086 does for FTP.
+- [Douglas Creager brought this change]
+
+ BoringSSL: Work with stricter BIO_get_mem_data()
+
+ BoringSSL implements `BIO_get_mem_data` as a function, instead of a
+ macro, and expects the output pointer to be a `char **`. We have to add
+ an explicit cast to grab the pointer as a `const char **`.
- This also exercises <killserver> section for the FTPS server.
+ Closes #524
-- Make runtests.pl actually support any (valid) server specification
- for the <killserver> section of test harness definition files.
+- http2: rectify the http2 version #if check
+
+ We need 1.0.0 or later. Also verified by configure.
+
+Steve Holme (9 Nov 2015)
+- oauth2: Don't use XAUTH2 in OAuth 2.0 function name
-- Fix tftp and sftp supported protocols in servername_str()
+- oauth2: Don't use XOAUTH2 in OAuth 2.0 variables
-- Make sockfilter kill messages look alike server ones
+- oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
+
+ When referring to OAuth 2.0 we should use the official name rather the
+ SASL mechanism name.