Changelog
-Version 7.32.0 (11 Aug 2013)
+Version 7.50.2 (7 Sep 2016)
-Daniel Stenberg (11 Aug 2013)
-- THANKS: added contributors from the 7.32.0 release notes
+Daniel Stenberg (7 Sep 2016)
+- RELEASE-NOTES: curl 7.50.2 release
-- [Fabian Keil brought this change]
+- THANKS: updated for 7.50.2
- test1228: add 'HTTP proxy' to the keywords
+Jay Satiro (6 Sep 2016)
+- [Gaurav Malhotra brought this change]
-- [Fabian Keil brought this change]
-
- tests: add keywords for a couple of FILE tests
-
-- [Fabian Keil brought this change]
-
- tests: add 'FAILURE' keywords to tests 1409 and 1410
-
-- [Fabian Keil brought this change]
+ openssl: fix CURLINFO_SSL_VERIFYRESULT
+
+ CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
+ result when SSL_connect fails because of a certificate verification
+ error.
+
+ This fix saves the result of SSL_get_verify_result so that it is
+ returned by CURLINFO_SSL_VERIFYRESULT.
+
+ Closes https://github.com/curl/curl/pull/995
- tests: add keywords for a couple of HTTP tests
+Daniel Stenberg (6 Sep 2016)
+- [Daniel Gustafsson brought this change]
-- [Fabian Keil brought this change]
+ darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
+
+ While noErr and errSecSuccess are defined as the same value, the API
+ documentation states that SecPKCS12Import() returns errSecSuccess if
+ there were no errors in importing. Ensure that a future change of the
+ defined value doesn't break (however unlikely) and be consistent with
+ the API docs.
- tests: add keywords for a couple of FTP tests
+- [Daniel Gustafsson brought this change]
-- [Fabian Keil brought this change]
+ docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)
- test1511: consistently terminate headers with CRLF
+- [Marcel Raad brought this change]
-- DISABLED: shut of test 1512 for now
+ openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
- It shows intermittent failures and I haven't been able to track them
- down yet. Disable this test for now.
-
-- curl_multi_add_handle.3: ... that timer callback is for event-based
+ With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
+ functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
+ replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
+ OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
+ now called OpenSSL_version_num().
+
+ [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
+ [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
+
+ Closes #992
-- comments: remove old and wrong multi/easy interface statements
+- RELEASE-NOTES: synced with 3d4c0c8b9bc1d
-- curl_multi_add_handle.3: mention the CURLMOPT_TIMERFUNCTION use
+- http2: return EOF when done uploading without known size
+
+ Fixes #982
-- [John E. Malmberg brought this change]
+- http2: skip the content-length parsing, detect unknown size
- KNOWN_BUGS: 22 and 57 have been fixed and committed
+- http2: minor white space edit
-- RELEASE-NOTES: synced with d20def20462e7
+- http2: use named define instead of magic constant in read callback
-- global dns cache: fix memory leak
-
- The take down of the global dns cache didn't take CURLOPT_RESOLVE names
- into account.
+- [Craig Davison brought this change]
-- global dns cache: didn't work [regression]
+ configure: make the cpp -P detection not clobber CPPFLAGS
- CURLOPT_DNS_USE_GLOBAL_CACHE broke in commit c43127414d89ccb (been
- broken since the libcurl 7.29.0 release). While this option has been
- documented as deprecated for almost a decade and nobody even reported
- this bug, it should remain functional.
+ CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF.
- Added test case 1512 to verify
-
-Yang Tse (8 Aug 2013)
-- [John Malmberg brought this change]
+ Fixes #958
- packages/vms: update VMS build files
-
- VMS modified files either missing from a previous commit and changes
- to remove references to CVS repositories.
+- [Olivier Brunel brought this change]
-Daniel Stenberg (8 Aug 2013)
-- FTP: renamed several local functions
+ speed caps: not based on average speeds anymore
- The previous naming scheme ftp_state_post_XXXX() wasn't really helpful
- as it wasn't always immediately after 'xxxx' and it wasn't easy to
- understand what it does based on such a name.
+ Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
+ CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
+ with the cumulative average speed of the entire transfer; While this
+ might work at times with good/constant connections, in other cases it
+ can result to the limits simply being "ignored" for more than "short
+ bursts" (as told in man page).
- This new one is instead ftp_state_yyyy() where yyyy describes what it
- does or sends.
-
-- mk-ca-bundle.1: don't install on make install
+ Consider a download that goes on much slower than the limit for some
+ time (because bandwidth is used elsewhere, server is slow, whatever the
+ reason), then once things get better, curl would simply ignore the limit
+ up until the average speed (since the beginning of the transfer) reached
+ the limit. This could prove the limit useless to effectively avoid
+ using the entire bandwidth (at least for quite some time).
- Since the mk-ca-bundle tool itself isn't installed with make install,
- there's no point in installing its documentation.
+ So instead, we now use a "moving starting point" as reference, and every
+ time at least as much as the limit as been transferred, we can reset
+ this starting point to the current position. This gets a good limiting
+ effect that applies to the "current speed" with instant reactivity (in
+ case of sudden speed burst).
- Bug: http://curl.haxx.se/mail/lib-2013-08/0057.html
- Reported-by: Guenter Knauf
+ Closes #971
-Yang Tse (7 Aug 2013)
-- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST
+- HISTORY.md: the multi socket was put in the wrong year!
-- [John Malmberg brought this change]
+- [Mark Hamilton brought this change]
- Building_vms_pcsi_kit
-
- These are the files needed to build VMS distribution packages known as
- PCSI kits.
-
- Also minor update to the existing files, mainly to the documentation and
- file clean up code.
+ tool_helpers.c: fix comment typo (#989)
-Daniel Stenberg (6 Aug 2013)
-- LIBCURL-STRUCTS: new document
-
- This is the first version of this new document, detailing the seven
- perhaps most important internal structs in libcurl source code:
-
- 1.1 SessionHandle
- 1.2 connectdata
- 1.3 Curl_multi
- 1.4 Curl_handler
- 1.5 conncache
- 1.6 Curl_share
- 1.7 CookieInfo
+- [Mark Hamilton brought this change]
-- CONTRIBUTE: minor language polish
+ libtest/test.h: fix typo (#988)
-- FTP: when EPSV gets a 229 but fails to connect, retry with PASV
-
- This is a regression as this logic used to work. It isn't clear when it
- broke, but I'm assuming in 7.28.0 when we went all-multi internally.
-
- This likely never worked with the multi interface. As the failed
- connection is detected once the multi state has reached DO_MORE, the
- Curl_do_more() function was now expanded somewhat so that the
- ftp_do_more() function can request to go "back" to the previous state
- when it makes another attempt - using PASV.
-
- Added test case 1233 to verify this fix. It has the little issue that it
- assumes no service is listening/accepting connections on port 1...
-
- Reported-by: byte_bucket in the #curl IRC channel
+- CURLMOPT_PIPELINING.3: language
-Nick Zitzmann (5 Aug 2013)
-- md5: remove use of CommonCrypto-to-OpenSSL macros for the benefit of Leopard
+- CURLMOPT_PIPELINING.3: extended and clarified
- For some reason, OS X 10.5's GCC suddenly stopped working correctly with
- macros that change MD5_Init etc. in the code to CC_MD5_Init etc., so I
- worked around this by removing use of the macros and inserting static
- functions that just call CommonCrypto's implementations of the functions
- instead.
+ Especially in regards to the multiplexing part.
-Guenter Knauf (5 Aug 2013)
-- Simplify check for trusted certificates.
+Steve Holme (31 Aug 2016)
+- curl_sspi.c: Updated function description comments
- This changes the previous check for untrusted certs to a check for
- certs explicitely marked as trusted.
- The change is backward-compatible (tested with certdata.txt v1.80).
+ * Added description to Curl_sspi_free_identity()
+ * Added parameter and return explanations to Curl_sspi_global_init()
+ * Added parameter explaination to Curl_sspi_global_cleanup()
-Daniel Stenberg (5 Aug 2013)
-- configure: warn on bad env variable use, don't error
+- README: Corrected the supported Visual Studio versions
- Use XC_CHECK_BUILD_FLAGS instead XC_CHECK_USER_FLAGS.
+ Missed from commit 8356022d17.
-- Revert "configure: don't error out on variable confusions, just warn"
+- KNOWN_BUGS: Move the Visual Studio project shortcomings from local README
+
+- KNOWN_BUGS: Expand 6.4 to include Kerberos V5
- This reverts commit 6b27703b5f525eccdc0a8409f51de8595c75132a.
+ ...and discuss a possible solution.
-- formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used
+Daniel Stenberg (30 Aug 2016)
+- connect: fix #ifdefs for debug versions of conn/streamclose() macros
+
+ CURLDEBUG is for the memory debugging
- The internal function that's used to detect known file extensions for
- the default Content-Type got the the wrong pointer passed in when
- CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that
- strlen() would be used which could lead to an out-of-bounds read (and
- thus segfault). In most cases it would only lead to it not finding or
- using the correct default content-type.
+ DEBUGBUILD is for the extra debug stuff
- It also showed that test 554 and test 587 were testing for the
- previous/wrong behavior and now they're updated as well.
+ Pointed-out-by: Steve Holme
+
+- KNOWN_BUGS: mention some cmake "support gaps"
+
+Nick Zitzmann (28 Aug 2016)
+- darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
- Bug: http://curl.haxx.se/bug/view.cgi?id=1262
- Reported-by: Konstantin Isakov
+ In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
-Guenter Knauf (4 Aug 2013)
-- Skip more untrusted certificates.
+Daniel Stenberg (28 Aug 2016)
+- http2: return CURLE_HTTP2_STREAM for unexpected stream close
- Christian Heimes brought to our attention that the certdata.txt
- format has recently changed [1], causing ca-bundle.crt created
- with mk-ca-bundle.[pl|vbs] to include untrusted certs.
+ Follow-up to c3e906e9cd0f, seems like a more appropriate error code
- [1] http://lists.debian.org/debian-release/2012/11/msg00411.html
+ Suggested-by: Jay Satiro
-Daniel Stenberg (4 Aug 2013)
-- configure: don't error out on variable confusions, just warn
+- [Tatsuhiro Tsujikawa brought this change]
-- configure: rephrase the notice in _XC_CHECK_VAR_*
+ http2: handle closed streams when uploading
- Instead of claiming it is an error, we call it a "note" to reduce the
- severity level. But the following text now says the [variable] "*should*
- only be used to specify"... instead of previously having said "may".
+ Fixes #986
-- multi: remove data->state.current_conn struct field
+- http2: make sure stream errors don't needlessly close the connection
- Not needed
+ With HTTP/2 each transfer is made in an indivial logical stream over the
+ connection, making most previous errors that caused the connection to get
+ forced-closed now instead just kill the stream and not the connection.
+
+ Fixes #941
-- multi: remove the one_easy struct field
+- Curl_verify_windows_version: minor edit to avoid compiler warnings
- Since the merge of SessionHandle with Curl_one_easy, this indirection
- isn't used anymore.
+ ... instead of if() before the switch(), add a default to the switch so
+ that the compilers don't warn on "warning: enumeration value
+ 'PLATFORM_DONT_CARE' not handled in switch" anymore.
-- multi: rename all Curl_one_easy to SessionHandle
+Steve Holme (27 Aug 2016)
+- RELEASE-NOTES: Added missing fix from commit 15592143f
-- multi: remove the multi_pos struct field
+Jay Satiro (26 Aug 2016)
+- schannel: Disable ALPN for Wine since it is causing problems
- Since Curl_one_easy is really a SessionHandle now, this indirection
- doesn't exist anymore.
-
-- multi: remove easy_handle struct field
+ - Disable ALPN on Wine.
- It isn't needed anymore
-
-- multi: remove 'Curl_one_easy' struct, phase 1
+ - Don't pass input secbuffer when ALPN is disabled.
- The motivation for having a separate struct that keep track of an easy
- handle when using the multi handle was removed when we switched to
- always using the multi interface internally. Now they were just two
- separate struct that was always allocated for each easy handle.
+ When ALPN support was added a change was made to pass an input secbuffer
+ to initialize the context. When ALPN is enabled the buffer contains the
+ ALPN information, and when it's disabled the buffer is empty. In either
+ case this input buffer caused problems with Wine and connections would
+ not complete.
- This first step just moves the Curl_one_easy struct members into the
- SessionHandle struct and hides this somehow (== keeps the source code
- changes to a minimum) by defining Curl_one_easy to SessionHandle
+ Bug: https://github.com/curl/curl/issues/983
+ Reported-by: Christian Fillion
+
+Kamil Dudka (26 Aug 2016)
+- [Peter Wang brought this change]
+
+ nss: work around race condition in PK11_FindSlotByName()
- The biggest changes in this commit are:
+ Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
+ a multi-threaded environment. The underlying cause is a race condition
+ in nssSlot_IsTokenPresent().
- 1 - the linked list of easy handles had to be changed somewhat due
- to the new struct layout. This made the main linked list pointer
- get renamed to 'easyp' and there's also a new pointer to the last
- node, called easylp. It is no longer circular but ends with ->next
- pointing to NULL. New nodes are still added last.
+ Bug: https://bugzilla.mozilla.org/1297397
- 2 - easy->state is now called easy->mstate to avoid name collision
+ Closes #985
-Steve Holme (2 Aug 2013)
-- Revert "DOCS: Added IMAP URL example for listing new messages"
+- nss: refuse previously loaded certificate from file
- This reverts commit 82ab5f1b0c7c3f as this was the wrong place to
- document the complexity of IMAP URLs and Custom Requests.
+ ... when we are not asked to use a certificate from file
-- DOCS: Added IMAP URL example for listing new messages
-
- In addition to listing the folder contents, in the URL examples, added
- an example to list the new messages waiting in the user's inbox.
+Daniel Stenberg (26 Aug 2016)
+- ftp_done: remove dead code
-Yang Tse (1 Aug 2013)
-- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST
+- TLS: random file/egd doesn't have to match for conn reuse
-- [John Malmberg brought this change]
+- test161: add comment for the exit code
- Add in the files needed to build libcurl shared images on VMS.
-
- Update the packages/vms/readme file to be current.
-
- Also some files for the GNV based build were either missing or needed an
- update.
-
- curl_crtl_init.c is a special file that is run before main() to
- set up the proper C runtime behavior.
-
- generate_vax_transfer.com generates the VAX transfer vector modules from
- the gnv_libcurl_symbols.opt file.
-
- gnv_conftest.c_first is a helper file needed for configure scripts to
- come up with the expected answers on VMS.
-
- gnv_libcurl_symbols.opt is the public symbols for the libcurl shared
- image.
+Dan Fandrich (26 Aug 2016)
+- test219: Add http as a required feature
+
+Daniel Stenberg (25 Aug 2016)
+- [Michael Kaufmann brought this change]
+
+ HTTP: stop parsing headers when switching to unknown protocols
- gnv_link_curl.com builds the shared libcurl image and rebuilds other
- programs to use it.
+ - unknown protocols probably won't send more headers (e.g. WebSocket)
+ - improved comments and moved them to the correct case statements
- macro32_exactcase.patch is a hack to make a local copy of the VMS Macro32
- assembler case sensitive, which is needed to build the VAX transfer modules.
+ Closes #899
+
+- openssl: make build with 1.1.0 again
- report_openssl_version.c is a tool for help verify that the libcurl
- shared image is being built for a minium version of openssl.
+ synced with OpenSSL git master commit cc06906707
+
+- INTERNALS: fix title
-- curl: second follow-up for commit 5af2bfb9
+- configure: detect zlib with our pkg-config macros
- Display progress-bar unconditionally on first call
+ ... instead of relying on the pkg-config autoconf macros to be present.
+
+ Fixes #972 (again...)
-- curl: follow-up for commit 5af2bfb9
+Jay Satiro (25 Aug 2016)
+- http2: Remove incorrect comments
- Use tvnow() and tvdiff() to avoid introducing new linkage issues
+ .. also remove same from scp
-Daniel Stenberg (31 Jul 2013)
-- curl: --progress-bar max update frequency now at 5Hz
+Daniel Stenberg (23 Aug 2016)
+- [Ales Novak brought this change]
-- curl: make --progress-bar update the line less frequently
+ ftp: fix wrong poll on the secondary socket
- Also, use memset() instead of a lame loop.
+ When we're uploading using FTP and the server issues a tiny pause
+ between opening the connection to the client's secondary socket, the
+ client's initial poll() times out, which leads to second poll() which
+ does not wait for POLLIN on the secondary socket. So that poll() also
+ has to time out, creating a long (200ms) pause.
- The previous logic that tried to avoid too many updates were very
- ineffective for really fast transfers, as then it could easily end up
- doing hundreds of updates per second that would make a significant
- impact in transfer performance!
+ This patch adds the correct flag to the secondary socket, making the
+ second poll() correctly wait for the connection there too.
- Bug: http://curl.haxx.se/mail/archive-2013-07/0031.html
- Reported-by: Marc Doughty
-
-Nick Zitzmann (30 Jul 2013)
-- darwinssl: added LFs to some strings passed into infof()
+ Signed-off-by: Ales Novak <alnovak@suse.cz>
- (This doesn't need to appear in the release notes.) I noticed a few places
- where infof() was called, and there should've been an LF at the end of the
- string, but there wasn't.
+ Closes #978
-- darwinssl: fix build error in crypto authentication under Snow Leopard
+- RELEASE-NOTES: synced with 95ded2c56
+
+- configure: make it work without PKG_CHECK_MODULES
+
+ With commit c2f9b78 we added a new dependency on pkg-config for
+ developers which may be unwanted. This change make the configure script
+ still work as before if pkg-config isn't installed, it'll just use the
+ old zlib detection logic without pkg-config.
- It turns out Snow Leopard not only has SecItemCopyMatching() defined in
- a header not included by the omnibus header, but it won't work for our
- purposes, because searching for SecIdentityRef objects wasn't added
- to that API until Lion. So we now use the old SecKeychainSearch API
- instead if the user is building under, or running under, Snow Leopard.
+ Reported-by: Marc Hörsken
- Bug: http://sourceforge.net/p/curl/bugs/1255/
- Reported by: Edward Rudd
+ Fixes #972
-- md5 & metalink: use better build macros on Apple operating systems
+Marc Hoersken (21 Aug 2016)
+- Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6"
- Previously we used __MAC_10_X and __IPHONE_X to mark digest-generating
- code that was specific to OS X and iOS. Now we use
- __MAC_OS_X_VERSION_MAX_ALLOWED and __IPHONE_OS_VERSION_MAX_ALLOWED
- instead of those macros.
+ This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554.
- Bug: http://sourceforge.net/p/curl/bugs/1255/
- Reported by: Edward Rudd
+ As discussed in #835 SOCKS5 supports IPv6 proxies and destinations.
-Yang Tse (29 Jul 2013)
-- tool_operhlp.c: fix add_file_name_to_url() OOM handling
+Daniel Stenberg (21 Aug 2016)
+- [Marco Deckel brought this change]
-- tool_operate.c: fix brace placement for vi/emacs delimiter matching
-
-- tool_operate.c: move <fabdef.h> header inclusion location
-
-Daniel Stenberg (29 Jul 2013)
-- RELEASE-NOTES: synced with b5478a0e033e7
+ win: Basic support for Universal Windows Platform apps
+
+ Closes #820
-- curl_easy_pause: on unpause, trigger mulit-socket handling
+Steve Holme (21 Aug 2016)
+- sasl: Don't use GSSAPI authentication when domain name not specified
- When the multi-socket API is used, we need the handle to be checked
- again when it gets unpaused.
+ Only choose the GSSAPI authentication mechanism when the user name
+ contains a Windows domain name or the user is a valid UPN.
- Bug: http://curl.haxx.se/mail/lib-2013-07/0239.html
- Reported-by: Justin Karneges
-
-- [John E. Malmberg brought this change]
+ Fixes #718
- curl_formadd: fix file upload on VMS
+- vauth: Added check for supported SSPI based authentication mechanisms
- For the standard VMS text file formats, VMS needs to read the file to
- get the actual file size.
+ Completing commit 00417fd66c and 2708d4259b.
+
+- http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
- For the standard VMS binary file formats, VMS needs a special format of
- fopen() call so that it stops reading at the logical end of file instead
- of at the end of the blocks allocated to the file.
+ From commit 2708d4259b.
+
+Marc Hoersken (20 Aug 2016)
+- socks.c: display the hostname returned by the SOCKS5 proxy server
- I structured the patch this way as I was not sure about changing the
- structures or parameters to the routines, but would prefer to only call
- the stat() function once and pass the information to where the fopen()
- call is made.
+ Instead of displaying the requested hostname the one returned
+ by the SOCKS5 proxy server is used in case of connection error.
+ The requested hostname is displayed earlier in the connection sequence.
- Bug: https://sourceforge.net/p/curl/bugs/758/
+ The upper-value of the port is moved to a temporary variable and
+ replaced with a 0-byte to make sure the hostname is 0-terminated.
-- formadd: CURLFORM_FILECONTENT wrongly rejected some option combos
+Steve Holme (20 Aug 2016)
+- urldata.h: Corrected comment for httpcode which is also populated by SMTP
- The code for CURLFORM_FILECONTENT had its check for duplicate options
- wrong so that it would reject CURLFORM_PTRNAME if used in combination
- with it (but not CURLFORM_COPYNAME)! The flags field used for this
- purpose cannot be interpreted that broadly.
-
- Bug: http://curl.haxx.se/mail/lib-2013-07/0258.html
- Reported-by: Byrial Jensen
+ As of 7.25.0 and commit 5430007222.
-Yang Tse (25 Jul 2013)
-- packages/vms/Makefile.am: add latest file additions to EXTRA_DIST
+Marc Hoersken (20 Aug 2016)
+- socks.c: use Curl_printable_address in SOCKS5 connection sequence
+
+ Replace custom string formatting with Curl_printable_address.
+ Add additional debug and error output in case of failures.
-- [John E. Malmberg brought this change]
+- socks.c: align SOCKS4 connection sequence with SOCKS5
+
+ Calling sscanf is not required since the raw IPv4 address is
+ available and the protocol can be detected using ai_family.
- VMS: intial set of files to allow building using GNV toolkit.
+Steve Holme (20 Aug 2016)
+- http.c: Corrected indentation change from commit 2708d4259b
+
+ Made by Visual Studio's auto-correct feature and missed by me in my own
+ code reviews!
-- string formatting: fix too many arguments for format
+- http: Added calls to Curl_auth_is_<mechansism>_supported()
+
+ Hooked up the HTTP authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
+
+ As per commit 00417fd66c existing functionality is maintained for now.
-- string formatting: fix zero-length printf format string
+Marc Hoersken (20 Aug 2016)
+- socks.c: improve verbose output of SOCKS5 connection sequence
-- easy.c: curl_easy_getinfo() fix va_start/va_end matching
+- configure.ac: add missing quotes to PKG_CHECK_MODULES
-- imap.c: imap_sendf() fix va_start/va_end matching
+Steve Holme (20 Aug 2016)
+- sasl: Added calls to Curl_auth_is_<mechansism>_supported()
+
+ Hooked up the SASL authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
+
+ For now existing functionality is maintained.
-- string formatting: fix 15+ printf-style format strings
+Daniel Stenberg (19 Aug 2016)
+- [Miroslav Franc brought this change]
-Patrick Monnerat (24 Jul 2013)
-- OS400: sync ILE/RPG binding with current curl.h
+ spnego_sspi: fix memory leak in case *outlen is zero (#970)
-Yang Tse (24 Jul 2013)
-- string formatting: fix 25+ printf-style format strings
+- CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex
-Daniel Stenberg (23 Jul 2013)
-- Makefile.am: use LDFLAGS as well when linking libcurl
+Steve Holme (18 Aug 2016)
+- vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
- Linking on Solaris 10 x86 with Sun Studio 12 failed when we upgraded
- automake for the release builds.
+ As Windows SSPI authentication calls fail when a particular mechanism
+ isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
+ and Negotiate to allow both HTTP and SASL authentication the opportunity
+ to query support for a supported mechanism before selecting it.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1217
- Reported-by: Dagobert Michelsen
+ For now each function returns TRUE to maintain compatability with the
+ existing code when called.
-- [Fabian Keil brought this change]
+Daniel Stenberg (18 Aug 2016)
+- test1144: verify HEAD with body-only response
- url.c: Fix dot file path cleanup when using an HTTP proxy
+Steve Holme (17 Aug 2016)
+- RELEASE-PROCEDURE: Added some more future release dates
- Previously the path was cleaned, but the URL wasn't properly updated.
-
-- [Fabian Keil brought this change]
-
- tests: test1232 verifies dotdot removal from path with proxy
+ ...and removed some old ones
-- [Fabian Keil brought this change]
+Daniel Stenberg (17 Aug 2016)
+- [David Woodhouse brought this change]
- dotdot.c: Fix a RFC section number in a comment for Curl_dedotdotify()
-
-- [John E. Malmberg brought this change]
-
- build_vms.com: fix debug and float options
+ curl: allow "pkcs11:" prefix for client certificates
- In the reorganization of the build_vms.com the debug and float options
- were not fixed up correctly.
-
-- [John E. Malmberg brought this change]
-
- curl: fix upload of a zip file in OpenVMS
+ RFC7512 provides a standard method to reference certificates in PKCS#11
+ tokens, by means of a URI starting 'pkcs11:'.
- Two fixes:
+ We're working on fixing various applications so that whenever they would
+ have been able to use certificates from a file, users can simply insert
+ a PKCS#11 URI instead and expect it to work. This expectation is now a
+ part of the Fedora packaging guidelines, for example.
- 1. Force output file format to be stream-lf so that partial downloads
- can be continued.
+ This doesn't work with cURL because of the way that the colon is used
+ to separate the certificate argument from the passphrase. So instead of
- This should have minor impact as if the file does not exist, it was
- created with stream-lf format. The only time this was an issue is if
- there was already an existing file with a different format.
+ curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
- 2. Fix file uploads are now fixed.
+ I instead need to invoke cURL with the colon escaped, like this:
- a. VMS binary files such as ZIP archives are now uploaded
- correctly.
+ curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
- b. VMS text files are read once to get the correct size
- and then converted to line-feed terminated records as
- they are read into curl.
+ This is suboptimal because we want *consistency* — the URI should be
+ usable in place of a filename anywhere, without having strange
+ differences for different applications.
- The default VMS text formats do not contain either line-feed or
- carriage-return terminated records. Those delimiters are added by the
- operating system file read calls if the application requests them.
+ This patch therefore disables the processing in parse_cert_parameter()
+ when the string starts with 'pkcs11:'. It means you can't pass a
+ passphrase with an unescaped PKCS#11 URI, but there's no need to do so
+ because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
+ the URI itself.
- Bug: http://curl.haxx.se/bug/view.cgi?id=496
-
-Yang Tse (22 Jul 2013)
-- libtest: fix data type of some *_setopt() 'long' arguments
+ Also, if users are already using RFC7512 URIs with the colon escaped as
+ in the above example — even providing a passphrase for cURL to handling
+ instead of using a pin-value attribute, that will continue to work
+ because their string will start 'pkcs11\:' and won't match the check.
+
+ What *does* break with this patch is the extremely unlikely case that a
+ user has a file which is in the local directory and literally named
+ just "pkcs11", and they have a passphrase on it. If that ever happened,
+ the user would need to refer to it as './pkcs11:<passphrase>' instead.
-- curl: fix symbolic names for CURL_NETRC_* enum in --libcurl output
+- nss: make the global variables static
-- curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output
+- openssl: use regular malloc instead of OPENSSL_malloc
+
+ This allows for better memmory debugging and torture tests.
-- tool_operate.c: fix passing curl_easy_setopt long arg on some x64 ABIs
+- proxy: fix tests as follow-up to 93b0d907d5
+
+ This fixes tests that were added after 113f04e664b as the tests would
+ fail otherwise.
- We no longer pass our 'bool' data type variables nor constants as
- an argument to my_setopt(), instead we use proper 1L or 0L values.
+ We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
+ regressions with old and stupid proxies, but we could possibly switch to
+ using it only for CONNECT or only for NTLM in a future if we want to
+ gradually reduce it.
- This also fixes macro used to pass string argument for CURLOPT_SSLCERT,
- CURLOPT_SSLKEY and CURLOPT_EGDSOCKET using my_setopt_str() instead of
- my_setopt().
+ Fixes #954
- This also casts enum or int argument data types to long when passed to
- my_setopt_enum().
+ Reported-by: János Fekete
-Daniel Stenberg (21 Jul 2013)
-- curl_multi_wait: fix revents
+- Revert "Proxy-Connection: stop sending this header by default"
- Commit 6d30f8ebed34e7276 didn't work properly. First, it used the wrong
- array index, but this fix also:
+ This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
+
+- CURLOPT_PROXY.3: unsupported schemes cause errors now
+
+ Follow-up to a96319ebb9 (document the new behavior)
+
+- tests/README: mention nghttpx for HTTP/2 tests
+
+- README.md: add our CII Best Practices badge
+
+- proxy: polished the error message for unsupported schemes
- 1 - only does the copying if indeed there was any activity
+ Follow up to a96319ebb93
+
+- test219: verify unsupported scheme for proxies get rejected
+
+- proxy: reject attempts to use unsupported proxy schemes
- 2 - makes sure to properly translate between internal and external
- bitfields, which are not guaranteed to match
+ I discovered some people have been using "https://example.com" style
+ strings as proxy and it "works" (curl doesn't complain) because curl
+ ignores unknown schemes and then assumes plain HTTP instead.
- Reported-by: Evgeny Turnaev
+ I think this misleads users into believing curl uses HTTPS to proxies
+ when it doesn't. Now curl rejects proxy strings using unsupported
+ schemes instead of just ignoring and defaulting to HTTP.
-- RELEASE-NOTES: synced with d529f3882b9bca
+- RELEASE-NOTES: synced with b7ee5316c2fd5b
-- curl_easy_perform: gradually increase the delay time
+Marc Hoersken (14 Aug 2016)
+- socks.c: Correctly calculate position of port in response packet
+
+ Third commit to fix issue #944 regarding SOCKS5 error handling.
- Instead of going 50,100,150 etc millisecond delay time when nothing has
- been found to do or wait for, we now start lower and double each loop as
- in 4,8,16,32 etc.
+ Reported-by: David Kalnischkies
+
+- socks.c: Do not modify and invalidate calculated response length
- This lowers the minimum wait without sacrifizing the longer wait too
- much with unnecessary CPU cycles burnt.
+ Second commit to fix issue #944 regarding SOCKS5 error handling.
- Bug: http://curl.haxx.se/mail/lib-2013-07/0103.html
- Reported-by: Andreas Malzahn
+ Reported-by: David Kalnischkies
-- ftp_do_more: consider DO_MORE complete when server connects back
+- socks.c: Move error output after reading the whole response packet
- In the case of an active connection when ftp_do_more() detects that the
- server has connected back, it must make sure to mark it as complete so
- that the multi_runsingle() function will detect this and move on to the
- next state.
+ First commit to fix issue #944 regarding SOCKS5 error handling.
- Bug: http://curl.haxx.se/mail/lib-2013-07/0115.html
- Reported-by: Clemens Gruber
+ Reported-by: David Kalnischkies
-Yang Tse (19 Jul 2013)
-- Makefile.b32: Borland makefile adjustments. Tested with BCC 5.5.1
+Daniel Stenberg (13 Aug 2016)
+- [Ronnie Mose brought this change]
-- WIN32 MemoryTracking: require UNICODE for wide strdup code support
+ MANUAL: Remove invalid link to LDAP documentation (#962)
+
+ The server developer.netscape.com does not resolve into any
+ ip address and can be removed.
-Daniel Stenberg (18 Jul 2013)
-- CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
+Jay Satiro (13 Aug 2016)
+- openssl: accept subjectAltName iPAddress if no dNSName match
- CURLOPT_XFERINFOFUNCTION is now the preferred progress callback function
- and CURLOPT_PROGRESSFUNCTION is considered deprecated.
+ Undo change introduced in d4643d6 which caused iPAddress match to be
+ ignored if dNSName was present but did not match.
- This new callback uses pure 'curl_off_t' arguments to pass on full
- resolution sizes. It otherwise retains the same characteristics: the
- same call rate, the same meanings for the arguments and the return code
- is used the same way.
+ Also, if iPAddress is present but does not match, and dNSName is not
+ present, fail as no-match. Prior to this change in such a case the CN
+ would be checked for a match.
- The progressfunc.c example is updated to show how to use the new
- callback for newer libcurls while supporting the older one if built with
- an older libcurl or even built with a newer libcurl while running with
- an older.
+ Bug: https://github.com/curl/curl/issues/959
+ Reported-by: wmsch@users.noreply.github.com
-Yang Tse (18 Jul 2013)
-- Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage".
-
- This reverts commit 7ed25cc, reinstating commit 8ec2cb5.
+Daniel Stenberg (12 Aug 2016)
+- [Dambaev Alexander brought this change]
+
+ configure.ac: add zlib search with pkg-config
- As of 18-jul-2013 we still do have code in libcurl that makes use of these
- memory functions. Commit 8ec2cb5 comment still applies and is yet valid.
+ Closes #956
+
+- rtsp: ignore whitespace in session id
- These memory functions are solely used in Windows builds, so all related
- code is protected with '#ifdef WIN32' preprocessor conditional compilation
- directives.
+ Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
+ whitespace as well.
- Specifically, wcsdup() _wcsdup() are used when building a Windows target with
- UNICODE and USE_WINDOWS_SSPI preprocessor symbols defined. This is the case
- when building a Windows UNICODE target with Windows native SSL/TLS support
- enabled.
+ Help-by: Erik Janssen
+
+- HTTP: retry failed HEAD requests too
- Realizing that wcsdup() _wcsdup() are used is a bit tricky given that usage
- of these is hidden behind _tcsdup() which is MS way of dealing with code
- that must tolerate UNICODE and non-UNICODE compilation. Additionally, MS
- header files and those compatible from other compilers use this preprocessor
- conditional compilation directive in order to select at compilation time
- whether 'wide' or 'ansi' MS API functions are used.
+ Mark's new document about HTTP Retries
+ (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
+ spotted that we don't retry failed HEAD requests which seems totally
+ inconsistent and I can't see any reason for that separate treatment.
- Without this code, Windows build targets with Windows native SSL/TLS support
- enabled and MemoryTracking support enabled misbehave in tracking memory usage,
- regardless of being a UNICODE enabled build or not.
-
-- xc-am-iface.m4: comments refinement
-
-- configure: fix 'subdir-objects' distclean related issue
+ So, no separate treatment for HEAD starting now. A HTTP request sent
+ over a reused connection that gets cut off before a single byte is
+ received will be retried on a fresh connection.
- See XC_AMEND_DISTCLEAN comments for details.
+ Made-aware-by: Mark Nottingham
-Daniel Stenberg (18 Jul 2013)
-- [Evgeny Turnaev brought this change]
+- mk-ca-bundle.1: document -m, added in 1.26
- curl_multi_wait: set revents for extra fds
-
- Pass back the revents that happened for the user-provided file
- descriptors.
+- RELEASE-NOTES: synced with e577c43bb5
-- [Ben Greear brought this change]
+- [Erik Janssen brought this change]
- asyn-ares: Don't blank ares servers if none configured.
+ rtsp: accept any RTSP session id
- Best to just let c-ares use it's defaults if none are configured
- in (lib)curl.
+ Makes libcurl work in communication with gstreamer-based RTSP
+ servers. The original code validates the session id to be in accordance
+ with the RFC. I think it is better not to do that:
- Signed-off-by: Ben Greear <greearb@candelatech.com>
-
-- [Sergei Nikulov brought this change]
-
- cmake: Fix for MSVC2010 project generation
+ - For curl the actual content is a don't care.
- Fixed issue with static build for MSVC2010.
+ - The clarity of the RFC is debatable, is $ allowed or only as \$, that
+ is imho not clear
- After some investigation I've discovered known issue
- http://public.kitware.com/Bug/view.php?id=11240 When .rc file is linked
- to static lib it fails with following linker error
+ - Gstreamer seems to url-encode the session id but % is not allowed by
+ the RFC
- LINK : warning LNK4068: /MACHINE not specified; defaulting to X86
- file.obj : fatal error LNK1112: module machine type 'x64' conflicts with
- target machine type 'X86'
+ - less code
- Fix add target property /MACHINE: for MSVC generation.
+ With this patch curl will correctly handle real-life lines like:
+ Session: biTN4Kc.8%2B1w-AF.; timeout=60
- Also removed old workarounds - it caused errors during msvc build.
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
+
+- symbols-in-versions: add CURL_STRICTER
- Bug: http://curl.haxx.se/mail/lib-2013-07/0046.html
+ Added in 5fce88aa8c12564
-- mk-ca-bundle.1: point out certdata.txt format docs
+- [Simon Warta brought this change]
+
+ winbuild: Allow changing C compiler via environment variable CC (#952)
+
+ This makes it possible to use specific compilers or a cache.
+
+ Sample use for clcache:
+ set CC=clcache.bat
+ nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
-Yang Tse (16 Jul 2013)
-- slist.c: Curl_slist_append_nodup() OOM handling fix
+- LICENSE-MIXING.md: switched to markdown
-Daniel Stenberg (16 Jul 2013)
-- test1414: FTP PORT download without SIZE support
+- docs-make: have markdown files use .md
-Yang Tse (16 Jul 2013)
-- tests/Makefile.am: add configurehelp.pm to DISTCLEANFILES
+- curl.h: make CURL_NO_OLDIES define CURL_STRICTER
-Patrick Monnerat (15 Jul 2013)
-- curl_slist_append(): fix error detection
+- HISTORY.md: use markdown extension
-- slist.c: fix indentation
+- SSLCERTS.md: renamed to markdown extension
-- OS400: new SSL backend GSKit
+- INTERNALS.md: use markdown extension for markdown content
-- OS400: add slist and certinfo EBCDIC support
+- CONTRIBUTE.md: markdown extension
-- config-os400.h: enable system strdup(), strcmpi(), etc.
+- CONTRIBUTE: changed to markdown
-- x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extract
- Use from qssl backend
+- CONTRIBUTE: refreshed
-- ssluse.c,sslgen.c,sslgen.h: move certinfo support to generic SSL
+- TODO: added an SSH section and two SFTP things to do
-- Merge branch 'master' of github.com:bagder/curl
-
- Merge for resync
+- TODO: remove the 1.22 duplicated item
-- slist.c, slist.h, cookie.c: new internal procedure Curl_slist_append_nodup()
+- TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section
-Yang Tse (15 Jul 2013)
-- sslgen.c: fix Curl_rand() compiler warning
-
- Use simple seeding method upon RANDOM_FILE seeding method failure.
+- TODO: API for URL parsing/splitting
-- sslgen.c: fix unreleased Curl_rand() infinite recursion
+- TODO: move QUIC to the HTTP section
-Daniel Stenberg (14 Jul 2013)
-- [Dave Reisner brought this change]
+- [Simon Warta brought this change]
- src/tool: allow timeouts to accept decimal values
+ winbuild: Free name $(CC) in Makefile (#950)
- Implement wrappers around strtod to convert the user argument to a
- double with sane error checking. Use this to allow --max-time and
- --connect-timeout to accept decimal values instead of strictly integers.
+ In the old line number 290, CC and CURL_CC had the same value. After
+ that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
- The manpage is updated to make mention of this feature and,
- additionally, forewarn that the actual timeout of the operation can
- vary in its precision (particularly as the value increases in its
- decimal precision).
-
-- [Dave Reisner brought this change]
+ This gets rid of the CC variable entirely. It is a first step to make it
+ possible to manualyl set a CC variable in order to be able to change the
+ compiler.
- curl.1: fix long line, found by checksrc.pl
+- TODO: Use huge HTTP/2 windows
-- [Dave Reisner brought this change]
+- [Simon Warta brought this change]
- src/tool_paramhlp: try harder to catch negatives
+ winbuild: Avoid setting redundant CFLAGS to compile commands (#949)
- strto* functions happily chomp off leading whitespace, so simply
- checking for str[0] can lead to false negatives. Do the full parse and
- check the out value instead.
+ $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
+ all arguments in CURL_CFLAGS have been added twice.
-- [John E. Malmberg brought this change]
-
- build_vms.com: detect and use zlib shared image
+Jay Satiro (8 Aug 2016)
+- cmake: Enable win32 threaded resolver by default
+
+ - Turn on USE_THREADS_WIN32 in Windows if ares isn't on
- Update the build_vms.com to detect and use zlib shared image installed
- by the ZLIB kit produced by Jean-Francois Pieronne, and the also the
- future ZLIB 1.2.8 kit in addition to the older ZLIB kits.
+ This change is similar to what we already do in the autotools build.
+
+- cmake: Enable win32 large file support by default
- Also fix the indentation to match one of the common standards used for
- VMS DCL command files and removed the hard tab characters.
+ All compilers used by cmake in Windows should support large files.
- Tested on OpenVMS 8.4 Alpha and IA64, and OpenVMS 7.3 VAX.
+ - Add test SIZEOF_OFF_T
+ - Remove outdated test SIZEOF_CURL_OFF_T
+ - Turn on USE_WIN32_LARGE_FILES in Windows
+ - Check for 'Largefile' during the features output
-Yang Tse (14 Jul 2013)
-- url.c: fix parse_url_login() OOM handling
+Daniel Stenberg (7 Aug 2016)
+- TODO: added several ideas, removed SPDY
-- http_digest.c: SIGSEGV and OOM handling fixes
+- http2: always wait for readable socket
+
+ Since the server can at any time send a HTTP/2 frame to us, we need to
+ wait for the socket to be readable during all transfers so that we can
+ act on incoming frames even when uploading etc.
+
+ Reminded-by: Tatsuhiro Tsujikawa
-- url.c: fix parse_login_details() OOM handling
+- RELEASE-NOTES: synced with 7b4bf37a44791
-- [John E. Malmberg brought this change]
+- [Thomas Glanzmann brought this change]
- setup-vms.h: sk_pop symbol tweak
+ mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
- Newer versions of curl are referencing a sk_pop symbol while the HP
- OpenSSL library has the symbol in uppercase only.
+ In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
+ to 0. This patch also adds a comment how mbedtls must be compiled in
+ order to make debugging work, and explains the possible debug levels.
-- getinfo.c: fix enumerated type mixed with another type
+- CURLOPT_TCP_NODELAY: now enabled by default
+
+ After a few wasted hours hunting down the reason for slowness during a
+ TLS handshake that turned out to be because of TCP_NODELAY not being
+ set, I think we have enough motivation to toggle the default for this
+ option. We now enable TCP_NODELAY by default and allow applications to
+ switch it off.
+
+ This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
+ used to disable it.
+
+ Thanks-to: Tim Rühsen
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
-- test 1511: fix enumerated type mixed with another type
+- [Serj Kalichev brought this change]
-- url.c: fix SIGSEGV
+ TFTP: Fix upload problem with piped input
+
+ When input stream for curl is stdin and input stream is not a file but
+ generated by a script then curl can truncate data transfer to arbitrary
+ size since a partial packet is treated as end of transfer by TFTP.
+
+ Fixes #857
-- dotdot.c: fix global declaration shadowing
+- mk-ca-bundle.pl: -m keeps ca cert meta data in output
+
+ Makes the script pass on comments holding meta data to the output
+ file. Like fingerprinters, issuer, date ranges etc.
+
+ Closes #937
-- easy.c: fix global declaration shadowing
+- multi: make Curl_expire() work with 0 ms timeouts
+
+ Previously, passing a timeout of zero to Curl_expire() was a magic code
+ for clearing all timeouts for the handle. That is now instead made with
+ the new Curl_expire_clear() function and thus a 0 timeout is fine to set
+ and will trigger a timeout ASAP.
+
+ This will help removing short delays, in particular notable when doing
+ HTTP/2.
-Kamil Dudka (9 Jul 2013)
-- Revert "curl.1: document the --time-cond option in the man page"
+- transfer: return without select when the read loop reached maxcount
- This reverts commit 3a0e931fc715a80004958794a96b12cf90503f99 because
- the documentation of --time-cond was duplicated by mistake.
+ Regression added in 790d6de48515. The was then added to avoid one
+ particular transfer to starve out others. But when aborting due to
+ reading the maxcount, the connection must be marked to be read from
+ again without first doing a select as for some protocols (like SFTP/SCP)
+ the data may already have been read off the socket.
- Reported by: Dave Reisner
+ Reported-by: Dan Donahue
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html
-- curl.1: document the --sasl-ir option in the man page
+Steve Holme (3 Aug 2016)
+- [Bill Nagel brought this change]
-- curl.1: document the --post303 option in the man page
+ mbedtls: Added support for NTLM
-- curl.1: document the --time-cond option in the man page
+Daniel Stenberg (3 Aug 2016)
+- [Sergei Nikulov brought this change]
-Yang Tse (9 Jul 2013)
-- configure: automake 1.14 compatibility tweak (use XC_AUTOMAKE)
+ travis: removed option to rebuild autotool from source
+
+ Fixes #943
-- xc-am-iface.m4: provide XC_AUTOMAKE macro
+- bump: start working toward 7.50.2
-Guenter Knauf (8 Jul 2013)
-- Added winssl-zlib target to VC builds.
+Version 7.50.1 (3 Aug 2016)
-- Synced Makefile.vc6 with recent changes.
-
- Issue posted to the list by malinowsky AT FTW DOT at.
+Daniel Stenberg (3 Aug 2016)
+- THANKS: 7 new contributors from the 7.50.1 release
-- Added libmetalink URL; added Android versions.
+- RELEASE-NOTES: 7.50.1
-Dan Fandrich (3 Jul 2013)
-- examples: Moved usercertinmem.c to COMPLICATED_EXAMPLES
+- TLS: only reuse connections with the same client cert
- This prevents it from being built during a "make check" since it
- depends on OpenSSL.
-
-Nick Zitzmann (2 Jul 2013)
-- Merge branch 'master' of https://github.com/bagder/curl
+ CVE-2016-5420
+ Bug: https://curl.haxx.se/docs/adv_20160803B.html
-- darwinssl: SSLv2 connections are aborted if unsupported by the OS
+- TLS: switch off SSL session id when client cert is used
- I just noticed that OS X no longer supports SSLv2. Other TLS engines return
- an error if the requested protocol isn't supported by the underlying
- engine, so we do that now for SSLv2 if the framework returns an error
- when trying to turn on SSLv2 support. (Note: As always, SSLv2 support is
- only enabled in curl when starting the app with the -2 argument; it's off
- by default. SSLv2 is really old and insecure.)
+ CVE-2016-5419
+ Bug: https://curl.haxx.se/docs/adv_20160803A.html
+ Reported-by: Bru Rom
+ Contributions-by: Eric Rescorla and Ray Satiro
-Marc Hoersken (1 Jul 2013)
-- lib506.c: Fixed possible use of uninitialized variables
-
-Kamil Dudka (30 Jun 2013)
-- url: restore the functionality of 'curl -u :'
-
- This commit fixes a regression introduced in
- fddb7b44a79d78e05043e1c97e069308b6b85f79.
+- curl_multi_cleanup: clear connection pointer for easy handles
- Reported by: Markus Moeller
- Bug: http://curl.haxx.se/mail/archive-2013-06/0052.html
+ CVE-2016-5421
+ Bug: https://curl.haxx.se/docs/adv_20160803C.html
+ Reported-by: Marcelo Echeverria and Fernando Muñoz
-Daniel Stenberg (25 Jun 2013)
-- digest: append the timer to the random for the nonce
-
-- digest: improve nonce generation
+- KNOWN_BUGS: SOCKS proxy not working via IPv6
- Use the new improved Curl_rand() to generate better random nonce for
- Digest auth.
+ Closes #835
-- curl.1: fix typo in --xattr description
+- KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
- Bug: http://curl.haxx.se/bug/view.cgi?id=1252
- Reported-by: Jean-Noël Rouvignac
+ Closes #768
-- RELEASE-NOTES: synced with 365c5ba39591
+- KNOWN_BUGS: transfer-encoding: chunked in HTTP/2
- The 10 first bug fixes for the pending release...
+ Closes #662
-- formpost: better random boundaries
-
- When doing multi-part formposts, libcurl used a pseudo-random value that
- was seeded with time(). This turns out to be bad for users who formpost
- data that is provided with users who then can guess how the boundary
- string will look like and then they can forge a different formpost part
- and trick the receiver.
+- TODO: Provide cmake config-file
- My advice to such implementors is (still even after this change) to not
- rely on the boundary strings being cryptographically strong. Fix your
- code and logic to not depend on them that much!
-
- I moved the Curl_rand() function into the sslgen.c source file now to be
- able to take advantage of the SSL library's random function if it
- provides one. If not, try to use the RANDOM_FILE for seeding and as a
- last resort keep the old logic, just modified to also add microseconds
- which makes it harder to properly guess the exact seed.
+ Closes #885
+
+Patrick Monnerat (2 Aug 2016)
+- os400: define BUILDING_LIBCURL in make script.
+
+Daniel Stenberg (1 Aug 2016)
+- RELEASE-NOTES: synced with aa9f536a18b
+
+Jay Satiro (1 Aug 2016)
+- [Thomas Glanzmann brought this change]
+
+ mbedtls: Fix debug function name
- The formboundary() function in formdata.c is now using 64 bit entropy
- for the boundary and therefore the string of dashes was reduced by 4
- letters and there are 16 hex digits following it. The total length is
- thus still the same.
+ This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
+ defined.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1251
- Reported-by: "Floris"
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
-- printf: make sure %x are treated unsigned
+Daniel Stenberg (1 Aug 2016)
+- [Sergei Nikulov brought this change]
+
+ travis: fix OSX build by re-installing libtool
- When using %x, the number must be treated as unsigned as otherwise it
- would get sign-extended on for example 64bit machines and do wrong
- output. This problem showed when doing printf("%08x", 0xffeeddcc) on a
- 64bit host.
+ Apparently due to a broken homebrew install
+
+ fixes #934
+ Closes #939
-- tests: add test1395 to the tarball
+- [Martin Vejnár brought this change]
-- SIGPIPE: don't use 'data' in sigpipe restore
+ win32: fix a potential memory leak in Curl_load_library
- Follow-up fix from 7d80ed64e43515.
+ If a call to GetSystemDirectory fails, the `path` pointer that was
+ previously allocated would be leaked. This makes sure that `path` is
+ always freed.
- The SessionHandle may not be around to use when we restore the sigpipe
- sighandler so we store the no_signal boolean in the local struct to know
- if/how to restore.
+ Closes #938
-- TODO: 1.8 Modified buffer size approach
+- include: revert 9adf3c4 and make public types void * again
- Thoughts around buffer sizes and what might be possible to do...
-
-- c-ares: improve error message on failed resolve
+ Many applications assume the actual contents of the public types and use
+ that do for example forward declarations (saving them from including our
+ public header) which then breaks when we switch from void * to a struct
+ *.
- When the c-ares based resolver backend failed to resolve a name, it
- tried to show the name that failed from existing structs. This caused
- the wrong output and shown hostname when for example --interface
- [hostname] was used and that name resolving failed.
+ I'm not convinced we were wrong, but since this practise seems
+ widespread enough I'm willing to (partly) step down.
- Now we use the hostname used in the actual resolve attempt in the error
- message as well.
+ Now libcurl uses the struct itself when it is built and it allows
+ applications to use the struct type if CURL_STRICTER is defined at the
+ time of the #include.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1191
- Reported-by: Kim Vandry
+ Reported-by: Peter Frühberger
+ Fixes #926
-- ossl_recv: check for an OpenSSL error, don't assume
+Jay Satiro (28 Jul 2016)
+- [Yonggang Luo brought this change]
+
+ cmake: Fix for schannel support
- When we recently started to treat a zero return code from SSL_read() as
- an error we also got false positives - which primarily looks to be
- because the OpenSSL documentation is wrong and a zero return code is not
- at all an error case in many situations.
+ The check_library_exists_concat do not check crypt32 library properly.
+ So include it directly.
- Now ossl_recv() will check with ERR_get_error() to see if there is a
- stored error and only then consider it to be a true error if SSL_read()
- returned zero.
+ Bug: https://github.com/curl/curl/pull/917
+ Reported-by: Yonggang Luo
- Bug: http://curl.haxx.se/bug/view.cgi?id=1249
- Reported-by: Nach M. S.
- Patch-by: Nach M. S.
-
-Nick Zitzmann (22 Jun 2013)
-- Merge branch 'master' of https://github.com/bagder/curl
+ Bug: https://github.com/curl/curl/issues/935
+ Reported-by: Alain Danteny
-- darwinssl: fix crash that started happening in Lion
+- Revert "travis: Install libtool for OS X builds"
- Something (a recent security update maybe?) changed in Lion, and now it
- has changed SSLCopyPeerTrust such that it may return noErr but also give
- us a null trust, which caught us off guard and caused an eventual crash.
-
-Daniel Stenberg (22 Jun 2013)
-- SIGPIPE: ignored while inside the library
+ Didn't work.
- ... and restore the ordinary handling again when it returns. This is
- done for curl_easy_perform() and curl_easy_cleanup() only for now - and
- only when built to use OpenSSL as backend as this is the known culprit
- for the spurious SIGPIPEs people have received.
+ This reverts commit 50723585ed380744358de054e2a55dccee65dfd7.
+
+- travis: Install libtool for OS X builds
- Bug: http://curl.haxx.se/bug/view.cgi?id=1180
- Reported by: Lluís Batlle i Rossell
+ CI is failing due to missing libtoolize, so I'm trying this.
-- KNOWN_BUGS: #83 unable to load non-default openssl engines
+Daniel Stenberg (26 Jul 2016)
+- [Viktor Szakats brought this change]
-- test1396: invoke the correct test tool!
+ TODO: minor typo in last commit
- This erroneously run unit test 1310 instead of 1396!
+ merged #931
-Kamil Dudka (22 Jun 2013)
-- test1230: avoid using hard-wired port number
-
- ... to prevent failure when a non-default -b option is given
+- TODO: Timeout idle connections from the pool
-- curl-config.in: replace tabs by spaces
+Patrick Monnerat (25 Jul 2016)
+- os400: minimum supported OS version: V6R1M0.
+ Do not log compilation informational messages.
-Nick Zitzmann (22 Jun 2013)
-- darwinssl: reform OS-specific #defines
+Jay Satiro (24 Jul 2016)
+- tests: Fix for http/2 feature
- This doesn't need to be in the release notes. I cleaned up a lot of the #if
- lines in the code to use MAC_OS_X_VERSION_MIN_REQUIRED and
- MAC_OS_X_VERSION_MAX_ALLOWED instead of checking for whether things like
- __MAC_10_6 or whatever were defined, because for some SDKs Apple has released
- they were defined out of place.
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0070.html
+ Reported-by: Paul Howarth
-Daniel Stenberg (22 Jun 2013)
-- [Alessandro Ghedini brought this change]
+Steve Holme (23 Jul 2016)
+- README: Mention wolfSSL in the 'Dependencies' section
- docs: fix typo in curl_easy_getinfo manpage
+- vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
+
+ As SPNEGO is only defined when these pre-processor variables are defined
+ there is no need to query them explicitly.
-- dotdot: introducing dot file path cleanup
+- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
- RFC3986 details how a path part passed in as part of a URI should be
- "cleaned" from dot sequences before getting used. The described
- algorithm is now implemented in lib/dotdot.c with the accompanied test
- case in test 1395.
+ Typo introduced in commit ad5e9bfd5d.
+
+Daniel Stenberg (22 Jul 2016)
+- SECURITY: mention how to get windows-specific CVEs
- Bug: http://curl.haxx.se/bug/view.cgi?id=1200
- Reported-by: Alex Vinnik
+ ... and make the distros link a proper link
-- bump: start working towards what most likely will become 7.32.0
+Dan Fandrich (21 Jul 2016)
+- test558: fix test by stripping file paths from FD lines
-- THANKS: added 24 new contributors from the 7.31.0 release
+Kamil Dudka (21 Jul 2016)
+- tests: distribute the http2-server.pl script, too
-Version 7.31.0 (22 Jun 2013)
+- docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too
-Daniel Stenberg (22 Jun 2013)
-- RELEASE-NOTES: synced with 0de7249bb39a2 - 7.31.0
+Daniel Stenberg (21 Jul 2016)
+- bump: start working on 7.50.1
-- unit1396: unit tests to verify curl_easy_(un)escape
+Version 7.50.0 (21 Jul 2016)
-- Curl_urldecode: no peeking beyond end of input buffer
+Daniel Stenberg (21 Jul 2016)
+- RELEASE-NOTES: version 7.50.0 ready
+
+- THANKS: 13 new contributors from the 7.50.0 release
+
+Jay Satiro (21 Jul 2016)
+- winbuild: fix embedded manifest option
- Security problem: CVE-2013-2174
+ Embedded manifest option didn't work due to typo.
+
+ Reported-by: Stefan Kanthak
+
+- vauth: Fix memleak by freeing credentials if out of memory
- If a program would give a string like "%FF" to curl_easy_unescape() but
- ask for it to decode only the first byte, it would still parse and
- decode the full hex sequence. The function then not only read beyond the
- allowed buffer but it would also deduct the *unsigned* counter variable
- for how many more bytes there's left to read in the buffer by two,
- making the counter wrap. Continuing this, the function would go on
- reading beyond the buffer and soon writing beyond the allocated target
- buffer...
+ This is a follow up to the parent commit dcdd4be which fixes one leak
+ but creates another by failing to free the credentials handle if out of
+ memory. Also there's a second location a few lines down where we fail to
+ do same. This commit fixes both of those issues.
+
+Daniel Stenberg (20 Jul 2016)
+- [Saurav Babu brought this change]
+
+ vauth: Fixed memory leak due to function returning without free
- Bug: http://curl.haxx.se/docs/adv_20130622.html
- Reported-by: Timo Sirainen
+ This patch allocates memory to "output_token" only when it is required
+ so that memory is not leaked if function returns.
-Guenter Knauf (20 Jun 2013)
-- Use opened body.out file and write content to it.
+- test558: updated after ipv6-check move
+
+ Follow-up commit to c50980807c5 to make this test pass.
-Daniel Stenberg (20 Jun 2013)
-- multi_socket: react on socket close immediately
+Jay Satiro (20 Jul 2016)
+- connect: disable TFO on Linux when using SSL
- As a remedy to the problem when a socket gets closed and a new one is
- opened with the same file descriptor number and as a result
- multi.c:singlesocket() doesn't detect the difference, the new function
- Curl_multi_closed() gets told when a socket is closed so that it can be
- removed from the socket hash. When the old one has been removed, a new
- socket should be detected fine by the singlesocket() on next invoke.
+ - Linux TFO + TLS is not implemented yet.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1248
- Reported-by: Erik Johansson
+ Bug: https://github.com/curl/curl/issues/907
-- RELEASE-NOTES: synced with e305f5ec715f
+Daniel Stenberg (19 Jul 2016)
+- ROADMAP: QUIC and TLS 1.3
-- TODO: mention the DANE patch from March
+- RELEASE-NOTES: synced with c50980807c5
-- CURLOPT_COOKIELIST: take cookie share lock
-
- When performing COOKIELIST operations the cookie lock needs to be taken
- for the cases where the cookies are shared among multiple handles!
+Jay Satiro (18 Jul 2016)
+- [Brian Prodoehl brought this change]
+
+ curl_global_init: Check if IPv6 works
- Verified by Benjamin Gilbert's updated test 506
+ - Curl_ipv6works() is not thread-safe until after the first call, so
+ call it once during global init to avoid a possible race condition.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1215
- Reported-by: Benjamin Gilbert
+ Bug: https://github.com/curl/curl/issues/915
+ PR: https://github.com/curl/curl/pull/918
-- [Benjamin Gilbert brought this change]
+- [Timothy Polich brought this change]
- test506: verify that CURLOPT_COOKIELIST takes share lock
+ CURLMOPT_SOCKETFUNCTION.3: fix typo
- It doesn't right now: http://curl.haxx.se/bug/view.cgi?id=1215
+ Closes https://github.com/curl/curl/pull/914
-- TODO: HTTP2/SPDY support
+- [Miroslav Franc brought this change]
-- curl_easy_setopt.3: clarify CURLOPT_PROGRESSFUNCTION frequency
+ library: Fix memory leaks found during static analysis
- Make it clearer that the CURLOPT_PROGRESSFUNCTION callback will be
- called more frequently than once per second when things are happening.
+ Closes https://github.com/curl/curl/pull/913
-- RELEASE-NOTES: synced with 9c3e098259b82
-
- Mention 7 recent bug fixes and their associated contributors
+- [Viktor Szakats brought this change]
-- curl_multi_wait.3: clarify the numfds counter
+ cookie.c: Fix misleading indentation
+
+ Closes https://github.com/curl/curl/pull/911
-- curl_easy_perform: avoid busy-looping
+- FAQ: Update FTP directory listing section for MLSD command
- When curl_multi_wait() finds no file descriptor to wait for, it returns
- instantly and this must be handled gracefully within curl_easy_perform()
- or cause a busy-loop. Starting now, repeated fast returns without any
- file descriptors is detected and a gradually increasing sleep will be
- used (up to a max of 1000 milliseconds) before continuing the loop.
+ Explain how some FTP servers support the machine readable listing
+ format MLSD from RFC 3659 and compare it to LIST.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1238
- Reported-by: Miguel Angel
+ Ref: https://github.com/curl/curl/issues/906
-- [YAMADA Yasuharu brought this change]
+Daniel Stenberg (1 Jul 2016)
+- [Sergei Nikulov brought this change]
- cookies: follow-up fix for path checking
+ Appveyor: Updates for options - CURL_STATICLIB/BUILD_TESTING
- The initial fix to only compare full path names were done in commit
- 04f52e9b4db0 but found out to be incomplete. This takes should make the
- change more complete and there's now two additional tests to verify
- (test 31 and 62).
+ Closes #892
-- [Sergei Nikulov brought this change]
+- TODO: 17.4 also brings more HTTP/2 support
- lib1900: use tutil_tvnow instead of gettimeofday
+- TODO: try next proxy if one doesn't work
- Makes it build on windows
+ Closes #896
-- [Eric Hu brought this change]
+- conn: don't free easy handle data in handler->disconnect
+
+ Reported-by: Gou Lingfeng
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
- axtls: now done non-blocking
+- test1244: test different proxy ports same URL
-- [Eric Hu brought this change]
+- curl_global_init.3: improved formatting of the flags
- test2033: requires NTLM support
+- curl_global_init.3: expand on the SSL and WIN32 bits purpose
+
+ Reported-by: Richard Gray
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html
-- KNOWN_BUGS: #82 failed build with Borland compiler
+- [Michael Kaufmann brought this change]
-- Curl_output_digest: support auth-int for empty entity body
+ cleanup: minor code cleanup in Curl_http_readwrite_headers()
- By always returning the md5 for an empty body when auth-int is asked
- for, libcurl now at least sometimes does the right thing.
+ - the expression of an 'if' was always true
+ - a 'while' contained a condition that was always true
+ - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
+ - fixed a typo
- Bug: http://curl.haxx.se/bug/view.cgi?id=1235
- Patched-by: Nach M. S.
+ Closes #889
-- multi_socket: reduce timeout inaccuracy margin
+- SFTP: set a generic error when no SFTP one exists...
- Allow less room for "triggered too early" mistakes by applications /
- timers on non-windows platforms. Starting now, we assume that a timeout
- call is never made earlier than 3 milliseconds before the actual
- timeout. This greatly improves timeout accuracy on Linux.
+ ... as otherwise we could get a 0 which would count as no error and we'd
+ wrongly continue and could end up segfaulting.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1228
- Reported-by: Hang Su
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
+ Reported-by: 暖和的和暖
+
+- ROADMAP: http2 tests are merged, mention http2 perf
-- cert_stuff: avoid double free in the PKCS12 code
+- docs/README.md: to render nicer pages on github
- In the pkcs12 code, we get a list of x509 records returned from
- PKCS12_parse but when iterating over the list and passing each to
- SSL_CTX_add_extra_chain_cert() we didn't also properly remove them from
- the "stack", which made them get freed twice (both in sk_X509_pop_free()
- and then later in SSL_CTX_free).
+ ... as previously the README.cmake would be picked and put at the bottom
+ of the docs page there and it wasn't very representative!
+
+- README.md: change host name for the svg logo
- This isn't really documented anywhere...
+ rawgit.com asks to use the domain cdn.rawgit.com for production
- Bug: http://curl.haxx.se/bug/view.cgi?id=1236
- Reported-by: Nikaiw
+ See #900
+
+- [Viktor Szakats brought this change]
-- cert_stuff: remove code duplication in the pkcs12 logic
+ README.md: use the SVG logo
-- [Aleksey Tulinov brought this change]
+- README.md: logo on top!
- axtls: honor disabled VERIFYHOST
+- KNOWN_BUGS: 3.4 POP3 expects "CRLF.CRLF" eob for some
- When VERIFYHOST == 0, libcurl should let invalid certificates to pass.
+ Closes #740
-- [Peter Gal brought this change]
+- RELEASE-NOTES: synced with d61c80515aa8
- curl_easy_setopt.3: HTTP header with no content
-
- Update the documentation on how to specify a HTTP header with no
- content.
+- [Michael Osipov brought this change]
-- RELEASE-NOTES: synced with 87cf677eca55
+ acinclude.m4: improve autodetection of CA bundle on FreeBSD
- Added 11 bugs and 7 contributors
-
-- lib1500: remove bad check
+ The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
+ to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
+ discovery process.
- After curl_multi_wait() returns, this test checked that we got exactly
- one file descriptor told to read from, but we cannot be sure that is
- true. curl_multi_wait() will sometimes return earlier without any file
- descriptor to handle, just just because it is a suitable time to call
- *perform().
+ This change also removes the former FreeBSD path that has been obsolete
+ for 8 years since this FreeBSD ports commit:
+ https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953
- This problem showed up with commit 29bf0598.
+ Closes #894
+
+- configure: don't specify .lib for libs on windows
- Bug: http://curl.haxx.se/mail/lib-2013-06/0029.html
- Reported-by: Fabian Keil
+ Another follow up for crypt32.lib linking with winssl
-- tests/Makefile: typo in the perlcheck target
+- configure: fix winssl LIBS change typo
- Bug: http://curl.haxx.se/bug/view.cgi?id=1239
- Reported-by: Christian Weisgerber
+ follow-up from 120bf29e
-- test1230: verify CONNECT to a numerical ipv6-address
+- TODO: "TCP Fast Open" is done, add monitor pool connections
-- sws: support extracting test number from CONNECT ipv6-address!
+- configure: add crypt32.lib for winssl builds
- If an ipv6-address is provided to CONNECT, the last hexadecimal group in
- the address will be used as the test number! For example the address
- "[1234::ff]" would be treated as test case 255.
+ Necessary since 6cabd78531f
-- curl_multi_wait: only use internal timer if not -1
+- Makefile.vc: link with crypt32.lib for winssl builds
- commit 29bf0598aad5 introduced a problem when the "internal" timeout is
- prefered to the given if shorter, as it didn't consider the case where
- -1 was returned. Now the internal timeout is only considered if not -1.
+ Necessary since 6cabd78531f
- Reported-by: Tor Arntsen
- Bug: http://curl.haxx.se/mail/lib-2013-06/0015.html
+ Fixes #853
-Dan Fandrich (3 Jun 2013)
-- libcurl-tutorial.3: added a section on IPv6
-
- Also added a (correctly-escaped) backslash to the autoexec.bat
- example file and a new Windows character device name with
- a colon as examples of other characters that are special
- and potentially dangerous (this reverts and reworks commit
- 7d8d2a54).
+- [Joel Depooter brought this change]
-Daniel Stenberg (3 Jun 2013)
-- curl_multi_wait: reduce timeout if the multi handle wants to
-
- If the multi handle's pending timeout is less than what is passed into
- this function, it will now opt to use the shorter time anyway since it
- is a very good hint that the handle wants to process something in a
- shorter time than what otherwise would happen.
-
- curl_multi_wait.3 was updated accordingly to clarify
+ VC: Add crypt32.lib to Visual Sudio project template files
- This is the reason for bug #1224
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1224
- Reported-by: Andrii Moiseiev
+ Closes #854
-- multi_runsingle: switch an if() condition for readability
+- vc: fix the build for schannel certinfo support
- ... because there's an identical check right next to it so using the
- operators in the check in the same order increases readability.
+ Broken since 6cabd785, which adds use of the Curl_extract_certinfo
+ function from the x509asn1.c file.
-Marc Hoersken (2 Jun 2013)
-- curl_schannel.c: Removed variable unused since 35874298e4
+- typedefs: use the full structs in internal code...
+
+ ... and save the typedef'ed names for headers and external APIs.
-- curl_setup.h: Fixed redefinition warning using mingw-w64
+- internals: rename the SessionHandle struct to Curl_easy
-Daniel Stenberg (30 May 2013)
-- multi_runsingle: add braces to clarify the code
+- headers: forward declare CURL, CURLM and CURLSH as structs
+
+ Instead of typedef'ing to void, typedef to their corresponding actual
+ struct names to allow compilers to type-check.
+
+ Assisted-by: Reinhard Max
-- libcurl-tutorial.3: remove incorrect backslash
+Jay Satiro (22 Jun 2016)
+- vtls: Only call add/getsession if session id is enabled
- A single backslash in the content is not legal nroff syntax.
+ Prior to this change we called Curl_ssl_getsessionid and
+ Curl_ssl_addsessionid regardless of whether session ID reusing was
+ enabled. According to comments that is in case session ID reuse was
+ disabled but then later enabled.
- Reported and fixed by: Eric S. Raymond
- Bug: http://curl.haxx.se/bug/view.cgi?id=1234
+ The old way was not intuitive and probably not something users expected.
+ When a user disables session ID caching I'd guess they don't expect the
+ session ID to be cached anyway in case the caching is later enabled.
-- curl_formadd.3: fixed wrong "end-marker" syntax
+Daniel Stenberg (22 Jun 2016)
+- curl.1: the used progress meter suffix is k in lower case
- Reported and fixed by: Eric S. Raymond
- Bug: http://curl.haxx.se/bug/view.cgi?id=1233
+ Closes #883
-- curl.1: clarify that --silent still outputs data
+- [Sergei Nikulov brought this change]
-- Digest auth: escape user names with \ or " in them
+ cmake: now using BUILD_TESTING=ON/OFF
- When sending the HTTP Authorization: header for digest, the user name
- needs to be escaped if it contains a double-quote or backslash.
+ CMake build now using BUILD_TESTING=ON/OFF (default is OFF) to build
+ tests and enabling CTest integration. Options BUILD_CURL_TESTS and
+ BUILD_DASHBOARD_REPORTS was removed.
- Test 1229 was added to verify
+ Closes #882
- Reported and fixed by: Nach M. S
- Bug: http://curl.haxx.se/bug/view.cgi?id=1230
+ Reviewed-by: Brad King
-- [Mike Giancola brought this change]
+- [Michael Kaufmann brought this change]
- ossl_recv: SSL_read() returning 0 is an error too
+ cleanup: fix method names in code comments
- SSL_read can return 0 for "not successful", according to the open SSL
- documentation: http://www.openssl.org/docs/ssl/SSL_read.html
-
-- [Mike Giancola brought this change]
+ Closes #887
- ossl_send: SSL_write() returning 0 is an error too
-
- We found that in specific cases if the connection is abruptly closed,
- the underlying socket is listed in a close_wait state. We continue to
- call the curl_multi_perform, curl_mutli_fdset etc. None of these APIs
- report the socket closed / connection finished. Since we have cases
- where the multi connection is only used once, this can pose a problem
- for us. I've read that if another connection was to come in, curl would
- see the socket as bad and attempt to close it at that time -
- unfortunately, this does not work for us.
-
- I found that in specific situations, if SSL_write returns 0, curl did
- not recognize the socket as closed (or errored out) and did not report
- it to the application. I believe we need to change the code slightly, to
- check if ssl_write returns 0. If so, treat it as an error - the same as
- a negative return code.
+Kamil Dudka (21 Jun 2016)
+- curl-compilers.m4: improve detection of GCC's -fvisibility= flag
- For OpenSSL - the ssl_write documentation is here:
- http://www.openssl.org/docs/ssl/SSL_write.html
-
-- KNOWN_BUGS: curl -OJC- fails to resume
+ Some builds of GCC produce output on both stdout and stderr when --help
+ --verbose is used. The 2>&1 redirection caused them to be arbitrarily
+ interleaved with each other because of stream buffering. Consequently,
+ grep failed to match the fvisibility= string in the mixed output, even
+ though the string was present in GCC's standard output.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1169
+ This led to silently disabling symbol hiding in some builds of curl.
-- Curl_cookie_add: handle IPv6 hosts
-
- 1 - don't skip host names with a colon in them in an attempt to bail out
- on HTTP headers in the cookie file parser. It was only a shortcut anyway
- and trying to parse a file with HTTP headers will still be handled, only
- slightly slower.
+Daniel Stenberg (19 Jun 2016)
+- tests: fix the HTTP/2 tests
- 2 - don't skip domain names based on number of dots. The original
- netscape cookie spec had this oddity mentioned and while our code
- decreased the check to only check for two, the existing cookie spec has
- no such dot counting required.
+ The HTTP/2 tests brought with commit bf05606ef1f were using the internal
+ name 'http2' for the HTTP/2 server, while in fact that name was already
+ used for the second instance of the HTTP server. This made tests using
+ the second instance (like test 2050) fail after a HTTP/2 test had run.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1221
- Reported-by: Stefan Neis
+ The server is now known as HTTP/2 internally and within the <server>
+ section in test cases. 1700, 1701 and 1702 were updated accordingly.
-- curl_easy_setopt.3: expand the PROGRESSFUNCTION section
-
- Explain the callback and its arguments better and with more descriptive
- text.
+- openssl: use more 'const' to fix build warnings with 1.1.0 branch
-- tests: add test1394 file to the tarball
+- curl.1: missed 'T' in the progress unit suffixes
-- tarball: include the xmlstream example
+- curl.1: mention the unix for the progress meter
-- [David Strauss brought this change]
+Patrick Monnerat (16 Jun 2016)
+- os400: add new definitions to ILE/RPG binding.
- xmlstream: XML stream parsing example source code
+Daniel Stenberg (16 Jun 2016)
+- openssl: fix cert check with non-DNS name fields present
+
+ Regression introduced in 5f5b62635 (released in 7.48.0)
- Add an XML stream parsing example using Expat. Add missing ignore for
- the binary from an unrelated example.
+ Reported-by: Fabian Ruff
+ Fixes #875
-- [YAMADA Yasuharu brought this change]
+Dan Fandrich (16 Jun 2016)
+- axtls: Use Curl_wait_ms instead of the less-portable usleep
- cookies: only consider full path matches
-
- I found a bug which cURL sends cookies to the path not to aim at.
- For example:
- - cURL sends a request to http://example.fake/hoge/
- - server returns cookie which with path=/hoge;
- the point is there is NOT the '/' end of path string.
- - cURL sends a request to http://example.fake/hogege/ with the cookie.
-
- The reason for this old "feature" is because that behavior is what is
- described in the original netscape cookie spec:
- http://curl.haxx.se/rfc/cookie_spec.html
-
- The current cookie spec (RFC6265) clarifies the situation:
- http://tools.ietf.org/html/rfc6265#section-5.2.4
+- axtls: Fixed compile after compile 31c521b0
-- [Eric Hu brought this change]
+- tests: Added HTTP proxy keywords to tests 1141 & 1142
- axtls: prevent memleaks on SSL handshake failures
+Jay Satiro (15 Jun 2016)
+- [Sergei Nikulov brought this change]
-- Revert "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage"
+ cmake: Fix build with winldap
- This reverts commit 8ec2cb5544b86306b702484ea785b6b9596562ab.
+ Bug: https://github.com/curl/curl/pull/874
+ Reported-by: Sergei Nikulov
+
+- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
- We don't have any code anywhere in libcurl (or the curl tool) that use
- wcsdup so there's no such memory use to track. It seems to cause mild
- problems with the Borland compiler though that we may avoid by reverting
- this change again.
+ When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a
+ zero-byte POST. Prior to this change it was documented as sending data
+ from the read callback.
- Bug: http://curl.haxx.se/mail/lib-2013-05/0070.html
-
-- RELEASE-NOTES: synced with ae26ee3489588f0
-
-Guenter Knauf (11 May 2013)
-- Updated zlib version in build files.
-
-Daniel Stenberg (9 May 2013)
-- [Renaud Guillard brought this change]
-
- OS X framework: fix invalid symbolic link
+ This also changes the wording of what happens when empty or NULL so that
+ it's hopefully easier to understand for people whose primary language
+ isn't English.
+
+ Bug: https://github.com/curl/curl/issues/862
+ Reported-by: Askar Safin
-Kamil Dudka (9 May 2013)
-- [Daniel Stenberg brought this change]
+- [Michael Wallner brought this change]
- nss: give PR_INTERVAL_NO_WAIT instead of -1 to PR_Recv/PR_Send
+ curl_multi_socket_action.3: Fix rewording
+
+ - Remove some erroneous text.
- Reported by: David Strauss
- Bug: http://curl.haxx.se/mail/lib-2013-05/0088.html
+ Closes https://github.com/curl/curl/pull/865
-Daniel Stenberg (8 May 2013)
-- libtest: gitignore more binary files
+- [Luo Jinghua brought this change]
-- servercert: allow empty subject
+ resolve: enable protocol family logic for synthesized IPv6
- Bug: http://curl.haxx.se/bug/view.cgi?id=1220
- Patch by: John Gardiner Myers
+ - Enable protocol family logic for IPv6 resolves even when support
+ for synthesized addresses is enabled.
+
+ This is a follow up to the parent commit that added support for
+ synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family
+ logic needed for IPv6 was inadvertently excluded if support for
+ synthesized addresses was enabled.
+
+ Bug: https://github.com/curl/curl/issues/863
+ Ref: https://github.com/curl/curl/pull/866
+ Ref: https://github.com/curl/curl/pull/867
-- [Steve Holme brought this change]
+Daniel Stenberg (7 Jun 2016)
+- [Luo Jinghua brought this change]
- tests: Added new SMTP tests to verify commit 99b40451836d
+ resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
+
+ Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X.
+ If the current network interface doesn’t support IPv4, but supports
+ IPv6, NAT64, and DNS64.
+
+ Closes #866
+ Fixes #863
-- runtests.pl: support nonewline="yes" in client/stdin sections
+- tests: two more HTTP/2 tests
+
+ 1701 and 1702
-- build: fixed unit1394 for debug and metlink builds
+- runtests: don't display logs when http2 server fails to start
-Kamil Dudka (6 May 2013)
-- unit1394.c: plug the curl tool unit test in
+- runtests: make stripfile work on stdout as well
+
+ ... and have test 1700 use that to strip out the nghttpx server: headers
-- [Jared Jennings brought this change]
+- http2-tests: test1700 is the first real HTTP/2 test
+
+ It requires that 'nghttpx' is in the PATH, and it will run the tests
+ using nghttpx as a front-end proxy in front of the standard HTTP/1 test
+ server. This uses HTTP/2 over plain TCP.
+
+ If you like me have nghttpx installed in a custom path, you can run test 1700
+ like this:
+
+ $ PATH=$PATH:$HOME/build-nghttp2/bin/ ./runtests.pl 1700
- unit1394.c: basis of a unit test for parse_cert_parameter()
+- RELEASE-NOTES: synced with 34855feeb4c299
-- src/Makefile.am: build static lib for unit tests if enabled
+Steve Holme (6 Jun 2016)
+- schannel: Disable ALPN on Windows < 8.1
+
+ Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
+ fails on Windows < 8.1 so we need to disable ALPN on these OS versions.
+
+ Inspiration provide by: Daniel Seither
+
+ Closes #848
+ Fixes #840
-- tool_getparam: ensure string termination in parse_cert_parameter()
+Jay Satiro (5 Jun 2016)
+- checksrc: Add LoadLibrary to the banned functions list
+
+ LoadLibrary was supplanted by Curl_load_library for security
+ reasons in 6df916d.
-- tool_getparam: fix memleak in handling the -E option
+- http: Fix HTTP/2 connection reuse
+
+ - Change the parser to not require a minor version for HTTP/2.
+
+ HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2
+ in 8243a95 because the parser still expected a minor version.
+
+ Bug: https://github.com/curl/curl/issues/855
+ Reported-by: Andrew Robbins, Frank Gevaerts
-- tool_getparam: describe what parse_cert_parameter() does
+Steve Holme (4 Jun 2016)
+- connect.c: Fixed compilation warning from commit 332e8d6164
- ... and de-duplicate the code initializing *passphrase
+ connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
-- curl.1: document escape sequences recognized by -E
+- win32: Used centralised verify windows version function
+
+ Closes #845
-- [Jared Jennings brought this change]
+- win32: Added verify windows version functionality
- curl -E: allow to escape ':' in cert nickname
+- win32: Introduced centralised verify windows version function
-Marc Hoersken (5 May 2013)
-- curl_schannel.c: Fixed invalid memory access during SSL shutdown
+Kamil Dudka (3 Jun 2016)
+- tool_urlglob: fix off-by-one error in glob_parse()
+
+ ... causing SIGSEGV while parsing URL with too many globs.
+ Minimal example:
+
+ $ curl $(for i in $(seq 101); do printf '{a}'; done)
+
+ Reported-by: Romain Coltel
+ Bug: https://bugzilla.redhat.com/1340757
-Steve Holme (4 May 2013)
-- smtp: Fix trailing whitespace warning
+Daniel Stenberg (1 Jun 2016)
+- [Benjamin Kircher brought this change]
-- smtp: Fix compilation warning
+ libcurl-multi.3: fix small typo
- comparison between signed and unsigned integer expressions
-
-- RELEASE-NOTES: synced with 92ef5f19c801
+ Closes #850
-- smtp: Updated RFC-2821 references to RFC-5321
+- [Viktor Szakats brought this change]
-- smtp: Fixed sending of double CRLF caused by first in EOB
+ makefile.m32: add crypt32 for winssl builds
- If the mail sent during the transfer contains a terminating <CRLF> then
- we should not send the first <CRLF> of the EOB as specified in RFC-5321.
+ Dependency added by 6cabd78
- Additionally don't send the <CRLF> if there is "no mail data" as the
- DATA command already includes it.
+ Closes #849
-- tests: Corrected MAIL SIZE for CRLF line endings
-
- ... which was missed in commit: f5c3d9538452
+- [Ivan Avdeev brought this change]
-- tests: Corrected infilesize for CRLF line endings
+ vtls: fix ssl session cache race condition
- ... which was missed in commit: f5c3d9538452
-
-- tests: Corrected test1406 to be RFC2821 compliant
+ Sessionid cache management is inseparable from managing individual
+ session lifetimes. E.g. for reference-counted sessions (like those in
+ SChannel and OpenSSL engines) every session addition and removal
+ should be accompanied with refcount increment and decrement
+ respectively. Failing to do so synchronously leads to a race condition
+ that causes symptoms like use-after-free and memory corruption.
+ This commit:
+ - makes existing session cache locking explicit, thus allowing
+ individual engines to manage lock's scope.
+ - fixes OpenSSL and SChannel engines by putting refcount management
+ inside this lock's scope in relevant places.
+ - adds these explicit locking calls to other engines that use
+ sessionid cache to accommodate for this change. Note, however,
+ that it is unknown whether any of these engines could also have
+ this race.
+
+ Bug: https://github.com/curl/curl/issues/815
+ Fixes #815
+ Closes #847
-- tests: Corrected test1320 to be RFC2821 compliant
+- [Andrew Kurushin brought this change]
-- tests: Corrected typo in test909
+ schannel: add CURLOPT_CERTINFO support
- Introduced in commit: 514817669e9e
+ Closes #822
-- tests: Corrected test909 to be RFC2821 compliant
+- RELEASE-NOTES: synced with 142ee9fa15002315
-- tests: Updated test references to 909 from 1411
+- openssl: rename the private SSL_strerror
- ...and removed references to libcurl and test1406.
+ ... to make it not look like an OpenSSL function
-- tests: Renamed test1411 to test909 as this is a main SMTP test
+- [Michael Kaufmann brought this change]
-Daniel Stenberg (1 May 2013)
-- [Lars Johannesen brought this change]
+ openssl: Use correct buffer sizes for error messages
+
+ Closes #844
- bindlocal: move brace out of #ifdef
+- curl: fix -q [regression]
- The code within #ifdef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID wrongly had two
- closing braces when it should only have one, so builds without that
- define would fail.
+ This broke in 7.49.0 with commit e200034425a7625
- Bug: http://curl.haxx.se/mail/lib-2013-05/0000.html
+ Fixes #842
-Steve Holme (30 Apr 2013)
-- smtp: Tidy up to move the eob counter to the per-request structure
+- URL parser: allow URLs to use one, two or three slashes
+
+ Mostly in order to support broken web sites that redirect to broken URLs
+ that are accepted by browsers.
+
+ Browsers are typically even more leniant than this as the WHATWG URL
+ spec they should allow an _infinite_ amount. I tested 8000 slashes with
+ Firefox and it just worked.
- Move the eob counter from the smtp_conn structure to the SMTP structure
- as it is associated with a SMTP payload on a per-request basis.
+ Added test case 1141, 1142 and 1143 to verify the new parser.
+
+ Closes #791
-- TODO: Updated following the addition of CURLOPT_SASL_IR
+- [Renaud Lehoux brought this change]
-- smtp: Fixed unknown percentage complete in progress bar
+ cmake: Added missing mbedTLS support
- The curl command line utility would display the the completed progress
- bar with a percentage of zero as the progress routines didn't know the
- size of the transfer.
+ Closes #837
-Daniel Stenberg (29 Apr 2013)
-- ftpserver: silence warnings
-
- Fix regressions in commit b56e3d43e5d. Make @data local and filter off
- non-numerical digits from $testno in STATUS_imap.
+- [Renaud Lehoux brought this change]
-Steve Holme (29 Apr 2013)
-- ftpserver.pl: Corrected the imap LOGIN response
+ mbedtls: removed unused variables
- ...to be more realistic and consistent with the other imap responses.
+ Closes #838
-- tests: Added imap STATUS command test
+- [Frank Gevaerts brought this change]
-- tests: Corrected the SMTP tests to be RFC2821 compliant
+ http: add CURLINFO_HTTP_VERSION and %{http_version}
- The emails that are sent to the server during these tests were
- incorrectly formatted as they contained one or more LF terminated lines
- rather than being CRLF terminated as per Section 2.3.7 of RFC-2821.
+ Adds access to the effectively used http version to both libcurl and
+ curl.
- This wasn't a problem for the test suite as the <stdin> data matched the
- <upload> data but anyone using these tests as reference would be sending
- incorrect data to a server.
+ Closes #799
-- email: Tidy up of *_perform_authenticate()
-
- Removed the hard returns from imap and pop3 by using the same style for
- sending the authentication string as smtp. Moved the "Other mechanisms
- not supported" check in smtp to match that of imap and pop3 to provide
- consistency between the three email protocols.
+- bump: start the journey toward 7.50.0
-- smtp: Updated limit check to be more readable like the check in pop3
+- [Marcel Raad brought this change]
-- pop3: Added 255 octet limit check when sending initial response
+ openssl: fix build with OPENSSL_NO_COMP
- Added 255 octet limit check as per Section 4. Paragraph 8 of RFC-5034.
-
-- DOCS: Corrected line length of recent Secure Transport changes
-
-Nick Zitzmann (27 Apr 2013)
-- darwinssl: add TLS crypto authentication
+ With OPENSSL_NO_COMP defined, there is no function
+ SSL_COMP_free_compression_methods
- Users using the Secure Transport (darwinssl) back-end can now use a
- certificate and private key to authenticate with a site using TLS. Because
- Apple's security system is based around the keychain and does not have any
- non-public function to create a SecIdentityRef data structure from data
- loaded outside of the Keychain, the certificate and private key have to be
- loaded into the Keychain first (using the certtool command line tool or
- the Security framework's C API) before we can find it and use it.
+ Closes #836
-Steve Holme (27 Apr 2013)
-- Corrected version numbers after bump
+- [Gisle Vanem brought this change]
-Daniel Stenberg (27 Apr 2013)
-- bump version
+ memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
- Since we're adding new stuff, the next release will bump the minor
- version and we're looking forward to 7.31.0
+ Fixes #828
-Steve Holme (27 Apr 2013)
-- RELEASE-NOTES: synced with f4e6e201b146
+- [Jonathan brought this change]
-- DOCS: Updated following the addition of CURLOPT_SASL_IR
+ README.md: polish
- Documented the the option in curl_easy_setopt() and added it to
- symbols-in-versions.
+ Closes #834
-- tests: Corrected command line arguments in test907 and test908
+- RELEASE-NOTES: fix vuln link
-- tests: Added SMTP AUTH with initial response tests
+Version 7.49.1 (30 May 2016)
-- tests: Updated SMTP tests to decouple client initial response
-
- Updated test903 and test904 following the addition of CURLOPT_SASL_IR
- as the default behaviour of SMTP AUTH responses is now to not include
- the initial response. New tests with --sasl-ir support to follow.
+Daniel Stenberg (30 May 2016)
+- RELEASE-NOTES: 7.49.1
-- imap: Added support for overriding the SASL initial response
-
- In addition to checking for the SASL-IR capability the user can override
- the sending of the client's initial response in the AUTHENTICATION
- command with the use of CURLOPT_SASL_IR should the server erroneously
- not report SASL-IR when it does support it.
+- [Steve Holme brought this change]
-- smtp: Added support for disabling the SASL initial response
+ loadlibrary: Only load system DLLs from the system directory
- Updated the default behaviour of sending the client's initial response in the AUTH
- command to not send it and added support for CURLOPT_SASL_IR to allow the user to
- specify including the response.
+ Inspiration provided by: Daniel Stenberg and Ray Satiro
- Related Bug: http://curl.haxx.se/mail/lib-2012-03/0114.html
- Reported-by: Gokhan Sengun
-
-- pop3: Added support for enabling the SASL initial response
+ Bug: https://curl.haxx.se/docs/adv_20160530.html
- Allowed the user to specify whether to send the client's intial response
- in the AUTH command via CURLOPT_SASL_IR.
-
-- sasl-ir: Added --sasl-ir option to curl command line tool
-
-- sasl-ir: Added CURLOPT_SASL_IR to enable/disable the SASL initial response
+ Ref: Windows DLL hijacking with curl, CVE-2016-4802
-Daniel Stenberg (26 Apr 2013)
-- curl_easy_init: use less mallocs
-
- By introducing an internal alternative to curl_multi_init() that accepts
- parameters to set the hash sizes, easy handles will now use tiny socket
- and connection hash tables since it will only ever add a single easy
- handle to that multi handle.
-
- This decreased the number mallocs in test 40 (which is a rather simple
- and typical easy interface use case) from 1142 to 138. The maximum
- amount of memory allocated used went down from 118969 to 78805.
+- ssh: fix version number check typo
-Steve Holme (26 Apr 2013)
-- ftpserver.pl: Fixed imap logout confirmation data
+Jay Satiro (29 May 2016)
+- curl_share_setopt.3: Add min ver needed for ssl session lock
- An IMAP server should response with the BYE continuation response before
- confirming the LOGOUT command was successful.
+ Bug: https://github.com/curl/curl/issues/826
+ Reported-by: Michael Wallner
-Daniel Stenberg (26 Apr 2013)
-- ftp_state_pasv_resp: connect through proxy also when set by env
+Daniel Stenberg (29 May 2016)
+- ssh: fix build for libssh2 before 1.2.6
- When connecting back to an FTP server after having sent PASV/EPSV,
- libcurl sometimes didn't use the proxy properly even though the proxy
- was used for the initial connect.
+ The statvfs functionality was added to libssh2 in that version, so we
+ switch off that functionality when built with older libraries.
- The function wrongly checked for the CURLOPT_PROXY variable to be set,
- which made it act wrongly if the proxy information was set with an
- environment variable.
+ Fixes #831
+
+- mbedtls: fix includes so snprintf() works
- Added test case 711 to verify (based on 707 which uses --socks5). Also
- added test712 to verify another variation of setting the proxy: with
- --proxy socks5://
+ Regression from the previous *printf() rearrangements, this file missed to
+ include the correct header to make sure snprintf() works universally.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1218
- Reported-by: Zekun Ni
-
-Kamil Dudka (26 Apr 2013)
-- [Zdenek Pavlas brought this change]
+ Reported-by: Moti Avrahami
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
- url: initialize speed-check data for file:// protocol
+Steve Holme (23 May 2016)
+- checksrc.pl: Added variants of strcat() & strncat() to banned function list
- ... in order to prevent an artificial timeout event based on stale
- speed-check data from a previous network transfer. This commit fixes
- a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e.
-
- Bug: https://bugzilla.redhat.com/906031
+ Added support for checking the tchar, unicode and mbcs variants of
+ strcat() and strncat() in the banned function list.
-Daniel Stenberg (25 Apr 2013)
-- test709: clarify the test in the name
+Daniel Stenberg (23 May 2016)
+- smtp: minor ident (white space) fixes
-- sshserver: disable StrictHostKeyChecking
-
- I couldn't figure out why the host key logic isn't working, but having
- it set to yes prevents my SSH-based test cases to run. I also don't see
- a strong need to use strict host key checking on this test server.
+- THANKS: updated after script fixes
- So I disabled it.
+ Now giving credit properly to github user names, fixed some UTF-8 issues
+ and added names discovered when contrithanks was improved.
-- runtests: log more commands in verbose mode
-
- ... to aid tracking down failures
+- THANKS-filter: more name cleanups
-Steve Holme (25 Apr 2013)
-- TODO: Corrected copy/paste typo
+- contrithanks.sh: exclude existing names case insensitively
-- TODO: Added new ideas for future SMTP, POP3 and IMAP features
+- contrithanks.sh: use same grep pattern and -a flag as contributors.sh
-- TODO: Updated following the addition of ;auth=<MECH> support
+- contributors.sh: better grep pattern, use grep -a
-- DOCS: Minor rewording / clarification of host name protocol detection
+- THANKS-filter: fix more names
-- RELEASE-NOTES: synced with a8c92cb60890
+- contrithanks.sh: do the same github fix as contributors.sh
+
+ from 1577bfa35ba
-- DOCS: Added reference to IETF draft for SMTP URL Interface
+Jay Satiro (23 May 2016)
+- contributors: Show GitHub username if real name unknown
- ...when mentioning login options. Additional minor clarification of
- "Windows builds" to be "Windows builds with SSPI"as a way of enabling
- NTLM as Windows builds may be built with OpenSSL to enable NTLM or
- without NTLM support altogether.
+ Prior to this change if a GitHub contributor's real name was unknown
+ they would be omitted from the list.
+
+ Bug: https://github.com/curl/curl/issues/824
-Linus Nielsen Feltzing (23 Apr 2013)
-- HISTORY: Fix spelling error.
+Daniel Stenberg (21 May 2016)
+- RELEASE-NOTES: synced with 3caaeffbe8ded4
-Steve Holme (23 Apr 2013)
-- DOCS: Reworked the scheme calculation explanation under CURLOPT_URL
+Jay Satiro (20 May 2016)
+- openssl: cleanup must free compression methods
+
+ - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
+
+ Bug: https://github.com/curl/curl/issues/817
+ Reported-by: jveazey@users.noreply.github.com
-- url: Added smtp and pop3 hostnames to the protocol detection list
+Daniel Stenberg (20 May 2016)
+- [Gisle Vanem brought this change]
-Daniel Stenberg (23 Apr 2013)
-- HISTORY: correct some years/dates
+ curl_multibyte: fix compiler error
- Thanks to archive.org's wayback machine I updated this document with
- some facts from the early httpget/urlget web page:
+ While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
+ getting:
- http://web.archive.org/web/19980216125115/http://www.inf.ufrgs.br/~sagula/urlget.html
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
+ to follow 'CURL_EXTERN'
+
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
+ 'curl_domalloc': not in formal parameter list
-- [Alessandro Ghedini brought this change]
+- THANKS-filter: make Jan-E get proper credit
- tests: add test1511 to check timecond clean-up
+- [Jan-E brought this change]
+
+ winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
- Verifies the timecond fix in commit c49ed0b6c0f
+ Closes #818
-- [Alessandro Ghedini brought this change]
+- [Alexander Traud brought this change]
- getinfo.c: reset timecond when clearing session-info variables
+ libcurl.m4: Avoid obsolete warning
- Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705783
- Reported-by: Ludovico Cavedon <cavedon@debian.org>
+ Closes #821
-Steve Holme (22 Apr 2013)
-- DOCS: Added information about login options to CURLOPT_USERPWD
+Jay Satiro (20 May 2016)
+- [Michael Kaufmann brought this change]
-- DOCS: Added information about login options in the URL
-
-- url: Fixed missing length check in parse_proxy()
+ CURLOPT_CONNECT_TO.3: user must not free the list prematurely
- Commit 11332577b3cb removed the length check that was performed by the
- old scanf() code.
-
-- url: Fixed crash when no username or password supplied for proxy
+ The connect-to list isn't copied so as long as the handle may be used
+ for a transfer the list must be valid.
- Fixed an issue in parse_proxy(), introduced in commit 11332577b3cb,
- where an empty username or password (For example: http://:@example.com)
- would cause a crash.
+ Bug: https://github.com/curl/curl/pull/819
+ Reported-by: Michael Kaufmann
-- url: Removed unused text length constants
+Daniel Stenberg (19 May 2016)
+- RELEASE-NOTES: synced with 48114a8634242c
-- url: Updated proxy URL parsing to use parse_login_details()
-
-- url: Tidy up of setstropt_userpwd() parameters
+- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
- Updated the naming convention of the login parameters to match those of
- other functions.
+ See OpenSSL commit 21e001747d4a
-- url: Tidy up of code and comments following recent changes
+- http2: use HTTP/2 in the HTTP/1.1-alike header
- Tidy up of variable names and comments in setstropt_userpwd() and
- parse_login_details().
+ ... when generating them, not "2.0" as the protocol is called just
+ HTTP/2 and nothing else.
-- url: Simplified setstropt_userpwd() following recent changes
+Jay Satiro (19 May 2016)
+- dist: include curl_multi_socket_all.3
- There is no need to perform separate clearing of data if a NULL option
- pointer is passed in. Instead this operation can be performed by simply
- not calling parse_login_details() and letting the rest of the code do
- the work.
+ Closes https://github.com/curl/curl/pull/816
-- url: Correction to scope of if statements when setting data
+Steve Holme (18 May 2016)
+- bump: Start work on 7.49.1
-- url: Fixed memory leak in setstropt_userpwd()
+Daniel Stenberg (18 May 2016)
+- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
- setstropt_userpwd() was calling setstropt() in commit fddb7b44a79d to
- set each of the login details which would duplicate the strings and
- subsequently cause a memory leak.
-
-- RELEASE-NOTES: synced with d535c4a2e1f7
+ The preprocessor check that sets up the 32bit defines for non-configure
+ builds didn't work properly for MIPS systems as __mips__ is defined for
+ both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
+
+ Reported-by: Tomas Jakobsson
+ Fixes #813
-- url: Added overriding of URL login options from CURLOPT_USERPWD
+- [Marcel Raad brought this change]
-- tool_paramhlp: Fixed options being included in username
+ schannel: fix compile break with MSVC XP toolset
- Fix to prevent the options from being displayed when curl requests the
- user's password if the following command line is specified:
+ For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
+ 7.1 is used. In this case, _USING_V110_SDK71_ is defined.
- --user username;options
+ Closes #812
-- url: Added support for parsing login options from the CURLOPT_USERPWD
-
- In addition to parsing the optional login options from the URL, added
- support for parsing them from CURLOPT_USERPWD, to allow the following
- supported command line:
+- dist: include CHECKSRC.md
- --user username:password;options
+ Reported-by: Paul Howarth
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html
-- url: Added bounds checking to parse_login_details()
+- test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist
- Added bounds checking when searching for the separator characters within
- the login string as this string may not be NULL terminated (For example
- it is the login part of a URL). We do this in preference to allocating a
- new string to copy the login details into which could then be passed to
- parse_login_details() for performance reasons.
+ Reported-by: Ray Satiro
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html
-- url: Added size_t cast to pointer based length calculations
+Version 7.49.0 (17 May 2016)
-- url: Corrected minor typo in comment
+Daniel Stenberg (17 May 2016)
+- THANKS: 24 new names from 7.49.0 release notes
-Daniel Stenberg (18 Apr 2013)
-- CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling
+- RELEASE-NOTES: 7.49.0
+
+- mbedtls/polarssl: set "hostname" unconditionally
+
+ ...as otherwise the TLS libs will skip the CN/SAN check and just allow
+ connection to any server. curl previously skipped this function when SNI
+ wasn't used or when connecting to an IP address specified host.
- When cross-compiling we can't scan and detect existing files or paths.
+ CVE-2016-3739
- Bug: http://curl.haxx.se/mail/lib-2013-04/0294.html
+ Bug: https://curl.haxx.se/docs/adv_20160518A.html
+ Reported-by: Moti Avrahami
-- [Ishan SinghLevett brought this change]
+- [Frank Gevaerts brought this change]
- usercertinmem.c: add example showing user cert in memory
+ CURLOPT_RESOLVE.3: fix typo
- Relies on CURLOPT_SSL_CTX_FUNCTION, which is OpenSSL specific
+ Closes #811
-Steve Holme (18 Apr 2013)
-- url: Fix chksrc longer than 79 columns warning
+- docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE
-- url: Fix incorrect variable type for result code
-
-- url: Fix compiler warning
+- KNOWN_BUGS: GnuTLS backend skips really long certificate fields
- signed and unsigned type in conditional expression
+ Closes #762
-- url: Moved parsing of login details out of parse_url_login()
-
- Separated the parsing of login details from the processing of them in
- parse_url_login() ready for use by setstropt_userpwd().
+- CURLOPT_HTTPPOST.3: the data needs to be around while in use
-- url: Re-factored set_userpass() and parse_url_userpass()
+- openssl: get_cert_chain: fix NULL dereference
- Re-factored these functions to reflect their new behaviour following the
- addition of login options.
+ CID 1361815: Explicit null dereferenced (FORWARD_NULL)
-- url: Reworked URL parsing to allow overriding by CURLOPT_USERPWD
+- openssl: get_cert_chain: avoid NULL dereference
+
+ CID 1361811: Explicit null dereferenced (FORWARD_NULL)
-Daniel Stenberg (18 Apr 2013)
-- maketgz: make bzip2 creation work with Parallel BZIP2 too
+- dprintf_formatf: fix (false?) Coverity warning
+
+ CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when
+ we run over 'workend' but the condition says <= workend and for all I
+ can see it should be safe. Compensating for the warning by adding a byte
+ margin in the buffer.
- Apparently the previous usage didn't work with that implementation,
- while this updated version works with at least both Parallel BZIP2
- v1.1.8 and regular bzip "Version 1.0.6, 6-Sept-2010".
+ Also, removed the extra brace level indentation in the code and made it
+ so that 'workend' is only assigned once within the function.
-Linus Nielsen Feltzing (18 Apr 2013)
-- Add tests/http_pipe.py to the tarball build
+- RELEASE-NOTES: synced with 2dcb5adc72d6
-Steve Holme (16 Apr 2013)
-- smtp: Re-factored all perform based functions
-
- Standardised the naming of all perform based functions to be in the form
- smtp_perform_something().
-
-- smtp: Added description comments to all perform based functions
-
-- smtp: Moved smtp_quit() to be with the other perform functions
-
-- smtp: Moved smtp_rcpt_to() to be with the other perform functions
+- THANKS-filter: fixed Jonathan Cardoso
-- smtp: Moved smtp_mail() to be with the other perform functions
-
-Daniel Stenberg (16 Apr 2013)
-- [Wouter Van Rooy brought this change]
-
- curl-config: don't output static libs when they are disabled
+Jay Satiro (15 May 2016)
+- ftp: fix incorrect out-of-memory code in Curl_pretransfer
- Curl-config outputs static libraries even when they are disabled in
- configure.
-
- This causes problems with the build of pycurl.
-
-- [Dave Reisner brought this change]
-
- docs/libcurl: fix formatting in manpage
+ - Return value type must match function type.
- Commit c3ea3eb6 introduced some minor cosmetic errors in
- curl_mutli_socket_action(3).
-
-- [Paul Howarth brought this change]
-
- Add extra libs for lib1900 and lib2033 test programs
+ s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/
- These are needed in cases where clock_gettime is used, from librt.
+ Caught by Travis CI
-Dan Fandrich (15 Apr 2013)
-- FAQ: mention that the network connection can be monitored
+Daniel Stenberg (15 May 2016)
+- ftp wildcard: segfault due to init only in multi_perform
- Also note the prohibition on sharing handles across threads.
-
-Steve Holme (15 Apr 2013)
-- pop3: Added missing comment for pop3_state_apop_resp()
-
-- smtp: Updated the coding style of smtp_state_servergreet_resp()
+ The proper FTP wildcard init is now more properly done in Curl_pretransfer()
+ and the corresponding cleanup in Curl_close().
- Updated the coding style, in this function, to be consistant with other
- response functions rather then performing a hard return on failure.
-
-- pop3: Updated the coding style of pop3_state_servergreet_resp()
+ The previous place of init/cleanup code made the internal pointer to be NULL
+ when this feature was used with the multi_socket() API, as it was made within
+ the curl_multi_perform() function.
- Updated the coding style, in this function, to be consistent with other
- response functions rather then performing a hard return on failure.
+ Reported-by: Jonathan Cardoso Machado
+ Fixes #800
-- pop3: Re-factored all perform based functions
+Jay Satiro (13 May 2016)
+- libcurl-tlibcurl-thread: Update OpenSSL links
- Standardised the naming of all perform based functions to be in the form
- pop3_perform_something() following the changes made to IMAP.
+ Because the old OpenSSL link now redirects to their master documentation
+ (currently 1.1.0), which does not document the required actions for
+ OpenSSL <= 1.0.2.
-- pop3: Added description comments to all perform based functions
+Daniel Stenberg (13 May 2016)
+- [Viktor Szakats brought this change]
-- pop3: Moved pop3_quit() to be with the other perform functions
+ darwinssl.c: fix OS X codename typo in comment
-- pop3: Moved pop3_command() to be with the other perform functions
+- RELEASE-NOTES: synced with 68701e51c1f7
- Started to apply the same tidy up to the POP3 code as applied to the
- IMAP code in the 7.30.0 release.
+ Added 8 bug fixes and 5 more contrbutors
-- RELEASE-NOTES: Removed erroneous spaces
+- [Jay Satiro brought this change]
-- RELEASE-NOTES: synced with 8723cade21fb
-
-- smtp: Added support for ;auth=<mech> in the URL
+ mprintf: Fix processing of width and prec args
- Added support for specifying the preferred authentication mechanism in
- the URL as per Internet-Draft 'draft-earhart-url-smtp-00'.
-
-- pop3: Reworked authentication type constants
+ Prior to this change a width arg could be erroneously output, and also
+ width and precision args could not be used together without crashing.
- ... to use left-shifted values, like those defined in curl.h, rather
- than 16-bit hexadecimal values.
-
-- pop3: Small consistency tidy up
-
-- pop3: Added support for ;auth=<mech> in the URL
+ "%0*d%s", 2, 9, "foo"
- Added support for specifying the preferred authentication type and SASL
- mechanism in the URL as per RFC-2384.
-
-- imap: Added support for ;auth=<mech> in the URL
+ Before: "092"
+ After: "09foo"
- Added support for specifying the preferred authentication mechanism in
- the URL as per RFC-5092.
-
-- sasl: Reworked SASL mechanism constants
+ "%*.*s", 5, 2, "foo"
- ... to use left-shifted values, like those defined in curl.h, rather
- than 16-bit hexadecimal values.
-
-- sasl: Added predefined preferred mechanism values
+ Before: crash
+ After: " fo"
- In preparation for the upcoming changes to IMAP, POP3 and SMTP added
- preferred mechanism values.
+ Test 557 is updated to verify this and more
-- url: Added support for parsing login options from the URL
-
- As well as parsing the username and password from the URL, added support
- for parsing the optional options part from the login details, to allow
- the following supported URL format:
+- [Michael Kaufmann brought this change]
+
+ ConnectionExists: follow-up fix for proxy re-use
- schema://username:password;options@example.com/path?q=foobar
+ Follow-up commit to 5823179
- This will only be used by IMAP, POP3 and SMTP at present but any
- protocol that may be given login options in the URL will be able to
- add support for them.
+ Closes #648
+
+- [Per Malmberg brought this change]
-- smtp: Fix compiler warning
+ darwinssl: fix certificate verification disable on OS X 10.8
- warning: unused variable 'smtp' introduced in commit 73cbd21b5ee6.
+ The new way of disabling certificate verification doesn't work on
+ Mountain Lion (OS X 10.8) so we need to use the old way in that version
+ too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2
+ and 10.11.
+
+ Closes #802
-- smtp: Moved parsing of url path into separate function
+- [Cory Benfield brought this change]
-Daniel Stenberg (12 Apr 2013)
-- FTP: handle a 230 welcome response
+ http2: Add space between colon and header value
- ...instead of the 220 we otherwise expect.
+ curl's representation of HTTP/2 responses involves transforming the
+ response to a format that is similar to HTTP/1.1. Prior to this change,
+ curl would do this by separating header names and values with only a
+ colon, without introducing a space after the colon.
- Made the ftpserver.pl support sending a custom "welcome" and then
- created test 1219 to verify this fix with such a 230 welcome.
+ While this is technically a valid way to represent a HTTP/1.1 header
+ block, it is much more common to see a space following the colon. This
+ change introduces that space, to ensure that incautious tools are safely
+ able to parse the header block.
- Bug: http://curl.haxx.se/mail/lib-2013-02/0102.html
- Reported by: Anders Havn
-
-- configure: try pthread_create without -lpthread
+ This also ensures that the difference between the HTTP/1.1 and HTTP/2
+ response layout is as minimal as possible.
- For libc variants without a spearate pthread lib (like bionic), try
- using pthreads without the pthreads lib first and only if that fails try
- the -lpthread linker flag.
+ Bug: https://github.com/curl/curl/issues/797
- Bug: http://curl.haxx.se/bug/view.cgi?id=1216
- Reported by: Duncan
+ Closes #798
+ Fixes #797
-- FTP: access files in root dir correctly
+Kamil Dudka (12 May 2016)
+- openssl: fix compile-time warning in Curl_ossl_check_cxn()
- Accessing a file with an absolute path in the root dir but with no
- directory specified was not handled correctly. This fix comes with four
- new test cases that verify it.
+ ... introduced in curl-7_48_0-293-g2968c83:
- Bug: http://curl.haxx.se/mail/lib-2013-04/0142.html
- Reported by: Sam Deane
-
-Steve Holme (12 Apr 2013)
-- pop3: Reworked the function description for Curl_pop3_write()
-
-- pop3: Added function description to pop3_parse_custom_request()
+ Error: COMPILER_WARNING:
+ lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’
+ lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’
+ may alter its value [-Wconversion]
-- pop3: Moved utility functions to end of pop3.c
-
-Nick Zitzmann (12 Apr 2013)
-- darwinssl: add TLS session resumption
+Jay Satiro (11 May 2016)
+- openssl: stricter connection check function
+
+ - In the case of recv error, limit returning 'connection still in place'
+ to EINPROGRESS, EAGAIN and EWOULDBLOCK.
- This ought to speed up additional TLS handshakes, at least in theory.
+ This is an improvement on the parent commit which changed the openssl
+ connection check to use recv MSG_PEEK instead of SSL_peek.
+
+ Ref: https://github.com/curl/curl/commit/856baf5#comments
-Steve Holme (12 Apr 2013)
-- imap: Added function description to imap_parse_custom_request()
+Daniel Stenberg (11 May 2016)
+- [Anders Bakken brought this change]
-- imap: Moved utility functions to end of imap.c (Part 3/3)
+ TLS: SSL_peek is not a const operation
- Moved imap_is_bchar() be with the other utility based functions.
-
-- imap: Moved utility functions to end of imap.c (Part 2/3)
+ Calling SSL_peek can cause bytes to be read from the raw socket which in
+ turn can upset the select machinery that determines whether there's data
+ available on the socket.
- Moved imap_parse_url_path() and imap_parse_custom_request() to the end of the
- file allowing all utility functions to be grouped together.
-
-- imap: Moved utility functions to end of imap.c (Part 1/3)
+ Since Curl_ossl_check_cxn only tries to determine whether the socket is
+ alive and doesn't actually need to see the bytes SSL_peek seems like
+ the wrong function to call.
+
+ We're able to occasionally reproduce a connect timeout due to this
+ bug. What happens is that Curl doesn't know to call SSL_connect again
+ after the peek happens since data is buffered in the SSL buffer and thus
+ select won't fire for this socket.
- Moved imap_atom() and imap_sendf() to the end of the file allowing all
- utility functions to be grouped together.
+ Closes #795
-- imap: Corrected function description for imap_connect()
+Jay Satiro (9 May 2016)
+- [Daniel Stenberg brought this change]
-Kamil Dudka (12 Apr 2013)
-- tests: prevent test206, test1060, and test1061 from failing
+ TLS: move the ALPN/NPN enable bits to the connection
- ... in case runtests.pl is invoked with non-default -b option
+ Only protocols that actually have a protocol registered for ALPN and NPN
+ should try to get that negotiated in the TLS handshake. That is only
+ HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
+ would wrongly be used in all handshakes if libcurl was built with it
+ enabled.
- Fixes a regression caused by 1e29d275c643ef6aab7948f0f55a7a9397e56b42.
-
-Daniel Stenberg (12 Apr 2013)
-- [David Strauss brought this change]
-
- libcurl-share.3: update what it does and does not share.
+ Reported-by: Jay Satiro
- Update sharing interface documentation to provide exhaustive list of
- what it does and does not share.
-
-- THANKS: remove duplicated names
-
-- bump: start working towards next release
+ Fixes #789
-- THANKS: added people from the 7.30.0 RELEASE-NOTES
+Daniel Stenberg (8 May 2016)
+- libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl
-Version 7.30.0 (12 Apr 2013)
+- [Antonio Larrosa brought this change]
-Daniel Stenberg (12 Apr 2013)
-- RELEASE-NOTES: cleaned up for 7.30 (synced with 5c5e1a1cd20)
+ connect: fix invalid "Network is unreachable" errors
- Most notable the security advisory:
- http://curl.haxx.se/docs/adv_20130412.html
-
-- test1218: another cookie tailmatch test
+ Sometimes, in systems with both ipv4 and ipv6 addresses but where the
+ network doesn't support ipv6, Curl_is_connected returns an error
+ (intermittently) even if the ipv4 socket connects successfully.
+
+ This happens because there's a for-loop that iterates on the sockets but
+ the error variable is not resetted when the ipv4 is checked and is ok.
- ... and make 1216 also verify it with a file input
+ This patch fixes this problem by setting error to 0 when checking the
+ second socket and not having a result yet.
- These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie
- domain tailmatch" vulnerability. See
- http://curl.haxx.se/docs/adv_20130412.html
+ Fixes #794
-- [YAMADA Yasuharu brought this change]
+Jay Satiro (5 May 2016)
+- FAQ: refer to thread safety guidelines
- cookie: fix tailmatching to prevent cross-domain leakage
+Daniel Stenberg (3 May 2016)
+- connections: non-HTTP proxies on different ports aren't reused either
- Cookies set for 'example.com' could accidentaly also be sent by libcurl
- to the 'bexample.com' (ie with a prefix to the first domain name).
+ Reported-by: Oleg Pudeyev and fuchaoqun
- This is a security vulnerabilty, CVE-2013-1944.
+ Fixes #648
+
+- http: make sure a blank header overrides accept_decoding
- Bug: http://curl.haxx.se/docs/adv_20130412.html
+ Reported-by: rcanavan
+ Assisted-by: Isaac Boukris
+ Closes #785
-Guenter Knauf (11 Apr 2013)
-- Enabled MinGW sync resolver builds.
+- CHECKSRC.md: clarified, explained the whitelist file
-Yang Tse (10 Apr 2013)
-- if2ip.c: fix compiler warning
+- nroff-scan.pl: verify that references are made with \fI
-Guenter Knauf (10 Apr 2013)
-- Fixed lost OpenSSL output with "-t" - followup.
-
- The previously applied patch didnt work on Windows; we cant rely
- on shell commands like 'echo' since they act diffently on each
- platform and each shell.
- In order to keep this script platform-independent the code must
- only use pure Perl.
+- docs: unified man page references to use \fI
-Daniel Stenberg (9 Apr 2013)
-- test1217: verify parsing 257 responses with "rubbish" before path
+- TODO: 17.14 --fail without --location should treat 3xx as a failure
- Test 1217 verifies commit e0fb2d86c9f78, and without that change this
- test fails.
+ Closes #727
-- [Bill Middlecamp brought this change]
+- RELEASE-NOTES: synced with 7987f5cb14d
- FTP: handle "rubbish" in front of directory name in 257 responses
-
- When doing PWD, there's a 257 response which apparently some servers
- prefix with a comment before the path instead of after it as is
- otherwise the norm.
+- [Isaac Boukris brought this change]
+
+ CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
- Failing to parse this, several otherwise legitimate use cases break.
+ Mention possible content-length mismatch with sum of bytes reported
+ by write callbacks when auto decoding is enabled.
- Bug: http://curl.haxx.se/mail/lib-2013-04/0113.html
+ See #785
-Guenter Knauf (9 Apr 2013)
-- Fixed ares-enabled builds with static makefiles.
-
-- Fixed lost OpenSSL output with "-t".
-
- The OpenSSL pipe wrote to the final CA bundle file, but the encoded PEM
- output wrote to a temporary file. Consequently, the OpenSSL output was
- lost when the temp file was renamed to the final file at script finish
- (overwriting the final file written earlier by openssl).
- Patch posted to the list by Richard Michael (rmichael edgeofthenet org).
+- test1140: run nroff-scan to verify man pages
-Daniel Stenberg (9 Apr 2013)
-- test1216: test tailmatching cookie domains
-
- This test is an attempt to repeat the problem YAMADA Yasuharu reported
- at http://curl.haxx.se/mail/lib-2013-04/0108.html
+- nroff-scan.pl: verify the .BR references as well
-- RELEASe-NOTES: synced with 29fdb2700f797
-
- added "tcpkeepalive on Mac OS X"
+- CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference
-Nick Zitzmann (8 Apr 2013)
-- darwinssl: disable insecure ciphers by default
-
- I noticed that aria2's SecureTransport code disables insecure ciphers such
- as NULL, anonymous, IDEA, and weak-key ciphers used by SSLv3 and later.
- That's a good idea, and now we do the same thing in order to prevent curl
- from accessing a "secure" site that only negotiates insecure ciphersuites.
+- CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE
-Daniel Stenberg (8 Apr 2013)
-- [Robert Wruck brought this change]
+- curl_easy_pause.3: fix man page reference
- tcpkeepalive: Support CURLOPT_TCP_KEEPIDLE on OSX
+Jay Satiro (1 May 2016)
+- tool_cb_hdr: Fix --remote-header-name with schemeless URL
- MacOS X doesn't have TCP_KEEPIDLE/TCP_KEEPINTVL but only a single
- TCP_KEEPALIVE (see
- http://developer.apple.com/library/mac/#DOCUMENTATION/Darwin/Reference/ManPages/man4/tcp.4.html).
- Here is a patch for CURLOPT_TCP_KEEPIDLE on OSX platforms.
-
-- configure: remove CURL_CHECK_FUNC_RECVFROM
+ - Move the existing scheme check from tool_operate.
- 1 - We don't use the results from the test and we never did. recvfrom()
- is only used by the TFTP code and it has not caused any problems.
+ In the case of --remote-header-name we want to parse Content-disposition
+ for a filename, but only if the scheme is http or https. A recent
+ adjustment 0dc4d8e was made to account for schemeless URLs however it's
+ not 100% accurate. To remedy that I've moved the scheme check to the
+ header callback, since at that point the library has already determined
+ the scheme.
- 2 - the CURL_CHECK_FUNC_RECVFROM function is extremely slow
+ Bug: https://github.com/curl/curl/issues/760
+ Reported-by: Kai Noda
-Steve Holme (8 Apr 2013)
-- RELEASE-NOTES: Corrected duplicate NTLM memory leaks
-
-- RELEASE-NOTES: Removed trailing full stop
-
-Daniel Stenberg (8 Apr 2013)
-- [Fabian Keil brought this change]
-
- proxy: make ConnectionExists() check credential of proxyconnections too
+Daniel Stenberg (1 May 2016)
+- tls: make setting pinnedkey option fail if not supported
- Previously it only compared credentials if the requested needle
- connection wasn't using a proxy. This caused NTLM authentication
- failures when using proxies as the authentication code wasn't send on
- the connection where the challenge arrived.
+ to make it obvious to users trying to use the feature with TLS backends
+ not supporting it.
- Added test 1215 to verify: NTLM server authentication through a proxy
- (This is a modified copy of test 67)
-
-- RELEASE-NOTES: sync with 704a5dfca9
+ Discussed in #781
+ Reported-by: Travis Burtrum
-- TODO-RELEASE: cleaned up, not really maintained lately
+- nroff-scan.pl: verifies nroff pages
+
+ ... not used by any test yet but can be used stand-alone.
-Marc Hoersken (7 Apr 2013)
-- if2ip.c: Fixed another warning: unused parameter 'remote_scope'
+- opts: fix broken/bad references
-Daniel Stenberg (7 Apr 2013)
-- [Marc Hoersken brought this change]
+- [Michael Kaufmann brought this change]
- cookie.c: Made cookie sort function more deterministic
+ docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
- Since qsort implementations vary with regards to handling the order
- of similiar elements, this change makes the internal sort function
- more deterministic by comparing path length first, then domain length
- and finally the cookie name. Spotted with testcase 62 on Windows.
-
-Marc Hoersken (7 Apr 2013)
-- curl_schannel.c: Follow up on memory leak fix ae4558d
+ Closes #786
-- Revert "getpart.pm: Strip carriage returns to fix Windows support"
+- CURLOPT_ACCEPT_ENCODING.3: clarified
- This reverts commit e51b23c925a2721cf7c29b2b376d3d8903cfb067.
- As discussed on the mailinglist, this was not the correct approach.
+ As discussed in #785
-- http_negotiate.c: Fixed passing argument from incompatible pointer type
+- curl.1: --mail-rcpt can be used multiple times
+
+ Reported-by: mgendre
+ Closes #784
-- ftp.c: Added missing brackets around ABOR command logic
+- [Karlson2k brought this change]
-- sockfilt.c: Fixed detection of client-side connection close
+ tests: Use 'pathhelp' for paths conversions in secureserver.pl
- WINSOCK only:
- Since FD_CLOSE is only signaled once, it may trigger at the same
- time as FD_READ. Data actually being available makes it impossible
- to detect that the connection was closed by checking that recv returns
- zero. Another recv attempt could block the connection if it was
- not closed. This workaround abuses exceptfds in conjunction with
- readfds to signal that the connection has actually closed.
+ Closes #675
-- curl_schannel.c: Fixed memory leak if connection was not successful
+- [Karlson2k brought this change]
-- if2ip.c: Fixed warning: unused parameter 'remote_scope'
+ tests: Use 'pathhelp' for paths conversions in sshserver.pl
-- runtests.pl: Fixed --verbose parameter passed to http_pipe.py
+- [Karlson2k brought this change]
-- sockfilt.c: Reduce CPU load while running under a Windows PIPE
+ tests: Use 'pathhelp' for current path in runtests.pl
-- tftpd.c: Apply sread timeout to the whole data transfer session
+- [Karlson2k brought this change]
-- getpart.pm: Strip carriage returns to fix Windows support
+ tests: pathhelp.pm to process paths on Msys/Cygwin
-Daniel Stenberg (6 Apr 2013)
-- ftp tests: libcurl returns CURLE_FTP_ACCEPT_FAILED better now
-
- Since commit 57aeabcc1a20f, it handles errors on the control connection
- while waiting for the data connection better.
+- lib: include curl_printf.h as one of the last headers
- Test 591 and 592 are updated accordingly.
-
-- FTP: wait on both connections during active STOR state
+ curl_printf.h defines printf to curl_mprintf, etc. This can cause
+ problems with external headers which may use
+ __attribute__((format(printf, ...))) markers etc.
- When doing PORT and upload (STOR), this function needs to extract the
- file descriptor for both connections so that it will respond immediately
- when the server eventually connects back.
+ To avoid that they cause problems with system includes, we include
+ curl_printf.h after any system headers. That makes the three last
+ headers to always be, and we keep them in this order:
- This flaw caused active connections to become unnecessary slow but they
- would still often work due to the normal polling on a timeout. The bug
- also would not occur if the server connected back very fast, like when
- testing on local networks.
+ curl_printf.h
+ curl_memory.h
+ memdebug.h
- Bug: http://curl.haxx.se/bug/view.cgi?id=1183
- Reported by: Daniel Theron
-
-Marc Hoersken (6 Apr 2013)
-- tftpd.c: Follow up cleanup and restore of previous sockopt
-
-Daniel Stenberg (6 Apr 2013)
-- [Kim Vandry brought this change]
-
- connect: treat an interface bindlocal() problem as a non-fatal error
+ None of them include system headers, they all do funny #defines.
- I am using curl_easy_setopt(CURLOPT_INTERFACE, "if!something") to force
- transfers to use a particular interface but the transfer fails with
- CURLE_INTERFACE_FAILED, "Failed binding local connection end" if the
- interface I specify has no IPv6 address. The cause is as follows:
+ Reported-by: David Benjamin
- The remote hostname resolves successfully and has an IPv6 address and an
- IPv4 address.
+ Fixes #743
+
+- memdebug.h: remove inclusion of other headers
- cURL attempts to connect to the IPv6 address first.
+ Mostly because they're not needed, because memdebug.h is always included
+ last of all headers so the others already included the correct ones.
- bindlocal (in lib/connect.c) fails because Curl_if2ip cannot find an
- IPv6 address on the interface.
+ But also, starting now we don't want this to accidentally include any
+ system headers, as the header included _before_ this header may add
+ defines and other fun stuff that we won't want used in system includes.
+
+- [Jay Satiro brought this change]
+
+ curl -J: make it work even without http:// scheme on URL
- This is a fatal error in singleipconnect()
+ It does open up a miniscule risk that one of the other protocols that
+ libcurl could use would send back a Content-Disposition header and then
+ curl would act on it even if not HTTP.
- This change will make cURL try the next IP address in the list.
+ A future mitigation for this risk would be to allow the callback to ask
+ libcurl which protocol is being used.
- Also included are two changes related to IPv6 address scope:
+ Verified with test 1312
- - Filter the choice of address in Curl_if2ip to only consider addresses
- with the same scope ID as the connection address (mismatched scope for
- local and remote address does not result in a working connection).
+ Closes #760
+
+- manpage-scan.pl: also verify the command line option docs
- - bindlocal was ignoring the scope ID of addresses returned by
- Curl_if2ip . Now it uses them.
+ This script now also scans src/tool_getparam.c, docs/curl.1 and
+ src/tool_help.c and will warn if any of them lists a command line option
+ not mentioned in one of the other places.
+
+- curl: show the long option version of -q in the -h list
+
+- curl: remove "--socks" as "--socks5" turned 8
- Bug: http://curl.haxx.se/bug/view.cgi?id=1189
+ In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated
+ and it has not been documented since. The more explicit socks options
+ (like --socks4 or --socks5) should be used.
-Marc Hoersken (6 Apr 2013)
-- tftpd.c: Fixed sread timeout on Windows by setting it manually
+- curl.1: document the deprecated --ftp-ssl option
-- ftp.pm: Added tskill to support Windows XP Home
+- curl: remove --http-request
+
+ It was mentioned as deprecated already in commit ae1912cb0d4 from
+ 1999. It has not been documented in this millennium.
-- runtests.pl: Modularization of MinGW/Msys compatibility functions
+- curl: mention --ntlm-wb in -h list
-- ftp.pm: Made Perl testsuite able to handle Windows processes
+- curl: -h output lacked --proxy-header
-- util.c: Revert workaround eeefcdf, 6eb56e7 and e3787e8
+- curl.1: document --ntlm-wb
-- ftp.pm: Made Perl testsuite able to kill Windows processes
+- curl.1: document the long format of -q: --disable
-- util.c: Follow up cleanup on eeefcdf
+- curl.1: mention the deprecated --krb4 option
-Daniel Stenberg (6 Apr 2013)
-- cpp: use #ifdef __MINGW32__ to avoid compiler complaints
+- curl.1: document --ftp-ssl-reqd
- ... instead of just #if
+ Even if deprecated, document it so that people will find it as old
+ scripts may still use it.
-Marc Hoersken (6 Apr 2013)
-- util.c: Made write_pidfile write the correct PID on MinGW/Msys
+- curl: use --telnet-option as documented
- This workaround fixes an issue on MinGW/Msys regarding the Perl
- testsuite scripts not being able to signal or control the server
- processes. The MinGW Perl runtime only sees the Msys processes and
- their corresponding PIDs, but sockfilt (and other servers) wrote the
- Windows PID into their PID-files. Since this PID is useless to the
- testsuite, the write_pidfile function was changed to search for the
- Msys PID and write that into the PID-file.
+ The code said "telnet-options" but no documentation ever said so. It
+ worked fine since the code is fine with a unique match of the first
+ part.
-Daniel Stenberg (5 Apr 2013)
-- RELEASE-NOTES: synced with 5e722b2d09087
+- getparam: remove support for --ftpport
- 3 more bug fixes, 6 more contributors
-
-Marc Hoersken (5 Apr 2013)
-- sockfilt.c: Fixed handling of multiple fds being signaled
+ It has been deprecated and undocumented since commit ad5ead8bed7 (Dec
+ 2003). --ftp-port is the proper long option name.
-Kamil Dudka (5 Apr 2013)
-- curl_global_init.3: improve description of CURL_GLOBAL_ALL
+- curl: make --disable work as long form of -q
- Reported by: Tomas Mlcoch
+ To make the aliases list reflect reality.
-- examples/multi-single.c: fix the order of destructions
-
- ... so that it adheres to the API documentation.
-
- Reported by: Tomas Mlcoch
+- aliases: remove trailing space from capath string
-Daniel Stenberg (5 Apr 2013)
-- Curl_open: restore default MAXCONNECTS to 5
+- cmdline parse: only single letter options have single-letter strings
- At some point recently we lost the default value for the easy handle's
- connection cache, and this change puts it back to 5 - which is the
- former default value and it is documented in the curl_easy_setopt.3 man
- page.
+ ... moved around options so that parsing the code to find all
+ single-letter options easier.
-Marc Hoersken (4 Apr 2013)
-- sockfilt.c: Added wrapper functions to fix Windows console issues
+Jay Satiro (28 Apr 2016)
+- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
- The new read and write wrapper functions support reading from stdin
- and writing to stdout/stderr on Windows by using the appropriate
- Windows API functions and data types.
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html
+ Reported-by: Bru Rom
-Yang Tse (4 Apr 2013)
-- lib1509.c: fix compiler warnings
+Daniel Stenberg (28 Apr 2016)
+- curl_easy_getinfo.3: remove superfluous blank lines
-- easy.c: fix compiler warning
-
-Daniel Stenberg (4 Apr 2013)
-- --engine: spellfix the help message
+- test1139: verifies libcurl option man page presence
+
+ - checks that each option has its own man page present
- Reported by: Fredrik Thulin
+ - checks that each option is mentioned in its corresponding index man
+ page
-Yang Tse (4 Apr 2013)
-- http_negotiate.c: follow-up for commit 3dcc1a9c
+- curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION
+
+ ... although it is deprecated.
-Linus Nielsen Feltzing (4 Apr 2013)
-- easy: Fix the broken CURLOPT_MAXCONNECTS option
+Jay Satiro (28 Apr 2016)
+- mbedtls: Fix session resume
- Copy the CURLOPT_MAXCONNECTS option to CURLMOPT_MAXCONNECTS in
- curl_easy_perform().
+ This also fixes PolarSSL session resume.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1212
- Reported-by: Steven Gu
-
-Guenter Knauf (4 Apr 2013)
-- Updated copyright date.
+ Prior to this change the TLS session information wasn't properly
+ saved and restored for PolarSSL and mbedTLS.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
+ Reported-by: Thomas Glanzmann
+
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
+ Reported-by: Moti Avrahami
-- Another small output fix for --help and --version.
+Daniel Stenberg (27 Apr 2016)
+- RELEASE-NOTES: synced with f4298fcc6d2
-Yang Tse (4 Apr 2013)
-- http_negotiate.c: fix several SPNEGO memory handling issues
+- [Michael Kaufmann brought this change]
-Guenter Knauf (4 Apr 2013)
-- Added a cont to specify base64 line wrap.
+ opts: Fix some syntax errors in example code fragments
+
+ Fixes #779
-- Fixed version output.
+- openssl: avoid BN_print a NULL bignum
+
+ OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
+ numbers so make sure the function handles this.
+
+ Reported-by: Linus Nordberg
-- Added support for --help and --version options.
+- [Marcel Raad brought this change]
-- Added option to specify length of base64 output.
+ CONNECT_ONLY: don't close connection on GSS 401/407 reponses
+
+ Previously, connections were closed immediately before the user had a
+ chance to extract the socket when the proxy required Negotiate
+ authentication.
+
+ This regression was brought in with the security fix in commit
+ 79b9d5f1a42578f
- Based on a patch posted to the list by Richard Michael.
+ Closes #655
-Daniel Stenberg (3 Apr 2013)
-- curl_easy_setopt.3: CURLOPT_HTTPGET disables CURLOPT_UPLOAD
+- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
-- [Yasuharu Yamada brought this change]
+- mbedtls.c: silly spellfix of a comment
- Curl_cookie_add: only increase numcookies for new cookies
+- KNOWN_BUGS: 1.10 Strips trailing dot from host name
- Count up numcookies in Curl_cookie_add() only when cookie is new one
+ Closes #716
-- SO_SNDBUF: don't set SNDBUF for win32 versions vista or later
+- test1322: verify stripping of trailing dot from host name
- The Microsoft knowledge-base article
- http://support.microsoft.com/kb/823764 describes how to use SNDBUF to
- overcome a performance shortcoming in winsock, but it doesn't apply to
- Windows Vista and later versions. If the described SNDBUF magic is
- applied when running on those more recent Windows versions, it seems to
- instead have the reversed effect in many cases and thus make libcurl
- perform less good on those systems.
+ While being debated (in #716) and a violation of RFC 7230 section 5.4,
+ this test verifies that the existing functionality works as intended. It
+ strips the dot from the host name and uses the host without dot
+ throughout the internals.
+
+- multi: accidentally used resolved host name instead of proxy
- This fix thus adds a run-time version-check that does the SNDBUF magic
- conditionally depending if it is deemed necessary or not.
+ Regression introduced in 09b5a998
- Bug: http://curl.haxx.se/bug/view.cgi?id=1188
- Reported by: Andrew Kurushin
- Tested by: Christian Hägele
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html
+ Reported-by: BoBo
-Nick Zitzmann (1 Apr 2013)
-- darwinssl: additional descriptive messages of SSL handshake errors
-
- (This doesn't need to appear in the release notes.)
+- symbols-in-versions: added new CURLSSLBACKEND_ symbols
-Guenter Knauf (1 Apr 2013)
-- Added dns and connect time to output.
+- test148: fixed after the --ftp-create-dirs retry change
+
+ follow-up commit to 3c1e84f569 as it made curl try a little harder
-Daniel Stenberg (1 Apr 2013)
-- RELEASE-NOTES: synced with 0614b902136
+- curl.h: clarify curl_sslbackend for openssl clones and renames
-- code-policed
+- [Karlson2k brought this change]
-- tcpkeepalive: support TCP_KEEPIDLE/TCP_KEEPINTVL on win32
+ url.c: fixed DEBUGASSERT() for WinSock workaround
+
+ If buffer is allocated, but nothing is received during prereceive
+ stage, than number of processed bytes must be zero.
- Patch by: Robert Wruck
- Bug: http://curl.haxx.se/bug/view.cgi?id=1209
+ Closes #778
-- BINDINGS: BBHTTP is a cocoa binding, Julia has a binding
+- KNOWN_BUGS: --interface for ipv6 binds to unusable IP address
+
+ Closes #686 for now.
-- ftp_sendquote: use PPSENDF, not FTPSENDF
+- TODO: 1.17 Add support for IRIs
- The last remaining code piece that still used FTPSENDF now uses PPSENDF.
- In the problematic case, a PREQUOTE series was done on a re-used
- connection when Curl_pp_init() hadn't been called so it had messed up
- pointers. The init call is done properly from Curl_pp_sendf() so this
- change fixes this particular crash.
+ Adding support for IRIs is a mouthful, but is probably interesting at
+ least for areas and countries where the use of such "URLs" are growing
+ popularity.
- Bug: http://curl.haxx.se/mail/lib-2013-03/0319.html
- Reported by: Sam Deane
+ Closes #776
-Steve Holme (27 Mar 2013)
-- RELEASE-NOTES: Corrected typo
+- THANKS-filter: Travis Burtrum
-Daniel Stenberg (27 Mar 2013)
-- [Clemens Gruber brought this change]
+- lib1517: checksrc compliance
- multi-uv.c: remove unused variable
+- [moparisthebest brought this change]
-- RELEASE-NOTES: add two references
+ PolarSSL: Implement public key pinning
-- test1509: verify proxy header response headers count
-
- Modified sws to support and use custom CONNECT responses instead of the
- previously naive hard-coded version. Made the HTTP test server able to
- extract test case number from the host name in a CONNECT request by
- finding the number after the last dot. It makes 'machine.moo.123' use
- test case 123.
-
- Adapted a larger amount of tests to the new <connect> style.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1204
- Reported by: Martin Jansen
+Patrick Monnerat (22 Apr 2016)
+- os400: upgrade ILE/RPG binding
-- [Clemens Gruber brought this change]
+- curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string
- Added libuv example multi-uv.c
+Daniel Stenberg (22 Apr 2016)
+- contributors.sh: make --releasenotes implied
+
+ It got too annoying to type =)
-Yang Tse (25 Mar 2013)
-- NTLM: fix several NTLM code paths memory leaks
+- RELEASE-NOTES: synced with 3c1e84f5693d8093
-- WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage
+- curl: make --ftp-create-dirs retry on failure
- As of 25-mar-2013 wcsdup() _wcsdup() and _tcsdup() are only used in
- WIN32 specific code, so tracking of these has not been extended for
- other build targets. Without this fix, memory tracking system on
- WIN32 builds, when using these functions, would provide misleading
- results.
+ The underlying libcurl option used for this feature is
+ CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir
+ creation, but it was never set to do that by the command line tool.
- In order to properly extend this support for all targets curl.h
- would have to define curl_wcsdup_callback prototype and consequently
- wchar_t should be visible before that in curl.h. IOW curl_wchar_t
- defined in curlbuild.h and this pulling whatever system header is
- required to get wchar_t definition.
+ Now it does.
- Additionally a new curl_global_init_mem() function that also receives
- user defined wcsdup() callback would be required.
+ Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html
+ Reported-by: John Wanghui
+ Help-by: Leif W
+
+- [Henrik Gaßmann brought this change]
-- curl_ntlm_msgs.c: revert commit 463082bea4
+ winbuild: add mbedtls support
- reverts unreleased invalid memory leak fix
+ Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
+ options mutual exclusive.
+
+ Closes #606
-Daniel Stenberg (23 Mar 2013)
-- RELEASE-NOTES: synced with bc6037ed3ec02
+- KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables"
- More changes, bugfixes and contributors!
+ As of commit d9f3b365a3
-- [Martin Jansen brought this change]
+- [Irfan Adilovic brought this change]
- Curl_proxyCONNECT: count received headers
+ configure: ac_cv_ -> curl_cv_ for write-only vars
- Proxy servers tend to add their own headers at the beginning of
- responses. The size of these headers was not taken into account by
- CURLINFO_HEADER_SIZE before this change.
+ These configure vars are modified in a curl-specific way but never
+ evaluated or loaded from cache, even though they are designated as
+ _cv_. We could either implement proper AC_CACHE_CHECKs for them, or
+ remove them completely.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1204
-
-Steve Holme (21 Mar 2013)
-- sasl: Corrected a few violations of the curl coding standards
+ Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and
+ AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after
+ the first configure run with caching.
- Corrected some incorrectly positioned pointer variable declarations to
- be "char *" rather than "char* ".
+ `ac_cv_func_strcasecmp` is curious, see #770.
+
+ `eval "ac_cv_func_$func=yes"` can still cause problems as it works in
+ tandem with AC_CHECK_FUNCS and then potentially modifies its result. It
+ would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro,
+ which works the same as AC_CHECK_FUNCS but relies on caching the values
+ of curl_cv_func_* variables, without modifiying ac_cv_func_*.
+
+- [Irfan Adilovic brought this change]
-- multi.c: Corrected a couple of violations of the curl coding standards
+ configure: ac_cv_ -> curl_cv_ for r/w vars
- Corrected some incorrectly positioned pointer variable declarations to
- be "type *" rather than "type* ".
+ These configure vars are modified in a curl-specific way and modified by
+ the configure process, but are never loaded from cache, even though they
+ are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
+ them eventually.
-- imap-tests: Added CRLF to reply data to be compliant with RFC-822
+- [Irfan Adilovic brought this change]
+
+ configure: ac_cv_func_clock_gettime -> curl_...
- Updated the reply data in tests: 800, 801, 802, 804 and 1321 to possess
- the CRLF as per RFC-822.
+ This variable must not be cached in its current form, as any cached
+ information will prevent the next configure run from determining the
+ correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to
+ just `curl_`.
+
+- [Irfan Adilovic brought this change]
-- multi.c: Fix compilation warning
+ configure: ac_cv_ -> curl_cv_ for all cached vars
+
+ This was automated by:
+
+ sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \
+ ack -o 'ac_cv_.*?\b' | \
+ sort -u | xargs -n1 bash -c \
+ 'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \
+ $(git ls-files)
- warning: an enumerated type is mixed with another type
+ This only changed the prefix for 16 variables actually checked with
+ AC_CACHE_CHECK.
-- multi.c: fix compilation error
+- openssl: builds with OpenSSL 1.1.0-pre5
- warning: conversion from enumeration type to different enumeration type
+ The RSA, DSA and DH structs are now opaque and require use of new APIs
+
+ Fixes #763
-- lib1900.c: fix compilation warning
+Steve Holme (20 Apr 2016)
+- url.c: Prefer we don't use explicit NULLs in conditions
- warning: declaration of 'time' shadows a global declaration
+ Fixed commit fa5fa65a30 to not use NULLs in if condition.
-Yang Tse (20 Mar 2013)
-- [John E. Malmberg brought this change]
+Daniel Stenberg (20 Apr 2016)
+- [Isaac Boukris brought this change]
- build_vms.com: use existing curlbuild.h and parsing fix
+ NTLM: check for NULL pointer before deferencing
- This patch removes building curlbuild.h from the build_vms.com procedure
- and uses the one in the daily or release tarball instead.
+ At ConnectionExists, both check->proxyuser and check->proxypasswd
+ could be NULL, so make sure to check first.
- packages/vms/build_curlbuild_h.com is obsolete with this change.
+ Fixes #765
+
+- [Karlson2k brought this change]
+
+ tests: added test1517
- Accessing the library module name "tool_main" needs different handling
- when the optional extended parsing is enabled.
+ ... for checking ability to receive full HTTP response when POST request
+ is used with slow read callback function.
- Tested on IA64/VMS 8.4 and VAX/VMS 7.3
-
-Nick Zitzmann (19 Mar 2013)
-- darwinssl: disable ECC ciphers under Mountain Lion by default
+ This test checks for bug #657 and verifies the work-around from
+ 72d5e144fbc6.
- I found out that ECC doesn't work as of OS X 10.8.3, so those ciphers are
- turned off until the next point release of OS X.
+ Closes #720
-Steve Holme (18 Mar 2013)
-- FEATURES: Small tidy up for constancy and grammar
+- [Karlson2k brought this change]
-Daniel Stenberg (18 Mar 2013)
-- [Oliver Schindler brought this change]
+ sendf.c: added ability to call recv() before send() as workaround
+
+ WinSock destroys recv() buffer if send() is failed. As result - server
+ response may be lost if server sent it while curl is still sending
+ request. This behavior noticeable on HTTP server short replies if
+ libcurl use several send() for request (usually for POST request).
+ To workaround this problem, libcurl use recv() before every send() and
+ keeps received data in intermediate buffer for further processing.
+
+ Fixes: #657
+ Closes: #668
- Curl_proxyCONNECT: clear 'rewindaftersend' on success
+Kamil Dudka (19 Apr 2016)
+- connect: make sure that rc is initialized in singleipconnect()
- After having done a POST over a CONNECT request, the 'rewindaftersend'
- boolean could be holding the previous value which could lead to badness.
+ This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13:
- This should be tested for in a new test case!
+ Error: CLANG_WARNING:
+ lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value
+ 1118| }
+ 1119|
+ 1120|-> if(-1 == rc)
+ 1121| error = SOCKERRNO;
+ 1122| }
+
+Daniel Stenberg (19 Apr 2016)
+- make/checksrc: use $srcdir, not $top_srcdir
+
+- src/checksrc.whitelist: removed
+
+- tool_operate: switch to inline checksrc ignore
+
+- lib/checksrc.whitelist: not needed anymore
- Bug: https://groups.google.com/d/msg/msysgit/B31LNftR4BI/KhRTz0iuGmUJ
+ ... as checksrc now skips comments
-Steve Holme (18 Mar 2013)
-- TODO: Reordered the protocol and security sections
+- vtls.h: remove a space before semicolon
- Moved SMTP, POP3, IMAP and New Protocol sections to be listed after the
- other protocols (FTP, HTTP and TELNET) and SASL to be after SSL and
- GnuTLS as these are all security related.
+ ... that the new checksrc detected
+
+- darwinssl: removed commented out code
+
+- http_chunks: removed checksrc disable
- Additionally fixed numbering of the SSL and GnuTLS sections as they
- weren't consecutive.
+ ... since checksrc now skips comments
-Yang Tse (18 Mar 2013)
-- tests: specify 'text' mode for some output files in verify section
+- imap: inlined checksrc disable instead of whitelist edit
-Steve Holme (17 Mar 2013)
-- imap: Fixed incorrect initial response generation for SASL AUTHENTICATE
+- checksrc: taught to skip comments
- Fixed incorrect initial response generation for the NTLM and LOGIN SASL
- authentication mechanisms when the SASL-IR was detected.
+ ... but output non-stripped version of the line, even if that then can
+ make the script identify the wrong position in the line at
+ times. Showing the line stripped (ie without comments) is just too
+ surprising.
+
+- opts/Makefile.am: list all docs file one by one
- Introduced in commit: 6da7dc026c14.
+ ... to make it easier to add lines in patches that won't just break all
+ other patches trying to add lines too.
-- FEATURES: Expanded the supported enhanced IMAP command list
+- curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN
-- TODO: Corrected typo in TOC
+- RELEASE-NOTES: synced with 03de4e4b219
+
+ (since we just merged two major features)
-- TODO: Added IMAP section and removed unused Other protocols section
+- [Alessandro Ghedini brought this change]
-- TODO: Added graceful base64 decoding failure to SMTP and POP3
+ connect: implement TCP Fast Open for Linux
+
+ Closes #660
-- TODO: Corrected typo on section 10.2 heading
+- [Alessandro Ghedini brought this change]
-Yang Tse (16 Mar 2013)
-- tests: 96, 558, 1330: strip build subdirectory dependent leading path
+ tool: add --tcp-fastopen option
-Steve Holme (15 Mar 2013)
-- TODO: Added section 10.2 Initial response to POP3 to do list
+- [Alessandro Ghedini brought this change]
-- imap-tests: Corrected copy/paste error in test808 reply data
+ connect: implement TCP Fast Open for OS X
-Yang Tse (15 Mar 2013)
-- unit1330.c: fix date
+- [Alessandro Ghedini brought this change]
-- tests: add #96 #558 and #1330
-
- These verfy that the 'memory tracking' subsystem is actually doing its
- job when using curl tool (#96), a test in libtest (#558) and also a unit
- test (#1330), in order to prevent regressions in this functionallity.
+ url: add CURLOPT_TCP_FASTOPEN option
-Steve Holme (15 Mar 2013)
-- imap-tests: Added test808 for custom EXAMINE command
+- checksrc: pass on -D so the whitelists are found correctly
-Daniel Stenberg (15 Mar 2013)
-- HTTP proxy: insert slash in URL if missing
+- configure: remove check for libresolve
- curl has been accepting URLs using slightly wrong syntax for a long
- time, such as when completely missing as slash "http://example.org" or
- missing a slash when a query part is given
- "http://example.org?q=foobar".
+ 'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
+ but this check is broken and most likely adds nothing useful. Removing
+ now.
- curl would translate these into a legitimate HTTP request to servers,
- although as was shown in bug #1206 it was not adjusted properly in the
- cases where a HTTP proxy was used.
+ Reported-by: Irfan Adilovic
- Test 1213 and 1214 were added to the test suite to verify this fix.
+ Discussed in #770
+
+- scripts/make: use $(EXEEXT) for executables
- The test HTTP server was adjusted to allow us to specify test number in
- the host name only without using any slashes in a given URL.
+ Reported-by: bodop
- Bug: http://curl.haxx.se/bug/view.cgi?id=1206
- Reported by: ScottJi
+ Fixes #771
-Steve Holme (14 Mar 2013)
-- ftpserver.pl: Added EXAMINE_imap() for IMAP EXAMINE commands
-
- Used hard coded data from RFC-3501 section 6.3.2.
+- includes: avoid duplicate memory callback typdefs even harder
-Yang Tse (14 Mar 2013)
-- curl_memory.h: introduce CURLX_NO_MEMORY_CALLBACKS usage possibility
+- checksrc/makefile.am: use $top_srcdir to find source files
- This commit alone does not fix anything nor modifies existing
- interfaces or behaviors, although it is a prerequisite for other
- fixes.
+ ... to properly support out of source tree builds.
-- Makefile.vc6: add missing files
+- RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5
-Linus Nielsen Feltzing (14 Mar 2013)
-- pipelining: Remove dead code.
+- opts: fix option references missing (section)
-- Multiple pipelines and limiting the number of connections.
+- [Michael Kaufmann brought this change]
+
+ news: CURLOPT_CONNECT_TO and --connect-to
- Introducing a number of options to the multi interface that
- allows for multiple pipelines to the same host, in order to
- optimize the balance between the penalty for opening new
- connections and the potential pipelining latency.
+ Makes curl connect to the given host+port instead of the host+port found
+ in the URL.
+
+- makefile.vc6: use d suffix on debug object
- Two new options for limiting the number of connections:
+ To allow both release and debug builds in parallel.
- CURLMOPT_MAX_HOST_CONNECTIONS - Limits the number of running connections
- to the same host. When adding a handle that exceeds this limit,
- that handle will be put in a pending state until another handle is
- finished, so we can reuse the connection.
+ Reported-by: Rod Widdowson
- CURLMOPT_MAX_TOTAL_CONNECTIONS - Limits the number of connections in total.
- When adding a handle that exceeds this limit,
- that handle will be put in a pending state until another handle is
- finished. The free connection will then be reused, if possible, or
- closed if the pending handle can't reuse it.
+ Fixes #769
+
+Jay Satiro (12 Apr 2016)
+- http2: Use size_t type for data drain count
- Several new options for pipelining:
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
+
+- http2: Improve header parsing
- CURLMOPT_MAX_PIPELINE_LENGTH - Limits the pipeling length. If a
- pipeline is "full" when a connection is to be reused, a new connection
- will be opened if the CURLMOPT_MAX_xxx_CONNECTIONS limits allow it.
- If not, the handle will be put in a pending state until a connection is
- ready (either free or a pipe got shorter).
+ - Error if a header line is larger than supported.
- CURLMOPT_CONTENT_LENGTH_PENALTY_SIZE - A pipelined connection will not
- be reused if it is currently processing a transfer with a content
- length that is larger than this.
+ - Warn if cumulative header line length may be larger than supported.
- CURLMOPT_CHUNK_LENGTH_PENALTY_SIZE - A pipelined connection will not
- be reused if it is currently processing a chunk larger than this.
+ - Allow spaces when parsing the path component.
- CURLMOPT_PIPELINING_SITE_BL - A blacklist of hosts that don't allow
- pipelining.
+ - Make sure each header line ends in \r\n. This fixes an out of bounds.
- CURLMOPT_PIPELINING_SERVER_BL - A blacklist of server types that don't allow
- pipelining.
+ - Disallow header continuation lines until we decide what to do.
- See the curl_multi_setopt() man page for details.
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-Yang Tse (13 Mar 2013)
-- tool_main.c: remove redundant vms_show storage-class specifier
-
- vms_show 'extern' storage-class specifier removed from tool_main.c due to...
-
- - Advice from Tor Arntsen: http://curl.haxx.se/mail/lib-2013-03/0164.html
+- http2: Add Curl_http2_strerror for HTTP/2 error codes
- - HP OpenVMS docs stating that 'Extern is the default storage class for
- variables declared outside a function.'
- http://h71000.www7.hp.com/commercial/c/docs/dec_c_help_5.html
- (Storage_Classes section)
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- test509: libcurl initialization with memory callbacks and actual usage
+- [Tatsuhiro Tsujikawa brought this change]
-Steve Holme (13 Mar 2013)
-- pop3: Removed unnecessary transfer cancellation
+ http2: Don't increment drain when one header field is received
- Following commit e450f66a02d8 and the changes in the multi interface
- being used internally, from 7.29.0, the transfer cancellation in
- pop3_dophase_done() is no longer required.
-
-Yang Tse (13 Mar 2013)
-- Makefile.am: add VMS files not being included in tarball
+ Sicne we write header field in temporary location, not in the memory
+ that upper layer provides, incrementing drain should not happen.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- [Tom Grace brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
- build_vms.com: VMS build fixes
+ http2: Ensure that http2_handle_stream_close is called
+
+ This commit ensures that streams which was closed in on_stream_close
+ callback gets passed to http2_handle_stream_close. Previously, this
+ might not happen. To achieve this, we increment drain property to
+ forcibly call recv function for that stream.
+
+ To more accurately check that we have no pending event before shutting
+ down HTTP/2 session, we sum up drain property into
+ http_conn.drain_total. We only shutdown session if that value is 0.
- Added missing slash in cc_full_list.
- Removed unwanted extra quotes inside symbol tool_main
- for non-VAX architectures that triggered link failure.
- Replaced curl_sys_inc with sys_inc.
+ With this commit, when stream was closed before reading response
+ header fields, error code CURLE_HTTP2_STREAM is returned even if
+ HTTP/2 level error is NO_ERROR. This signals the upper layer that
+ stream was closed by error just like TCP connection close in HTTP/1.
+
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- [Tom Grace brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
- tool_main.c: fix VMS global variable storage-class specifier
+ http2: Process paused data first before tear down http2 session
+
+ This commit ensures that data from network are processed before HTTP/2
+ session is terminated. This is achieved by pausing nghttp2 whenever
+ different stream than current easy handle receives data.
- An extern submits a psect and a global reference to the linker to point
- to it. Using "extern int vms_show = 0" also creates a globaldef.
+ This commit also fixes the bug that sometimes processing hangs when
+ multiple HTTP/2 streams are multiplexed.
- The use of the extern by itself does declare a psect but does not declare
- a globalsymbol. It does declare a globalref. But the linker needs one and
- only one globaldef or there is an error.
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-Patrick Monnerat (12 Mar 2013)
-- OS400: synchronize RPG binding
+- [Tatsuhiro Tsujikawa brought this change]
-Steve Holme (12 Mar 2013)
-- pop3: Fixed continuous wait when using --ftp-list
+ http2: Check session closure early in http2_recv
- Don't initiate a transfer when using --ftp-list.
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-Kamil Dudka (12 Mar 2013)
-- [Zdenek Pavlas brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
- curl_global_init: accept the CURL_GLOBAL_ACK_EINTR flag
+ http2: Add handling stream level error
- The flag can be used in pycurl-based applications where using the multi
- interface would not be acceptable because of the performance lost caused
- by implementing the select() loop in python.
+ Previously, when a stream was closed with other than NGHTTP2_NO_ERROR
+ by RST_STREAM, underlying TCP connection was dropped. This is
+ undesirable since there may be other streams multiplexed and they are
+ very much fine. This change introduce new error code
+ CURLE_HTTP2_STREAM, which indicates stream error that only affects the
+ relevant stream, and connection should be kept open. The existing
+ CURLE_HTTP2 means connection error in general.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1168
- Downstream Bug: https://bugzilla.redhat.com/919127
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- easy: do not ignore poll() failures other than EINTR
-
-Yang Tse (12 Mar 2013)
-- curl.h: stricter CURL_EXTERN linkage decorations logic
+Daniel Stenberg (11 Apr 2016)
+- http2: drain the socket better...
- No API change involved.
+ ... but ignore EAGAIN if the stream has ended so that we don't end up in
+ a loop. This is a follow-up to c8ab613 in order to avoid the problem
+ d261652 was made to fix.
- Info: http://curl.haxx.se/mail/lib-2013-02/0234.html
-
-Daniel Stenberg (11 Mar 2013)
-- THANKS: Latin-1'ified Jiri's name
+ Reported-by: Jay Satiro
+ Clues-provided-by: Tatsuhiro Tsujikawa
+
+ Discussed in #750
-Steve Holme (11 Mar 2013)
-- test806: Added CRLF to reply data to be compliant with RFC-822
+- KNOWN_BUGS: added info for "Hangs with PolarSSL"
-Daniel Stenberg (11 Mar 2013)
-- test805: added crlf newlines to make data size match
+- KNOWN_BUGS: 1.9 HTTP/2 frames while in the connection pool kill reuse
- since mails sent are supposed to have CRLF line endings I added them and
- now the data size after (\Seen) matches again properly
-
-- test: fix newline for the data check of 807
+ Closes #750
-Yang Tse (11 Mar 2013)
-- test801 to test807: fix protocol section line endings
+- build: include scripts/ in the dist
-Steve Holme (10 Mar 2013)
-- Makefile.am: Corrected a couple of spurious tab characters
+Steve Holme (9 Apr 2016)
+- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
- Corrected a couple of tab characters between test702 and test703, and
- between test900 and test901 which should be spaces.
+ As these two options provide identical functionality, the former for
+ SOCK5 proxies and the latter for HTTP proxies, merged the two options
+ together.
+
+ As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
+ 7.49.0.
-- [Jiri Hruska brought this change]
+- urldata: Use bool for socks5_gssapi_nec as it is a flag
+
+ This value is set to TRUE or FALSE so should be a bool and not a long.
- imap: Added test807 for custom request functionality (STORE)
+- url: Ternary operator code style changes
-- [Jiri Hruska brought this change]
+- CODE_STYLE: Added ternary operator example to 'Space around operators'
+
+ Following conversation on the libcurl mailing list.
- imap: Added test806 for IMAP (folder) LIST command
+- sasl: Fixed compilation errors from commit 9d89a0387
+
+ ...when GSS-API or Windows SSPI are not used.
-- [Jiri Hruska brought this change]
+- url: Corrected comments following 9d89a0387
- imap: Added test805 for APPEND functionality
+- docs: Added clarification following commit 9d89a0387
-- [Jiri Hruska brought this change]
+- Makefile: Fixed echo of checksrc check
- imap: Added test804 for skipping SELECT if in the same mailbox
+- checksrc: Fix issue with the autobuilds not picking up the whitelist
-- [Jiri Hruska brought this change]
+- checksrc: Added missing vauth and vtls directories
- imap: Added test802 and test803 for UIDVALIDITY verification
+- ftp/imap/pop3/smtp: Allow the service name to be overridden
- Added one test for a request with matching UIDVALIDITY and one which is
- a mismatched request that will fail.
+ Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
+ authentication in FTP, IMAP, POP3 and SMTP.
-- [Jiri Hruska brought this change]
+- http_negotiate: Calculate service name and proxy service name locally
+
+ Calculate the service name and proxy service names locally, rather than
+ in url.c which will allow for us to support overriding the service name
+ for other protocols such as FTP, IMAP, POP3 and SMTP.
- imap: Added test801 for UID and SECTION URL parameters
+- ROADMAP: Updated following the move of the authentication code
-- [Jiri Hruska brought this change]
+Patrick Monnerat (8 Apr 2016)
+- KNOWN_BUGS: openldap hangs. TODO: binary SASL.
- imap-tests: Accept quoted parameters in ftpserver.pl
+Daniel Stenberg (8 Apr 2016)
+- KNOWN_BUGS: 5.6 Improper use of Autoconf cache variables
- Any IMAP parameter can come in escaped and in double quotes. Added a
- simple function to unquote the command parameters and applied it to
- the IMAP command handlers.
-
-- [Jiri Hruska brought this change]
+ Closes #603
- tests: Fix ftpserver.pl indentation
+- KNOWN_BUGS: 11.2 error buffer not set...
- The whole of FETCH_imap() had one extra space of indentation, whilst
- APPEND_imap() used indentation of 2 instead of 4 in places.
+ Closes #544
-- Makefile.am: Corrected end of line filler character
+- KNOWN_BUGS: 11.1 Curl leaks .onion hostnames in DNS
- The majority of lines, that specify a test file for inclusion, end with
- a tab character before the slash whilst some end with a space. Corrected
- those that end with a space to end with a tab character as well.
+ Closes #543
-- email-tests: Updated the test data that corresponds to the test number
+- KNOWN_BUGS: 1.8 DNS timing is wrong for HTTP redirects
- Finished segregating the email protocol tests, into their own protocol
- based ranges, in preparation of adding more e-mail related tests to the
- test suite.
+ Closes #522
-- email-tests: Renamed the IMAP test to be 800
-
- Continued segregating the email protocol tests, into their own protocol
- based ranges, in preparation of adding more e-mail related tests to the
- test suite.
+- TODO: HTTP/2 "prior knowledge" is implemented!
-- email-tests: Renamed the SMTP tests to be in the range 900-906
-
- Continued segregating the email protocol tests, into their own protocol
- based ranges, in preparation of adding more e-mail related tests to the
- test suite.
+- [Damien Vielpeau brought this change]
-- email-tests: Renamed the POP3 tests to be in the range 850-857
-
- Started segregating the email protocol tests, into their own protocol
- based ranges, in preparation of adding more e-mail related tests to the
- test suite.
+ mbedtls: fix MBEDTLS_DEBUG builds
-Daniel Stenberg (10 Mar 2013)
-- hiperfifo: updated to use current libevent API
+- mbedtls: implement and provide *_data_pending()
- Patch by: Myk Taylor
-
-Steve Holme (10 Mar 2013)
-- imap: Reworked some function descriptions
+ ... as otherwise we might get stuck thinking there's no more data to
+ handle.
+
+ Reported-by: Damien Vielpeau
+
+ Fixes #737
-- imap: Added some missing comments to imap_sendf()
+- mbedtls: follow-up for the previous commit
-- email: Removed hard returns from init functions
+- mbedtls.c: name space pollution fix, Use 'Curl_'
-Daniel Stenberg (9 Mar 2013)
-- curl_multi_wait: avoid second loop if nothing to do
+- mbedtls.c: changed private prefix to mbed_
- ... hopefully this will also make clang-analyzer stop warning on
- potentional NULL dereferences (which were false positives anyway).
+ mbedtls_ is the prefix used by the mbedTLS library itself so we should
+ avoid using that for our private functions.
-- multi_runsingle: avoid NULL dereference
+- mbedtls.h: fix compiler warnings
+
+- Revert "winbuild: trying to set some files eol=crlf for git"
+
+ This reverts commit 9c08b4f1e7eced5a4d3782a3e0daa484c9d77d21.
- When Curl_do() returns failure, the connection pointer could be NULL so
- the code path following needs to that that into account.
+ Didn't help. Caused problems.
- Bug: http://curl.haxx.se/mail/lib-2013-03/0062.html
- Reported by: Eric Hu
+ Fixes #756
-Steve Holme (9 Mar 2013)
-- imap: Re-factored all perform based functions
+- curl.1: use example.com more
- Standardised the naming of all perform based functions to be in the form
- imap_perform_something().
+ Make (most) example snippets use the example.com domain instead of the
+ random ones picked and used before. Some of those were probably
+ legitimate sites and some not. example.com is designed for this purpose.
-Daniel Stenberg (9 Mar 2013)
-- [Cédric Deltheil brought this change]
+- [Michael Kaufmann brought this change]
- examples/getinmemory.c: abort the transfer if not enough memory
+ HTTP2: Add a space character after the status code
- No more use exit(3) but instead tell libcurl that no byte has been
- written to let it return a `CURLE_WRITE_ERROR`. In addition, check
- curl easy handle return code.
-
-- RELEASE-NOTES: synced with ca3c0ed3a9c
+ The space character after the status code is mandatory, even if the
+ reason phrase is empty (see RFC 7230 section 3.1.2)
- 8 more bugfixes, one change and a bunch of contributors
-
-Yang Tse (9 Mar 2013)
-- Makefile.am: empty AM_LDFLAGS definition for automake 1.7 compatibility
+ Closes #755
-Steve Holme (9 Mar 2013)
-- imap: Added description comments to all perform based functions
+- [Viktor Szakats brought this change]
-- imap: Removed the need for separate custom request functions
+ URLs: change http to https in many places
- Moved the custom request processing into the LIST command as the logic
- is the same.
+ Closes #754
-- imap: Corrected typo in comment
-
-Yang Tse (9 Mar 2013)
-- Makefile.am: empty AM_LDFLAGS definition for automake 1.7 compatibility
+- winbuild: trying to set some files eol=crlf for git
+
+ Thinking it might help to apply patches etc with git.
-Steve Holme (9 Mar 2013)
-- imap: Moved imap_logout() to be grouped with the other perform functions
+- [Theodore Dubois brought this change]
-- email: Updated the function descriptions for the logout / quit functions
+ curl.1: change example for -F
- Updated the function description comments following commit 4838d196fdbf.
+ It's a bad idea to send your passwords anywhere, especially over HTTP.
+ Modified example to send a picture instead.
+
+ Fixes #752
-- email: Simplified the logout / quit functions
+- KNOWN_BUGS: reorganized and cleaned up
- Moved the blocking state machine to the disconnect functions so that the
- logout / quit functions are only responsible for sending the actual
- command needed to logout or quit.
+ Now sorted into categories and organized in the same style we do the
+ TODO document. It will make each issue linked properly on the
+ https://curl.haxx.se/docs/knownbugs.html web page.
- Additionally removed the hard return on failure.
+ The sections should make it easier to find issues and issues related to
+ areas of the reader's specific interest.
-- email: Tidied up the *_regular_transfer() functions
-
- Added comments and simplified convoluted dophase_done comparison.
+Jay Satiro (6 Apr 2016)
+- KNOWN_BUGS: #95 curl in Windows can't handle Unicode arguments
+
+Steve Holme (6 Apr 2016)
+- KNOWN_BUGS: Use https://curl.haxx.se URL for github based issues
+
+- CHECKSRC.md: Corrected some typos
-- email: Simplified nesting of if statements in *_doing() functions
+- RELEASE-NOTES: Corrected last updated
+
+ Included a summary of the checksrc.bat updates and combined two krb5
+ changes as they should have been implemented at the same time.
-Daniel Stenberg (8 Mar 2013)
-- RELEASE-NOTES: mention that krb4 is up for consideration
+- vauth: Corrected a number of typos in comments
+
+ Reported-by: Michael Osipov
-Steve Holme (8 Mar 2013)
-- imap: Fixed handling of untagged responses for the STORE custom command
+Jay Satiro (5 Apr 2016)
+- KNOWN_BUGS: #94 IMAP custom requests use the LIST handler
- Added an exception, for the STORE command, to the untagged response
- processor in imap_endofresp() as servers will back respones containing
- the FETCH keyword instead.
+ Bug: https://github.com/curl/curl/issues/536
+ Reported-by: eXeC64@users.noreply.github.com
-Yang Tse (8 Mar 2013)
-- curlbuild.h.dist: enhance non-configure GCC ABI detection logic
+Daniel Stenberg (5 Apr 2016)
+- KNOWN_BUGS: remove 68, 70 and 72.
- GCC specific adjustments:
+ Due to their age (we don't fully know if they actually remain) and lack
+ of detail - very few people will bother to find out what they're about
+ or work on them. If people truly still suffer from any of these, I
+ assume they will be reported again and then we'll deal with them.
- - check __ILP32__ before 32 and 64bit processor architectures in
- order to detect ILP32 programming model on 64 bit processors
- which, of course, also support LP64 programming model, when using
- gcc 4.7 or newer.
+ 72. "Pausing pipeline problems."
+ https://curl.haxx.se/mail/lib-2009-07/0214.html
- - keep 32bit processor architecture checks in order to support gcc
- versions older than 4.7 which don't define __ILP32__
+ 70. Problem re-using easy handle after call to curl_multi_remove_handle
+ https://curl.haxx.se/mail/lib-2009-07/0249.html
- - check __LP64__ for gcc 3.3 and newer, while keeping 64bit processor
- architecture checks for older versions which don't define __LP64__
+ 68. "More questions about ares behavior".
+ https://curl.haxx.se/mail/lib-2009-08/0012.html
-- curlbuild.h.dist: fix GCC build on ARM systems without configure script
+- KNOWN_BUGS: remove 92 and 88, fixed
+
+- http2: fix connection reuse when PING comes after last DATA
+
+ It turns out the google GFE HTTP/2 servers send a PING frame immediately
+ after a stream ends and its last DATA has been received by curl. So if
+ we don't drain that from the socket, it makes the socket readable in
+ subsequent checks and libcurl then (wrongly) assumes the connection is
+ dead when trying to reuse the connection.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1205
- Reported by: technion
+ Reported-by: Joonas Kuorilehto
+
+ Discussed in #750
-- [Gisle Vanem brought this change]
+- multi: remove trailing space in debug output
- polarssl.c: fix header filename typo
+- RELEASE-NOTES: synced with 86e97b642fb
-- configure: use XC_LIBTOOL for portability across libtool versions
+- CHECKSRC.md: mention cmdline options, fix the bullet list
-- xc-lt-iface.m4: provide XC_LIBTOOL macro
+- docs/CHECKSRC.md: initial version
-Steve Holme (7 Mar 2013)
-- imap: Fixed SELECT not being performed for custom requests
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Added support for the examples
-- email: Minor code tidy up following recent changes
+Daniel Stenberg (3 Apr 2016)
+- lib/src: fix the checksrc invoke
- Removed unwanted braces and added variable initialisation.
+ ... now works correctly when invoke from the root makefile
-- DOCS: Corrected the IMAP URL grammar of the UIDVALIDITY parameter
+- nw: please the stricter checksrc
-- FEATURES: Provided a little clarity in some IMAP features
-
-- email: Optimised block_statemach() functions
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Re-enabled the tests directory by default
- Optimised the result test in each of the block_statemach() functions.
+ Following the recent changes to the source in the tests directory,
+ re-enabled tests for the default scan.
-- DOCS: Added the list command to the IMAP URL section
+- checksrc.bat: Added tests/server directory support
- Added examples of the list command and clarified existing example URLs
- following recent changes.
+ In addition to commit 83b174b3f0 and following the recent changes.
-- FEATURES: Updated for recent imap additions
-
- Updated the imap features list, corrected a typo in the smtp features
- and clarified a pop3 feature.
+- tests: Fixed header files to comply with our code style
-Daniel Stenberg (7 Mar 2013)
-- version bump: the next release will be 7.30.0
+Daniel Stenberg (3 Apr 2016)
+- make checksrc: run it in docs/examples too by default
-- checksrc: ban unsafe functions
+- docs/examples: remove spurious white spaces all over
- The list of unsafe functions currently consists of sprintf, vsprintf,
- strcat, strncat and gets.
-
- Subsequently, some existing code needed updating to avoid warnings on
- this.
+ ... to please the new, slightly picker, checksrc.pl
-Steve Holme (7 Mar 2013)
-- RELEASE-NOTES: Added missing imap fixes and additions
-
- With all the recent imap changes it wasn't clear what new features and
- fixes should be included in the release notes.
+- tests: fix make checksrc in servers/
-Nick Zitzmann (6 Mar 2013)
-- RELEASE-NOTES: brought this up-to-date with the latest changes
+- tests: 'make checksrc' now checks server/ too
-Steve Holme (6 Mar 2013)
-- [Jiri Hruska brought this change]
+- root/make: have checksrc run in include/curl too
- imap: Fixed test801 and test1321 to specify a message UID
-
- Just a folder list would be retrieved if UID was not specified now.
+- tests/server: comply with our code style
-- [Jiri Hruska brought this change]
+- code: style updates
- imap: Fixed ftpserver.pl to allow verification even through LIST command
-
- Commit 198012ee inadvertently broke LIST_imap().
+- checksrc: check for more malplaced spaces
-- imap: Tidied up the APPEND and final APPEND response functions
-
- Removed unnecessary state changes on failure and setting of result codes
- on success.
+- unit: make unit test source code checksrc compliant
-- imap: Tidied up the final FETCH response function
-
- Removed unnecessary state change on failure and setting of result code on
- success.
+- checksrc: run checksrc in tests when 'make checksrc' in root
-- imap: Tidied up the LIST response function
-
- Reworked comments as they referenced custom commands, removed
- unnecessary state change on failure and setting of result code on
- success.
+- checksrc: remove debug crap
-- imap: Removed the custom request response function
-
- Removed imap_state_custom_resp() as imap_state_list_resp() provides the
- same functionality.
+- lib557: allow too long lines
+
+- checksrc: allow ignore of specific warnings within a file (section)
+
+- checksrc: add warning names, explain on help output
+
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Disable tests by default until warnings are fixed
+
+- checksrc.bat: Added support for the tests directory
-- [Jiri Hruska brought this change]
+- vauth: Removed the need for a separate GSS-API based SPN function
- imap: Updated ftpserver.pl to be more compliant, added new commands
+- curl_sasl: Fixed potential null pointer utilisation
- Enriched IMAP capabilities of ftpserver.pl in order to be able to
- add tests for the new IMAP features.
+ Although this should never happen due to the relationship between the
+ 'mech' and 'resp' variables, and the way they are allocated together,
+ it does cause problems for code analysis tools:
- * Added support for APPEND - Saves uploaded data to log/upload.$testno
- * Added support for LIST - Returns the contents of <reply/> section in
- the current test, like e.g FETCH.
- * Added support for STORE - Returns hardcoded updated flags
- * Changed handling of SELECT - Returns much more information in the
- usual set of untagged responses; uses hardcoded data from an example
- in the IMAP RFC
- * Changed handling of FETCH - Fixed response format
-
-- imap: Added check for empty UID in FETCH command
+ V595 The 'mech' pointer was utilized before it was verified against
+ nullptr. Check lines: 376, 381. curl_sasl.c 376
- As the UID has to be specified by the user for the FETCH command to work
- correctly, added a check to imap_fetch(), although strictly speaking it
- is protected by the call from imap_perform().
+ Bug: https://github.com/curl/curl/issues/745
+ Reported-by: Alexis La Goutte
-Kamil Dudka (6 Mar 2013)
-- nss: fix misplaced code enabling non-blocking socket mode
+- spnego: Small code tidy up
- The option needs to be set on the SSL socket. Setting it on the model
- takes no effect. Note that the non-blocking mode is still not enabled
- for the handshake because the code is not yet ready for that.
+ * Prefer dereference of string pointer rather than strlen()
+ * Free challenge pointer in one place
+ * Additional comments
-Daniel Stenberg (6 Mar 2013)
-- imap: fix compiler warning
+- krb5: Small code tidy up
- imap.c:694:21: error: unused variable 'imapc' [-Werror=unused-variable]
-
-Steve Holme (5 Mar 2013)
-- imap: Added support for list command
-
-- imap: Added list perform and response handler functions
-
-- imap: Introduced IMAP_LIST state
+ * Prefer dereference of string pointer rather than strlen()
+ * Free challenge pointer in one place
+ * Additional comments
-- imap: Small tidy up of imap_select() to match imap_append()
+- krb5_gssapi: Only process challenge when present
- Updated the style of imap_select() before adding the LIST command.
-
-- imap: Moved mailbox check from the imap_do() function
+ This wouldn't cause a problem because of the way the function is called,
+ but prior to this change, we were processing the challenge message when
+ the credentials were NULL rather than when the challenge message was
+ populated.
- In preparation for the addition of the LIST command, moved the mailbox
- check from imap_do() to imap_select() and imap_append().
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-- curl_setup.h: Added S_IRDIR() macro for compilers that don't support it
+- krb5: Fixed missing client response when mutual authentication enabled
- Commit 26eaa8383001 introduces the use of S_ISDIR() yet some compilers,
- such as MSVC don't support it, so we must define a substitute using
- file flags and mask.
+ Although mutual authentication is currently turned off and can only be
+ enabled by changing libcurl source code, authentication using Kerberos
+ 5 has been broken since commit 79543caf90 in this use case.
-Daniel Stenberg (4 Mar 2013)
-- AddFormData: prevent only directories from being posted
+- krb5_sspi: Only process challenge when present
- Commit f4cc54cb4746ae5a6d (shipped as part of the 7.29.0 release) was a
- bug fix that introduced a regression in that while trying to avoid
- allowing directory names, it also forbade "special" files like character
- devices and more. like "/dev/null" as was used by Oliver who reported
- this regression.
+ This wouldn't cause a problem because of the way the function is called,
+ but prior to this change, we were processing the challenge message when
+ the credentials were NULL rather than when the challenge message was
+ populated.
- Reported by: Oliver Gondža
- Bug: http://curl.haxx.se/mail/archive-2013-02/0040.html
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-Nick Zitzmann (3 Mar 2013)
-- darwinssl: fix infinite loop if server disconnected abruptly
+- krb5_sspi: Only generate the output token when its not allocated
- If the server hung up the connection without sending a closure alert,
- then we'd keep probing the socket for data even though it's dead. Now
- we're ready for this situation.
+ Prior to this change, we were generating the output token when the
+ credentials were NULL rather than when the output token was NULL.
- Bug: http://curl.haxx.se/mail/lib-2013-03/0014.html
- Reported by: Aki Koskinen
-
-Steve Holme (3 Mar 2013)
-- imap: Added comments to imap_append()
-
-- [Jiri Hruska brought this change]
-
- imap: Added required mailbox check for FETCH and APPEND commands
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-- pingpong.c: Fix enumerated type mixed with another type
-
-- smtp: Updated the coding style for state changes after a send operation
+- krb5: Only generate a SPN when its not known
+
+ Prior to this change, we were generating the SPN in the SSPI code when
+ the credentials were NULL and in the GSS-API code when the context was
+ empty. It is better to decouple the SPN generation from these checks
+ and only generate it when the SPN itself is NULL.
- Some state changes would be performed after a failure test that
- performed a hard return, whilst others would be performed within a test
- for success. Updated the code, for consistency, so all instances are
- performed within a success test.
+ This also brings this part of the Kerberos 5 code in line with the
+ Negotiate code.
-- pop3: Updated the coding style for state changes after a send operation
+Daniel Stenberg (3 Apr 2016)
+- tests/libtest: follow our code style guidelines better
- Some state changes would be performed after a failure test that
- performed a hard return, whilst others would be performed within a test
- for success. Updated the code, for consistency, so all instances are
- performed within a success test.
+ ... checksrc of all test code is pending.
-- imap: Fixed typo in variable assignment
+- checksrc.whitelist: remove fopen() uses
-- [Jiri Hruska brought this change]
+- formdata: use appropriate fopen() macros
- imap: Fixed custom request handling in imap_done()
+- checksrc: improve the fopen() parser somewhat
- Fixed imap_done() so that neither the FINAL states are not entered when
- a custom command has been performed.
+ The quote scanner was too fragile, now look for a comma instead to find
+ the mode argument.
-- [Jiri Hruska brought this change]
-
- imap: Enabled custom requests in imap_select_resp()
+- unit1604: fix snprintf
- Changed imap_select_resp() to invoke imap_custom() instead of
- imap_fetch() after the mailbox has been selected if a custom
- command has been set.
-
-- [Jiri Hruska brought this change]
-
- imap: Enabled custom requests in imap_perform()
+ follow-up to 0326b06
- Modified imap_perform() to start with the custom command instead of
- SELECT when a custom command is to be performed and no mailbox has
- been given.
-
-- [Jiri Hruska brought this change]
+ sizeof(pointer) is no good for the buffer size!
+
+ Reported-by: Viktor Szakats
- imap: Added custom request perform and response handler functions
+Steve Holme (3 Apr 2016)
+- unittests: Fixed compilation warnings
- Added imap_custom(), which initiates the custom command processing,
- and an associated response handler imap_state_custom_resp(), which
- handles any responses by sending them to the client as body data.
+ warning: implicit declaration of function 'sprintf_was_used'
+ [-Wimplicit-function-declaration]
- All untagged responses with the same name as the first word of the
- custom request string are accepted, with the exception of SELECT and
- EXAMINE which have responses that cannot be easily identified. An
- extra check has been provided for them so that any untagged responses
- are accepted for them.
+ Follow up to the modications made to tests/libtest in commit 55452ebdff
+ as we prefer not to use sprintf() now.
-- pop3: Fixed unnecessary parent structure reference
+Daniel Stenberg (2 Apr 2016)
+- curl.1: -w filename_effective was introduced in 7.26.0
- Updated pop3 code following recent imap changes.
+ We never made a 7.25.1 release
-- [Jiri Hruska brought this change]
+- 7.49.0: next release version
- imap: Added custom request parsing
+- http2: make use of the nghttp2 error callback
- Added imap_parse_custom_request() for parsing the CURLOPT_CUSTOMREQUEST
- parameter which URL decodes the value and separates the request from
- any parameters - This makes it easier to filter untagged responses
- by the request command.
-
-- [Jiri Hruska brought this change]
-
- imap: Introduced custom request parameters
+ It offers extra info from nghttp2 in certain error cases. Like for
+ example when trying prior-knowledge http2 on a server that doesn't speak
+ http2 at all. The error message is passed on as a verbose message to
+ libcurl.
- Added custom request parameters to the per-request structure.
-
-- [Jiri Hruska brought this change]
-
- imap: Introduced IMAP_CUSTOM state
-
-- imap: Minor code tidy up
+ Discussed in #722
- Minor tidy up of code layout and comments following recent changes.
+ The error callback was added in nghttp2 1.9.0
-- imap: Simplified the imap_state_append_resp() function
+Steve Holme (2 Apr 2016)
+- spnego: Renamed the context's SPN variable
- Introduced the result code variable to simplify the state changes and
- remove the hard returns.
+ To be consistent with the Kerberos 5 context and other authentication
+ code.
-- imap: Changed successful response logic in imap_state_append_resp()
+- krb5_gssapi: Renamed the status variables
- For consistency changed the logic of the imap_state_append_resp()
- function to test for an unsucessful continuation response rather than a
- succesful one.
+ For consistency with the spnego code.
-- imap: Standardised imapcode condition tests
+- krb5: Moved host from Curl_auth_create_gssapi_user_message() to be argument
- For consistency changed two if(constant != imapcode) tests to be
- if(imapcode != constant).
-
-- imap: Moved imap_append() to be with the other perform functions
+ For consistency with the spnego and oauth2 code moved the setting of
+ the host name outside of the Curl_auth_create_gssapi_user_messag()
+ function.
+
+ This will allow us to more easily override it in the future.
-- [Jiri Hruska brought this change]
+- test1119: Fixed missing CURL_DID_MEMORY_FUNC_TYPEDEFS symbol
- imap: Enabled APPEND support in imap_perform()
+- RELEASE-NOTES: Removed "http_negotiate: Corrected host and proxy host name"
- Added logic in imap_perform() to perform an APPEND rather than SELECT
- and FETCH if an upload has been specified.
+ As this was introduced in the recent vauth changes and not a prior
+ release.
-- [Jiri Hruska brought this change]
+Daniel Stenberg (1 Apr 2016)
+- RELEASE-NOTES: synced with 0aa8da10bbdafa
- imap: Implemented APPEND final processing
+Steve Holme (1 Apr 2016)
+- http_negotiate: Corrected host and proxy host name being wrong way round
- The APPEND operation needs to be performed in several steps:
- 1) We send "<tag> APPEND <mailbox> <flags> {<size>}\r\n"
- 2) Server responds with continuation respose "+ ...\r\n"
- 3) We start the transfer and send <size> bytes of data
- 4) Only now we end the request command line by sending "\r\n"
- 5) Server responds with "<tag> OK ...\r\n"
+ I had accidentally used the proxy server name for the host and the host
+ server name for the proxy in commit ad5e9bfd5d and 6d6f9ca1d9. Whilst
+ Windows SSPI was quite happy with this, GSS-API wasn't.
- This commit performs steps 4 and 5, in the DONE phase, as more
- processing is required after the transfer.
+ Thanks-to: Michael Osipov
-- [Jiri Hruska brought this change]
-
- imap: Added APPEND perform and response handler functions
+- build: Changed the Visual Studio projects warning level from 3 to 4
- Added imap_append() function to initiate upload and imap_append_resp()
- to handle the continuation response and start the transfer.
+ After squashing most of our compiler warnings, up'ed the default
+ warning level from 3 to 4 in order to increase the likelyhood of
+ catching future warnings.
-- [Jiri Hruska brought this change]
+Daniel Stenberg (1 Apr 2016)
+- [ehlertjd@gmail.com brought this change]
- imap: Introduced IMAP_APPEND and IMAP_APPEND_FINAL states
+ IMAP: check pointer before dereferencing it
+
+ may be null in the CURLOPT_CONNECT_ONLY case
+
+ Fixes #747
-- [Jiri Hruska brought this change]
+Steve Holme (1 Apr 2016)
+- .gitignore: Added new VC14 SQLite based program database files
- imap: Updated setting of transfer variables in imap_state_fetch_resp()
+- curl_memory.h: Fixed typo in comment
- Add number of bytes retrieved from the PP cache to req.bytecount and set
- req.maxdownload only when starting a proper download.
+ From commit 7218b52c49.
-- [Jiri Hruska brought this change]
+- spnego: Corrected some typos in comments
+
+ Corrected typos from commit ad5e9bfd5d and 6d6f9ca1d9.
- imap: Improved FETCH response parsing
+- memdebug: Ensure curl/curl.h is included before curl_memory.h
- Added safer parsing of the untagged FETCH response line and the size of
- continuation data.
+ Follow up to commit 7db9782dd6.
-- imap: Fixed accidentally lossing the result code
+Daniel Stenberg (1 Apr 2016)
+- upload: missing rewind call could make libcurl hang
+
+ When an upload is done, there are two places where that can be detected
+ and only one of them would rewind the input stream - which sometimes is
+ necessary for example when doing NTLM HTTP POSTs and more.
+
+ This could then end up libcurl hanging.
- Accidentally lost the result code in imap_state_capability() and
- imap_state_login() with commit b06a78622609.
+ Figured-out-by: Isaac Boukris
+ Reported-by: Anatol Belski
+
+ Fixes #741
-- imap: Another minor comment addition / tidy up
+- curl.h: define CURL_DID_MEMORY_FUNC_TYPEDEFS
+
+ So that we only do the extra typedefs in curl_memory.h when we really
+ need to and avoid double typedefs.
+
+ follow-up commit to 7218b52c49aeb1
+
+ Thanks-to: Steve Holme
-- imap: Updated the coding style for state changes after a send operation
+- curl/mprintf.h: remove support for _MPRINTF_REPLACE
- Some state changes would be performed after a failure test that
- performed a hard return, whilst others would be performed within a test
- for success. Updated the code, for consistency, so all instances are
- performed within a success test.
+ The define is not in our name space and is therefore not protected by
+ our API promises.
+
+ It was only really used by libcurl internals but was mostly erased from
+ there already in 8aabbf5 (March 2015). This is supposedly the final
+ death blow to that define from everywhere.
+
+ As a side-effect, making sure _MPRINTF_REPLACE is gone and not used, I
+ made the lib tests in tests/libtest/ use curl_printf.h for its redefine
+ magic and then subsequently the use of sprintf() got banned in the tests
+ as well (as it is in libcurl internals) and I then replaced them all
+ with snprintf().
+
+ In the unlikely event that any users is actually using this define and
+ gets sad by this change, it is very easily copied to the user's own
+ code.
-- pop3 / smtp: Small comment tidy up
+- curl_memory.h: avoid the curl/curl.h include
- Small tidy up to keep some comments consistant across each of the email
- protocols.
+ Discussed in #743
-- [Jiri Hruska brought this change]
+Steve Holme (1 Apr 2016)
+- url: Corrected get protocol family for FTP and LDAP
+
+ Fixed copy/paste error from commit a5aec58726.
- imap: FETCH response handler cleanup before further changes
+Jay Satiro (31 Mar 2016)
+- strerror: don't bit shift a signed integer
- Removed superfluous NULL assignment after Curl_safefree() and rewrote
- some comments and logging messages.
+ Bug: https://github.com/curl/curl/issues/744
+ Reported-by: Alexis La Goutte
-- pop3: Small tidy up of function arguments
+Daniel Stenberg (31 Mar 2016)
+- http2: more documentation for prior knowledge
-- imap: Small tidy up of function arguments
+- [Diego Bes brought this change]
-- smtp: Corrected debug message for POP3_AUTH_FINAL constant
+ http2: support "prior knowledge", no upgrade from HTTP/1.1
- Following commit ad3177da24b8 corrected the debug message in state()
- from AUTH to AUTH_FINAL.
-
-- pop3: Corrected debug message for POP3_AUTH_FINAL constant
+ Supports HTTP/2 over clear TCP
- Following commit afad1ce753a1 corrected the debug message in state()
- from AUTH to AUTH_FINAL.
-
-- imap: Corrected debug message for IMAP_AUTHENTICATE_FINAL constant
+ - Optimize switching to HTTP/2 by removing calls to init and setup
+ before switching. Switching will eventually call setup and setup calls
+ init.
- Following commit 13006f3de9ec corrected the debug message in state()
- from AUTHENTICATE to AUTHENTICATE_FINAL.
-
-- [Jiri Hruska brought this change]
-
- imap: Fixed error code returned for invalid FETCH response
+ - Supports new version to “force” the use of HTTP/2 over clean TCP
- If the FETCH command does not result in an untagged response the the
- UID is probably invalid. As such do not return CURLE_OK.
+ - Add common line parameter “--http2-prior-knowledge” to the Curl
+ command line tool.
-- [Jiri Hruska brought this change]
+- imap: remove duplicated function
+
+ The list and search response functions were identical! Merged into one
+ now. Detected by PVS Studio.
+
+ Reported-by: Alexis La Goutte
- imap: Added processing of the final FETCH responses
+- SOCKS5_gssapi_negotiate: don't assume little-endian ints
- Not processing the final FETCH responses was not optimal, not only
- because the response code would be ignored but it would also leave data
- unread on the socket which would prohibit connection reuse.
+ The code copied one byte from a 32bit integer, which works fine as long
+ as the byte order is the same. Not a fine assumption. Reported by PVS
+ Studio.
+
+ Reported-by: Alexis La Goutte
-- [Jiri Hruska brought this change]
+- http: remove ((expression)) double parentheses
- imap: Introduced FETCH_FINAL state for processing final fetch responses
-
- A typical FETCH response can be broken down into four parts:
+- Curl_add_buffer_send: avoid possible NULL dereference
- 1) "* <uid> FETCH (<what> {<size>}\r\n", using continuation syntax
- 2) <size> bytes of the actual message
- 3) ")\r\n", finishing the untagged response
- 4) "<tag> OK ...", finishing the command
+ ... as we check for a NULL pointer below, we move the derefence to after
+ the check. Detected by PVS Studio.
- Part 1 is read in imap_fetch_resp(), part 2 is consumed in the PERFORM
- phase by the transfer subsystem, parts 3 and 4 are currently ignored.
+ Reported-by: Alexis La Goutte
-- imap: fix autobuild warning
+- file: remove duplicate checks of the same variable
- Removed whitespace from imap_perform()
-
-- imap: fix compiler warning
+ ... as it doesn't change in between. Deteced by PVS Studio.
- error: declaration of 'imap' shadows a previous local
+ Reported-by: Alexis La Goutte
-- smtp: Re-factored the final SMTP_AUTH constant
-
- Changed the final SMTP_AUTH constant to SMTP_AUTH_FINAL for consistency
- with the response function.
+Steve Holme (30 Mar 2016)
+- [Marcel Raad brought this change]
-- pop3: Re-factored the final POP3_AUTH constant
+ openssl: Fix compilation warnings
- Changed the final POP3_AUTH constant to POP3_AUTH_FINAL for consistency
- with the response function.
+ When compiling with OpenSSL 1.1.0 (so that the HAVE_X509_GET0_SIGNATURE
+ && HAVE_X509_GET0_EXTENSIONS pre-processor block is active), Visual C++
+ 14 complains:
+
+ warning C4701: potentially uninitialized local variable 'palg' used
+ warning C4701: potentially uninitialized local variable 'psig' used
-- imap: Re-factored final IMAP_AUTHENTICATE constant
+Daniel Stenberg (30 Mar 2016)
+- multi: turn Curl_done into file local multi_done
- Changed the final IMAP_AUTHENTICATE constant to IMAP_AUTHENTICATE_FINAL
- for consistency with the response function.
+ ... as it now is used by multi.c only.
-- imap: Updated the coding style of imap_state_servergreet_resp()
+- multi: multi_reconnect_request is the former Curl_reconnect_request
- Updated the coding style, in this function, to be consistant with other
- response functions rather then performing a hard return on failure.
+ now a file local function in multi.c
-- imap: Reversed the logic of the (un)successful tagged SELECT response
+- multi: move Curl_do and Curl_do_done to multi.c and make static
- Reversed the logic of the unsuccessful vs successful tagged SELECT
- response in imap_state_select_resp() to be more logical to read.
+ ... called multi_do and multi_do_done as they're file local now.
-- imap: Reversed the logic of the (un)successful tagged CAPABILITY response
+Jay Satiro (29 Mar 2016)
+- wolfssl: Use ECC supported curves extension
- Reversed the logic of the unsuccessful vs successful tagged CAPABILITY
- response in imap_state_capability_resp() to be more logical to read.
+ https://github.com/wolfSSL/wolfssl/issues/366
-- imap: Corrected char* references with char *
+- build-wolfssl: Allow a broader range of ciphers (Visual Studio)
+
+ This is an update to the build-time options used to build wolfSSL in
+ Visual Studio for greater compatibility, and make it behave similar to
+ the way OpenSSL 1.0.2 behaves. Starting in wolfSSL v3.6.6 static ciphers
+ and SSLv3 are disabled by default at build time, but we can use both.
- Corrected char* references made in commit: 709b3506cd9b.
+ - Enable static cipher suites TLS_ECDH_ and TLS_RSA_.
+
+ - Enable SSLv3 hello. Though in libcurl we disable it by default at
+ runtime, we make it available so the user can manually select it if
+ necessary.
-- [Jiri Hruska brought this change]
+Daniel Stenberg (29 Mar 2016)
+- [Isaac Boukris brought this change]
- imap: Added processing of more than one response when sent in same packet
+ GSS: make Curl_gss_log_error more verbose
+
+ Also display the GSS_C_GSS_CODE (major code) when specified instead of
+ only GSS_C_MECH_CODE (minor code).
+
+ In addition, the old code was printing a colon twice after the prefix
+ and also miscalculated the length of the buffer in between calls to
+ gss_display_status (the length of ": " was missing).
+
+ Also, gss_buffer is not guaranteed to be NULL terminated and thus need
+ to restrict reading by its length.
- Added a loop to imap_statemach_act() in which Curl_pp_readresp() is
- called until the cache is drained. Without this multiple responses
- received in a single packet could result in a hang or delay.
+ Closes #738
-- [Jiri Hruska brought this change]
+- build: use roffit 0.11 feature
+
+ ... load file specified as argument.
- imap: Added skipping of SELECT command if already in the same mailbox
+- http2: set correct scheme in handler structs [regression]
+
+ Since commit a5aec58 the handler schemes need to match for the
+ connections to be reused and for HTTP/2 multiplexing to work, reusing
+ connections is very important!
- Added storage and checking of the last mailbox userd to prevent
- unnecessary switching.
+ Closes #736
-- [Jiri Hruska brought this change]
+- hostip.c: minor white space edit for style
- imap: Introduced the mailbox variable
-
- Added the mailbox variable to the per-connection structure in
- preparation for checking for an already selected mailbox.
+- [Viktor Szakats brought this change]
-- email: Slight reordering of connection based variables
+ TODO: use secure protocol in recently added URL
- Reordered the state and ssl_done variables in order to provide more
- consistency between the email protocols as well as for for an upcoming
- change.
-
-- imap: Tidied up comments for connection based variables
+ Closes #733
-- DOCS: Added the IMAP UIDVALIDITY property to the CURLOPT_URL section
+- HTTP2.md: mention libressl and boringssl too
-- [Jiri Hruska brought this change]
+- docs/HTTP-COOKIES: converted to markdown
- imap: Added verification of UIDVALIDITY mailbox attribute
-
- Added support for checking the UIDVALIDITY, and aborting the request, if
- it has been specified in the URL and the server response is different.
+- HTTP2: s/polarssl/mbedtls
-- [Jiri Hruska brought this change]
+Jay Satiro (28 Mar 2016)
+- wolfssl: Add ALPN support
- imap: Added support for parsing the UIDVALIDITY property
+- tool_operate: remove mixed declaration
- Added support for parsing the UIDVALIDITY property from the SELECT
- response and storing it in the per-connection structure.
-
-- [Jiri Hruska brought this change]
+ This is a follow up to the previous commit.
- imap: Introduced the mailbox_uidvalidity variable
+Daniel Stenberg (28 Mar 2016)
+- curl: warn for --capath use if not supported by libcurl
- Added the mailbox_uidvalidity variable to the per-connection structure
- in preparation for checking the UIDVALIDITY mailbox attribute.
+ Closes #492
-- imap: Corrected comment in imap_endofresp()
+- TODO: 2.5 Edge-triggered sockets should work
-- imap: Corrected whitespace
+- Makefile.am: skip the scripts dir
+
+ Skipping the scripts dir is primarily done for 'make install' so that it
+ does not attempt to install the zsh completion script as we've not yet
+ found a proper way to do/run that at install time.
+
+ By leaving the script dir's Makefile in place, a user can still opt to
+ run make install manually in there.
+
+ Closes #620
-- [Jiri Hruska brought this change]
+- CURLMOPT_SOCKETFUNCTION.3: describe the 'what' argument
- imap: Added filtering of CAPABILITY and FETCH untagged responses
+- curl_multi_socket_action.3: mark the options properly
- Only responses that contain "CAPABILITY" and "FETCH", respectively,
- will be sent to their response handler.
+ ... to make them appear as links on the html version.
-- [Jiri Hruska brought this change]
+Steve Holme (27 Mar 2016)
+- RELEASE-NOTES: Synced with f0bdd72c10
- imap: Added a helper function for upcoming untagged response filtering
+- http_ntlm: Renamed from curl_ntlm.[c|h]
- RFC 3501 states that "the client MUST be prepared to accept any response
- at all times" yet we assume anything received with "* " at the beginning
- is the untagged response we want.
+ Renamed the header and source files for this module as they are HTTP
+ specific and as such, they should use the naming convention as other
+ HTTP authentication source files do - this revert commit 260ee6b7bf.
- Introduced a helper function that checks whether the input looks like a
- response to specified command, so that we may filter the ones we are
- interested in according to the current state.
+ Note: We could also rename curl_ntlm_wb.[c|h], however, the Winbind
+ code needs separating from the HTTP protocol and migrating into the
+ vauth directory, thus adding support for Winbind to the SASL based
+ protocols such as IMAP, POP3 and SMTP.
-- [Jiri Hruska brought this change]
+Daniel Stenberg (27 Mar 2016)
+- [marquis-de-muesli brought this change]
- imap: Moved CAPABILITY response handling to imap_state_capability_resp()
+ docs: curlinfo_filetime sftp support, new curlopt_quote "statvfs"
- Introduced similar handling to the FETCH responses, where even the
- untagged data responses are handled by the response handler of the
- individual state.
-
-Linus Nielsen Feltzing (26 Feb 2013)
-- Remove unused variable in smtp_state_data_resp()
+ Closes #677
-Steve Holme (25 Feb 2013)
-- email: Small tidy up following recent changes
-
-- smtp: Removed bytecountp from the per-request structure
-
- Removed this pointer to a downloaded bytes counter because it was set in
- smtp_init() to point to the same variable the transfer functions keep
- the count in (k->bytecount), effectively making the code in transfer.c
- "*k->bytecountp = k->bytecount" a no-op.
+- [marquis-de-muesli brought this change]
-- pop3: Removed bytecountp from the per-request structure
+ SSH: new CURLOPT_QUOTE command "statvfs"
- Removed this pointer to a downloaded bytes counter because it was set in
- pop3_init() to point to the same variable the transfer functions keep
- the count in (k->bytecount), effectively making the code in transfer.c
- "*k->bytecountp = k->bytecount" a no-op.
+ usage: "statvfs path"
+ returns remote file system statistics
-- [Jiri Hruska brought this change]
+- [marquis-de-muesli brought this change]
- imap: Removed bytecountp from the per-request structure
-
- Removed this pointer to a downloaded bytes counter because it was set in
- imap_init() to point to the same variable the transfer functions keep
- the count in (k->bytecount), effectively making the code in transfer.c
- "*k->bytecountp = k->bytecount" a no-op.
+ SSH: support CURLINFO_FILETIME
-- [Jiri Hruska brought this change]
+- [Karlson2k brought this change]
- imap: Adjusted SELECT and FETCH function order
+ sshserver.pl: use quotes for given options
- Moved imap_select() and imap_fetch() to be grouped with the other
- perform functions.
+ Fixed failed redirection of stderr with some options. At least on Msys2,
+ perl fails to redirect stderr if $value contains newline or other weird
+ characters.
-- [Jiri Hruska brought this change]
+Jay Satiro (26 Mar 2016)
+- url: don't use bad offset in tld_check_name to show error
+
+ libidn's tld_check_lz returns an error offset of the first character
+ that it failed to process, however that offset is not a byte offset and
+ may not even be in the locale encoding therefore we can't use it to show
+ the user the character that failed to process.
+
+ Bug: https://github.com/curl/curl/issues/731
+ Reported-by: Karlson2k
- imap: Adjusted SELECT and FETCH state order in imap_statemach_act()
+Steve Holme (26 Mar 2016)
+- http_negotiate: Combine GSS-API and SSPI source files
- Exchanged the position of these states in the switch statements to
- match the state enum, execution and function order.
+ As the GSS-API and SSPI based source files are no longer library/API
+ specific, following the extraction of that authentication code to the
+ vauth directory, combine these files rather than maintain two separate
+ versions.
-- imap: Minor tidy up of comments in imap_parse_url_path()
+- vauth: Moved the Negotiate authentication code to the new vauth directory
- Tidy up of comments before next round of imap changes.
+ Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
-- imap: Fixed incorrect comparison for STARTTLS in imap_endofresp()
+- vauth: Moved the Negotiate authentication code to the new vauth directory
- Corrected the comparison type in addition to commit 1dac29fa83a9.
+ Part 1 of 2 - Moved the SSPI based Negotiate authentication code.
-- DOCS: Corrected IMAP URL examples according to RFC5092
+- warnless.h: Removed spurious character from commit 696bc6b9c9
- URL examples that included the UID weren't technically correct although
- would pass the curl parser.
+ Not picked up by checksrc or Visual Studio but my own code review, this
+ would haven broken Intel based Unix builds - Perhaps I should learn to
+ type on my laptop's keyboard before committing!
-Nick Zitzmann (24 Feb 2013)
-- darwinssl: fix undefined $ssllib warning in runtests.pl
+- schannel: Fixed compilation warning from commit f8d88a4913
- I also added --with-darwinssl to the list of SSL options in configure.
+ warning C4244: '=': conversion from 'int' to 'unsigned short', possible
+ loss of data
-Steve Holme (24 Feb 2013)
-- imap: Added check for new internal imap response code
+- warnless?: Added some integer based conversion functions
-- imap: Changed the order of the response types in imap_endofresp()
-
- From a maintenance point of view the code reads better to view tagged
- responses, then untagged followed by continuation responses.
+Daniel Stenberg (25 Mar 2016)
+- [Dusty Mabe brought this change]
+
+ docs/TODO: Add feature request for metalink in HTTP headers
- Additionally, this matches the order of responses in POP3.
+ Closes #729
+ Closes #728
-- [Jiri Hruska brought this change]
+Steve Holme (25 Mar 2016)
+- build: Corrected typos from commit 70e56939aa
- imap: Added stricter parsing of continuation responses
+- vauth: Refactored function names after move to new vauth directory
- Enhanced the parsing to only allow continuation responses in some
- states.
+ Renamed all the SASL functions that moved to the new vauth directory to
+ include the correct module name.
-- imap: Simplified memcmp() in tagged response parsing
+- vauth: Updated the copyright year after recent changes
+
+ As most of this work was performed in 2015 but not pushed until 2016
+ updated the copyright year to reflect the public facing changes.
-- [Jiri Hruska brought this change]
+- vauth: Moved the OAuth 2.0 authentication code to the new vauth directory
- imap: Reworked the logic of untagged command responses
+- vauth: Moved the NTLM authentication code to the new vauth directory
-- imap: Corrected spacing of trailing brace
+- vauth: Moved the Kerberos V5 authentication code to the new vauth directory
-- [Jiri Hruska brought this change]
+- digest.c: Fixed checksrc warnings
- imap: Added stricter parsing of tagged command responses
-
- Enhanced the parsing of tagged responses which must start with "OK",
- "NO" or "BAD"
+- vauth: Moved the DIGEST authentication code to the new vauth directory
-- [Jiri Hruska brought this change]
+- vauth: Moved the CRAM-MD5 authentication code to the new vauth directory
- imap: Simplified command response test in imap_endofresp()
+- vauth: Moved the ClearText authentication code to the new vauth directory
-- [Jiri Hruska brought this change]
+- vauth: Moved Curl_sasl_build_spn() to create the initial vauth source files
- imap: Corrected comment in imap_endofresp()
+- checksrc.bat: Added support for checking the new vauth directory
-- DOCS: Corrected layout of POP3 and IMAP URL examples
+- build: Updated all makefiles and project files for the new vauth directory
- Corrected layout issues with the POP3 and IMAP URL examples introduced
- in commit cb3ae6894fb2.
+ Updated the makefiles and Visual Studio project files to support moving
+ the authentication code to the new lib/vauth directory that was started
+ in commit 0d04e859e1.
+
+Daniel Stenberg (24 Mar 2016)
+- [JDepooter brought this change]
-- DOCS: Updated CURLOPT_URL section following recent POP3 and IMAP changes
+ schannel: Add ALPN support
- Updated the POP3 sub-section to refer to message ID rather than mailbox.
+ Add ALPN support for schannel. This allows cURL to negotiate
+ HTTP/2.0 connections when built with schannel.
- Added an IMAP sub-section with example URLs depicting the specification
- of mailbox, uid and section.
+ Closes #724
-- pop3: Refactored the mailbox variable as it didn't reflect it's purpose
-
- Updated the mailbox variable to correctly reflect it's purpose. The
- name mailbox was a leftover from when IMAP and POP3 support was
- initially added to curl.
-
-- FEATURES: Updated following recent IMAP changes
+Steve Holme (24 Mar 2016)
+- http: Minor update based on CODE_STYLE guidelines
-- [Jiri Hruska brought this change]
-
- imap: Added the ability to FETCH a specific UID and SECTION
+Daniel Stenberg (23 Mar 2016)
+- multi: fix "Operation timed out after" timer
- Updated the FETCH command to send the UID and SECTION parsed from the
- URL. By default the BODY specifier doesn't include a section, BODY[] is
- now sent whereas BODY[TEXT] was previously sent. In my opinion
- retrieving just the message text is rarely useful when dealing with
- emails, as the headers are required for example, so that functionality
- is not retained. In can however be simulated by adding SECTION=TEXT to
- the URL.
+ Use the local, reasonably updated, 'now' value when creating the message
+ string to output for the timeout condition.
- Also updated test801 and test1321 due to the BODY change.
-
-- email: Additional tidy up of comments following recent changes
+ Fixes #619
-- smtp: Removed some FTP heritage leftovers
+- openssl: boringssl provides the same numbering as openssl
- Removed user and passwd from the SMTP struct as these cannot be set on
- a per-request basis and are leftover from legacy FTP code.
+ ... so we don't need extra boringssl precautions for for
+ HAVE_ERR_REMOVE_THREAD_STATE_NOARG.
- Changed some comments still using FTP terminology.
+ Pointed-out-by: David Benjamin
-- smtp: Moved the per-request variables to the per-request data structure
+- openssl: fix ERR_remove_thread_state() for boringssl/libressl
- Moved the rcpt variable from the per-connection struct smtp_conn to the
- new per-request struct and fixed references accordingly.
-
-- pop3: Introduced a custom SMTP structure for per-request data
+ The removed arg is only done in OpenSSL
- Created a new SMTP structure and changed the type of the smtp proto
- variable in connectdata from FTP* to SMTP*.
-
-unknown (23 Feb 2013)
-- [Steve Holme brought this change]
+ Bug: https://twitter.com/xtraemeat/status/712564874098917376
- imap: Minor correction of comments for max line length
+- bump: work on 7.48.1
-Daniel Stenberg (23 Feb 2013)
-- strcasestr: remove check for this unused function
-
-- pop3: fix compiler warning
+- RELEASE-PROCEDURE: mention the github release tag edit
- error: declaration of 'pop3' shadows a previous local
-
-Steve Holme (23 Feb 2013)
-- [Jiri Hruska brought this change]
+ ... and update the coming release dates a bit
- imap: Added URL parsing of new variables
+Steve Holme (23 Mar 2016)
+- checksrc.bat: Updated the help to be consistent with generate.bat
- Updated the imap_parse_url_path() function to parse uidvalidity, uid and
- section parameters based on RFC-5092.
+ Follow up to commit a8c7f0fcbf prior to release.
-- [Jiri Hruska brought this change]
+Version 7.48.0 (23 Mar 2016)
- imap: Introduced imap_is_bchar() function
-
- Added imap_is_bchar() for testing if a given character is a valid bchar
- or not.
+Daniel Stenberg (23 Mar 2016)
+- RELEASE-NOTES: curl 7.48.0
-- [Jiri Hruska brought this change]
+- THANKS: 15 new contributors from 7.48.0 release
- imap: Introduced new per-request veriables
+Jay Satiro (23 Mar 2016)
+- CURLINFO_TLS_SSL_PTR.3: Warn about limitations
- Added uidvalidity, uid and section variables to the per-request IMAP
- structure in preparation for upcoming URL parsing.
+ Bug: https://github.com/curl/curl/issues/685
-- pingpong: Renamed curl_ftptransfer to curl_pp_transfer
-
-- pop3: Removed some FTP heritage leftovers
+Daniel Stenberg (22 Mar 2016)
+- Revert "sshserver: remove use of AuthorizedKeysFile2"
- Removed user and passwd from the POP3 struct as these cannot be set on
- a per-request basis and are leftover from legacy FTP code.
+ It seems we may have some autobuild problems after this commit went
+ in. Trying to see if a revert helps to get them back.
- Changed some comments still using FTP terminology.
+ This reverts commit 2716350d1f3edc8e929f6ceeee05051090f6d642.
-- pop3: Moved the per-request variables to the per-request data structure
+- maketgz: add -j to make dist
- Moved the mailbox and custom request variables from the per-connection
- struct pop3_conn to the new per-request struct and fixed references
- accordingly.
+ ... makes it a lot faster
-- pop3: Introduced a custom POP3 structure for per-request data
-
- Created a new POP3 structure and changed the type of the pop3 proto
- variable in connectdata from FTP* to POP*.
+- libcurl-thread.3: minor nroff format fix
-- [Jiri Hruska brought this change]
+- CURLINFO_TLS_SSL_PTR.3: minor nroff format fix
- imap: Fixed escaping of mailbox names
+- CODE_STYLE: indend example code
- Used imap_atom() to escape mailbox names in imap_select().
+ ... to make it look nicer in markdown outputa
-- pingpong: Moved curl_ftptransfer definition to pingpong.h
+Jay Satiro (22 Mar 2016)
+- build-wolfssl: Update VS properties for wolfSSL v3.9.0
- Moved the ftp transfer structure into pingpong.h so other protocols that
- require it don't have to include ftp.h.
-
-- urldata.h: Fixed comment for opt_no_body variable
+ - Do not use wolfSSL's sample user-setting files.
- Corrected comment for opt_no_body variable to CURLOPT_NOBODY.
-
-- email: Minor tidy up following IMAP changes
-
-- [Jiri Hruska brought this change]
-
- imap: Removed more FTP leftovers
+ wolfSSL starting in v3.9.0 has added their own sample user settings that
+ are applied by default, but we don't use them because we have our own
+ settings.
- Changed some variables and comments still using FTP terminology.
-
-- [Jiri Hruska brought this change]
-
- imap: Removed some FTP heritage leftovers
+ - Do not use wolfSSL's Visual Studio Unicode character setting.
- Removed user and passwd from the IMAP struct as these cannot be set on
- a per-request basis and are leftover from legacy FTP code.
-
-- [Jiri Hruska brought this change]
-
- imap: Introduced a custom IMAP structure for per-request data
+ wolfSSL Visual Studio projects use the Unicode character set however our
+ settings and options imitate mingw build which does not use the Unicode
+ character set. This does not appear to have any effect at the moment but
+ better safe than sorry.
- Created a new IMAP structure and changed the type of the imap proto
- variable in connectdata from FTP* to the new IMAP*.
- Moved the mailbox variable from the per-connection struct imap_conn to
- the new per-request struct and fixed references accordingly.
+ These changes are backwards compatible with earlier versions.
-- pop3: Updated do phrase clean-up comment
+Steve Holme (22 Mar 2016)
+- hostip6: Fixed compilation warnings when verbose strings disabled
- Following commit 65644b833532 for the IMAP module updated the clean-up
- comment in POP3.
-
-- imap: Fixed memory leak when performing multiple selects
+ warning C4189: 'data': local variable is initialized but not referenced
- Moved the clean-up of the mailbox variable from imap_disconnect() to
- imap_done() as this variable is allocated in the do phase, yet would
- have only been freed only once if multiple selects where preformed
- on a single connection.
-
-Daniel Stenberg (22 Feb 2013)
-- [Alexander Klauer brought this change]
+ ...and some minor formatting/spacing changes.
- Documentation: Typo in docs/CONTRIBUTE
+Daniel Stenberg (21 Mar 2016)
+- sshserver: remove use of AuthorizedKeysFile2
- Fixes a typo get → git in docs/CONTRIBUTE.
-
-- [Alexander Klauer brought this change]
-
- repository: ignore patch files generated by git
+ Support for the (undocumented) AuthorizedKeysFile2 was removed in
+ OpenSSH 5.9, released in September 2011
- Ignores the patch files generated by the 'git format-patch' command.
-
-- [Alexander Klauer brought this change]
+ Closes #715
- libcurl documentation: clarifications and typos
+Steve Holme (20 Mar 2016)
+- connect/ntlm/http: Fixed compilation warnings when verbose strings disabled
- * Elaborates on default values of some curl_easy_setopt() options.
- * Reminds the user to cast variadic arguments to curl_easy_setopt() to
- 'void *' where curl internally interprets them as such.
- * Clarifies the working of the CURLOPT_SEEKFUNCTION option for
- curl_easy_setopt().
- * Fixes typo 'forth' → 'fourth'.
- * Elaborates on CURL_SOCKET_TIMEOUT.
- * Adds some missing periods.
- * Notes that the return value of curl_version() must not be passed to
- free().
+ warning C4189: 'data': local variable is initialized but not referenced
-- [Alexander Klauer brought this change]
-
- lib/url.c: Generic read/write data pointers
+- openssl: Fixed compilation warning when /Wall enabled
- Always interprets the pointer passed with the CURLOPT_WRITEDATA or
- CURLOPT_READDATA options of curl_easy_setopt() as a void pointer in
- order to avoid problems in environments where FILE and void pointers
- have non-trivial conversion.
-
-- [Alexander Klauer brought this change]
+ warning C4706: assignment within conditional expression
- libcurl documentation: updates HTML index
+- CODE_STYLE: Use boolean conditions
+
+ Rather than use TRUE, FALSE, NULL, 0 or != 0 in if/while conditions.
- * Adds several links to documentation of library functions which were
- missing.
- * Marks documentation of deprecated library functions "(deprecated)".
- * Removes spurious .html suffixes.
+ Additionally, corrected some example code to adhere to the recommended
+ coding style.
-- ossl_seed: avoid recursive seeding!
+- inet_pton.c: Fixed compilation warnings
+
+ warning: conversion to 'unsigned char' from 'int' may alter its value
-Steve Holme (22 Feb 2013)
-- [Jiri Hruska brought this change]
+Daniel Stenberg (19 Mar 2016)
+- RELEASE-NOTES: synced with 80851028efc2fa9
- Fixed checking the socket if there is data waiting in the cache
+- mbedtls: fix compiler warning
- Use Curl_pp_moredata() in Curl_pp_multi_statemach() to check if there is
- more data to be received, rather than the socket state, as a task could
- hang waiting for more data from the socket itself.
+ vtls/mbedtls.h:67:36: warning: implicit declaration of function
+ ‘mbedtls_sha256’ [-Wimplicit-function-declaration]
-- imap.c: Fixed an incorrect variable reference
+Steve Holme (19 Mar 2016)
+- easy: Minor coding standard and style updates
- Fixed an incorrect variable reference which was introduced in commit
- a1701eea289f as a result of a copy and paste from SMTP/POP3.
+ Following commit c5744340db. Additionally removes the need for a second
+ 'result code' variable as well.
-- [Jiri Hruska brought this change]
+Jay Satiro (19 Mar 2016)
+- easy: Remove poll failure check in easy_transfer
+
+ .. because curl_multi_wait can no longer signal poll failure.
+
+ follow-up to 77e1726
+
+ Bug: https://github.com/curl/curl/issues/707
- pingpong: Introduce Curl_pp_moredata()
+Steve Holme (19 Mar 2016)
+- build: Added missing Visual Studio filter files for VC10 onwards
- A simple function to test whether the PP is not sending and there are
- still more data in its receiver cache. This will be later utilized to:
+ As these files don't need to contain references to the source files,
+ although typically do, added basic files which only include three
+ filters and don't require the project file generator to be modified.
- 1) Change Curl_pp_multi_statemach() and Curl_pp_easy_statemach() to
- not test socket state and just call user's statemach_act() function
- when there are more data to process, because otherwise the task would
- just hang, waiting for more data from the socket.
+ These files allow the source code to be viewed in the Solution Explorer
+ in versions of Visual Studio from 2010 onwards in the same manner as
+ previous versions did rather than one large view of files.
+
+- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
- 2) Allow PP users to read multiple responses by looping as long as there
- are more data available and current phase is not finished.
- (Currently needed for correct processing of IMAP SELECT responses.)
+ warning C4706: assignment within conditional expression
-Nick Zitzmann (19 Feb 2013)
-- FEATURES: why yes, we do support metalink
+- config-w32.h: Fixed compilation warning when /Wall enabled
- I just noticed Metalink support wasn't listed as a feature of the tool.
+ warning C4668: 'USE_IPV6' is not defined as a preprocessor macro,
+ replacing with '0' for '#if/#elif'
-- metalink: fix improbable crash parsing metalink filename
+- imap.c: Fixed compilation warning with /Wall enabled
- The this_url pointer wasn't being initialized, so if strdup() would return
- null when copying the filename in a metalink file, then hilarity would
- ensue during the cleanup phase. This change was brought to you by clang,
- which noticed this and raised a warning.
+ warning C4701: potentially uninitialized local variable 'size' used
+
+ Technically this can't happen, as the usage of 'size' is protected by
+ 'if(parsed)' and 'parsed' is only set after 'size' has been parsed.
+
+ Anyway, lets keep the compiler happy.
-Yang Tse (19 Feb 2013)
-- smtp.c: fix enumerated type mixed with another type
+- KNOWN_BUGS: #93 Issue with CURLFORM_CONTENTLEN in arrays on 32-bit platforms
-- polarssl threadlock cleanup
+Daniel Stenberg (18 Mar 2016)
+- bump: the coming release is 7.48.0
-Nick Zitzmann (18 Feb 2013)
-- docs: schannel and darwinssl documentation improvements
+- configure: use cpp -P when needed
+
+ Since gcc 5, the processor output can get split up on multiple lines
+ that made the configure script fail to figure out values from
+ definitions. The fix is to use cpp -P, and this fix now first checks if
+ cpp -P is necessary and then if cpp -P works before it uses that to
+ extract defined values.
- Schannel and darwinssl use the certificates built into the
- OS to do vert verification instead of bundles. darwinssl
- is thread-safe. Corrected typos in the NSS docs.
+ Fixes #719
-Daniel Stenberg (18 Feb 2013)
-- resolver_error: remove wrong error message output
+Steve Holme (18 Mar 2016)
+- formdata.c: Fixed compilation warning
- The attempt to use gai_strerror() or alternative function didn't work as
- the 'sock_error' field didn't contain the proper error code. But since
- this hasn't been reported and thus isn't really a big deal I decided to
- just scrap the whole attempt to output the detailed resolver error and
- instead remain with just stating that the resolving of the name failed.
+ formdata.c:390: warning: cast from pointer to integer of different size
+
+ Introduced in commit ca5f9341ef this happens because a char*, which is
+ 32-bits wide in 32-bit land, is being cast to a curl_off_t which is
+ 64-bits wide where 64-bit integers are supported by the compiler.
+
+ This doesn't happen in 64-bit land as a pointer is the same size as a
+ curl_off_t.
+
+ This fix doesn't address the fact that a 64-bit value cannot be used
+ for CURLFORM_CONTENTLEN when set in a form array and compiled on a
+ 32-bit platforms, it does at least suppress the compilation warning.
-- [Kim Vandry brought this change]
+Daniel Stenberg (18 Mar 2016)
+- FAQ: 2.5 Install libcurl for both 32bit and 64bit?
- Curl_resolver_is_resolved: show proper host name on failed resolve
+- [Gisle Vanem brought this change]
-- Curl_resolver_is_resolved: fix compiler warning
+ openssl: adapt to API breakage in ERR_remove_thread_state()
+
+ The OpenSSL API change that broke this is "Convert ERR_STATE to new
+ multi-threading API": openssl commit 8509dcc.
- conversion to 'int' from 'long int' may alter its value
+ Closes #713
-- compiler warning fix
+- version: init moved to private name space, added protos
- follow-up to commit ed7174c6f66, rename 'wait' to 'block'
+ follow-up to 80015cdd52145
-- compiler warning fix: declaration of 'wait' shadows a global declaration
+- openssl: verbose: show matching SAN pattern
- It seems older gcc installations (at least) will cause warnings if we
- name a variable 'wait'. Now changed to 'block' instead.
+ ... to allow users to see which specfic wildcard that matched when such
+ is used.
- Reported by: Jiří Hruška
- Bug: http://curl.haxx.se/mail/lib-2013-02/0247.html
+ Also minor logic cleanup to simplify the code, and I removed all tabs
+ from verbose strings.
+
+Jay Satiro (16 Mar 2016)
+- version: thread safety
-Nick Zitzmann (17 Feb 2013)
-- MacOSX-Framework: Make script work in Xcode 4.0 and later
+Steve Holme (16 Mar 2016)
+- transfer: Removed redundant HTTP authentication include files
- Apple made a number of changes to Xcode 4. The SDKs were moved, the entire
- Developer folder was moved, and PowerPC support was removed. The script
- will now adapt to those changes and should be future-proofed against
- additional changes in case Apple moves the Developer folder ever again.
- Also, the minimum OS X version compiler option was removed, so that the
- framework can be built against the latest SDK but still run in older cats.
+ It would also seem that share.h is not required here either as there
+ are no references to the Curl_share structure or functions.
-Daniel Stenberg (17 Feb 2013)
-- docs: refer to CURLOPT_ACCEPT_ENCODING instead of the old name
+- easy: Removed redundant HTTP authentication include files
-Steve Holme (16 Feb 2013)
-- email: Tidied up result code variables
+Jay Satiro (15 Mar 2016)
+- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
- Tidied up result variables to be consistent in name, declaration order
- and default values.
+ Bug: https://curl.haxx.se/mail/lib-2016-03/0150.html
+ Reported-by: Oliver Graute
-Nick Zitzmann (16 Feb 2013)
-- ntlm_core: fix compiler warning when building with clang
+Steve Holme (15 Mar 2016)
+- curl_sasl: Minor code indent fixes
+
+Daniel Stenberg (14 Mar 2016)
+- runtests: mention when run event-based
+
+- easy: add check to malloc() when running event-based
- Fixed a 64-to-32 compiler warning raised when building with
- clang and the --with-darwinssl option.
+ ... to allow torture tests then too.
-Daniel Stenberg (16 Feb 2013)
-- Guile-curl: a new libcurl binding
+- memdebug: skip logging the limit countdown, fflush when reached
-- polarsslthreadlock: #include the proper memory and debug includes
+- CODE_STYLE: Space around operators
- Pointed out by Steve Holme
+ As just discussed on the mailing list, also document how we prefer
+ spacing in expressions.
-Steve Holme (16 Feb 2013)
-- email: Removed unnecessary forward declaration
+- curl: glob_range: no need to check unsigned variable for negative
+
+ cppcheck warned:
- Due to the reordering of functions in commit 586f5d361474 the forward
- declaration to state_upgrade_tls() are no longer required.
+ [src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n'
+ is less than zero.
-- pop3.c: Added reference to RFC-5034
+- CODE_STYLE: add example for indent style as well
-Daniel Stenberg (15 Feb 2013)
-- [Willem Sparreboom brought this change]
+- CODE_STYLE: mention braces for functions too
- PolarSSL: Change to cURL coding style
-
- Repaired all curl/lib/checksrc.pl warnings in the previous four patches
+- docs/Makefile.am: include CODE_STYLE in tarball too
-- [Willem Sparreboom brought this change]
+- CONTRIBUTE: moved out code style to a separate document
- PolarSSL: WIN32 threading support for entropy
+- CODE_STYLE: initial version
- Added WIN32 threading support for PolarSSL entropy if
- --enable-threaded-resolver config flag is set and process.h can be found.
+ Ripped out from CONTRIBUTE into its own document, but also extended from
+ there.
-- [Willem Sparreboom brought this change]
+- curl_sasl.c: minor code indent fixes
- PolarSSL: pthread support for entropy
+- multi: simplified singlesocket
- Added pthread support for polarssl entropy if --enable-threaded-resolver
- config flag is set and pthread.h can be found.
-
-- [Willem Sparreboom brought this change]
+ Since sh_getentry() now checks for invalid sockets itself and by
+ narrowing the scope of the remove_sock_from_hash variable.
- PolarSSL: changes to entropy/ctr_drbg/HAVEGE_RANDOM
+- multi: introduce sh_getentry() for looking up sockets in the sockhash
- Add non-threaded entropy and ctr_drbg and removed HAVEGE_RANDOM define
+ Simplify the code by using a single entry that looks for a socket in the
+ socket hash. As indicated in #712, the code looked for CURL_SOCKET_BAD
+ at some point and that is ineffective/wrong and this makes it easier to
+ avoid that.
-- [Willem Sparreboom brought this change]
+- [Jaime Fullaondo brought this change]
- PolarSSL: added human readable error strings
+ multi hash: ensure modulo performed on curl_socket_t
- Print out human readable error strings for PolarSSL related errors
+ Closes #712
-Steve Holme (15 Feb 2013)
-- pop3: Removed unnecessary state changes on failure
+Steve Holme (13 Mar 2016)
+- base64: Minor coding standard and style updates
-- imap: Removed unnecessary state change on failure
+- base64: Use 'CURLcode result' for curl result codes
-Daniel Stenberg (15 Feb 2013)
-- metalink_cleanup: yet another follow-up fix
+- negotiate: Use 'CURLcode result' for curl result codes
-- metalink_cleanup: define it without argument
-
- Since the function takes no argument, the macro shouldn't take one as
- some compilers will error out on that.
+Daniel Stenberg (13 Mar 2016)
+- [Maksim Kuzevanov brought this change]
-- rename "easy" statemachines: call them block instead
+ multi_runsingle: avoid loop in CURLM_STATE_WAITPROXYCONNECT
- ... since they're not used by the easy interface really, I wanted to
- remove the association. Also, I unified the pingpong statemachine driver
- into a single function with a 'wait' argument: Curl_pp_statemach.
+ Closes #703
-Yang Tse (15 Feb 2013)
-- [Gisle Vanem brought this change]
+- TODO: Use the RFC6265 test suite
- curl_setup_once.h: definition of HAVE_CLOSE_S defines sclose() to close_s()
+Steve Holme (13 Mar 2016)
+- checksrc.bat: Added the ability to scan src and lib source independently
-- [Gisle Vanem brought this change]
+- digest: Use boolean based success code for Curl_sasl_digest_get_pair()
+
+ Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
+ based success code.
- config-dos.h: define HAVE_CLOSE_S for MSDOS/Watt-32
+- digest: Corrected some typos in comments
-- [Gisle Vanem brought this change]
+- krb5: Corrected some typos in function descriptions
- config-dos.h: define strerror() to strerror_s_() for High-C
+- ntlm: Corrected some typos in function descriptions
-- [Gisle Vanem brought this change]
-
- config-dos.h: define HAVE_TERMIOS_H only for djgpp
+- url: Corrected indentation when calling idna_to_ascii_lz()
-Steve Holme (14 Feb 2013)
-- smtp.c: Fixed a trailing whitespace
+- idn_win32: Use boolean based success codes
- Remove tailing whitespace introduced in commit 7ed689d24a4e.
+ Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
+ based success code.
-- pop3: Fixed blocking SSL connect when connecting via POP3S
-
- A call to Curl_ssl_connect() was accidentally left in when the SSL/TLS
- connection layer was reworked in 7.29. Not only would this cause the
- connection to block but had the additional overhead of calling the
- non-blocking connect a little bit later.
+Daniel Stenberg (10 Mar 2016)
+- idn_win32.c: warning: Trailing whitespace
-- smtp: Refactored the smtp_state_auth_resp() function
+Steve Holme (10 Mar 2016)
+- idn_win32.c: Fixed compilation warning from commit 9e7fcd4291
- Renamed smtp_state_auth_resp() function to match the implementations in
- IMAP and POP3.
+ warning C4267: 'function': conversion from 'size_t' to 'int',
+ possible loss of data
-Daniel Stenberg (14 Feb 2013)
-- remove ifdefs
-
- Clarify the code by reducing ifdefs
+Daniel Stenberg (10 Mar 2016)
+- THANKS-filter: unify Michael König
+
+- RELEASE-NOTES: synced with 863c5766dd
-- strlcat: remove function
+- ftp: remove a check for NULL(!)
- This function was only used twice, both in places where performance
- isn't crucial (socks + if2ip). Removing the use of this function removes
- the need to have our private version for systems without it == reduced
- amount of code.
+ ... as it implies we need to check for that on all the other variable
+ references as well (as Coverity otherwise warns us for missing NULL
+ checks), and we're alredy making sure that the pointer is never NULL.
+
+- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
- Also, in the SOCKS case it is clearly better to fail gracefully rather
- than to truncate the results.
+ RFC 6265 section 4.1.1 spells out that the first name/value pair in the
+ header is the actual cookie name and content, while the following are
+ the parameters.
- This work was triggered by a bug report on the strcal prototype in
- strequal.h.
+ libcurl previously had a more liberal approach which causes significant
+ problems when introducing new cookie parameters, like the suggested new
+ cookie priority draft.
- strlcat was added in commit db70cd28 in February 2001!
+ The previous logic read all n/v pairs from left-to-right and the first
+ name used that wassn't a known parameter name would be used as the
+ cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
+ a cookie named 'person' while an RFC 6265 compliant parser should
+ consider that to be a cookie named 'Max-Age' with an (unknown) parameter
+ 'person'.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1192
- Reported by: Jeremy Huddleston
+ Fixes #709
-- Curl_FormBoundary: made static
-
- As Curl_FormBoundary() is no longer used outside of this file (since
- commit ad7291c1a9d), it is now renamed to formboundary() and is made
- static.
+- krb5: improved type handling to avoid clang compiler warnings
-- ossl_seed: fix the last resort PRNG seeding
-
- Instead of just abusing the pseudo-randomizer from Curl_FormBoundary(),
- this now uses Curl_ossl_random() to get entropy.
+- url.c: fix clang warning: no newline at end of file
-Steve Holme (13 Feb 2013)
-- email: Tidy up before additional IMAP work
+- curl_multi_wait: never return -1 in 'numfds'
- Replaced two explicit comparisons of CURLE_OK with boolean alternatives.
+ Such a return value isn't documented but could still happen, and the
+ curl tool code checks for it. It would happen when the underlying
+ Curl_poll() function returns an error. Starting now we mask that error
+ as a user of curl_multi_wait() would have no way to handle it anyway.
- General tidy up of comments.
+ Reported-by: Jay Satiro
+ Closes #707
-- smtp: Removed duplicate pingpong structure initialisation
-
- The smtp_connect() function was setting the member variables of the
- pingpong structure twice, once before calling Curl_pp_init() and once
- after!
+- HTTP2.md: add CURL_HTTP_VERSION_2TLS and updated alt-svc link
-Yang Tse (13 Feb 2013)
-- move msvc IDE related files to 'vs' directory tree
-
- Use 'vs' directory tree given that 'vc' intended one clashes
- with an already existing build target in file Makefile.dist.
+- curl_multi_wait.3: add example
-Daniel Stenberg (13 Feb 2013)
-- install-sh: updated to support multiple source files as arguments
+Steve Holme (8 Mar 2016)
+- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
- Version 7.29.0 uses Makefiles generated with a newer version of the
- autotools than the previous 7.28.1. These Makefiles try to install
- e.g. header files by calling install-sh with multiple source files as
- arguments. The bundled install-sh is to old and does not support this.
+ Regression since commit 710f14edba.
- The problem only occurs, if install-sh is actually being used, ie. the
- platform install executable is to old or not usable. Example: Solaris
- 10.
+ Bug: https://github.com/curl/curl/issues/422
+ Reported-by: Justin Ehlert
+
+Jay Satiro (8 Mar 2016)
+- opt-docs: fix heading macros
- The files install-sh and mkinstalldirs are now updated with the automake
- 1.11.3 versions. A better fix might be to completely remove them from
- git and force the files to be added/created during buildconf.
+ ..SH should be .SH
- Bug: http://curl.haxx.se/bug/view.cgi?id=1195
- Reported by: Rainer Jung
-
-Yang Tse (13 Feb 2013)
-- move msvc IDE related files to 'vc' directory tree
+ Bug: https://github.com/curl/curl/issues/705
+ Reported-by: Eric S. Raymond
-- msvc IDE 'vc' directory tree preparation
+Kamil Dudka (8 Mar 2016)
+- [Tim Rühsen brought this change]
-Steve Holme (12 Feb 2013)
-- imap: Corrected a whitespace issue from previous commit
+ cookie: do not refuse cookies for localhost
- Fixed a small whitespace issue that crept in there in commit
- 508cdf4da4d7.
+ Closes #658
-- email: Another post optimisation of endofresp() tidy up
-
-- sasl: Fixed null pointer reference when decoding empty digest challenge
+Daniel Stenberg (8 Mar 2016)
+- ftp_done: clear tunnel_state when secondary socket closes
- Fixed a null pointer reference when an empty challenge is passed to the
- Curl_sasl_create_digest_md5_message() function.
+ Introducing a function for closing the secondary connection to make this
+ bug less likely to happen again.
- Bug: http://sourceforge.net/p/curl/bugs/1193/
- Reported by: Saran Neti
+ Reported-by: daboul
+ Closes #701
-- email: Post optimisation of endofresp() tidy up
-
- Removed unnecessary end of line check and return.
+- [Gisle Vanem brought this change]
-Nick Zitzmann (12 Feb 2013)
-- darwinssl: Fix send glitchiness with data > 32 or so KB
+ openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
+
+- HTTP2.md: HTTP/2 by default for curl's HTTPS connections
+
+- [Anders Bakken brought this change]
+
+ pipeline: Sanity check pipeline pointer before accessing it.
- An ambiguity in the SSLWrite() documentation lead to a bad inference in the
- code where we assumed SSLWrite() returned the amount of bytes written to
- the socket, when that is not actually true; it returns the amount of data
- that is buffered for writing to the socket if it returns errSSLWouldBlock.
- Now darwinssl_send() returns CURLE_AGAIN if data is buffered but not written.
+ I got a crash with this stack:
- Reference URL: http://curl.haxx.se/mail/lib-2013-02/0145.html
+ curl/lib/url.c:2873 (Curl_removeHandleFromPipeline)
+ curl/lib/url.c:2919 (Curl_getoff_all_pipelines)
+ curl/lib/multi.c:561 (curl_multi_remove_handle)
+ curl/lib/url.c:415 (Curl_close)
+ curl/lib/easy.c:859 (curl_easy_cleanup)
+
+ Closes #704
-Steve Holme (12 Feb 2013)
-- pingpong.h: Fixed line length over 78 characters from b56c9eb48e3c
+- HTTP2.md: mention the disable ALPN and NPN options
-- pingpong: Optimised the endofresp() function
+- TODO: 17.12 keep running, read instructions from pipe/socket
- Reworked the pp->endofresp() function so that the conndata, line and
- line length are passed down to it just as with Curl_client_write()
- rather than each implementation of the function having to query
- these values.
+ And delete trailing whitespace
+ And rename section 17 to "command line tool" from "client"
- Additionally changed the int return type to bool as this is more
- representative of the function's usage.
+ Closes #702
-- email: Post STARTLS capability code tidy up (Part Three)
+- README.md: linkified
+
+ It also makes it less readable as plain text, so let's keep this
+ primarily for github use.
- Corrected the order of the upgrade_tls() functions and moved the handler
- upgrade and getsock() functions out from the middle of the state related
- functions.
+ Removed the top ascii art logo, as it looks weird when markdownified.
-- email: Post STARTLS capability code tidy up (Part Two)
+- README.md: markdown version of README
- Corrected the order of the pop3_state_capa() / imap_state_capability()
- and the pop3_state_capa_resp() / imap_state_capability_resp() functions
- to match the execution order.
+ Attempt to make it look more appealing on github
-Daniel Stenberg (11 Feb 2013)
-- [ulion brought this change]
+Jay Satiro (6 Mar 2016)
+- mprintf: update trio project link
- SOCKS: fix socks proxy when noproxy matched
-
- Test 1212 added to verify
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1190
+Daniel Stenberg (6 Mar 2016)
+- CURLOPT_ACCEPTTIMEOUT_MS.3: added example
-Steve Holme (11 Feb 2013)
-- ntlm: Updated comments for the addition of SASL support to IMAP in v7.29
+- CURLOPT_ACCEPT_ENCODING.3: added example
-- RELEASE-NOTES: Updated following the recent imap/pop3/smtp changes
+- CURLOPT_APPEND.3: added example
-Linus Nielsen Feltzing (10 Feb 2013)
-- Fix NULL pointer reference when closing an unused multi handle.
+- CURLOPT_NOPROGRESS.3: added example, conform to stardard style
-Steve Holme (10 Feb 2013)
-- email: Post STARTLS capability code tidy up (Part One)
+Steve Holme (6 Mar 2016)
+- build-openssl/checksrc.bat: Fixed prepend vs append of Perl path
- Corrected the order of the CAPA / CAPABILITY state machine constants to
- match the execution order.
+ Fixed inconsistency from commit 1eae114065 and 0ad6c72227 of the order
+ in which Perl was added to the PATH.
-- imap: Fixed memory leak following commit f6010d9a0359
+Daniel Stenberg (6 Mar 2016)
+- opts: added two examples
-- smtp: Added support for the STARTTLS capability (Part Two)
-
- Added honoring of the tls_supported flag when starting a TLS upgrade
- rather than unconditionally attempting it. If the use_ssl flag is set
- to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the
- connection will continue to authenticate. If this flag is set to
- CURLUSESSL_ALL then the connection will complete with a failure as it
- did previously.
+- CURLOPT_SSL_CTX_FUNCTION.3: use .NF for example
-- pop3: Added support for the STLS capability (Part Three)
+- CURLOPT_SSL_CTX_FUNCTION.3: added example
- Added honoring of the tls_supported flag when starting a TLS upgrade
- rather than unconditionally attempting it. If the use_ssl flag is set
- to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the
- connection will continue to authenticate. If this flag is set to
- CURLUSESSL_ALL then the connection will complete with a failure as it
- did previously.
+ and removed erroneous reference to test case lib509
-- imap: Added support for the STARTTLS capability (Part Three)
-
- Added honoring of the tls_supported flag when starting a TLS upgrade
- rather than unconditionally attempting it. If the use_ssl flag is set
- to CURLUSESSL_TRY and the server doesn't support TLS upgrades then the
- connection will continue to authenticate. If this flag is set to
- CURLUSESSL_ALL then the connection will complete with a failure as it
- did previously.
+- curlx.c: use more curl style code
-Daniel Stenberg (10 Feb 2013)
-- [Alessandro Ghedini brought this change]
+- test46: change cookie expiry date
+
+ Since two of the cookies would now otherwise expire and cause the test
+ to fail after commit 20de9b4f09
+
+ Discussed in #697
- htmltitle: fix suggested build command
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
-Steve Holme (10 Feb 2013)
-- pop3: Added support for the STLS capability (Part Two)
+ makefile.m32: add missing libs for static -winssl-ssh2 builds
- Added sending of initial CAPA command before STLS is sent. This allows
- for the detection of the capability before trying to upgrade the
- connection.
+ Bug: https://github.com/curl/curl/pull/693
-- imap: Added support for the STARTTLS capability (Part Two)
+- mbedtls: fix user-specified SSL protocol version
- Added sending of initial CAPABILITY command before STARTTLS is sent.
- This allows for the detection of the capability before trying to
- upgrade the connection.
+ Prior to this change when a single protocol CURL_SSLVERSION_ was
+ specified by the user that version was set only as the minimum version
+ but not as the maximum version as well.
-- smtp: Added support for the STLS capability (Part One)
+Steve Holme (5 Mar 2016)
+- .gitignore: Added *.VC.opendb and *.vcxproj.user files for VC14
+
+- build-openssl.bat: Fixed cannot find perl if installed but not in path
+
+- checksrc.bat: Fixed cannot find perl if installed but not in path
+
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
+
+ makefile.m32: fix to allow -ssh2-winssl combination
- Introduced detection of the STARTTLS capability, in order to add support
- for TLS upgrades without unconditionally sending the STARTTLS command.
+ In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl
+ (OpenSSL) option, with no way to override it with -winssl. Since both
+ libssh2 and curl support using Windows's built-in SSL backend, modify
+ the logic to allow that combination.
-- pop3: Added support for the STLS capability (Part One)
+- cookie: Don't expire session cookies in remove_expired
+
+ Prior to this change cookies with an expiry date that failed parsing
+ and were converted to session cookies could be purged in remove_expired.
- Introduced detection of the STLS capability, in order to add support
- for TLS upgrades without unconditionally sending the STLS command.
+ Bug: https://github.com/curl/curl/issues/697
+ Reported-by: Seth Mos
-- imap: Added support for the STARTTLS capability (Part One)
+Daniel Stenberg (3 Mar 2016)
+- cookie: remove redundant check
+
+ ... as it was already checked previously within the function.
- Introduced detection of the STARTTLS capability, in order to add support
- for TLS upgrades without unconditionally sending the STARTTLS command.
+ Reported-by: Dmitry-Me
+ Closes #695
-- RELEASE-NOTES: synced with 92f7606f29b704
+Jay Satiro (1 Mar 2016)
+- [Anders Bakken brought this change]
-- smtp: Fixed an issue when processing EHLO failure responses (Part 3)
+ url: if Curl_done is premature then pipeline not in use
- Follow up fix to commit 62bd21746443 to cater for servers that don't
- respond with a 250 in their EHLO responses. Additionally updated the
- SMTP tests to respond with a 250 response code as per RFC5321.
-
-- pop3: Fixed SASL authentication capability detection
+ Prevent a crash if 2 (or more) requests are made to the same host and
+ pipelining is enabled and the connection does not complete.
- Fixed the SASL capability detection to include the space character
- before the authentication mechanism list. Otherwise a capability such
- as SASLSOMETHING would be interpreted as enabling SASL and potentially
- trying to identify SOMETHING as a mechanism.
+ Bug: https://github.com/curl/curl/pull/690
-- pop3: Fixed incorrect return value from pop3_endofresp()
-
- Corrected an incorrect return value when -ERR is received from the
- server - introduced in commit b5bb61ee697b (June 2012).
+- [Viktor Szakats brought this change]
-- smtp: Fixed an issue when processing EHLO failure responses (Part 2)
+ makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
+
+ using envvars `CURL_LDFLAG_EXTRAS_DLL` and
+ `CURL_LDFLAG_EXTRAS_EXE` respectively. This
+ is useful f.e. to pass ASLR-related extra
+ options, that are required to make this
+ feature work when using the mingw toolchain.
- Follow up fix to commit 23d17190ee32 as EHLO capabilities can exist
- within a positive response line.
+ Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985
+
+ Closes https://github.com/curl/curl/pull/689
-- smtp: Fixed an issue with missing capabilities after the AUTH line
+Daniel Stenberg (29 Feb 2016)
+- formpost: fix memory leaks in AddFormData error branches
- Follow up to commit 40f9bb787f05 to fix missing capabilities after an
- AUTH line.
+ Reported-by: Dmitry-Me
+ Fixes #688
-Nick Zitzmann (8 Feb 2013)
-- darwinssl: Make certificate errors less techy
+Jay Satiro (28 Feb 2016)
+- getinfo: Fix syntax error when mbedTLS
- Previously if a problem was found with one of the server's certificates,
- we'd log an OSStatus for the end user to look up. Now we explain what
- was wrong with the site's certificate chain. Also un-did part of the
- previous commit where the code wouldn't catch errSSLServerAuthCompleted
- if built under Leopard.
+ The assignment of the mbedTLS TLS session info in the parent commit was
+ incorrect. Change the assignment to a pointer to the session structure.
-Guenter Knauf (9 Feb 2013)
-- Updated dependency libs.
+- getinfo: Add support for mbedTLS TLS session info
+
+ .. and preprocessor check TLS session info is defined for all backends.
-Steve Holme (9 Feb 2013)
-- imap: Corrected some comments
+Daniel Stenberg (26 Feb 2016)
+- ROADMAP: clarify on the TLS proxy, mention HTTP cookies to work on
-- smtp: Fixed an issue when processing EHLO failure responses
+- file: try reading from files with no size
- Fixed a small issue where smtp_endofresp() would look for capabilities
- in the description part of a failure response. In theory a server
- shouldn't respond with SIZE or AUTH in an EHLO command's failure
- response but if it did then capabilities would be unnecessarily set
- before eventually failing.
-
-- pop3: Reworked pop3_endofresp() to simplify it little
+ Some systems have special files that report as 0 bytes big, but still
+ contain data that can be read (for example /proc/cpuinfo on
+ Linux). Starting now, a zero byte size is considered "unknown" size and
+ will be read as far as possible anyway.
- Reworked pop3_endofresp() to simplify it and provide consistency between
- imap and smtp.
+ Reported-by: Jesse Tan
+
+ Closes #681
-- imap: Renamed state variables in imap_authenticate()
+Jay Satiro (25 Feb 2016)
+- configure: warn on invalid ca bundle or path
- Renamed the authstate1 and authstate2 variables in imap_authenticate()
- as the old name was a left over from when there was only one state
- variable which was named due to a clash with the state() function.
+ - Warn if --with-ca-bundle file does not exist.
- Additionally this provides consistency with the smtp module.
-
-- smtp: Reworked smtp_endofresp() to allow for extra capability detection
+ - Warn if --with-ca-path directory does not contain certificates.
+
+ - Improve help messages for both.
+
+ Example configure output:
+
+ ca cert bundle: /some/file (warning: certs not found)
+ ca cert path: /some/dir (warning: certs not found)
+
+ Bug: https://github.com/curl/curl/issues/404
+ Reported-by: Jeffrey Walton
-- smtp: Renamed smtp_state_auth_passwd_resp() function
+Daniel Stenberg (24 Feb 2016)
+- Curl_read: check for activated HTTP/1 pipelining, not only requested
- Renamed the login password response function to better describe it's
- purpose as well as for consistency with the imap and pop3 modules.
+ ... as when pipelining is used, we read things into a unified buffer and
+ we don't do that with HTTP/2. This could then easily make programs that
+ set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX to get data
+ intermixed or plain broken between HTTP/2 streams.
+
+ Reported-by: Anders Bakken
-Daniel Stenberg (8 Feb 2013)
-- [Gisle Vanem brought this change]
+Patrick Monnerat (24 Feb 2016)
+- os400: Fix ILE/RPG definition of CURLOPT_TFTP_NO_OPTIONS
- ntlm: fix memory leak
+Jay Satiro (23 Feb 2016)
+- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
- Running tests\libtest\libntlmconnect.exe reveals a 1 byte (!) leak in
- ./lib/curl_ntlm_msgs.c:
+ The two options are almost the same, except in the case of OpenSSL:
- perl ..\memanalyze.pl c:memdebug.curl
- Leak detected: memory still allocated: 1 bytes
- At 9771e8, there's 1 bytes.
- allocated by curl_ntlm_msgs.c:399
+ CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.
- Snippet from curl_ntlm_msgs.c:
- /* setup ntlm identity's domain and length */
- dup_domain.tchar_ptr = malloc(sizeof(TCHAR) * (domlen + 1));
+ CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.
- (my domlen == 0).
+ For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to
+ return an SSL pointer for OpenSSL.
- 'dup_domain.tbyte_ptr' looks to be freed in Curl_ntlm_sspi_cleanup() via
- 'ntlm->identity.Domain'. But I see no freeing of 'dup_domain.tchar_ptr'.
-
-- DONE: consider callback-aborted transfers premature
+ Also, add support for the 'internals' member to point to SSL object for
+ the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and
+ wolfSSL.
- This bug report properly identified that when doing SMTP and aborting
- the transfer with a callback, it must be considered aborted prematurely
- by the code to avoid QUIT etc to be attempted as that would cause a
- hang.
+ Bug: https://github.com/curl/curl/issues/234
+ Reported-by: dkjjr89@users.noreply.github.com
- The new test case 1507 verifies this behavior.
+ Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html
+ Reported-by: Michael König
+
+Daniel Stenberg (23 Feb 2016)
+- multi_remove_handle: keep the timeout list until after disconnect
- Reported by: Patricia Muscalu
- Bug: http://curl.haxx.se/bug/view.cgi?id=1184
+ The internal Curl_done() function uses Curl_expire() at times and that
+ uses the timeout list. Better clean up the list once we're done using
+ it. This caused a segfault.
+
+ Reported-by: 蔡文凱
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html
-- FAQ: refreshed some phrases
+Kamil Dudka (23 Feb 2016)
+- tests/sshserver.pl: use RSA instead of DSA for host auth
+
+ DSA is no longer supported by OpenSSH 7.0, which causes all SCP/SFTP
+ test cases to be skipped. Using RSA for host authentication works with
+ both old and new versions of OpenSSH.
+
+ Reported-by: Karlson2k
+
+ Closes #676
-Nick Zitzmann (7 Feb 2013)
-- darwinssl: Fix build under Leopard
+Jay Satiro (23 Feb 2016)
+- TFTP: add option to suppress TFTP option requests (Part 2)
+
+ - Add tests.
+
+ - Add an example to CURLOPT_TFTP_NO_OPTIONS.3.
- It turns out that Leopard (OS X 10.5) doesn't have constants for the ECDH
- ciphers in its headers, so the cases for them have been taken out of the
- build when building under Leopard. Also added a standard function for
- getting a string description of a SecCertificateRef.
+ - Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.
+
+ Bug: https://github.com/curl/curl/issues/481
-Steve Holme (7 Feb 2013)
-- RELEASE-NOTES: Added new imap features
+- [Michael Koenig brought this change]
-- imap: Added support for SASL-IR extension (Part 2)
+ TFTP: add option to suppress TFTP option requests (Part 1)
- Modified imap_authenticate() to add support for sending the initial
- response with the AUTHENTICATE command, as per RFC4959.
-
-- smtp: Updated SMTP_AUTH_PASSWD state constant
+ Some TFTP server implementations ignore the "TFTP Option extension"
+ (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
+ problems with libcurl. Another switch for curl_easy_setopt
+ "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
+ sending TFTP option requests to a server, avoiding many problems caused
+ by faulty implementations.
- Changed the SMTP_AUTH_PASSWD state constant to SMTP_AUTH_LOGIN_PASSWD to
- better describe the state as the second part of an AUTH LOGIN command,
- as well as for consistency with the imap and pop3 modules.
+ Bug: https://github.com/curl/curl/issues/481
-- imap: Added support for SASL-IR extension (Part 1)
-
- Introduced detection of the SASL-IR capability, in order to add support
- for sending the initial response with the AUTHENTICATE command, as per
- RFC4959.
+Daniel Stenberg (22 Feb 2016)
+- [Karlson2k brought this change]
-Daniel Stenberg (7 Feb 2013)
-- Revert "vc: remove explicit MSVC6 IDE project file and documentation"
+ runtests: Fixed usage of %PWD on MinGW64
- This reverts commit 0e66d5878edc3d7ffc445116d194b58bbc7504b9.
+ Closes #672
-Steve Holme (7 Feb 2013)
-- imap: Changed response tag generation to be completely unique
+Jay Satiro (20 Feb 2016)
+- CURLOPT_DEBUGFUNCTION.3: Fix example
+
+- [Viktor Szakats brought this change]
+
+ src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
- Updated the automatic response tag generation to follow the examples
- given in RC3501, which list a 4 character string such as A001, A002,
- etc.
+ Sync with lib/Makefile.m32 which already uses those variables.
- As a unique identifier should be generated for each command the string
- generation is based on the connection id and the incrementing command
- id.
+ Bug: https://github.com/curl/curl/pull/670
-Dan Fandrich (6 Feb 2013)
-- Tweak the Android.mk file for its new location
-
- This is untested, but ought to be enough to still allow it
- to work automatically when the entire curl source tree is
- dropped into a full Android source tree.
+Dan Fandrich (20 Feb 2016)
+- Enabled test 1437 after the bug fix in commit 3fa220a6
-Daniel Stenberg (6 Feb 2013)
-- vc: remove explicit MSVC6 IDE project file and documentation
-
- VC6 is _very_ old and we provide working makefiles even for that
- compiler. Users who build with the IDE never use that method and project
- file anyway and it was just lingering in the root dir.
+Jay Satiro (19 Feb 2016)
+- [Emil Lerner brought this change]
-Steve Holme (6 Feb 2013)
-- imap: Small variable rename in preparation for upcoming change
+ curl_sasl: Fix memory leak in digest parser
- Renamed a couple of variables and updated some comments in
- preparation for upcoming command id / response tag change.
-
-Daniel Stenberg (6 Feb 2013)
-- msvc: move Makefile.msvc.names into winbuild/
+ If any parameter in a HTTP DIGEST challenge message is present multiple
+ times, memory allocated for all but the last entry should be freed.
- In an attempt to clear up misc files from the root dir
+ Bug: https://github.com/curl/curl/pull/667
-- build: move Android.mk to packages/Android/
+Dan Fandrich (19 Feb 2016)
+- Added test 1437 to verify a memory leak
+
+ Reported-by: neex@users.noreply.github.com
-- emacs files: remove from git and dist
+Jay Satiro (18 Feb 2016)
+- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
- We don't need them and I doubt many people used them. We also don't have
- any configs for other editors and we wouldn't want that.
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
-Steve Holme (6 Feb 2013)
-- email: Moved starttls code in separate functions
+- curl.1: HTTP headers for --cookie must be Set-Cookie style
- To help maintain the readability of the code in imap.c, pop3.c and
- smtp.c moved the starttls code into state_starttls() functions.
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
-- [Nick Zitzmann brought this change]
+Daniel Stenberg (18 Feb 2016)
+- curl.1: add a missing dash
- FEATURES: More NTLM and SSL changes, added two others, fixed typo
-
- Added IDN and HTTP data compression as they were left out of the
- document until now.
+- CONTRIBUTING.md: fix links
+
+- ISSUE_TEMPLATE: github issue template
- Added notes for qssl, schannel and Secure Transport supporting SSLv2,
- Secure Transport supports NTLM, and axTLS does not support SSLv3.
+ First version, try this out!
+
+- CONTRIBUTING.md: move into .github
- There was also a typo; "AUTH TSL" should be "AUTH TLS".
+ To hide github specific files somewhat from the rest.
-Kamil Dudka (6 Feb 2013)
-- curl-config.in: do not randomly mix tabs and spaces
+- opts: add references
-Daniel Stenberg (6 Feb 2013)
-- 7.29.1: onwards!
+- examples/make: add 'checksrc' target
-- THANKS: 12 contributors from 7.29.0
+- 10-at-a-time: typecast the argument passed to sleep()
-Version 7.29.0 (6 Feb 2013)
+- externalsocket.c: fix compiler warning for fwrite return type
-Daniel Stenberg (6 Feb 2013)
-- vms: config-vms.h is removed, no use trying to distribute it
+- anyauthput.c: fix compiler warnings
-- RELEASE-NOTES: mention the SASL buffer overflow
+- simplessl.c: warning: while with space
-- [Eldar Zaitov brought this change]
+- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
+
+ Reported-By: Gisle Vanem
- Curl_sasl_create_digest_md5_message: fix buffer overflow
+- http2: don't decompress gzip decoding automatically
- When negotiating SASL DIGEST-MD5 authentication, the function
- Curl_sasl_create_digest_md5_message() uses the data provided from the
- server without doing the proper length checks and that data is then
- appended to a local fixed-size buffer on the stack.
+ At one point during the development of HTTP/2, the commit 133cdd29ea0
+ introduced automatic decompression of Content-Encoding as that was what
+ the spec said then. Now however, HTTP/2 should work the same way as
+ HTTP/1 in this regard.
- This vulnerability can be exploited by someone who is in control of a
- server that a libcurl based program is accessing with POP3, SMTP or
- IMAP. For applications that accept user provided URLs, it is also
- thinkable that a malicious user would feed an application with a URL to
- a server hosting code targetting this flaw.
+ Reported-by: Kazuho Oku
- Bug: http://curl.haxx.se/docs/adv_20130206.html
+ Closes #661
-Steve Holme (6 Feb 2013)
-- FEATURES: Removed erroneous whitespace
-
- Removed whitespace introduced in commit 5f8f20f5e65b that caused
- formatting issues when generating the website docs.
+Jay Satiro (16 Feb 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-Yang Tse (6 Feb 2013)
-- setup-vms.h: post VMS patch cleanup - III
+ http: Don't break the header into chunks if HTTP/2
- - rename post-config-vms.h to setup-vms.h
- - move its inclusion into proper location in curl_setup.h
-
-- vms_show: post VMS patch cleanup - II
+ nghttp2 callback deals with TLS layer and therefore the header does not
+ need to be broken into chunks.
- - remove multiple declarations of vms_show and add comments
+ Bug: https://github.com/curl/curl/issues/659
+ Reported-by: Kazuho Oku
-- tool_main.c: post VMS patch cleanup - I
-
- - remove header inclusion already done in curl_setup_once.h
+Daniel Stenberg (16 Feb 2016)
+- [Viktor Szakats brought this change]
-Steve Holme (6 Feb 2013)
-- FEATURES: Added SSPI to list of NTLM libraries
+ openssl: use macro to guard the opaque EVP_PKEY branch
-- FEATURES: Added Secure Transport and qssl to list of SSL libraries
+- [Viktor Szakats brought this change]
-- FEATURES: Added email feature set
+ openssl: avoid direct PKEY access with OpenSSL 1.1.0
- Added SMTP, SMTPS, POP3, POP3S, IMAP and IMAPS features.
-
-- imap.h: Corrected incorrect comment clarification
+ by using API instead of accessing an internal structure.
+ This is required starting OpenSSL 1.1.0-pre3.
- Corrected comment clarification made in commit 167717b8069a.
-
-- COPYING: Updated copyright year to include 2013
+ Closes #650
-Daniel Stenberg (5 Feb 2013)
-- RELEASE-NOTES: synced with 25f351424b3538
-
- 8 more bug fixes mentioned
+- RELEASE-NOTES: synced with ede0bfc079da
-- [John E. Malmberg brought this change]
+- [Clint Clayton brought this change]
- VMS: fix and generate the VMS build config
+ CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
- config_h.com is a new file that generates a config.h file based on the
- curl_config.h.in file and a quick scan of the configure script. This is
- actually a generic procedure that is shared with other VMS packages.
+ Change the example in the docs for CURLOPT_CONNECTTIMEOUT_MS to use
+ CURLOPT_CONNECTTIMEOUT_MS instead of CURLOPT_CONNECTTIMEOUT.
- The existing pre-built config-vms.h had over 100 entries that were not
- correct and in some cases conflicted with the build options available in
- the build_vms.com.
+ Closes #653
+
+- opt-docs: add more references
+
+- [David Byron brought this change]
+
+ SCP: use libssh2_scp_recv2 to support > 2GB files on windows
- generate_config_vms_h_curl.com is a helper procedure to the
- config_h.com. It covers the cases that the generic config_h.com is not
- able to figure out, and accepts input from the build_vms.com procedure.
+ libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any
+ day now.
- build_curlbuild_h.com is a new file to generate the curlbuild.h file
- that Curl is now using when it is using a curl_config.h file.
+ Closes #451
+
+Jay Satiro (13 Feb 2016)
+- [Shine Fan brought this change]
+
+ gtls: fix for builds lacking encrypted key file support
- post-config-vms.h is a new file that is needed to provide VMS specific
- definitions, and most of them need to be set before the system header
- files are included.
+ Bug: https://github.com/curl/curl/pull/651
+
+Dan Fandrich (13 Feb 2016)
+- test1604: Add to Makefile.inc so it gets run
+
+Jay Satiro (12 Feb 2016)
+- generate.bat: Fix comment bug by removing old comments
- The VMS build procedure is fixed:
+ Remove NOTES section, it's no longer needed since we aren't setting the
+ errorlevel and more importantly the recently updated URL in the comments
+ is causing some unusual behavior that breaks the script.
- 1. Fixed to link in the correct HP ssl library.
- 2. Fixed to detect if HP Kerberos is installed.
- 3. Fixed to detect if HP LDAP is installed.
- 4. Fixed to detect if gnv$libzshr is installed.
- 5. Simplified the input parameter parsing to not use a loop.
- 6. Warn that 64 bit pointer option support is not complete
- in comments.
- 7. Default to IEEE floating if platform supports it so
- resulting libcurl will be compatible with other
- open source projects on VMS.
- 8. Default to LARGEFILE if platform supports it.
- 9. Default to enable SSL, LDAP, Kerberos, libz
- if the libraries are present.
- 10. Build with exact case global symbols for libcurl.
- 11. Generate linker option file needed.
- 12. Compiler list option only commonly needed items.
- 13. fulllist option for those who really want it.
- 14. Create debug symbol file on Alpha, IA64.
+ Closes https://github.com/curl/curl/issues/649
-- Curl_proxyCONNECT: return once CONNECT is sent
+Kamil Dudka (12 Feb 2016)
+- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
- By doing this unconditionally, we infer a simpler and more defined
- behavior. This also has the upside that test 1021 no longer fails for me
- even if I run with valgrind.
+ The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man
+ pages since curl-7_12_3~131. This patch makes it clear in the curl.1
+ man page, too.
- Also fixed some wrong comments.
+ Bug: https://bugzilla.redhat.com/1305970
-Steve Holme (5 Feb 2013)
-- email: Reworked comments in the endofresp() functions
+Daniel Stenberg (12 Feb 2016)
+- dist: ship buildconf.bat too
- Tidied up the comments in the endofresp() functions to be more
- meaningful prior to release.
+ As the winbuild/* stuff uses it!
-Marc Hoersken (5 Feb 2013)
-- schannel: Removed extended error connection setup flag
+- curlx_tvdiff: handle 32bit time_t overflows
- According KB975858 this flag may cause problems on Windows 7 and
- Windows Server 2008 R2 systems. Extended error information is not
- currently used by libcurl and therefore not a requirement.
+ On 32bit systems, make sure we don't overflow and return funky values
+ for very large time differences.
- The flag may improve the SSL-connection shutdown in case of an
- error. This means it might be a good improvement in the future.
+ Reported-by: Anders Bakken
- Fixes bug/issue #1187 - thanks for the report
+ Closes #646
-Daniel Stenberg (5 Feb 2013)
-- [Tor Arntsen brought this change]
+- examples: fix some compiler warnings
- singleipconnect: Update *sockp for all CURLE_OK
-
- The 56b7c87c7 change left a case where a good sockfd was not copied to
- *sockp before returning with CURLE_OK
+- simplessl.c: fix my breakage
-- curl_easy_perform: Value stored to 'mcode' is never read
+- examples: adhere to curl code style
- pointed out by clang-analyzer
-
-- singleipconnect: remove dead assignment
+ All plain C examples now (mostly) adhere to the curl code style. While
+ they are only examples, they had diverted so much and contained all
+ sorts of different mixed code styles by now. Having them use a unified
+ style helps users and readability. Also, as they get copy-and-pasted
+ widely by users, making sure they're clean and nice is a good idea.
- pointed out by clang-analyzer
+ 573 checksrc warnings were addressed.
-Linus Nielsen Feltzing (5 Feb 2013)
-- CURLMOPT_MAXCONNECTS: restore functionality
+- examples/cookie_interface.c: add cleanup call
+
+ cleaning up handles is a good idea as we leak memory otherwise
- When a connection is no longer used, it is kept in the cache. If the
- cache is full, the oldest idle connection is closed. If no connection is
- idle, the current one is closed instead.
+ Also, line wrapped before 80 columns.
-Steve Holme (5 Feb 2013)
-- RELEASE-NOTES: Updated following recent changes to the email protocols
+Kamil Dudka (10 Feb 2016)
+- nss: search slash in forward direction in dup_nickname()
- Added recent additions and fixes following the changes to imap, pop3
- and smtp. Additionally added another contributor that helped to test
- the imap sasl changes.
+ It is wasteful to search it backwards if we look for _any_ slash.
-- email: Provided extra comments following recent pop3/imap fixes
+- nss: do not count enabled cipher-suites
- Provided additional clarification about the logic of the authenticate()
- functions following commit 6b6bdc83bd36 and b4270a9af1d0.
+ We only care if at least one cipher-suite is enabled, so it does
+ not make any sense to iterate till the end and count all enabled
+ cipher-suites.
-Daniel Stenberg (5 Feb 2013)
-- [Andrei Kurushin brought this change]
+Daniel Stenberg (10 Feb 2016)
+- contributors.sh: make 79 the max column width (from 80)
- winbuild: include version info for .dll .exe
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1186
+- RELEASE-NOTES: synced with c276aefee3995
-- FAQ: clarify 5.13 How do I stop an ongoing transfer
+- mbedtls.c: re-indent to better match curl standards
+
+- [Rafael Antonio brought this change]
+
+ mbedtls: fix memory leak when destroying SSL connection data
- Rich Gray provided good feedback and we now clarify that you can in fact
- stop a multi transfer at any point you like by removing the easy handle.
+ Closes #626
-- [Matt Arsenault brought this change]
+- mbedtls: fix ALPN usage segfault
+
+ Since we didn't keep the input argument around after having called
+ mbedtls, it could end up accessing the wrong memory when figuring out
+ the ALPN protocols.
+
+ Closes #642
- cmake: Fix mingw build
+Jay Satiro (9 Feb 2016)
+- [Timotej Lazar brought this change]
-- [Sergei Nikulov brought this change]
+ opts: update references to renamed options
- cmake: updated OpenSSL build
+- KNOWN_BUGS: Update #92 - Windows device prefix
-Steve Holme (4 Feb 2013)
-- pop3.c: Updated variable names to use shorter / more readable variant
+- tool_doswin: Support for literal path prefix \\?\
- Tidied up code from commit 6b6bdc83bdUpdated where a few instances of
- the pop3c struct variable used the longer conndata struct rather than
- matching what other code in pop3_authenticate() used.
+ For example something like --output \\?\C:\foo
-Guenter Knauf (4 Feb 2013)
-- updated copyright years.
+Daniel Stenberg (9 Feb 2016)
+- configure: state "BoringSSL" in summary when that was detected
-- configure: update the copyright years for the output.
+- [David Benjamin brought this change]
-Steve Holme (3 Feb 2013)
-- imap: Fixed no known authentication mechanism when fallback is required
+ openssl: remove most BoringSSL #ifdefs.
- Fixed an issue where (lib)curl is compiled without support for a
- supported challenge-response based SASL authentication mechanism, such
- as CRAM-MD5 or NTLM, the server doesn't support the LOGIN or PLAIN
- mechanisms and (lib)curl doesn't fallback to Clear Text authentication.
+ As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
+ BoringSSL #ifdefs in cURL should be unnecessary:
- Note: In order to fallback to Clear Text authentication properly this
- fix adds support for the LOGINDISABLED server capability.
- imap: Fixed no known authentication mechanism when fallback is required
+ - BoringSSL provides no-op stubs for compatibility which replaces most
+ #ifdefs.
- Fixed an issue where (lib)curl is compiled without support for a
- supported challenge-response based SASL authentication mechanism, such
- as CRAM-MD5 or NTLM, the server doesn't support the LOGIN or PLAIN
- mechanisms and (lib)curl doesn't fallback to Clear Text authentication.
+ - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
+ the compatibility codepath.
- Note: In order to fallback to Clear Text authentication properly this
- fix adds support for the LOGINDISABLED server capability.
+ - With a small tweak to an extend_key_56_to_64 call, the NTLM code
+ builds fine.
- Related bug: http://curl.haxx.se/mail/lib-2013-02/0004.html
- Reported by: Stanislav Ivochkin
-
-- pop3: Fixed no known authentication mechanism when fallback is required
+ - Switch OCSP-related #ifdefs to the more generally useful
+ OPENSSL_NO_OCSP.
- Fixed an issue where (lib)curl is compiled without support for a
- supported challenge-response based SASL authentication mechanism, such
- as CRAM-MD5 or NTLM, the server doesn't support the LOGIN or PLAIN
- mechanisms and (lib)curl doesn't fallback to APOP or Clear Text
- authentication.
+ The only #ifdefs which remain are Curl_ossl_version and the #undefs to
+ work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
+ that to the consumer. The in-header workaround makes things sensitive to
+ include order.)
+
+ This change errs on the side of removing conditionals despite many of
+ the restored codepaths being no-ops. (BoringSSL generally adds no-op
+ compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
+ bad enough!)
- Bug: http://curl.haxx.se/mail/lib-2013-02/0004.html
- Reported by: Stanislav Ivochkin
+ Closes #640
+
+Jay Satiro (8 Feb 2016)
+- KNOWN_BUGS: Windows device prefix is required for devices
-Daniel Stenberg (1 Feb 2013)
-- singleipconnect: simplify and clean up
+- tool_urlglob: Allow reserved dos device names (Windows)
- Remove timeout argument that's never used.
+ Allow --output to reserved dos device names without the device prefix
+ for backwards compatibility.
- Make the actual connection get detected on a single spot to reduce code
- duplication.
+ Example: --output NUL can be used instead of --output \\.\NUL
- Store the IPv6 state already when the connection is attempted.
+ Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
+ Reported-by: Gisle Vanem
-- Curl_perfom: removed
+Daniel Stenberg (8 Feb 2016)
+- cookies: allow spaces in cookie names, cut of trailing spaces
- Curl_perfom is no longer used anywhere since the always-multi commit
- c43127414d89ccb9, and some related functions were used only from within
- Curl_perfom.
-
-Guenter Knauf (30 Jan 2013)
-- Updated date.
-
-Yang Tse (30 Jan 2013)
-- zz40-xc-ovr.m4: fix 'wc' detection - follow-up 2
+ It turns out Firefox and Chrome both allow spaces in cookie names and
+ there are sites out there using that.
+
+ Turned out the code meant to strip off trailing space from cookie names
+ didn't work. Fixed now.
- - Fix a pair of single quotes to double quotes.
+ Test case 8 modified to verify both these changes.
- URL: http://curl.haxx.se/mail/lib-2013-01/0355.html
- Reported by: Tor Arntsen
+ Closes #639
+
+Patrick Monnerat (8 Feb 2016)
+- Merge branch 'master' of github.com:curl/curl
+
+- os400: sync ILE/RPG definitions with latest public header files.
+
+Daniel Stenberg (8 Feb 2016)
+- [Ludwig Nussel brought this change]
-- zz40-xc-ovr.m4: fix 'wc' detection - follow-up
+ SSLCERTS: update wrt SSL CA certificate store
+
+- [Ludwig Nussel brought this change]
+
+ configure: --with-ca-fallback: use built-in TLS CA fallback
- - Take into account that 'wc' may return leading spaces and/or tabs.
+ When trying to verify a peer without having any root CA certificates
+ set, this makes libcurl use the TLS library's built in default as
+ fallback.
- - Set initial IFS to space, tab and newline.
+ Closes #569
-- zz40-xc-ovr.m4: fix 'wc' detection
+- Proxy-Connection: stop sending this header by default
- - Take into account that 'wc' may return leading spaces.
+ RFC 7230 says we should stop. Firefox already stopped.
- - Set internationalization behavior variables.
+ Bug: https://github.com/curl/curl/issues/633
+ Reported-By: Brad Fitzpatrick
- Tor Arntsen analyzed and reported the issue.
+ Closes #633
+
+- bump: work toward the next release
+
+- THANKS: 2 contributors from the 7.47.1 release
+
+- RELEASE-PROCEDURE: remove the github upload part
- URL: http://curl.haxx.se/mail/lib-2013-01/0351.html
+ ... as we're HTTPS on the main site now, there's no point in that
+ extra step
+
+Version 7.47.1 (8 Feb 2016)
-- zz40-xc-ovr.m4: check another three basic utilities
+Daniel Stenberg (8 Feb 2016)
+- RELEASE-NOTES: curl 7.47.1 time!
-Guenter Knauf (29 Jan 2013)
-- Fixed debug.c to work again unchanged.
+Jay Satiro (8 Feb 2016)
+- tool_operhlp: Check for backslashes in get_url_file_name
- Added CURLOPT_FOLLOWLOCATION since example.com is now redirected.
+ Extract the filename from the last slash or backslash. Prior to this
+ change backslashes could be part of the filename.
+
+ This change needed for the curl tool built for Cygwin. Refer to the
+ CYGWIN addendum in advisory 20160127B.
+
+ Bug: https://curl.haxx.se/docs/adv_20160127B.html
-Daniel Stenberg (29 Jan 2013)
-- [Nick Zitzmann brought this change]
+Daniel Stenberg (7 Feb 2016)
+- RELEASE-NOTES: synced with d6a8869ea34
- darwinssl: Fix bug where packets were sometimes transmitted twice
+Jay Satiro (6 Feb 2016)
+- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
- There was a bug where, if SSLWrite() returned errSSLWouldBlock but did
- succeed in transmitting at least something, then we'd incorrectly
- resend the packet. Now we never take errSSLWouldBlock as a sign that
- nothing was transferred to/from the server.
+ sk_X509_EXTENSION_num may return an unsigned integer, however the value
+ will fit in an int.
- Bug: http://curl.haxx.se/mail/lib-2013-01/0295.html
- Reported by: Bruno de Carvalho
+ Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
+ Reported-by: Gisle Vanem
-- [Nick Zitzmann brought this change]
+Daniel Stenberg (7 Feb 2016)
+- TODO: 17.11 -w output to stderr
- FAQ: "Darwinssl" is AKA "Secure Transport" and supports NTLM
+Jay Satiro (6 Feb 2016)
+- [Michael Kaufmann brought this change]
-- RELEASE-NOTES: only list Nick once
+ idn_win32: Better error checking
- Even though he's a fine dude, once is enough for this time!
-
-Yang Tse (28 Jan 2013)
-- zz40-xc-ovr.m4: 1.0 interface stabilization
+ .. also fix a conversion bug in the unused function
+ curl_win32_ascii_to_idn().
- - Stabilization results in 4 public interface m4 macros:
- XC_CONFIGURE_PREAMBLE
- XC_CONFIGURE_PREAMBLE_VER_MAJOR
- XC_CONFIGURE_PREAMBLE_VER_MINOR
- XC_CHECK_PATH_SEPARATOR
- - Avoid one level of internal indirection
- - Update comments
- - Drop XC_OVR_ZZ40 macro
-
-Kamil Dudka (28 Jan 2013)
-- docs: fix typos in man pages
+ And remove wprintfs on error (Jay).
- Reported by: Jiri Jaburek
- Bug: https://bugzilla.redhat.com/896544
+ Bug: https://github.com/curl/curl/pull/637
+
+- [Gisle Vanem brought this change]
-- docs: update the comments about loading CA certs with NSS
+ examples/asiohiper: Avoid function name collision on Windows
- Bug: https://bugzilla.redhat.com/696783
+ closesocket => close_socket
+ Winsock already has the former.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
-Guenter Knauf (28 Jan 2013)
-- Updated dependency libs.
+- [Gisle Vanem brought this change]
-- Fixed simple.c to work again unchanged.
+ examples/htmltitle: Use _stricmp on Windows
- Added CURLOPT_FOLLOWLOCATION since example.com is now redirected.
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
-Steve Holme (27 Jan 2013)
-- smtp.c: Fixed unnecessary state change if starttls fails
+Daniel Stenberg (6 Feb 2016)
+- COPYING: clarify that Daniel is not the sole author
- The state machine should only be changed to SMTP_STARTTLS when the
- STARTTLS command has been successfully sent to the server.
+ ... done on request and as it is a fair point.
-- pop3.c: Fixed unnecessary state change if starttls fails
-
- The state machine should only be changed to POP3_STARTTLS when the
- STLS command has been successfully sent to the server.
+Jay Satiro (5 Feb 2016)
+- unit1604: Fix unit setup return code
-- imap.c: Fixed unnecessary state change if starttls fails
-
- The state machine should only be changed to IMAP_STARTTLS when the
- STARTTLS command has been successfully sent to the server.
+- tool_doswin: Use type SANITIZEcode in sanitize_file_name
-- email: Updated comment regarding ssldone usage
+- tool_doswin: Improve sanitization processing
- Updated the ssldone comment as multi mode is always used internally now.
-
-Yang Tse (26 Jan 2013)
-- zz40-xc-ovr.m4: emit witness message in configure BODY
+ - Add unit test 1604 to test the sanitize_file_name function.
- This avoids witness message in output when running configure --help,
- while sending the message to config.log for other configure runs.
-
-Steve Holme (25 Jan 2013)
-- smtp.c: Added comments to smtp_endofresp()
+ - Use -DCURL_STATICLIB when building libcurltool for unit testing.
- Minor code tidy up to add comments similar to those used in the pop3
- and imap end of resp functions, in order to assist anyone reading the
- code and highlight the similarities between each of these protocols.
-
-Yang Tse (25 Jan 2013)
-- zz40-xc-ovr.m4: truly do version conditional overriding
+ - Better detection of reserved DOS device names.
- - version conditional overriding
- - catch unexpanded XC macros
- - fix double words in comments
-
-- zz40-xc-ovr.m4: fix variable assignment of subshell output bashism
+ - New flags to modify sanitize behavior:
+
+ SANITIZE_ALLOW_COLONS: Allow colons
+ SANITIZE_ALLOW_PATH: Allow path separators and colons
+ SANITIZE_ALLOW_RESERVED: Allow reserved device names
+ SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
- Tor Arntsen analyzed and reported the issue.
+ - Restore sanitization of banned characters from user-specified outfile.
- URL: http://curl.haxx.se/mail/lib-2013-01/0306.html
+ Prior to this commit sanitization of a user-specified outfile was
+ temporarily disabled in 2b6dadc because there was no way to allow path
+ separators and colons through while replacing other banned characters.
+ Now in such a case we call the sanitize function with
+ SANITIZE_ALLOW_PATH which allows path separators and colons to pass
+ through.
+
+
+ Closes https://github.com/curl/curl/issues/624
+ Reported-by: Octavio Schroeder
-- zz40-xc-ovr.m4: reinstate strict AC_REQUIRE macro dependencies
+- [Viktor Szakats brought this change]
-- zz40-xc-ovr.m4: avoid double single-quote usage
+ URLs: change more http to https
-- zz40-xc-ovr.m4: parentheses balancing of 'case' statements
+- sasl_sspi: Fix memory leak in domain populate
- m4 quadrigraph shell comment technique allows proper autoconf
- parentheses balancing in shell 'case' statements. The presence
- of unbalanced parentheses may otherwise trigger expansion bugs.
-
-Steve Holme (24 Jan 2013)
-- smtp.c: Corrected RFC references
+ Free an existing domain before replacing it.
- The most recent version of the SMTP RFC is RFC5321 and not RFC2821 as
- previously documented.
+ Bug: https://github.com/curl/curl/issues/635
+ Reported-by: silveja1@users.noreply.github.com
+
+Daniel Stenberg (4 Feb 2016)
+- [Viktor Szakats brought this change]
+
+ URLs: follow GitHub project rename (also Travis CI)
- Added RFC1870 and re-ordered list numerically.
+ Closes #632
-- smtp.c: Fixed failure detection during TLS upgrade
+- CHANGES.o: fix references to curl.haxx.nu
- smtp_state_upgrade_tls() would attempt to incorrectly complete the
- upgrade to smtps and start the EHLO command if
- Curl_ssl_connect_nonblocking() returned a failure code and if ssldone
- was set to TRUE. This would only happen when a non-blocking API hadn't
- been provided by the SSL implementation and curlssl_connect() was
- called underneath.
+ I removed the scheme prefix from the URLs references this host name, as
+ we don't own/run that anymore but the name is kept for historic reasons.
+
+- HISTORY: add some info about when we used which host names
+
+Jay Satiro (2 Feb 2016)
+- [Viktor Szakats brought this change]
+
+ URLs: change more http to https
+
+Dan Fandrich (3 Feb 2016)
+- URLs: Change more haxx.se URLs from http: to https:
-- pop3.c: Fixed failure detection during TLS upgrade
+Daniel Stenberg (3 Feb 2016)
+- RELEASE-NOTES: synced with 4af40b364
+
+- URLs: change all http:// URLs to https://
+
+- configure: update the copyright year range in output
+
+- dotdot: allow an empty input string too
- pop3_state_upgrade_tls() would attempt to incorrectly complete the
- upgrade to pop3s and start the CAPA command if
- Curl_ssl_connect_nonblocking() returned a failure code and if ssldone
- was set to TRUE. This would only happen when a non-blocking API hadn't
- been provided by the SSL implementation and curlssl_connect() was
- called underneath.
+ It isn't used by the code in current conditions but for safety it seems
+ sensible to at least not crash on such input.
+
+ Extended unit test 1395 to verify this too as well as a plain "/" input.
+
+- HTTPS: update a bunch of URLs from HTTP to HTTPS
+
+- [Sergei Nikulov brought this change]
-- imap.c: Fixed failure detection during TLS upgrade
+ AppVeyor: updated to handle OpenSSL/WinSSL builds
- imap_state_upgrade_tls() would attempt to incorrectly complete the
- upgrade to imaps and start the CAPABILITY command if
- Curl_ssl_connect_nonblocking() returned a failure code and if ssldone
- was set to TRUE. This would only happen when a non-blocking API hadn't
- been provided by the SSL implementation and curlssl_connect() was
- called underneath.
+ Closes #621
-Yang Tse (24 Jan 2013)
-- zz40-xc-ovr.m4: internals overhauling
+Jay Satiro (1 Feb 2016)
+- tool_operate: Don't sanitize --output path (Windows)
+
+ Due to path separators being incorrectly sanitized in --output
+ pathnames, eg -o c:\foo => c__foo
+
+ This is a partial revert of 3017d8a until I write a proper fix. The
+ remote-name will continue to be sanitized, but if the user specified an
+ --output with string replacement (#1, #2, etc) that data is unsanitized
+ until I finish a fix.
- - Update comments
- - Execute commands in subshells
- - Faster path separator check
- - Fix missing 'test' command
- - Rename private macros
- - Minimize AC_REQUIRE usage
+ Bug: https://github.com/bagder/curl/issues/624
+ Reported-by: Octavio Schroeder
-Steve Holme (23 Jan 2013)
-- email: Removed unnecessary return statements
+- curl.1: Explain remote-name behavior if file already exists
- Small tidy up to remove unnecessary return statements prior to the next
- fix.
+ .. also warn about letting the server pick the filename.
-Yang Tse (23 Jan 2013)
-- zz40-xc-ovr.m4: redirect errors and warnings to stderr
+- [Gisle Vanem brought this change]
+
+ urldata: Error on missing SSL backend-specific connect info
-- zz40-xc-ovr.m4: AC_REQUIRE also XC_CONFIGURE_PREAMBLE success message
+Daniel Stenberg (28 Jan 2016)
+- bump: towards the next (7.47.1 ?)
-- zz60-xc-ovr.m4: tighten XC_OVR_ZZ60 macro placement requirements
+- [Sergei Nikulov brought this change]
-- configure: use XC_CONFIGURE_PREAMBLE early checks
+ cmake: fixed when OpenSSL enabled on Windows and schannel detected
- Some basic checks we make were placed early enough in generated
- configure script when using autoconf 2.5X versions. Newer autoconf
- versions expand these checks much further into the configure script,
- rendering them useless. Using XC_CONFIGURE_PREAMBLE fixes placement
- of early intended checks across all our autoconf supported versions.
+ Closes #617
-- zz40-xc-ovr.m4: provide XC_CONFIGURE_PREAMBLE macro
+Jay Satiro (28 Jan 2016)
+- [Sergei Nikulov brought this change]
+
+ urldata: moved common variable out of ifdef
+
+ Closes https://github.com/bagder/curl/pull/618
-Daniel Stenberg (23 Jan 2013)
-- FAQ: update the SSL lib list and wording in question 2.2
+- [Viktor Szakats brought this change]
-Steve Holme (22 Jan 2013)
-- curl_sasl.c: Corrected references to RFC
+ tool_doswin: silence unused function warning
+
+ tool_doswin.c:185:14: warning: 'msdosify' defined but not used
+ [-Wunused-function]
- The most recent version of the RFC is RFC4422 and not RFC2222 as
- previously documented.
+ Closes https://github.com/bagder/curl/pull/616
-- email: Corrected references to SASL RFC
+Daniel Stenberg (27 Jan 2016)
+- getredirect.c: fix variable name
- The most recent version of the SASL RFC is RFC4422 and not RFC2222 as
- previously documented.
+ Reported-by: Bernard Spil
-Daniel Stenberg (22 Jan 2013)
-- [Ulion brought this change]
+Version 7.47.0 (27 Jan 2016)
- formpost: support quotes, commas and semicolon in file names
-
- - document the double-quote and backslash need be escaped if quoting.
- - libcurl formdata escape double-quote in filename by backslash.
- - curl formparse can parse filename both contains '"' and ',' or ';'.
- - curl now can uploading file with ',' or ';' in filename.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1171
+Daniel Stenberg (27 Jan 2016)
+- examples/Makefile.inc: specify programs without .c!
+
+- THANKS: 6 new contributors from 7.47.0 release notes
-- memanalyze.pl: handle fopen() of file names with quotes
+- [Isaac Boukris brought this change]
-Yang Tse (21 Jan 2013)
-- xc-cc-check.m4: re-evaluate exporting and AC_SUBST'ing vars
+ NTLM: Fix ConnectionExists to compare Proxy credentials
- Notes:
+ Proxy NTLM authentication should compare credentials when
+ re-using a connection similar to host authentication, as it
+ authenticate the connection.
- When running a configure script that has nested packages (for example
- libcurl's configure with --enable-ares and c-ares sources embedded in
- curl tree) and AC_CONFIG_SUBDIRS([nested-subdir]) machinery is used to
- automatically run the nested configure script from within the parent
- configure script, it happens that the nested _shell_ script will
- inherit shell variables exported from the parent _shell_ script.
+ Example:
+ curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+ --proxy-ntlm --next -x http://proxy:port http://host/
+ [-U fake_user:fake_pwd --proxy-ntlm]
- If for example parent configure script sets and exports LDFLAGS and LIBS
- variables with proper values in order to link either a parent library or
- program with a library which will be configured and built by a nested
- package; It will happen that when the nested configure script runs, the
- nested library does not exist yet and _any_ link-test done in the nested
- configure will fail, such as those that autoconf macros perform in order
- to detect existing compiler and its characteristics, the result is that
- the nested configure script will fail with errors such as:
+ CVE-2016-0755
- configure: error: C compiler cannot create executables
+ Bug: http://curl.haxx.se/docs/adv_20160127A.html
+
+- [Ray Satiro brought this change]
+
+ curl: avoid local drive traversal when saving file (Windows)
- For now, we no longer export variables previously exported here.
+ curl does not sanitize colons in a remote file name that is used as the
+ local file name. This may lead to a vulnerability on systems where the
+ colon is a special path character. Currently Windows/DOS is the only OS
+ where this vulnerability applies.
- On the other hand, AC_SUBST'ing them is appropriate and even with nested
- packages each package's config.status gets its own package values.
+ CVE-2016-0754
- So we reinstate AC_SUBST'ing previously AC_SUBST'ed variables.
+ Bug: http://curl.haxx.se/docs/adv_20160127B.html
-Daniel Stenberg (21 Jan 2013)
-- FAQ: 3.22 curl -X gives me HTTP problems
+- RELEASE-NOTES: 7.47.0
-Yang Tse (21 Jan 2013)
-- xc-cc-check.m4: avoid recursive package automake'ing breakage
+- FAQ: language fix in 4.19
-- xc-cc-check.m4: mark earlier variables that are to be exported
+- [paulehoffman brought this change]
-- configure: autotools compatibility fixes - step I
+ FAQ: Update to point to GitHub
+
+ Current FAQ didn't make it clear where the main repo is.
- Fix proper macro expansion order across autotools versions for
- C compiler and preprocessor program checks.
+ Closes #612
-Steve Holme (20 Jan 2013)
-- pop3.c: Fixed conditional compilation of the apop response function
+- maketgz: generate date stamp with LC_TIME=C
- Extended the fix from commit 8b15c84ea91e to additionally exclude
- pop3_state_apop_resp() if the CURL_DISABLE_CRYPTO_AUTH flag is
- defined.
+ bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
-Yang Tse (20 Jan 2013)
-- Makefile.inc: fix $(top_srcdir) not allowed in _SOURCES variables
+- curl_multi_socket_action.3: line wrap
-Daniel Stenberg (19 Jan 2013)
-- formadd: reject trying to read a directory where a file is expected
-
- Bug: http://curl.haxx.se/mail/archive-2013-01/0017.html
- Reported by: Ulrich Doehner
+- RELEASE-NOTES: synced with d58ba66eeceb
-- curl_easy_send.3: document return codes
-
- Reported by: Craig Davison
- Bug: http://curl.haxx.se/mail/lib-2013-01/0234.html
+Steve Holme (21 Jan 2016)
+- TODO: "Create remote directories" for SMB
-- curl_easy_recv.3: document return codes
+Jay Satiro (18 Jan 2016)
+- mbedtls: Fix pinned key return value on fail
- Reported by: Craig Davison
- Bug: http://curl.haxx.se/mail/lib-2013-01/0234.html
+ - Switch from verifying a pinned public key in a callback during the
+ certificate verification to inline after the certificate verification.
+
+ The callback method had three problems:
+
+ 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
+ was not returned.
+
+ 2. If peer certificate verification was disabled the pinned key
+ verification did not take place as it should.
+
+ 3. (related to #2) If there was no certificate of depth 0 the callback
+ would not have checked the pinned public key.
+
+ Though all those problems could have been fixed it would have made the
+ code more complex. Instead we now verify inline after the certificate
+ verification in mbedtls_connect_step2.
+
+ Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
+ Ref: https://github.com/bagder/curl/pull/601
-Steve Holme (19 Jan 2013)
-- email: General code tidy up
+- tests: Add a test for pinnedpubkey fail even when insecure
- Corrected some function argument definitions to maximize the 80
- character line length limit and be in keeping with the curl
- coding style.
+ Because disabling the peer verification (--insecure) must not disable
+ the public key pinning check (--pinnedpubkey).
+
+- [Daniel Schauenberg brought this change]
+
+ CURLINFO_RESPONSE_CODE.3: add example
-- pop3.c: Fixed a problem with pop3s connections not connecting properly
+Kamil Dudka (15 Jan 2016)
+- ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
- Fixed an issue where Curl_ssl_connect_nonblocking() wouldn't complete
- correctly and the ssldone flag wouldn't be set to true for pop3s based
- connections.
+ The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
+ empty strings specially since curl-7_25_0-31-g05a443a but the behavior
+ was unintentionally removed in curl-7_38_0-47-gfa7d04f.
- Bug introduced in commit: 4ffb8a6398ed.
+ This commit restores the original behavior and clarifies it in the
+ documentation that NULL and "" have both the same meaning when passed
+ to CURLOPT_SSH_PUBLIC_KEYFILE.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
-Daniel Stenberg (18 Jan 2013)
-- RELEASE-NOTES: add references to several bugfixes+changes
+Daniel Stenberg (14 Jan 2016)
+- RELEASE-NOTES: synced with 35083ca60ed035a
-Steve Holme (18 Jan 2013)
-- RELEASE-NOTES: Added missing imap fix
+- openssl: improved error detection/reporting
- Added missing imap fix as per commit 709b3506cd9b.
+ ... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
+ 1.1.0+ returned a new func number of another cerfificate fail so this
+ required a fix and this is the better way to catch this error anyway.
-Yang Tse (18 Jan 2013)
-- runtests.pl: make VPATH builds find valgrind.supp
+- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
-Daniel Stenberg (18 Jan 2013)
-- RELEASE-NOTES: synced with c43127414d89
+- CURLOPT_RESOLVE.3: minor language polish
-- always-multi: always use non-blocking internals
+- configure: assume IPv6 works when cross-compiled
- Remove internal separated behavior of the easy vs multi intercace.
- curl_easy_perform() is now using the multi interface itself.
+ The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
+ works, and testing like that doesn't work for cross-compiles. These days
+ IPv6 support is widespread so a blind guess is probably more likely to
+ be 'yes' than 'no' now.
- Several minor multi interface quirks and bugs have been fixed in the
- process.
+ Further: anyone who cross-compiles can use configure's --disable-ipv6 to
+ explicitly disable IPv6 and that also works for cross-compiles.
- Much help with debugging this has been provided by: Yang Tse
+ Made happen after discussions in issue #594
-Yang Tse (17 Jan 2013)
-- url.c: fix HTTP CONNECT tunnel establishment upon delayed response
+- TODO: "Try to URL encode given URL"
- Fixes initial proxy response being processed by the tunneled protocol
- handler instead of the HTTP wrapper handler. This issue would trigger
- upon delayed CONNECT response from the proxy.
+ Closes #514
+
+- ConnectionExists: only do pipelining/multiplexing when asked
- Additionally fixes a multi interface code-path in which connections
- would not time out properly.
+ When an HTTP/2 upgrade request fails (no protocol switch), it would
+ previously detect that as still possible to pipeline on (which is
+ acorrect) and do that when PIPEWAIT was enabled even if pipelining was
+ not explictily enabled.
- This does not fix known bug #39.
+ It should only pipelined if explicitly asked to.
- URL: http://curl.haxx.se/mail/lib-2013-01/0191.html
+ Closes #584
-Daniel Stenberg (16 Jan 2013)
-- [Yves Arrouye brought this change]
+- [Mohammad AlSaleh brought this change]
- --libcurl: fix for non-zero default options
+ lib: Prefix URLs with lower-case protocol names/schemes
+
+ Before this patch, if a URL does not start with the protocol
+ name/scheme, effective URLs would be prefixed with upper-case protocol
+ names/schemes. This behavior might not be expected by library users or
+ end users.
- If the default value for an option taking a long as its value is non
- zero, and it is set by zero by a command line option, then that command
- line option is not reflected in --libcurl's output. This is because line
- 520-521 of tool_setopt.c look like:
+ For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
+ URL is "hostname/path". The effective URL would be
+ "HTTPS://hostname/path" instead of "https://hostname/path".
- if(!lval)
- skip = TRUE;
+ After this patch, effective URLs would be prefixed with a lower-case
+ protocol name/scheme.
- An example of a command-line option doing so is the -k option that sets
- CURLOPT_SLL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to 0L, when the
- defaults are non-zero.
+ Closes #597
+
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
-- FTP: reject illegal port numbers in EPSV 229 responses
+- [Alessandro Ghedini brought this change]
-Yang Tse (15 Jan 2013)
-- commit bc682cbd follow-up
+ scripts: don't generate and install zsh completion when cross-compiling
-- build: use per-target '_CPPFLAGS' for those currently using default
-
- Automake documents that doing this will make it choose a different name
- for intermediate object files even when sharing source files across
- targets of same Makefile.am.
+- [Alessandro Ghedini brought this change]
+
+ scripts: fix zsh completion generation
- Up to automake 1.13.1 target's intermediate object files were placed
- in the build subdirectory of the target. We depended on this, probably
- undocumented behavior, to achieve same behavior as if a per-target flag
- had been specified when building targets that actually belong to
- different Makefile.am files.
+ The script should use the just-built curl, not the system one. This fixes
+ zsh completion generation when no system curl is installed.
+
+- [Alessandro Ghedini brought this change]
+
+ zsh.pl: fail if no curl is found
- It seems automake 1.13.2 is going to break behavior mentioned above.
+ Instead of generation a broken completion file.
+
+- [Michael Kaufmann brought this change]
+
+ IDN host names: Remove the port number before converting to ACE
- So, lets use a documented behavior in order to achieve same purpose,
- across automake versions, no matter where automake wishes to place
- intermediate object files.
+ Closes #596
+
+Jay Satiro (10 Jan 2016)
+- runtests: Add mbedTLS to the SSL backends
- Our build targets that already were using a per-target '_CFLAGS' or
- '_CPPFLAGS' need no 'fixing', these were already 'fixed'. The only
- Makefile.am or Makefile.in files in libcurl's source tree touched by
- this 'fix' are tests/libtest/Makefile.inc and tests/unit/Makefile.inc.
+ .. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
+
+Daniel Stenberg (10 Jan 2016)
+- [Thomas Glanzmann brought this change]
-- tests/libtest/Makefile.inc: sort build targets
+ mbedtls: implement CURLOPT_PINNEDPUBLICKEY
-- tests/Makefile.am: remove wildcard usage in EXTRA_DIST
+Jay Satiro (9 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-Kamil Dudka (15 Jan 2013)
-- nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
+ url: Fix compile error with --enable-werror
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Ensure that http2_handle_stream_close is called
+
+ Previously, when HTTP/2 is enabled and used, and stream has content
+ length known, Curl_read was not called when there was no bytes left to
+ read. Because of this, we could not make sure that
+ http2_handle_stream_close was called for every stream. Since we use
+ http2_handle_stream_close to emit trailer fields, they were
+ effectively ignored. This commit changes the code so that Curl_read is
+ called even if no bytes left to read, to ensure that
+ http2_handle_stream_close is called for every stream.
- Do not use the error messages from NSS for errors not occurring in NSS.
+ Discussed in https://github.com/bagder/curl/pull/564
-Steve Holme (14 Jan 2013)
-- TODO: Updated following IMAP SASL additions
+Daniel Stenberg (8 Jan 2016)
+- http2: handle the received SETTINGS frame
+
+ This regression landed in 5778e6f5 and made libcurl not act on received
+ settings and instead stayed with its internal defaults.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
+ Reported-by: Bankde
-Yang Tse (14 Jan 2013)
-- configure: fix automake 1.13 compatibility
+- Revert "multiplex: allow only once HTTP/2 is actually used"
- Tested with:
+ This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36.
- buildconf: autoconf version 2.69
- buildconf: autom4te version 2.69
- buildconf: autoheader version 2.69
- buildconf: automake version 1.13.1
- buildconf: aclocal version 1.13.1
- buildconf: libtool version 2.4
- buildconf: GNU m4 version 1.4.16
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
+
+Jay Satiro (8 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-Daniel Stenberg (13 Jan 2013)
-- BUGS: update bug tracker URL
+ http2: Fix PUSH_PROMISE headers being treated as trailers
- ... and refresh number of lines of code
+ Discussed in https://github.com/bagder/curl/pull/564
-- Curl_resolver_getsock: fix the function description comment
+Daniel Stenberg (8 Jan 2016)
+- [Michael Kaufmann brought this change]
+
+ connection reuse: IDN host names fixed
- It referred to it by the wrong name and said it returned the wrong value.
+ Use the ACE form of IDN hostnames as key in the connection cache. Add
+ new tests.
- Reported by: Gisle Vanem
+ Closes #592
+
+- tests: mark IPv6 FTP and FTPS tests with the FTP keyword
-Kamil Dudka (11 Jan 2013)
-- nss: clear session cache if a client cert from file is used
+Jay Satiro (7 Jan 2016)
+- mbedtls: Fix ALPN support
- This commit fixes a regression introduced in 052a08ff.
+ - Fix ALPN reply detection.
- NSS caches certs/keys returned by the SSL_GetClientAuthDataHook callback
- and if we connect second time to the same server, the cached cert/key
- pair is used. If we use multiple client certificates for different
- paths on the same server, we need to clear the session cache to force
- NSS to call the hook again. The commit 052a08ff prevented the session
- cache from being cleared if a client certificate from file was used.
+ - Wrap nghttp2 code in ifdef USE_NGHTTP2.
- The condition is now fixed to cover both cases: consssl->client_nickname
- is not NULL if a client certificate from the NSS database is used and
- connssl->obj_clicert is not NULL if a client certificate from file is
- used.
- Review by: Kai Engert
+ Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
-Yang Tse (11 Jan 2013)
-- sockfilt.c: log file descriptor number on read/write error
+- http2: Fix client write for trailers on stream close
+
+ Check that the trailer buffer exists before attempting a client write
+ for trailers on stream close.
+
+ Refer to comments in https://github.com/bagder/curl/pull/564
-- [Gisle Vanem brought this change]
+Daniel Stenberg (7 Jan 2016)
+- COPYING: update general copyright year range
- packages/DOS/common.dj: remove COFF debug info generation
+- ConnectionExists: add missing newline in infof() call
- gcc on DOS hasn't really supported COFF-debug (-gcoff) on djgpp for a
- long time.
+ Mistake from commit a464f33843ee1
+
+- multiplex: allow only once HTTP/2 is actually used
+
+ To make sure curl doesn't allow multiplexing before a connection is
+ upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the
+ connection uses HTTP/2 as well and not only check what's wanted.
+
+ Closes #584
- "Sounds like the COFF debug info generation has bit-rotted in GCC.
- Nothing new here, no other platform uses COFF AFAIK."
+ Patch-by: c0ff
+
+Jay Satiro (4 Jan 2016)
+- curl_global_init.3: Add Windows-specific info for init via DLL
- So lets drop it too.
+ - Add to both curl_global_init.3 and libcurl.3 the caveat for Windows
+ that initializing libcurl via a DLL's DllMain or static initializer
+ could cause a deadlock.
- URL: http://curl.haxx.se/mail/lib-2013-01/0130.html
+ Bug: https://github.com/bagder/curl/issues/586
+ Reported-by: marc-groundctl@users.noreply.github.com
+
+Daniel Stenberg (4 Jan 2016)
+- FAQ: clarify who to mail about ECCN clarifications
+
+- progressfunc.c: spellfix description
-- curl: ignore SIGPIPE - compilation fix - follow-up
+- docs/examples/multi-app.c: fix bad desc formatting
-- test servers: handle W32/W64 SIGBREAK with exit_signal_handler
+- examples: added descriptions
-- test servers: fix errno, ERRNO and SOCKERRNO usage for W32/W64
+- example/simple.c: add description
-- sockfilt.c: fix some W64 compiler warnings
+- getredirect.c: a new example
-Daniel Stenberg (9 Jan 2013)
-- [Nick Zitzmann brought this change]
+Marc Hoersken (27 Dec 2015)
+- RELEASE-NOTES: add 5e0e81a9c4e35f04ca
- docs: the --with-darwinssl option is available on Apple OSes
+Daniel Stenberg (26 Dec 2015)
+- RELEASE-NOTES: synced with 2aec4359db1088b10d
-Yang Tse (9 Jan 2013)
-- curl: ignore SIGPIPE - compilation fix
+Marc Hoersken (26 Dec 2015)
+- test 1515: add data check
-- build: fix circular header inclusion with other packages
+- test 1515: add MSYS support by passing a relative path
- This commit renames lib/setup.h to lib/curl_setup.h and
- renames lib/setup_once.h to lib/curl_setup_once.h.
+ MSYS would otherwise turn a /-style path into a C:\-style path.
+
+- test 539: use datacheck mode text for ASCII-mode LISTings
- Removes the need and usage of a header inclusion guard foreign
- to libcurl. [1]
+ While still using datacheck mode binary for the inline reply data.
+
+- runtests.pl: check up to 5 data parts with different text modes
- Removes the need and presence of an alarming notice we carried
- in old setup_once.h [2]
+ Move the text-mode conversion for reply/replycheck from the verify
+ section into the load section and add support for 4 more check parts.
+
+Daniel Stenberg (24 Dec 2015)
+- CURLOPT_RANGE: for HTTP servers, range support is optional
+
+Marc Hoersken (24 Dec 2015)
+- tests 1048 and 1050: use datacheck mode text for ASCII-mode LISTings
+
+- tests 706 and 707: use datacheck mode text for ASCII-mode LISTings
+
+- tests 400,403,406: use datacheck mode text for ASCII-mode LISTings
+
+- sockfilt.c: fix calculation of sleep timeout on Windows
- ----------------------------------------
+ Not converting to double caused small timeouts to be skipped.
+
+- tests first.c: fix calculation of sleep timeout on Windows
- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard
- up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H,
- this single inclusion guard is enough to ensure that inclusion of
- lib/setup_once.h done from lib/setup.h is only done once.
+ Not converting to double caused small timeouts to be skipped.
+
+- test 573: add more debug output
+
+- ftplistparser.c: fix handling of file LISTings using Windows EOL
- Additionally lib/setup.h has always used __SETUP_ONCE_H macro to
- protect inclusion of setup_once.h even after commit ec691ca3, this
- was to avoid a circular header inclusion triggered when building a
- c-ares enabled version with c-ares sources available which also has
- a setup_once.h header. Commit ec691ca3 exposes the real nature of
- __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard
- foreign to libcurl belonging to c-ares's setup_once.h
+ Previously file.txt[CR][LF] would have been returned as file.tx
+ (without the last t) if filetype is symlink. Now the t is
+ included and the internal item_length includes the zero byte.
- The renaming this commit does, fixes the circular header inclusion,
- and as such removes the need and usage of a header inclusion guard
- foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl.
+ Spotted using test 576 on Windows.
+
+- test 16: fix on Linux (and Windows) by using plain ASCII characters
- 2 - Due to the circular interdependency of old lib/setup_once.h and the
- c-ares setup_once.h header, old file lib/setup_once.h has carried
- back from 2006 up to now days an alarming and prominent notice about
- the need of keeping libcurl's and c-ares's setup_once.h in sync.
+ Follow up on b064ff0c351bb287557228575ef4c1d079b866fb, thanks Daniel.
+
+- tftpd server: add Windows support by writing files in binary mode
+
+- tests 252-255: use datacheck mode text for ASCII-mode LISTings
+
+- test 16: fix on Windows by converting data file from ANSI to UTF-8
+
+Daniel Stenberg (23 Dec 2015)
+- Makefile.inc: s/curl_SOURCES/CURL_FILES
- Given that this commit fixes the circular interdependency, the need
- and presence of mentioned notice is removed.
+ This allows the root Makefile.am to include the Makefile.inc without
+ causing automake to warn on it (variables named *_SOURCES are
+ magic). curl_SOURCES is then instead assigned properly in
+ src/Makefile.am only.
- All mentioned interdependencies come back from now old days when
- the c-ares project lived inside a curl subdirectory. This commit
- removes last traces of such fact.
+ Closes #577
-Daniel Stenberg (8 Jan 2013)
-- curl: ignore SIGPIPE
+- [Anders Bakken brought this change]
+
+ ConnectionExists: with *PIPEWAIT, wait for connections
- This is a work-around for bug #1180 which is really libcurl's inability
- to ignore SIGPIPE in a few cases. With this work-around at least curl
- won't suffer from it!
+ Try harder to prevent libcurl from opening up an additional socket when
+ CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
+ handshakes complete first before the decision is made.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1180
- Reported by: Lluís Batlle i Rossell
+ Closes #575
-Yang Tse (8 Jan 2013)
-- sockfilt.c: fix some compiler warnings
+- [Anders Bakken brought this change]
-Daniel Stenberg (8 Jan 2013)
-- Revert "configure: update req to 2.59"
+ Add .dir-locals and set c-basic-offset to 2.
- This reverts commit 7a6d8b1b1a8fcc184c36d6b6e741e32250b4bacb.
+ This makes it easier for emacs users to automatically get the right
+ 2-space indentation when they edit curl source files.
- URL: http://curl.haxx.se/mail/lib-2013-01/0103.html
-
-Steve Holme (8 Jan 2013)
-- pop3: Added support for non-blocking SSL upgrade
+ c++-mode is in there as well because Emacs can't easily know if
+ something is a C or C++ header.
- Added support for asynchronous SSL upgrade when using the
- multi-interface.
+ Closes #574
+
+- [Johannes Schindelin brought this change]
-Daniel Stenberg (8 Jan 2013)
-- configure: update req to 2.59
+ configure: detect IPv6 support on Windows
- I ran the 2.59 version of autoupdate that updates obsoleted configure.ac
- constructs to the 2.59 standard. With a little hands-on fiddling I
- prevented it from ruining the quoting in AS_HELP_STRING() uses.
+ This patch was "nicked" from the MINGW-packages project by Daniel.
- I subsequently also bumped the required autoconf version to 2.59
- (released in December 2003) as I don't have an older autoconf version
- around to test with and I can't be bothered to install one either...
+ https://github.com/Alexpux/MINGW-packages/commit/9253d0bf58a1486e91f7efb5316e7fdb48fa4007
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- configure: allow static builds on mingw
+
+ This patch is adopted from the MINGW-packages project. It makes it
+ possible to build curl both shared and static again.
- Inspired by: Björn Stenberg
- Related blog post: http://cazfi.livejournal.com/195108.html
+ URL: https://github.com/Alexpux/MINGW-packages/tree/master/mingw-w64-curl
-Steve Holme (7 Jan 2013)
-- imap.c: Small tidy up to add missing comment
+Marc Hoersken (17 Dec 2015)
+- test 1326: fix file check since curl is outputting binary data
-- imap: Added support for sasl digest-md5 authentication
+- test 1326: fix getting stuck on Windows due to incomplete request
+
+ The request needs to be read and send in binary mode in order to use
+ CRLF instead of LF. Adding --upload-file - causes curl to read stdin
+ in binary mode.
-- imap: Added support for sasl cram-md5 authentication
+Daniel Stenberg (17 Dec 2015)
+- RELEASE-NOTES: command line option recount
-Marc Hoersken (7 Jan 2013)
-- tests/server/sockfilt.c: Fixed integer comparison warning
+Dan Fandrich (16 Dec 2015)
+- scripts/Makefile: build zsh script even in an out-of-tree build
-- tests/server/sockfilt.c: Include required Win32 headers
+Marc Hoersken (16 Dec 2015)
+- sockfilt.c: added some debug output to select_ws
-Steve Holme (7 Jan 2013)
-- imap: Added support for sasl ntlm authentication
+- sockfilt.c: keep lines shorter than 80 chars
-- imap: Added support for sasl login authentication
+- sockfilt.c: do not wait on unreliable file or pipe handle
+
+ The previous implementation caused issues on modern MSYS2 runtimes.
-- pop3.c: Fixed default authentication detection
+Daniel Stenberg (16 Dec 2015)
+- cyassl: deal with lack of *get_peer_certificate
+
+ The function is only present in wolfssl/cyassl if it was built with
+ --enable-opensslextra. With these checks added, pinning support is disabled
+ unless the TLS lib has that function available.
+
+ Also fix the mistake in configure that checks for the wrong lib name.
- Fixed an issue where a server may positively respond to the CAPA command
- but not list clear text as a valid authentication type.
+ Closes #566
-- curl_sasl.c: Small code tidy up following imap changes
+- wolfssl: handle builds without SSLv3 support
-- smtp.c: Small code tidy up following imap changes
+- [Tatsuhiro Tsujikawa brought this change]
-- pop3.c: Small code tidy up following imap changes
+ http2: Support trailer fields
+
+ This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked
+ encoding must be used to send trialer fields. HTTP/2 deprecated any
+ trandfer-encoding, including chunked. But trailer fields are now
+ always available.
+
+ Since trailer fields are relatively rare these days (gRPC uses them
+ extensively though), allocating buffer for trailer fields is done when
+ we detect that HEADERS frame containing trailer fields is started. We
+ use Curl_add_buffer_* functions to buffer all trailers, just like we
+ do for regular header fields. And then deliver them when stream is
+ closed. We have to be careful here so that all data are delivered to
+ upper layer before sending trailers to the application.
+
+ We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE
+ mechanism, but current method is far more simple.
+
+ Another possibility is use chunked encoding internally for HTTP/2
+ traffic. I have not tested it, but it could add another overhead.
+
+ Closes #564
-- imap: Added support for sasl plain text authentication
+- RELEASE-NOTES: synced with 6c2c019654e658a
-Marc Hoersken (6 Jan 2013)
-- tests/server/sockfilt.c: Fixed support for listening sockets
+Jay Satiro (15 Dec 2015)
+- x509asn1: Fix host altname verification
+
+ - In Curl_verifyhost check all altnames in the certificate.
- This commit fixes support for sockets that are ready to accept
- a new connection and have previously been put into listening mode.
+ Prior to this change only the first altname was checked. Only the GSKit
+ SSL backend was affected by this bug.
- It also includes changes which are the result of investigation
- regarding Windows STDIN. These changes are the preparation for further
- improvements regarding support for reading data from STDIN on Windows.
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
+ Reported-by: John Kohl
+
+Daniel Stenberg (15 Dec 2015)
+- curl --expect100-timeout: added
- Open issue: WaitForMultipleObjectsEx does not support PIPE handles
- which are returned by GetStdHandle while running without a GUI.
+ This is the new command line option to set the value for the existing
+ libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
+
+- cyassl: fix compiler warning on type conversion
+
+- curlver: the pending release will become 7.47.0
-- tests/server/sockfilt.c: Set Windows Console to binary mode
+- [Anders Bakken brought this change]
-- tests/server/sockfilt.c: Improved log error messages
+ setstropt: const-correctness
- Include error code and parameters in error messages.
+ Closes #565
+
+- ROADMAP: implemented HTTP2 for HTTPS-only
+
+- HTTP2.md: spell fix and remove TODO now implemented
+
+- libressl: the latest openssl x509 funcs are not in libressl
-Steve Holme (6 Jan 2013)
-- imap: Introduced the continue response in imap_endofresp()
+- curl: use 2TLS by default
+
+ Make this the default for the curl tool (if built with HTTP/2 powers
+ enabled) unless a specific HTTP version is requested on the command
+ line.
+
+ This should allow more users to get HTTP/2 powers without having to
+ change anything.
-- imap: Added support for SASL based authentication mechanism detection
+- http: add libcurl option to allow HTTP/2 for HTTPS only
- Added support for detecting the supported SASL authentication mechanisms
- via the CAPABILITY command.
+ ... and stick to 1.1 for HTTP. This is in line with what browsers do and
+ should have very little risk.
-Yang Tse (6 Jan 2013)
-- Revert changes relative to lib/*.[ch] recent renaming
+- openssl: adapt to openssl >= 1.1.0 X509 opaque structs
- This reverts renaming and usage of lib/*.h header files done
- 28-12-2012, reverting 2 commits:
+ Closes #491
+
+- openssl: avoid BIO_reset() warnings since it returns a value
+
+- openssl: adapt to 1.1.0+ name changes
+
+- scripts/makefile: add standard header
+
+- scripts/Makefile: fix GNUism and survive no perl
- f871de0... build: make use of 76 lib/*.h renamed files
- ffd8e12... build: rename 76 lib/*.h files
+ Closes #555
- This also reverts removal of redundant include guard (redundant thanks
- to changes in above commits) done 2-12-2013, reverting 1 commit:
+ Reported-by: Thomas Klausner
+
+- fix b6d5cb40d7038fe
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Fix hanging paused stream
- c087374... curl_setup.h: remove redundant include guard
+ When NGHTTP2_ERR_PAUSE is returned from data_source_read_callback, we
+ might not process DATA frame fully. Calling nghttp2_session_mem_recv()
+ again will continue to process DATA frame, but if there is no incoming
+ frames, then we have to call it again with 0-length data. Without this,
+ on_stream_close callback will not be called, and stream could be hanged.
- This also reverts renaming and usage of lib/*.c source files done
- 3-12-2013, reverting 3 commits:
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0103.html
+ Reported-by: Francisco Moraes
+
+- [Christian Stewart brought this change]
+
+ build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
- 13606bb... build: make use of 93 lib/*.c renamed files
- 5b6e792... build: rename 93 lib/*.c files
- 7d83dff... build: commit 13606bbfde follow-up 1
+ With curl disable verbose strings in http.c the compilation fails due to
+ the data variable being undefined later on in the function.
- Start of related discussion thread:
+ Closes #558
+
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
+
+ config-win32: Fix warning HAVE_WINSOCK2_H undefined
+
+- [Gisle Vanem brought this change]
+
+ openssl: BoringSSL doesn't have CONF_modules_free
+
+- [Gisle Vanem brought this change]
+
+ lwip: Fix compatibility issues with later versions
- http://curl.haxx.se/mail/lib-2013-01/0012.html
+ The name of the header guard in lwIP's <lwip/opt.h> has changed from
+ '__LWIP_OPT_H__' to 'LWIP_HDR_OPT_H' (bug #35874 in May 2015).
- Asking for confirmation on pushing this revertion commit:
+ Other fixes:
- http://curl.haxx.se/mail/lib-2013-01/0048.html
+ - In curl_setup.h, the problem with an old PSDK doesn't apply if lwIP is
+ used.
- Confirmation summary:
+ - In memdebug.h, the 'socket' should be undefined first due to lwIP's
+ lwip_socket() macro.
- http://curl.haxx.se/mail/lib-2013-01/0079.html
+ - In curl_addrinfo.c lwIP's getaddrinfo() + freeaddrinfo() macros need
+ special handling because they were undef'ed in memdebug.h.
- NOTICE: The list of 2 files that have been modified by other
- intermixed commits, while renamed, and also by at least one
- of the 6 commits this one reverts follows below. These 2 files
- will exhibit a hole in history unless git's '--follow' option
- is used when viewing logs.
+ - In select.c we can't use preprocessor conditionals inside select if
+ MSVC and select is a macro, as it is with lwIP.
- lib/curl_imap.h
- lib/curl_smtp.h
+ http://curl.haxx.se/mail/lib-2015-12/0023.html
+ http://curl.haxx.se/mail/lib-2015-12/0024.html
+
+Patrick Monnerat (7 Dec 2015)
+- os400: define CURL_VERSION_PSL in ILE/RPG binding
+
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
+
+ version: Add flag CURL_VERSION_PSL for libpsl
-Daniel Stenberg (6 Jan 2013)
-- mk-ca-bundle.1: convert syntax to what's used elsewhere
+- formdata: Check if length is too large for memory
- ... mostly to make sure roffit works better on it, but also to make our
- man pages use a more unified style.
+ - If the size of the length type (curl_off_t) is greater than the size
+ of the size_t type then check before allocating memory to make sure the
+ value of length will fit in a size_t without overflow. If it doesn't
+ then return CURLE_BAD_FUNCTION_ARGUMENT.
+
+ Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
+ Reported-by: Steve Holme
+
+Steve Holme (3 Dec 2015)
+- tests: Corrected copy and pasted comments from commit e643c5c908
-- mk-ca-bundle.1: mention new -f, fix outputfile output
+Daniel Stenberg (3 Dec 2015)
+- curl: remove keepalive #ifdef checks done on libcurl's behalf
- also edited a few sentences to become more verbose
+ They didn't match the ifdef logic used within libcurl anyway so they
+ could indeed warn for the wrong case - plus the tool cannot know how the
+ lib actually performs at that level.
+
+Steve Holme (2 Dec 2015)
+- test947: Corrected typo in test name
-- mk-ca-bundle: add -f, support passing to stdout and more
+- tests: Disable the OAUTHBEARER tests when using a non-default port number
- 1. When the downloaded data file from Mozilla is current, but the output
- bundle does not exist: continue processing to create the bundle. The
- goal is to have the output file - not just download the latest input.
+ Tests 842, 843, 844, 845, 887, 888, 889, 890, 946, 947, 948 and 949 fail
+ if a custom port number is specified via the -b option of runtests.pl.
- 2. added -f option to force re-processing the file. Useful for
- debugging/testing the process.
+ Suggested by: Kamil Dudka
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0003.html
+
+Daniel Stenberg (2 Dec 2015)
+- bump: towards next release
- 3. added support for output to '-' (stdout), allowing the output to be
- piped.
+ for all we know now, it might be called 7.46.1
+
+Version 7.46.0 (1 Dec 2015)
+
+Daniel Stenberg (1 Dec 2015)
+- RELEASE-NOTES: updated contributor count for 7.46.0
+
+- THANKS: new contributors from the 7.46.0 release
+
+- THANKS-filter: single Tim Rühsen spelling
+
+- docs/examples: gitignore some more built examples
+
+- RELEASE-NOTES; this bug was never released
+
+- RELEASE-NOTES: synced with e55f15454efacb0
+
+- [Flavio Medeiros brought this change]
+
+ Curl_read_plain: clean up ifdefs that break statements
- 4. All progress and error messages go to STDERR rather than STDOUT (3)
+ Closes #546
+
+- http2: convert some verbose output into debug-only output
+
+- http2 push: add missing inits of new stream
- 5. The script opened and closed the output file many times
- unnecessarily. It now opens it once, does the output and closes it.
+ - set the correct stream_id for pushed streams
+ - init maxdownload and size properly
+
+- http2 push: set weight for new stream
- 6. Backup of the input files happens after successful processing, not
- before.
+ give the new stream the old one's stream_weight internally to avoid
+ sending a PRIORITY frame unless asked for it
+
+- curl_setup.h: undef freeaddrinfo in c-ares block to fix build
- 7. The output is written to a temporary file, and renamed to the
- requested name after backup - this greatly reduces the window where the
- file can be seen partially written.
+ Fixes warnings 78c25c854a added.
+
+- nonblock: fix setting non-blocking mode for Amiga
- 8. all die calls have a \n at the end to suppress perl's traceback - the
- traceback isn't useful to end users.
+ IoctlSocket() apparently wants a pointer to a long, passed as a char *
+ in its third parameter. This bug was introduced already back in commit
+ c5fdeef41d from October 1 2001!
- Patch: http://curl.haxx.se/mail/lib-2013-01/0045.html
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0088.html
+ Reported-by: Norbert Kett
-Yang Tse (5 Jan 2013)
-- imap test server: fix typo in name of SELECT_imap() sub definition
+- zsh install: fix DESTDIR support
- IMAP test server breaking typo introduced with commit b708a522a1
+ Reported-by: Mohammad AlSaleh
-Steve Holme (4 Jan 2013)
-- imap test server: Added support for the CAPABILITY command
-
- Added support for the CAPABILITY command in preparation of upcoming
- changes.
-
-Daniel Stenberg (3 Jan 2013)
-- writeout: -w now supports remote_ip/port and local_ip/port
-
- Added mention to the curl.1 man page.
-
- Test case 1223 verifies remote_ip/port.
-
-Yang Tse (3 Jan 2013)
-- test 1222: 8 chars object name generation && test 1221: adjustments
-
-Daniel Stenberg (3 Jan 2013)
-- INTERNALS: remove "footnote" never used
-
-Yang Tse (3 Jan 2013)
-- build: commit 13606bbfde follow-up 1
-
-Daniel Stenberg (3 Jan 2013)
-- FAQ: Can I write a server with libcurl?
-
-Yang Tse (3 Jan 2013)
-- build: rename 93 lib/*.c files
-
- 93 lib/*.c source files renamed to use our standard naming scheme.
-
- This commit only does the file renaming.
-
- ----------------------------------------
-
- renamed: lib/amigaos.c -> lib/curl_amigaos.c
- renamed: lib/asyn-ares.c -> lib/curl_asyn_ares.c
- renamed: lib/asyn-thread.c -> lib/curl_asyn_thread.c
- renamed: lib/axtls.c -> lib/curl_axtls.c
- renamed: lib/base64.c -> lib/curl_base64.c
- renamed: lib/bundles.c -> lib/curl_bundles.c
- renamed: lib/conncache.c -> lib/curl_conncache.c
- renamed: lib/connect.c -> lib/curl_connect.c
- renamed: lib/content_encoding.c -> lib/curl_content_encoding.c
- renamed: lib/cookie.c -> lib/curl_cookie.c
- renamed: lib/cyassl.c -> lib/curl_cyassl.c
- renamed: lib/dict.c -> lib/curl_dict.c
- renamed: lib/easy.c -> lib/curl_easy.c
- renamed: lib/escape.c -> lib/curl_escape.c
- renamed: lib/file.c -> lib/curl_file.c
- renamed: lib/fileinfo.c -> lib/curl_fileinfo.c
- renamed: lib/formdata.c -> lib/curl_formdata.c
- renamed: lib/ftp.c -> lib/curl_ftp.c
- renamed: lib/ftplistparser.c -> lib/curl_ftplistparser.c
- renamed: lib/getenv.c -> lib/curl_getenv.c
- renamed: lib/getinfo.c -> lib/curl_getinfo.c
- renamed: lib/gopher.c -> lib/curl_gopher.c
- renamed: lib/gtls.c -> lib/curl_gtls.c
- renamed: lib/hash.c -> lib/curl_hash.c
- renamed: lib/hmac.c -> lib/curl_hmac.c
- renamed: lib/hostasyn.c -> lib/curl_hostasyn.c
- renamed: lib/hostcheck.c -> lib/curl_hostcheck.c
- renamed: lib/hostip.c -> lib/curl_hostip.c
- renamed: lib/hostip4.c -> lib/curl_hostip4.c
- renamed: lib/hostip6.c -> lib/curl_hostip6.c
- renamed: lib/hostsyn.c -> lib/curl_hostsyn.c
- renamed: lib/http.c -> lib/curl_http.c
- renamed: lib/http_chunks.c -> lib/curl_http_chunks.c
- renamed: lib/http_digest.c -> lib/curl_http_digest.c
- renamed: lib/http_negotiate.c -> lib/curl_http_negotiate.c
- renamed: lib/http_negotiate_sspi.c -> lib/curl_http_negotiate_sspi.c
- renamed: lib/http_proxy.c -> lib/curl_http_proxy.c
- renamed: lib/idn_win32.c -> lib/curl_idn_win32.c
- renamed: lib/if2ip.c -> lib/curl_if2ip.c
- renamed: lib/imap.c -> lib/curl_imap.c
- renamed: lib/inet_ntop.c -> lib/curl_inet_ntop.c
- renamed: lib/inet_pton.c -> lib/curl_inet_pton.c
- renamed: lib/krb4.c -> lib/curl_krb4.c
- renamed: lib/krb5.c -> lib/curl_krb5.c
- renamed: lib/ldap.c -> lib/curl_ldap.c
- renamed: lib/llist.c -> lib/curl_llist.c
- renamed: lib/md4.c -> lib/curl_md4.c
- renamed: lib/md5.c -> lib/curl_md5.c
- renamed: lib/memdebug.c -> lib/curl_memdebug.c
- renamed: lib/mprintf.c -> lib/curl_mprintf.c
- renamed: lib/multi.c -> lib/curl_multi.c
- renamed: lib/netrc.c -> lib/curl_netrc.c
- renamed: lib/non-ascii.c -> lib/curl_non_ascii.c
- renamed: lib/curl_non-ascii.h -> lib/curl_non_ascii.h
- renamed: lib/nonblock.c -> lib/curl_nonblock.c
- renamed: lib/nss.c -> lib/curl_nss.c
- renamed: lib/nwlib.c -> lib/curl_nwlib.c
- renamed: lib/nwos.c -> lib/curl_nwos.c
- renamed: lib/openldap.c -> lib/curl_openldap.c
- renamed: lib/parsedate.c -> lib/curl_parsedate.c
- renamed: lib/pingpong.c -> lib/curl_pingpong.c
- renamed: lib/polarssl.c -> lib/curl_polarssl.c
- renamed: lib/pop3.c -> lib/curl_pop3.c
- renamed: lib/progress.c -> lib/curl_progress.c
- renamed: lib/qssl.c -> lib/curl_qssl.c
- renamed: lib/rawstr.c -> lib/curl_rawstr.c
- renamed: lib/rtsp.c -> lib/curl_rtsp.c
- renamed: lib/security.c -> lib/curl_security.c
- renamed: lib/select.c -> lib/curl_select.c
- renamed: lib/sendf.c -> lib/curl_sendf.c
- renamed: lib/share.c -> lib/curl_share.c
- renamed: lib/slist.c -> lib/curl_slist.c
- renamed: lib/smtp.c -> lib/curl_smtp.c
- renamed: lib/socks.c -> lib/curl_socks.c
- renamed: lib/socks_gssapi.c -> lib/curl_socks_gssapi.c
- renamed: lib/socks_sspi.c -> lib/curl_socks_sspi.c
- renamed: lib/speedcheck.c -> lib/curl_speedcheck.c
- renamed: lib/splay.c -> lib/curl_splay.c
- renamed: lib/ssh.c -> lib/curl_ssh.c
- renamed: lib/sslgen.c -> lib/curl_sslgen.c
- renamed: lib/ssluse.c -> lib/curl_ssluse.c
- renamed: lib/strdup.c -> lib/curl_strdup.c
- renamed: lib/strequal.c -> lib/curl_strequal.c
- renamed: lib/strerror.c -> lib/curl_strerror.c
- renamed: lib/strtok.c -> lib/curl_strtok.c
- renamed: lib/strtoofft.c -> lib/curl_strtoofft.c
- renamed: lib/telnet.c -> lib/curl_telnet.c
- renamed: lib/tftp.c -> lib/curl_tftp.c
- renamed: lib/timeval.c -> lib/curl_timeval.c
- renamed: lib/transfer.c -> lib/curl_transfer.c
- renamed: lib/url.c -> lib/curl_url.c
- renamed: lib/version.c -> lib/curl_version.c
- renamed: lib/warnless.c -> lib/curl_warnless.c
- renamed: lib/wildcard.c -> lib/curl_wildcard.c
-
- ----------------------------------------
-
-- build: make use of 93 lib/*.c renamed files
-
- 93 *.c source files renamed to use our standard naming scheme.
-
- This change affects 77 files in libcurl's source tree.
-
-Daniel Stenberg (3 Jan 2013)
-- INSTALL: unify the SSL library texts
-
- Make them smaller and more similar for each separate SSL library
- supported by the configure build
-
-Yang Tse (2 Jan 2013)
-- curl_setup.h: remove redundant include guard
-
-- build and tests: curl_10char_object_name() shell function
-
- lib/objnames.inc provides definition of curl_10char_object_name() shell
- function. The intended purpose of this function is to transliterate a
- (*.c) source file name that may be longer than 10 characters, or not,
- into a string with at most 10 characters which may be used as an OS/400
- object name.
-
- Test case 1221 does unit testng of this function and also verifies
- that it is possible to generate distinct short object names for all
- curl and libcurl *.c source file names.
-
- lib/objnames-test.sh is the shell script used for test case 1221.
-
- tests/runtests.pl modified to accept shell script test cases.
-
- More details inside lib/objnames.inc and lib/objnames-test.sh
+Dan Fandrich (27 Nov 2015)
+- lib: Only define curl_dofreeaddrinfo if struct addrinfo is available
-- configure.ac: replace AM_CONFIG_HEADER with AC_CONFIG_HEADERS
+Steve Holme (27 Nov 2015)
+- tool_paramhlp: Fixed display of URL index in password prompt for --next
- automake 1.13 errors if AM_CONFIG_HEADER is used in configure script.
- automake 1.13 no longer autoupdates AM_CONFIG_HEADER to
- AC_CONFIG_HEADERS, thing which automake has been doing since automake
- version 1.7
+ Commit f3bae6ed73 added the URL index to the password prompt when using
+ --next. Unfortunately, because the size_t specifier (%zu) is not
+ supported by all sprintf() implementations we use the curl_off_t format
+ specifier instead. The display of an incorrect value arises on platforms
+ where size_t and curl_off_t are of a different size.
+
+Daniel Stenberg (25 Nov 2015)
+- timecond: do not add if-modified-since without timecondition
- Given that our first automake supported version is automake 1.7,
- simply replacing AM_CONFIG_HEADER usage with AC_CONFIG_HEADERS seems
- enough to yet support same automake versions.
+ The RTSP code path didn't skip adding the if-modified-since for certain
+ RTSP code paths, even if CURLOPT_TIMECONDITION was set to
+ CURL_TIMECOND_NONE.
- Dave Reisner reported issue with 1.13 and provided patch.
+ Also, an unknown non-zero CURLOPT_TIMECONDITION value no longer equals
+ CURL_TIMECOND_IFMODSINCE.
- http://curl.haxx.se/mail/lib-2012-12/0246.html
+ Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header
+
+- RELEASE-NOTES: synced with 99d17a5e2ba77e58
-- curl-override.m4: provide AC_CONFIG_MACRO_DIR definition conditionally
+- examples/README: cut out the incomplete list
- Provide a 'traceable' AC_CONFIG_MACRO_DIR definition only when using
- an autoconf version that does not provide it, instead of what we were
- doing up to now of providing and overriding AC_CONFIG_MACRO_DIR for
- all autoconf versions.
+ ... and add a generic explanation for them instead. Each example file
+ should contain its own description these days.
-Steve Holme (30 Dec 2012)
-- imap.c: Minor follow up tidy up
+- test1513: make sure the callback is only called once
+
+- [Daniel Shahaf brought this change]
+
+ build: Install zsh completion
+
+ Fixes #534
+ Closes #537
-- imap: Code tidy up prior to adding support for the CAPABILITY command
+- done: make sure the final progress update is made
- * Changing the order of the state machine to represent the order in
- which commands are sent to the server.
+ It would previously be skipped if an existing error was returned, but
+ would lead to a previous value being left there and later used.
+ CURLINFO_TOTAL_TIME for example.
- * Reworking the imap_endofresp() function as the FETCH response doesn't
- include the command id and shouldn't be part of the length comparison
- that takes into account the id string.
+ Still it avoids that final progress update if we reached DONE as the
+ result of a callback abort to avoid another callback to be called after
+ an abort-by-callback.
+
+ Reported-by: Lukas Ruzicka
+
+ Closes #538
-- pop3_doing: Applied debug info message when function fails
+- curl: expanded the -XHEAD warning text
- Applied the same debug message as used in smtp_doing() and imap_doing()
- when pop3_multi_statemach() fails.
+ ... to also mention the specific options used.
-- imap_doing: don't call imap_dophase_done() if already failed
+- Revert "cleanup: general removal of TODO (and similar) comments"
+
+ This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a.
- Applied the POP3 fix from commit 2897ce7dc2e1 so imap_dophase_done()
- isn't called if imap_multi_statemach() fails.
+ Feedback-by: Dan Fandrich
+ URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
-- smtp_doing: don't call smtp_dophase_done() if already failed
+- CURLOPT_HEADERFUNCTION.3: fix typo
- Applied the POP3 fix from commit 2897ce7dc2e1 so smtp_dophase_done()
- isn't called if smtp_multi_statemach() fails.
+ Refer to _HEADERDATA not _WRITEDATA.
+
+ Reported-by: Michał Piechowski
-Yang Tse (29 Dec 2012)
-- examples/certinfo.c: fix compiler warning
+- TODO: TCP Fast Open
-Steve Holme (29 Dec 2012)
-- pop3.c: Removed unnecessary POP3_STOP state changes
-
- Removed unnecessary state changes in pop3_state_starttls_resp()
- following previous fix in IMAP module.
+Steve Holme (22 Nov 2015)
+- examples: Added website parse-able descriptions to the e-mail examples
-- smtp.c: Added extra comments around SMTP_STOP state change
-
- Provided extra comments in the SMTP module following previous IMAP fix.
+- TODO: Added another 'multi-interface' idea
-- imap.c: Fixed bad state error when logging in with invalid credentials
+- smb.c: Fixed compilation warnings
- Fixed a problem with the state machine when attempting to log in with
- invalid credentials. The server would report login failure but libcurl
- would not read the response due to inappropriate IMAP_STOP states being
- set after the login was sent.
+ smb.c:134:3: warning: conversion to 'short unsigned int' from 'int' may
+ alter its value
+ smb.c:146:42: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
+ smb.c:146:65: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
-Yang Tse (29 Dec 2012)
-- imap.c: remove trailing whitespace
+- schannel: Corrected copy/paste error in commit 8d17117683
-Steve Holme (28 Dec 2012)
-- imap.c: Code tidy up - Part 2
-
-- imap.c: Code tidy up - Part 1
-
- Applied some of the comment and layout changes that had already been
- applied to the pop3 and smtp code over the last 6 to 9 months.
-
- This is in preparation of adding SASL based authentication.
-
-- pop3.c: Minor code tidy up
-
- Minor tidy up of comments and layout prior to next part of imap work.
-
-- smtp: Minor code tidy up
-
- Minor tidy up of comments and layout prior to next part of imap work.
-
-- curl_imap.h: Tidy up of comments to be more readable
-
-- imap.c: Code tidy up renaming imapsendf() to imap_sendf()
+- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
- Renamed imapsendf() to imap_sendf() to be more in keeping with the
- other imap functions as well as Curl_pp_sendf() that it replaces.
-
-Yang Tse (28 Dec 2012)
-- build: rename 76 lib/*.h files
-
- 76 private header files renamed to use our standard naming scheme.
-
- This commit only does the file renaming.
-
- ----------------------------------------
+ Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
+
+- examples: Fixed compilation warnings
+
+ pop3-multi.c:96:5: warning: implicit declaration of function 'memset'
+ imap-multi.c:96:5: warning: implicit declaration of function 'memset'
+ http2-download.c:226:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
+
+- Makefile.inc: Fixed test run error
- renamed: amigaos.h -> curl_amigaos.h
- renamed: arpa_telnet.h -> curl_arpa_telnet.h
- renamed: asyn.h -> curl_asyn.h
- renamed: axtls.h -> curl_axtls.h
- renamed: bundles.h -> curl_bundles.h
- renamed: conncache.h -> curl_conncache.h
- renamed: connect.h -> curl_connect.h
- renamed: content_encoding.h -> curl_content_encoding.h
- renamed: cookie.h -> curl_cookie.h
- renamed: cyassl.h -> curl_cyassl.h
- renamed: dict.h -> curl_dict.h
- renamed: easyif.h -> curl_easyif.h
- renamed: escape.h -> curl_escape.h
- renamed: file.h -> curl_file.h
- renamed: fileinfo.h -> curl_fileinfo.h
- renamed: formdata.h -> curl_formdata.h
- renamed: ftp.h -> curl_ftp.h
- renamed: ftplistparser.h -> curl_ftplistparser.h
- renamed: getinfo.h -> curl_getinfo.h
- renamed: gopher.h -> curl_gopher.h
- renamed: gtls.h -> curl_gtls.h
- renamed: hash.h -> curl_hash.h
- renamed: hostcheck.h -> curl_hostcheck.h
- renamed: hostip.h -> curl_hostip.h
- renamed: http.h -> curl_http.h
- renamed: http_chunks.h -> curl_http_chunks.h
- renamed: http_digest.h -> curl_http_digest.h
- renamed: http_negotiate.h -> curl_http_negotiate.h
- renamed: http_proxy.h -> curl_http_proxy.h
- renamed: if2ip.h -> curl_if2ip.h
- renamed: imap.h -> curl_imap.h
- renamed: inet_ntop.h -> curl_inet_ntop.h
- renamed: inet_pton.h -> curl_inet_pton.h
- renamed: krb4.h -> curl_krb4.h
- renamed: llist.h -> curl_llist.h
- renamed: memdebug.h -> curl_memdebug.h
- renamed: multiif.h -> curl_multiif.h
- renamed: netrc.h -> curl_netrc.h
- renamed: non-ascii.h -> curl_non-ascii.h
- renamed: nonblock.h -> curl_nonblock.h
- renamed: nssg.h -> curl_nssg.h
- renamed: parsedate.h -> curl_parsedate.h
- renamed: pingpong.h -> curl_pingpong.h
- renamed: polarssl.h -> curl_polarssl.h
- renamed: pop3.h -> curl_pop3.h
- renamed: progress.h -> curl_progress.h
- renamed: qssl.h -> curl_qssl.h
- renamed: rawstr.h -> curl_rawstr.h
- renamed: rtsp.h -> curl_rtsp.h
- renamed: select.h -> curl_select.h
- renamed: sendf.h -> curl_sendf.h
- renamed: setup.h -> curl_setup.h
- renamed: setup_once.h -> curl_setup_once.h
- renamed: share.h -> curl_share.h
- renamed: slist.h -> curl_slist.h
- renamed: smtp.h -> curl_smtp.h
- renamed: sockaddr.h -> curl_sockaddr.h
- renamed: socks.h -> curl_socks.h
- renamed: speedcheck.h -> curl_speedcheck.h
- renamed: splay.h -> curl_splay.h
- renamed: ssh.h -> curl_ssh.h
- renamed: sslgen.h -> curl_sslgen.h
- renamed: ssluse.h -> curl_ssluse.h
- renamed: strdup.h -> curl_strdup.h
- renamed: strequal.h -> curl_strequal.h
- renamed: strerror.h -> curl_strerror.h
- renamed: strtok.h -> curl_strtok.h
- renamed: strtoofft.h -> curl_strtoofft.h
- renamed: telnet.h -> curl_telnet.h
- renamed: tftp.h -> curl_tftp.h
- renamed: timeval.h -> curl_timeval.h
- renamed: transfer.h -> curl_transfer.h
- renamed: url.h -> curl_url.h
- renamed: urldata.h -> curl_urldata.h
- renamed: warnless.h -> curl_warnless.h
- renamed: wildcard.h -> curl_wildcard.h
+ test845 not present in tests/data/Makefile.inc
+
+Daniel Stenberg (20 Nov 2015)
+- TODO: remove duplicated title
+
+- TODO: added two more libcurl ideas
- ----------------------------------------
-
-- build: make use of 76 lib/*.h renamed files
-
- 76 private header files renamed to use our standard naming scheme.
-
- This change affects 322 files in libcurl's source tree.
-
-- lib/*.h: use our standard naming scheme for header inclusion guards
-
-Steve Holme (28 Dec 2012)
-- imsp.c: Fixed usernames and passwords that contain escape characters
-
- Fixed a problem with sending usernames and passwords that contain
- backslash, quotation mark and space characters.
-
-Daniel Stenberg (27 Dec 2012)
-- curl.1: extend the -X, --request description
-
-- RELEASE-NOTES: synced with e3ed2b82e6
-
-- [Nick Zitzmann brought this change]
-
- darwinssl: Fixed inability to disable peer verification
-
- ... on Snow Leopard and Lion
-
- Snow Leopard introduced the SSLSetSessionOption() function, but it
- doesn't disable peer verification as expected on Snow Leopard or
- Lion (it works as expected in Mountain Lion). So we now use sysctl()
- to detect whether or not the user is using Snow Leopard or Lion,
- and if that's the case, then we now use the deprecated
- SSLSetEnableCertVerify() function instead to disable peer verification.
-
-Yang Tse (26 Dec 2012)
-- curl tool: rename hugehelp files to tool_hugehelp
-
-- curl tool: renaming hugehelp files to tool_hugehelp
-
-- sockfilt.c: commit b44da5a82a follow-up 2
-
-- sockfilt.c: commit b44da5a82a follow-up
-
-- sockfilt.c: fix some compiler warnings
+ Moved some ideas from "next major" to just ordinary ideas since we can
+ always add new things while keeping the old without doing a "next
+ major".
+
+Steve Holme (20 Nov 2015)
+- tests: Re-enabled tests 889 and 890 following POP3 fix
-- curl_multi_remove_handle: commit 0aabfd9963 follow-up
+- pop3: Differentiate between success and continuation responses
-Daniel Stenberg (25 Dec 2012)
-- lib556: enable VERBOSE to ease debugging on failures
+- pop3: Added clarity on some server response codes
-Marc Hoersken (25 Dec 2012)
-- socklift.c: Quick fix to re-add missing code
+Daniel Stenberg (20 Nov 2015)
+- [Daniel Shahaf brought this change]
-- socklift.c: Added select_ws function to support Windows
+ build: Fix theoretical infinite loops
- WinSock select() does not support standard file descriptors,
- it can only check SOCKETs. The following function is an attempt
- to create a select() function with support for other handles.
+ Add error-checking to 'cd' in a few cases where omitting the checks
+ might result in an infinite loop.
+
+ Closes #535
-Yang Tse (25 Dec 2012)
-- Enable tests 1503, 1504 and 1505
+Patrick Monnerat (19 Nov 2015)
+- curl.h: s/#defien/#define/
-- curl_multi_remove_handle: fix memory leak triggered with CURLOPT_RESOLVE
+- os400: synchronize ILE/RPG header file
-- Curl_hash_clean: OOM handling fix
+- os400: Provide options for libssh2 use in compile scripts. Adjust README.
-- test 1504 and 1505: same as 1502 but with different cleanup sequences
+Daniel Stenberg (19 Nov 2015)
+- [danielsh@apache.org brought this change]
-Daniel Stenberg (24 Dec 2012)
-- Curl_conncache_foreach: allow callback to break loop
+ zsh completion: Preserve single quotes in output
- ... and have it take a proper 'struct connectdata *' as first argument
-
-- pop3_doing: don't call pop3_dophase_done() if already failed
+ When an option's help string contains literal single quotes, those
+ single quotes would be stripped from the option's description in the
+ completion output (unless the zsh RC_QUOTES option were set while the
+ completion function was being sourced, which is not the default). This
+ patch makes the completion output contain single quotes where the --help
+ output does.
- ... it also clobbered the 'result' return value so that it wouldn't
- return the error back to the parent function properly, which broke test
- 809 when run with 'multi-always'.
+ Closes #532
-Yang Tse (23 Dec 2012)
-- test 1503: same as 1502 but with a different cleanup sequence
+Jay Satiro (18 Nov 2015)
+- [MaxGiting brought this change]
-- test 1502: OOM handling fixes
+ FAQ: Grammar changes
+
+ Closes https://github.com/bagder/curl/pull/533
-- curl_multi_wait: OOM handling fix
+Daniel Stenberg (17 Nov 2015)
+- http2: http_done: don't free already-freed push headers
+
+ The push headers are freed after the push callback has been invoked,
+ meaning this code should only free the headers if the callback was never
+ invoked and thus the headers weren't freed at that time.
+
+ Reported-by: Davey Shafik
-- [Daniel Stenberg brought this change]
+- [Anders Bakken brought this change]
- curl_multi_wait: avoid an unnecessary memory allocation
+ getconnectinfo: Don't call recv(2) if socket == -1
+
+ Closes #528
-- runtests.pl: prepend $srcdir to HTTPTLS server config files path
+- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
+
+ ... if there are more than one using the same name
-- multi.c: OOM handling fix
+- http2: minor comment typo
-- lib543.c: OOM handling fixes
+- sasl; fix checksrc warnings
-- configure: add internal sanity check (warn only) on vars for makefiles
+Steve Holme (15 Nov 2015)
+- RELEASE-NOTES: Adjusted for the recent OAuth 2.0 activity
-Daniel Stenberg (21 Dec 2012)
-- SCP: relative path didn't work
+- tests: Disabled 889 and 890 until we support POP3 continuation responses
- When prefixing a path with /~/ it is supposed to be used relative to the
- user's home directory but it didn't work. Now we cut off the entire
- three byte sequenct "/~/" which seems to be how OpenSSH does it.
+ As POP3 final and continuation responses both begin with a + character,
+ and both the finalcode and contcode variables in SASLprotoc are set as
+ such, we cannot tell the difference between them when we are expecting
+ an optional continuation from the server such as the following:
- Bug: http://curl.haxx.se/bug/view.cgi?id=1173
- Reported by: Balaji Parasuram
-
-Yang Tse (21 Dec 2012)
-- configure: LIBMETALINK_CFLAGS actually is LIBMETALINK_CPPFLAGS
+ + something else from the server
+ +OK final response
+
+ Disabled these tests until such a time we can tell the responses apart.
-- configure: add minimal sanity check on user provided CFLAGS and CPPFLAGS
+- tests: Corrected typos from commit ba4d8f7eba
-- bundles connection caching: some out of memory handling fixes
+- tests: Added OAUTHBEARER failure response tests
-- libntlmconnect.c: fix compiler warnings and OOM handling
+- oauth2: Support OAUTHBEARER failures sent as continuation responses
+
+ According to RFC7628 a failure message may be sent by the server in a
+ base64 encoded JSON string as a continuation response.
+
+ Currently only implemented for OAUTHBEARER and not XAUTH2.
-- configure.ac: clear local test intended variables before use
+Daniel Stenberg (15 Nov 2015)
+- RELEASE-NOTES: synced with 808a17ee675
-- VC6 IDE: link with advapi32.lib when using WIN32 crypto API (md5.c)
+Steve Holme (14 Nov 2015)
+- tests: Renamed existing OAuth 2.0 (XOAUTH) tests
-- curl-functions.m4: improve gethostname arg 2 data type check
+- tests: Added OAuth 2.0 (OAUTHBEARER) tests
-- setup_once.h: HP-UX specific 'bool', 'false' and 'true' definitions.
+- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
- Also reverts commit f254c59dc7
+ OAUTHBEARER is now the official "registered" SASL mechanism name for
+ OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some
+ servers won't support the new mechanism yet.
-- configure: check if compiler halts on function prototype mismatch
+Daniel Stenberg (13 Nov 2015)
+- RELEASE-NOTES: recounted curl_easy_setopt() options
-- warnless.c: fix compiler warnings
+- typecheck-gcc.h: add missing slist-using options
+
+ CURLOPT_RESOLVE and CURLOPT_PROXYHEADER were missing
+
+ Also sorted the list.
+
+- typecheck-gcc.h: added CURLOPT_CLOSESOCKETDATA
+
+ ... and sorted curl_is_cb_data_option alphabetically
-- curl-functions.m4: add gethostname arg 2 data type check and definition
+Jay Satiro (13 Nov 2015)
+- [Sebastian Pohlschmidt brought this change]
-Daniel Stenberg (14 Dec 2012)
-- [Nick Zitzmann brought this change]
+ openssl: Free modules on cleanup
+
+ Curl_ossl_init calls OPENSSL_load_builtin_modules() but
+ Curl_ossl_cleanup doesn't make a call to free these modules.
+
+ Bug: https://github.com/bagder/curl/issues/526
- darwinssl: Fix implicit conversion compiler warnings
+Steve Holme (13 Nov 2015)
+- symbols-in-versions: Added new CURLOPTTYPE_STRINGPOINT alias
- The Clang compiler found a few implicit conversion problems that have
- now been fixed.
+ ...following commit aba281e762 to fix test 1119.
-Yang Tse (14 Dec 2012)
-- setup_once.h: HP-UX <sys/socket.h> issue workaround
+Daniel Stenberg (13 Nov 2015)
+- curl: mark two more options strings for --libcurl output
+
+- typecheck-gcc.h: add some missing string types
- Issue: When building a 32bit target with large file support HP-UX
- <sys/socket.h> header file may simultaneously provide two different
- sets of declarations for sendfile and sendpath functions, one with
- static and another with external linkage. Given that we do not use
- mentioned functions we really don't care which linkage is the
- appropriate one, but on the other hand, the double declaration emmits
- warnings when using the HP-UX compiler and errors when using modern
- gcc versions resulting in fatal compilation errors.
+ Also sorted that list alphabetically
+
+- curl.h: introducing the STRINGPOINT alias
- Mentioned issue is now fixed as long as we don't use sendfile nor
- sendpath functions.
+ As an alias for OBJECTPOINT. Provided to allow us to grep for all string
+ options easier.
-- setup_once.h: refactor inclusion of <unistd.h> and <sys/socket.h>
+- cleanup: general removal of TODO (and similar) comments
- Inclusion of top two most included header files now done in setup_once.h
+ They tend to never get updated anyway so they're frequently inaccurate
+ and we never go back to revisit them anyway. We document issues to work
+ on properly in KNOWN_BUGS and TODO instead.
+
+- ftplistparser: remove empty function
-- setup_once.h: HP-UX specific TRUE and FALSE definitions
+- openssl: remove #if check for 0.9.7 for ENGINE_load_private_key
+
+- openssl: all supported versions have X509_STORE_set_flags
- Some HP-UX system headers require TRUE defined to 1 and FALSE to 0.
+ Simplify by removing #ifdefs and macros
+
+- openssl: remove 0.9.3 check
-Daniel Stenberg (12 Dec 2012)
-- gopher: #include cleanup
+- openssl: remove #ifdefs for < 0.9.5 support
- Remove all system file includes from this file as they're not needed
+ We only support >= 0.9.7
+
+- lib/vtls/openssl: remove unused traces of yassl ifdefs
+
+Dan Fandrich (12 Nov 2015)
+- [dfandrich brought this change]
+
+ unit1603: Demote hash mismatch failure to a warning
- Reported by: Dan Fandrich
+ The hashes can vary between architectures (e.g. Sparc differs from x86_64).
+ This is not a fatal problem but just reduces the coverage of these white-box
+ tests, as the assumptions about into which hash bucket each key falls are no
+ longer valid.
+
+- [dfandrich brought this change]
-Yang Tse (11 Dec 2012)
-- examples/simplessl.c: fix compiler warning
+ unit1603: Added unit tests for hash functions
-- examples/externalsocket.c: fix SunPro compilation issue
+- [dfandrich brought this change]
+
+ unit1602: Fixed failure in torture test
+
+Steve Holme (12 Nov 2015)
+- sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism
+
+ Following the fix in commit d6d58dd558 it is necessary to re-introduce
+ XOAUTH2 in the default enabled authentication mechanism, which was
+ removed in commit 7b2012f262, otherwise users will have to specify
+ AUTH=XOAUTH2 in the URL.
+
+ Note: OAuth 2.0 will only be used when the bearer is specified.
-- examples/simplessl.c: fix compiler warning
+- [Stefan Bühler brought this change]
-- build: add bundles and conncache files to other build systems
+ sasl_sspi: fix identity memory leak in digest authentication
-- conncache: fix enumerated type mixed with another type
+- [Stefan Bühler brought this change]
-- examples/anyauthput.c: fix Tru64 compilation issue
+ sasl_sspi: fixed unicode build for digest authentication
+
+ Closes #525
-Daniel Stenberg (8 Dec 2012)
-- [Colin Watson brought this change]
+- oauth2: Re-factored OAuth 2.0 state variable
- configure: fix cross pkg-config detection
+- sasl: Don't choose OAuth 2.0 if mechanism not advertised
- When cross-compiling, CURL_CHECK_PKGCONFIG was checking for the cross
- pkg-config using ${host}-pkg-config.
+ Regression from commit 9e8ced9890 which meant if --oauth2-bearer was
+ specified but the SASL mechanism wasn't supported by the server then
+ the mechanism would be chosen.
+
+Daniel Stenberg (12 Nov 2015)
+- runtests: more compact "System characteristics" output
- The gold standard for doing this correctly is pkg-config's own macro,
- PKG_PROG_PKG_CONFIG. However, on the assumption that you have a good
- reason not to use that directly (reduced dependencies for maintainer
- builds?), the behaviour of cURL's version should at least match.
- PKG_PROG_PKG_CONFIG uses AC_PATH_TOOL, which ultimately ends up trying
- ${host_alias}-pkg-config; this is not quite the same as what cURL does,
- and may differ because ${host} has been run through config.sub. For
- instance, when cross-building to the armhf architecture on Ubuntu,
- ${host_alias} is arm-linux-gnueabihf while ${host} is
- arm-unknown-linux-gnueabihf. This may also have been the cause of the
- problem reported at http://curl.haxx.se/mail/lib-2012-04/0224.html.
+ - no point in repeating curl features that is already listed as features
+ from the curl -V output
- AC_PATH_TOOL is significantly simpler than cURL's current code, and
- dates back to well before the current minimum of Autoconf 2.57, so let's
- use it instead.
+ - remove the port numbers/unix domain path from the output unless
+ verbose is used, as that is rarely interesting to users.
-- [Linus Nielsen Feltzing brought this change]
+- runtests: rename conditional curl-features to $has_[name]
- Introducing a new persistent connection caching system using "bundles".
+Steve Holme (11 Nov 2015)
+- oauth2: Introduced support for host and port details
- A bundle is a list of all persistent connections to the same host.
- The connection cache consists of a hash of bundles, with the
- hostname as the key.
- The benefits may not be obvious, but they are two:
+ Added support to the OAuth 2.0 message function for host and port, in
+ order to accommodate the official OAUTHBEARER SASL mechanism which is
+ to be added shortly.
+
+- curl_setup.h: Removed duplicate CURL_DISABLE_RTSP when HTTP_ONLY defined
+
+- cmake: Add missing feature macros in config header (Part 2)
- 1) Faster search for connections to reuse, since the hash
- lookup only finds connections to the host in question.
- 2) It lays out the groundworks for an upcoming patch,
- which will introduce multiple HTTP pipelines.
+ In addition to commit a215381c94 added the RTSP, RTMP and SMB protocols.
+
+Daniel Stenberg (10 Nov 2015)
+- [Douglas Creager brought this change]
+
+ cmake: Add missing feature macros in config header
- This patch also removes the awkward list of "closure handles",
- which were needed to send QUIT commands to the FTP server
- when closing a connection.
- Now we allocate a separate closure handle and use that
- one to close all connections.
+ The curl_config.h file can be generated either from curl_config.h.cmake
+ or curl_config.h.in, depending on whether you're building using CMake or
+ the autotools. The CMake template header doesn't include entries for
+ all of the protocols that you can disable, which (I think) means that
+ you can't actually disable those protocols when building via CMake.
- This has been tested in a live system for a few weeks, and of
- course passes the test suite.
+ Closes #523
+
+- [Douglas Creager brought this change]
-- [Fabian Keil brought this change]
+ BoringSSL: Work with stricter BIO_get_mem_data()
+
+ BoringSSL implements `BIO_get_mem_data` as a function, instead of a
+ macro, and expects the output pointer to be a `char **`. We have to add
+ an explicit cast to grab the pointer as a `const char **`.
+
+ Closes #524
- runtests and friends: Do not add undefined values to @INC
+- http2: rectify the http2 version #if check
- On FreeBSD this fixes the warning:
- Use of uninitialized value $p in string eq at /usr/local/lib/perl5/5.14.2/BSDPAN/BSDPAN.pm line 36.
+ We need 1.0.0 or later. Also verified by configure.
+
+Steve Holme (9 Nov 2015)
+- oauth2: Don't use XAUTH2 in OAuth 2.0 function name
+
+- oauth2: Don't use XOAUTH2 in OAuth 2.0 variables
-Steve Holme (5 Dec 2012)
-- Merge pull request #52 from isn-/master
+- oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
- small compilation fix
+ When referring to OAuth 2.0 we should use the official name rather the
+ SASL mechanism name.