Changelog
-Daniel Stenberg (15 Dec 2010)
-- RELEASE-NOTES: synced with a865bd9fbaaa43e5c
+Version 7.48.0 (23 Mar 2016)
-- IsPipeliningPossible: only for HTTP
-
- The function that checks if pipelining is possible now requires the HTTP
- bit to be set so that it doesn't mistakenly tries to do it for other
- protocols.
+Daniel Stenberg (23 Mar 2016)
+- RELEASE-NOTES: curl 7.48.0
+
+- THANKS: 15 new contributors from 7.48.0 release
+
+Jay Satiro (23 Mar 2016)
+- CURLINFO_TLS_SSL_PTR.3: Warn about limitations
- Bug: http://curl.haxx.se/mail/lib-2010-12/0152.html
- Reported by: Dmitri Shubin
+ Bug: https://github.com/curl/curl/issues/685
-- multi_runsingle: don't timeout completed handles
+Daniel Stenberg (22 Mar 2016)
+- Revert "sshserver: remove use of AuthorizedKeysFile2"
- The generic timeout code must not check easy handles that are already
- completed. Going to completed (again) within there risked decreasing the
- number of alive handles again and thus it could go negative.
+ It seems we may have some autobuild problems after this commit went
+ in. Trying to see if a revert helps to get them back.
- This regression bug was added in 7.21.2 in commit ca10e28f06f1
+ This reverts commit 2716350d1f3edc8e929f6ceeee05051090f6d642.
-- symbols-in-versions: CURLOPT_KEYPASSWD fixed
+- maketgz: add -j to make dist
- It was added in 7.17.0 and is not deprecated
-
-- RELEASE-NOTES: synced with c28443c551825
+ ... makes it a lot faster
-Dan Fandrich (8 Dec 2010)
-- Mention that using other libraries can affect app licensing
+- libcurl-thread.3: minor nroff format fix
-Yang Tse (7 Dec 2010)
-- easy: fix compiler warning: end-of-loop code not reached
+- CURLINFO_TLS_SSL_PTR.3: minor nroff format fix
-Daniel Stenberg (6 Dec 2010)
-- disconnect: pass on the dead_connection argument
+- CODE_STYLE: indend example code
- Cleanup fix after Kamil's commit 5c7c9a768d0093
+ ... to make it look nicer in markdown outputa
-Yang Tse (6 Dec 2010)
-- sws: fix compier warning: external definition with no prior declaration
-
-Daniel Stenberg (6 Dec 2010)
-- [Heinrich Ko brought this change]
+Jay Satiro (22 Mar 2016)
+- build-wolfssl: Update VS properties for wolfSSL v3.9.0
+
+ - Do not use wolfSSL's sample user-setting files.
+
+ wolfSSL starting in v3.9.0 has added their own sample user settings that
+ are applied by default, but we don't use them because we have our own
+ settings.
+
+ - Do not use wolfSSL's Visual Studio Unicode character setting.
+
+ wolfSSL Visual Studio projects use the Unicode character set however our
+ settings and options imitate mingw build which does not use the Unicode
+ character set. This does not appear to have any effect at the moment but
+ better safe than sorry.
+
+
+ These changes are backwards compatible with earlier versions.
- ossl_connect_common: detect connection re-use
+Steve Holme (22 Mar 2016)
+- hostip6: Fixed compilation warnings when verbose strings disabled
- ossl_connect_common() now checks whether or not 'struct
- connectdata->state' is equal 'ssl_connection_complete' and if so, will
- return CURLE_OK with 'done' set to 'TRUE'. This check prevents
- ossl_connect_common() from creating a new ssl connection on an existing
- ssl session which causes openssl to fail when it tries to parse an
- encrypted TLS packet since the cipher data was effectively thrown away
- when the new ssl connection was created.
+ warning C4189: 'data': local variable is initialized but not referenced
- Bug: http://curl.haxx.se/mail/lib-2010-11/0169.html
+ ...and some minor formatting/spacing changes.
-Kamil Dudka (6 Dec 2010)
-- url: provide dead_connection flag in Curl_handler::disconnect
+Daniel Stenberg (21 Mar 2016)
+- sshserver: remove use of AuthorizedKeysFile2
+
+ Support for the (undocumented) AuthorizedKeysFile2 was removed in
+ OpenSSH 5.9, released in September 2011
- It helps to prevent a hangup with some FTP servers in case idle session
- timeout has exceeded. But it may be useful also for other protocols
- that send any quit message on disconnect. Currently used by FTP, POP3,
- IMAP and SMTP.
+ Closes #715
-Yang Tse (6 Dec 2010)
-- ssh: fix a download resume point calculation
+Steve Holme (20 Mar 2016)
+- connect/ntlm/http: Fixed compilation warnings when verbose strings disabled
+
+ warning C4189: 'data': local variable is initialized but not referenced
-Daniel Stenberg (5 Dec 2010)
-- Curl_wait_for_resolv: correct timeout
+- openssl: Fixed compilation warning when /Wall enabled
- When looping in this function and checking for the timeout being
- expired, it was not updating the reference time when calculating the
- timediff since previous round which made it think each subsequent loop
- to have taken longer than it actually did.
+ warning C4706: assignment within conditional expression
+
+- CODE_STYLE: Use boolean conditions
- I also modified the function to use the generic Curl_timeleft() function
- instead of the custom logic.
+ Rather than use TRUE, FALSE, NULL, 0 or != 0 in if/while conditions.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3112579
+ Additionally, corrected some example code to adhere to the recommended
+ coding style.
-- Curl_send/recv_plain: return errno on failure
+- inet_pton.c: Fixed compilation warnings
- When send() and recv() fail, we now store the errno value to allow the
- app to access it.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=3128121
- Reported by: Yuri
+ warning: conversion to 'unsigned char' from 'int' may alter its value
-Guenter Knauf (5 Dec 2010)
-- Updated OpenSSL version.
+Daniel Stenberg (19 Mar 2016)
+- RELEASE-NOTES: synced with 80851028efc2fa9
-Yang Tse (4 Dec 2010)
-- fix compiler warning: conversion may lose significant bits
+- mbedtls: fix compiler warning
+
+ vtls/mbedtls.h:67:36: warning: implicit declaration of function
+ ‘mbedtls_sha256’ [-Wimplicit-function-declaration]
-- fix compiler warning: assignment within conditional expression
+Steve Holme (19 Mar 2016)
+- easy: Minor coding standard and style updates
+
+ Following commit c5744340db. Additionally removes the need for a second
+ 'result code' variable as well.
-- fix getinfo CURLINFO_LOCAL* for reused connections (take 2) follow-up
+Jay Satiro (19 Mar 2016)
+- easy: Remove poll failure check in easy_transfer
- - Show address string from proper buffer in case of connection failure.
+ .. because curl_multi_wait can no longer signal poll failure.
- - Try next address when inet_ntop() fails.
-
-Daniel Stenberg (3 Dec 2010)
-- version-check: added brief documentation
+ follow-up to 77e1726
- and the traditional source header
+ Bug: https://github.com/curl/curl/issues/707
-Yang Tse (3 Dec 2010)
-- build: provide SIZEOF_SIZE_T DOS definition
+Steve Holme (19 Mar 2016)
+- build: Added missing Visual Studio filter files for VC10 onwards
+
+ As these files don't need to contain references to the source files,
+ although typically do, added basic files which only include three
+ filters and don't require the project file generator to be modified.
+
+ These files allow the source code to be viewed in the Solution Explorer
+ in versions of Visual Studio from 2010 onwards in the same manner as
+ previous versions did rather than one large view of files.
-- build: lib/config.dos renamed to lib/config-dos.h
+- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
+
+ warning C4706: assignment within conditional expression
-- build: provide SIZEOF_SIZE_T VMS definition
+- config-w32.h: Fixed compilation warning when /Wall enabled
+
+ warning C4668: 'USE_IPV6' is not defined as a preprocessor macro,
+ replacing with '0' for '#if/#elif'
-- build: move config-vms.h from subdir 'packages/vms' into 'lib'
+- imap.c: Fixed compilation warning with /Wall enabled
+
+ warning C4701: potentially uninitialized local variable 'size' used
+
+ Technically this can't happen, as the usage of 'size' is protected by
+ 'if(parsed)' and 'parsed' is only set after 'size' has been parsed.
+
+ Anyway, lets keep the compiler happy.
-- build: provide SIZEOF_SIZE_T definition for non-configure builds
+- KNOWN_BUGS: #93 Issue with CURLFORM_CONTENTLEN in arrays on 32-bit platforms
-- build: provide SIZEOF_SIZE_T netware definition
+Daniel Stenberg (18 Mar 2016)
+- bump: the coming release is 7.48.0
-- configure: undo using autobuilds to temporarily verify strict aliasing warnings.
+- configure: use cpp -P when needed
+
+ Since gcc 5, the processor output can get split up on multiple lines
+ that made the configure script fail to figure out values from
+ definitions. The fix is to use cpp -P, and this fix now first checks if
+ cpp -P is necessary and then if cpp -P works before it uses that to
+ extract defined values.
+
+ Fixes #719
-- fix compiler warning: rounding, sign extension, or loss of accuracy may result
+Steve Holme (18 Mar 2016)
+- formdata.c: Fixed compilation warning
+
+ formdata.c:390: warning: cast from pointer to integer of different size
+
+ Introduced in commit ca5f9341ef this happens because a char*, which is
+ 32-bits wide in 32-bit land, is being cast to a curl_off_t which is
+ 64-bits wide where 64-bit integers are supported by the compiler.
+
+ This doesn't happen in 64-bit land as a pointer is the same size as a
+ curl_off_t.
+
+ This fix doesn't address the fact that a 64-bit value cannot be used
+ for CURLFORM_CONTENTLEN when set in a form array and compiled on a
+ 32-bit platforms, it does at least suppress the compilation warning.
-- fix compiler warning: statement is not reachable
+Daniel Stenberg (18 Mar 2016)
+- FAQ: 2.5 Install libcurl for both 32bit and 64bit?
-- fix compiler warning: conversion may lose significant bits
+- [Gisle Vanem brought this change]
-- connect: fix compiler warning: unused variable
+ openssl: adapt to API breakage in ERR_remove_thread_state()
+
+ The OpenSSL API change that broke this is "Convert ERR_STATE to new
+ multi-threading API": openssl commit 8509dcc.
+
+ Closes #713
-- fix getinfo CURLINFO_LOCAL* for reused connections (take 2)
+- version: init moved to private name space, added protos
+
+ follow-up to 80015cdd52145
-- fix getinfo CURLINFO_LOCAL* for reused connections follow-up
+- openssl: verbose: show matching SAN pattern
- Reinstate IPV6 build variable that got removed.
+ ... to allow users to see which specfic wildcard that matched when such
+ is used.
+
+ Also minor logic cleanup to simplify the code, and I removed all tabs
+ from verbose strings.
+
+Jay Satiro (16 Mar 2016)
+- version: thread safety
-- fix getinfo CURLINFO_LOCAL* for reused connections
+Steve Holme (16 Mar 2016)
+- transfer: Removed redundant HTTP authentication include files
- Failed to commit this file changes along with the others.
+ It would also seem that share.h is not required here either as there
+ are no references to the Curl_share structure or functions.
-- fix getinfo CURLINFO_LOCAL* for reused connections
+- easy: Removed redundant HTTP authentication include files
-- atoi: remove atoi usage
+Jay Satiro (15 Mar 2016)
+- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
+
+ Bug: https://curl.haxx.se/mail/lib-2016-03/0150.html
+ Reported-by: Oliver Graute
-- multi: fix compiler warning: conversion may lose significant bits follow-up
+Steve Holme (15 Mar 2016)
+- curl_sasl: Minor code indent fixes
-- ftp: fix 'bool' data type implementation dependant usage
+Daniel Stenberg (14 Mar 2016)
+- runtests: mention when run event-based
-- multi: fix compiler warning: conversion may lose significant bits
+- easy: add check to malloc() when running event-based
+
+ ... to allow torture tests then too.
-- multi: fix compiler warning: enumerated type mixed with another type
+- memdebug: skip logging the limit countdown, fflush when reached
-- hostip: edit comment
+- CODE_STYLE: Space around operators
+
+ As just discussed on the mailing list, also document how we prefer
+ spacing in expressions.
-- xattr: fix compiler warning: enumerated type mixed with another type
+- curl: glob_range: no need to check unsigned variable for negative
+
+ cppcheck warned:
+
+ [src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n'
+ is less than zero.
-- s/isspace/ISSPACE
+- CODE_STYLE: add example for indent style as well
-- symbol-scan: use configure script knowledge about how to run the C preprocessor
+- CODE_STYLE: mention braces for functions too
-- ignore file generated by configure
+- docs/Makefile.am: include CODE_STYLE in tarball too
-- curl_multi_info_read: fix compiler warning: conversion may lose significant bits
+- CONTRIBUTE: moved out code style to a separate document
-- inet_pton: fix compiler warning
+- CODE_STYLE: initial version
- warning C4146: unary minus operator applied to unsigned type, result still unsigned
+ Ripped out from CONTRIBUTE into its own document, but also extended from
+ there.
-- Curl_getaddrinfo_ex: sanitize function results follow-up.
+- curl_sasl.c: minor code indent fixes
-- Curl_getaddrinfo_ex: sanitize function results.
+- multi: simplified singlesocket
- Ensure that spurious results from system's getaddrinfo() ares not propagated
- by Curl_getaddrinfo_ex() into the library.
+ Since sh_getentry() now checks for invalid sockets itself and by
+ narrowing the scope of the remove_sock_from_hash variable.
+
+- multi: introduce sh_getentry() for looking up sockets in the sockhash
- Also ensure that the ai_addrlen member of Curl_getaddrinfo_ex()'s output linked
- list of Curl_addrinfo structures has appropriate family-specific address size.
+ Simplify the code by using a single entry that looks for a socket in the
+ socket hash. As indicated in #712, the code looked for CURL_SOCKET_BAD
+ at some point and that is ineffective/wrong and this makes it easier to
+ avoid that.
-Kamil Dudka (22 Nov 2010)
-- openldap: use remote port in URL passed to ldap_init_fd()
+- [Jaime Fullaondo brought this change]
+
+ multi hash: ensure modulo performed on curl_socket_t
- ... not the proxy port. It makes no difference unless a proxy is used.
+ Closes #712
+
+Steve Holme (13 Mar 2016)
+- base64: Minor coding standard and style updates
-Yang Tse (20 Nov 2010)
-- gtls: define and use gtls_EAGAIN, gtls_EINTR and gtls_EIO.
+- base64: Use 'CURLcode result' for curl result codes
+
+- negotiate: Use 'CURLcode result' for curl result codes
+
+Daniel Stenberg (13 Mar 2016)
+- [Maksim Kuzevanov brought this change]
+
+ multi_runsingle: avoid loop in CURLM_STATE_WAITPROXYCONNECT
- Winsock builds clobber some errno.h defines in setup_once.
+ Closes #703
+
+- TODO: Use the RFC6265 test suite
-Dan Fandrich (19 Nov 2010)
-- Added a couple examples that were missing from the tar ball
+Steve Holme (13 Mar 2016)
+- checksrc.bat: Added the ability to scan src and lib source independently
-- Check for errors while preprocessing curl.h in test 1119
+- digest: Use boolean based success code for Curl_sasl_digest_get_pair()
- This showed a problem when running the test out-of-tree, so
- an include path is now being added to pick up the generated
- curlbuild.h file.
+ Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
+ based success code.
-- Use the 3-argument open for compatibility with older perls
+- digest: Corrected some typos in comments
-- [Matthias Bolte brought this change]
+- krb5: Corrected some typos in function descriptions
- Detect socket errors in GnuTLS on Windows
+- ntlm: Corrected some typos in function descriptions
+
+- url: Corrected indentation when calling idna_to_ascii_lz()
+
+- idn_win32: Use boolean based success codes
- On Windows, translate WSAGetLastError() to errno values as GNU
- TLS does it internally, too. This is necessary because send() and
- recv() on Windows don't set errno when they fail but GNU TLS
- expects a proper errno value.
+ Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
+ based success code.
+
+Daniel Stenberg (10 Mar 2016)
+- idn_win32.c: warning: Trailing whitespace
+
+Steve Holme (10 Mar 2016)
+- idn_win32.c: Fixed compilation warning from commit 9e7fcd4291
- Bug: http://curl.haxx.se/bug/view.cgi?id=3110991
+ warning C4267: 'function': conversion from 'size_t' to 'int',
+ possible loss of data
-Yang Tse (19 Nov 2010)
-- test servers: fix strict aliasing compiler warnings
+Daniel Stenberg (10 Mar 2016)
+- THANKS-filter: unify Michael König
-- configure: use autobuilds to temporarily verify strict aliasing warnings.
+- RELEASE-NOTES: synced with 863c5766dd
+
+- ftp: remove a check for NULL(!)
- Temporarily, When cross-compiling with gcc 3.0 or later, enable strict aliasing
- rules and warnings. Given that cross-compiled targets autobuilds do not run the
+ ... as it implies we need to check for that on all the other variable
+ references as well (as Coverity otherwise warns us for missing NULL
+ checks), and we're alredy making sure that the pointer is never NULL.
-Julien Chaffraix (17 Nov 2010)
-- configure: Prevent link errors with --librtmp.
+- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
- If --librtmp was specified but pkg-config could not find the librtmp
- file, we would have undefined symbols when linking curl.
+ RFC 6265 section 4.1.1 spells out that the first name/value pair in the
+ header is the actual cookie name and content, while the following are
+ the parameters.
- We prevent this error by disabling this case as suggested on the mailing
- list.
+ libcurl previously had a more liberal approach which causes significant
+ problems when introducing new cookie parameters, like the suggested new
+ cookie priority draft.
+
+ The previous logic read all n/v pairs from left-to-right and the first
+ name used that wassn't a known parameter name would be used as the
+ cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
+ a cookie named 'person' while an RFC 6265 compliant parser should
+ consider that to be a cookie named 'Max-Age' with an (unknown) parameter
+ 'person'.
+
+ Fixes #709
-Daniel Stenberg (15 Nov 2010)
-- RELEASE-NOTES: synced with cbf4961bf3e4
+- krb5: improved type handling to avoid clang compiler warnings
-- gnutls->handshake: improved timeout handling
-
- When no timeout is set, we call the socket_ready function with a timeout
- value of 0 during handshake, which makes it loop too much/fast in this
- function. It also made this function return CURLE_OPERATION_TIMEDOUT
- wrongly on a slow handshake.
+- url.c: fix clang warning: no newline at end of file
+
+- curl_multi_wait: never return -1 in 'numfds'
- However, the particular bug report that highlighted this problem is not
- solved by this fix, as this fix only makes the more proper error get
- reported instead.
+ Such a return value isn't documented but could still happen, and the
+ curl tool code checks for it. It would happen when the underlying
+ Curl_poll() function returns an error. Starting now we mask that error
+ as a user of curl_multi_wait() would have no way to handle it anyway.
- Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594150
- Reported by: Johannes Ernst
+ Reported-by: Jay Satiro
+ Closes #707
+
+- HTTP2.md: add CURL_HTTP_VERSION_2TLS and updated alt-svc link
+
+- curl_multi_wait.3: add example
-Julien Chaffraix (13 Nov 2010)
-- urldata: Capitalize enum protect_level values.
+Steve Holme (8 Mar 2016)
+- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
- This makes it easier to spot the enum values from the variables.
- Removed some unneeded DEBUGASSERT added in the previous commit.
+ Regression since commit 710f14edba.
+
+ Bug: https://github.com/curl/curl/issues/422
+ Reported-by: Justin Ehlert
-- security: tighten enum protection_level usage.
+Jay Satiro (8 Mar 2016)
+- opt-docs: fix heading macros
- While changing Curl_sec_read_msg to accept an enum protection_level
- instead of an int, I went ahead and fixed the usage of the associated
- fields.
+ ..SH should be .SH
- Some code was assuming that prot_clear == 0. Fixed those to use the
- proper value. Added assertions prior to any code that would set the
- protection level.
+ Bug: https://github.com/curl/curl/issues/705
+ Reported-by: Eric S. Raymond
-Yang Tse (13 Nov 2010)
-- configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected in body
+Kamil Dudka (8 Mar 2016)
+- [Tim Rühsen brought this change]
-Daniel Stenberg (12 Nov 2010)
-- curl.1: "a file", not an
+ cookie: do not refuse cookies for localhost
+
+ Closes #658
-- version-check.pl: display version number for symbols
+Daniel Stenberg (8 Mar 2016)
+- ftp_done: clear tunnel_state when secondary socket closes
- This script is the start of a helper tool that scans a source code and
- outputs the most recent libcurl version it finds symbols for. Meaning
- that if there's no conditions in the code, that's the earliest libcurl
- version the scanned code requires.
+ Introducing a function for closing the secondary connection to make this
+ bug less likely to happen again.
- It is not added to the Makefile.am yet as it is still a bit crude, but
- I'm committing it to keep it and allow us to work on it.
+ Reported-by: daboul
+ Closes #701
-- [Adam Light brought this change]
+- [Gisle Vanem brought this change]
- Makefile.vc6: fixed the xattr.c compile
+ openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
-Julien Chaffraix (12 Nov 2010)
-- krb5: Use GSS_ERROR to check for error.
-
- This is the advised way of checking for errors in the GSS-API RFC.
- Also added some '\n' to the error message so that they are not mixed
- with other outputs.
+- HTTP2.md: HTTP/2 by default for curl's HTTPS connections
-- security: Pass the right parameter to init.
-
- init is expecting app_data. Passing it the struct connecdata would make
- us crash later.
+- [Anders Bakken brought this change]
-Daniel Stenberg (11 Nov 2010)
-- HTTP Auth: Add CURLAUTH_ONLY
+ pipeline: Sanity check pipeline pointer before accessing it.
- This is a meta symbol. OR this value together with a single specific
- auth value to force libcurl to probe for un-restricted auth and if not,
- only that single auth algorithm is acceptable.
+ I got a crash with this stack:
- For example you can use CURLAUTH_DIGEST|CURLAUTH_ONLY to make libcurl
- first probe for what method to use, but yet only consider Digest to be
- acceptable.
+ curl/lib/url.c:2873 (Curl_removeHandleFromPipeline)
+ curl/lib/url.c:2919 (Curl_getoff_all_pipelines)
+ curl/lib/multi.c:561 (curl_multi_remove_handle)
+ curl/lib/url.c:415 (Curl_close)
+ curl/lib/easy.c:859 (curl_easy_cleanup)
- Using _only_ CURLAUTH_DIGEST without the CURLAUTH_ONLY field, will make
- libcurl explicitly use Digest right away and not do any probing.
+ Closes #704
-- ip_version: moved to connection struct
+- HTTP2.md: mention the disable ALPN and NPN options
+
+- TODO: 17.12 keep running, read instructions from pipe/socket
- The IP version choice was previously only in the UserDefined struct
- within the SessionHandle, but since we sometimes alter that option
- during a request we need to have it on a per-connection basis.
+ And delete trailing whitespace
+ And rename section 17 to "command line tool" from "client"
- I also moved more "init conn" code into the allocate_conn() function
- which is designed for that purpose more or less.
+ Closes #702
-Yang Tse (11 Nov 2010)
-- buildconf: MAC OS X requires libtool version 1.5.26 or newer
+- README.md: linkified
- MAC OS X requires libtool version 1.5.26 or newer, otherwise
- configure will mishandle *.dSYM directories when it runs.
-
-- configure: remove temporary autobuilds exercising of xattr function tests
+ It also makes it less readable as plain text, so let's keep this
+ primarily for github use.
+
+ Removed the top ascii art logo, as it looks weird when markdownified.
-- configure: use autobuilds to temporarily exercise xattr function tests
+- README.md: markdown version of README
+
+ Attempt to make it look more appealing on github
-- xattr: portability fix
+Jay Satiro (6 Mar 2016)
+- mprintf: update trio project link
-- curl-functions: provide xattr function tests that also check number of arguments
+Daniel Stenberg (6 Mar 2016)
+- CURLOPT_ACCEPTTIMEOUT_MS.3: added example
-Daniel Stenberg (10 Nov 2010)
-- test1120: verify FTP response 421
-
- curl mustn't try to use the control connection after the 421 is received
+- CURLOPT_ACCEPT_ENCODING.3: added example
-- ftpserver.pl: spellfix comment
+- CURLOPT_APPEND.3: added example
-- [Rutger Hofman brought this change]
+- CURLOPT_NOPROGRESS.3: added example, conform to stardard style
- TFTP: resend the correct data
+Steve Holme (6 Mar 2016)
+- build-openssl/checksrc.bat: Fixed prepend vs append of Perl path
- I found a bug in tftp_tx() in tftp.c. If a data resend is done after
- reception of an ACK/OACK, the call to sendto is wrong.
+ Fixed inconsistency from commit 1eae114065 and 0ad6c72227 of the order
+ in which Perl was added to the PATH.
+
+Daniel Stenberg (6 Mar 2016)
+- opts: added two examples
-- [Stefan Tomanek brought this change]
+- CURLOPT_SSL_CTX_FUNCTION.3: use .NF for example
- write extended attributes by using fsetxattr
+- CURLOPT_SSL_CTX_FUNCTION.3: added example
- Instead of reopening the downloaded file, fsetxattr uses the (already
- open) file descriptor to attach extended attributes. This makes the
- procedure more robust against errors caused by moved or deleted files.
+ and removed erroneous reference to test case lib509
-Dan Fandrich (9 Nov 2010)
-- Check for getinfo errors before setting attributes
+- curlx.c: use more curl style code
-Kamil Dudka (9 Nov 2010)
-- ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT
+- test46: change cookie expiry date
- Bug: https://bugzilla.redhat.com/650255
- Reported by: Simon H.
-
-Daniel Stenberg (9 Nov 2010)
-- symbols-in-version: add CURL_SOCKET_BAD
+ Since two of the cookies would now otherwise expire and cause the test
+ to fail after commit 20de9b4f09
- I also documented the filtering logic in the symbol-scan.pl function to
- clarify why not all CURL_* symbols are included.
+ Discussed in #697
-Yang Tse (9 Nov 2010)
-- serial number bump
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
-Kamil Dudka (8 Nov 2010)
-- ftp: close connection as soon as ABOR has been sent
-
- ... and do not send ABOR unless really necessary.
+ makefile.m32: add missing libs for static -winssl-ssh2 builds
- Bug: https://bugzilla.redhat.com/649347
- Reported by: Simon H.
+ Bug: https://github.com/curl/curl/pull/693
-Daniel Stenberg (8 Nov 2010)
-- RELEASE-NOTES: synced with fc6c4c10f9faab08
+- mbedtls: fix user-specified SSL protocol version
- I also recounted and updated the command line and libcurl options.
+ Prior to this change when a single protocol CURL_SSLVERSION_ was
+ specified by the user that version was set only as the minimum version
+ but not as the maximum version as well.
-- help: indent the --xattr option like the others
+Steve Holme (5 Mar 2016)
+- .gitignore: Added *.VC.opendb and *.vcxproj.user files for VC14
-- curl.1: --resolve documented
+- build-openssl.bat: Fixed cannot find perl if installed but not in path
-- CURLOPT_RESOLVE: documented
+- checksrc.bat: Fixed cannot find perl if installed but not in path
-- CURLOPT_USE_SSL: move from FTP options to connection options
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
-- xattr-check: correct the comment as well
-
-- xattr: use const char * for const strings
-
-- setxattr: fix the checks
+ makefile.m32: fix to allow -ssh2-winssl combination
- My copy and paste job was a little too much copy and I missed to adjust
- it properly to sys/xattr.h all over and this is a fix to cure that.
+ In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl
+ (OpenSSL) option, with no way to override it with -winssl. Since both
+ libssh2 and curl support using Windows's built-in SSL backend, modify
+ the logic to allow that combination.
-- CURLOPT_RESOLVE: added
+- cookie: Don't expire session cookies in remove_expired
- CURLOPT_RESOLVE is a new option that sends along a curl_slist with
- name:port:address sets that will populate the DNS cache with entries so
- that request can be "fooled" to use another host than what otherwise
- would've been used. Previously we've encouraged the use of Host: for
- that when dealing with HTTP, but this new feature has the added bonus
- that it allows the name from the URL to be used for TLS SNI and server
- certificate name checks as well.
+ Prior to this change cookies with an expiry date that failed parsing
+ and were converted to session cookies could be purged in remove_expired.
- This is a first change. Surely more will follow to make it decent.
-
-Yang Tse (8 Nov 2010)
-- fix compiler warning
-
-Dan Fandrich (7 Nov 2010)
-- Added os-specific.c and xattr.c to the Symbian build files
+ Bug: https://github.com/curl/curl/issues/697
+ Reported-by: Seth Mos
-Yang Tse (7 Nov 2010)
-- xattr: fix VisualStudio builds
+Daniel Stenberg (3 Mar 2016)
+- cookie: remove redundant check
+
+ ... as it was already checked previously within the function.
+
+ Reported-by: Dmitry-Me
+ Closes #695
-- fix snapshot generation
+Jay Satiro (1 Mar 2016)
+- [Anders Bakken brought this change]
-Daniel Stenberg (5 Nov 2010)
-- --libcurl: simplify output
+ url: if Curl_done is premature then pipeline not in use
- Removed the code that was needed for libcurl before 7.19.0 which now is
- more than two years old.
+ Prevent a crash if 2 (or more) requests are made to the same host and
+ pipelining is enabled and the connection does not complete.
- Simplified the top comment and corrected the URL.
+ Bug: https://github.com/curl/curl/pull/690
-- [Alfred Gebert brought this change]
+- [Viktor Szakats brought this change]
- LDAP: detect non-binary attributes properly
+ makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
- If the query result has a binary attribute, the binary attribute is
- base64 encoded. But all following non binary attributes are also base64
- encoded which is wrong.
+ using envvars `CURL_LDFLAG_EXTRAS_DLL` and
+ `CURL_LDFLAG_EXTRAS_EXE` respectively. This
+ is useful f.e. to pass ASLR-related extra
+ options, that are required to make this
+ feature work when using the mingw toolchain.
- This is a test (LDAP server is public).
+ Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985
- curl
- ldap://x500.bund.de:389/o=Bund,c=DE?userCertificate,certificateSerialNumber?sub
- ?cn=*Woehleke*
+ Closes https://github.com/curl/curl/pull/689
-- xattr: add configure check and #ifdefs
+Daniel Stenberg (29 Feb 2016)
+- formpost: fix memory leaks in AddFormData error branches
- setxattr is a glibc call to set extended attributes, so configure now
- checks for it and the code is adapted to only build when the
- functionality is present.
+ Reported-by: Dmitry-Me
+ Fixes #688
-- [Stefan Tomanek brought this change]
+Jay Satiro (28 Feb 2016)
+- getinfo: Fix syntax error when mbedTLS
+
+ The assignment of the mbedTLS TLS session info in the parent commit was
+ incorrect. Change the assignment to a pointer to the session structure.
- save metadata to extended file attributes
+- getinfo: Add support for mbedTLS TLS session info
- It is often convinient to track back the source of a once downloaded
- file; this patch makes curl store the source URL and other metadata
- alongside the retrieved file by using the extended attributes (if
- supported by the file system and enabled by --xattr).
+ .. and preprocessor check TLS session info is defined for all backends.
+
+Daniel Stenberg (26 Feb 2016)
+- ROADMAP: clarify on the TLS proxy, mention HTTP cookies to work on
-- test: remove test 580
+- file: try reading from files with no size
- Test 580 is removed again for two reasons:
+ Some systems have special files that report as 0 bytes big, but still
+ contain data that can be read (for example /proc/cpuinfo on
+ Linux). Starting now, a zero byte size is considered "unknown" size and
+ will be read as far as possible anyway.
- 1) Some compilers aren't satisfied by just a data variable called 'test'
- when first.o wants a function called 'test'. The Solaris compiler says
- "ld: warning: symbol `test' has differing types:" while the AIX compiler
- downright rejects it.
+ Reported-by: Jesse Tan
- 2) Test case 1119 that was added after this test is way more complete
- and cover everything test 580 does and more without introducing the same
- problems.
+ Closes #681
-- Revert: use Host: name for SNI and cert name checks
+Jay Satiro (25 Feb 2016)
+- configure: warn on invalid ca bundle or path
- This reverts commit b0fd03f5b8d4520dd232a9d13567d16bd0ad8951,
- 4b2fbe1e97891f, afecd1aa13b4f, 68cde058f66b3
-
-- TODO-RELEASE: "TLS SNI use Host:" is done
+ - Warn if --with-ca-bundle file does not exist.
- 262 - Manual setting of TLS Server Name Indication - use Host:
-
-- RELEASE-NOTES: synced with 7b823badbcab9d330
-
-- curl.1: added a few missing exit codes
-
-- certcheck: use the custom Host: name for checks
+ - Warn if --with-ca-path directory does not contain certificates.
- If you use a custom Host: name in a request to a SSL server, libcurl
- will now use that given name when it verifies the server certificate to
- be correct rather than using the host name used in the actual URL.
-
-- SNI: simplify the custom host name use
+ - Improve help messages for both.
- The redirect check is already done at the position where the customhost
- field is assigned so there's no point in doing that a second time.
-
-- host: get the custom Host: name more genericly
+ Example configure output:
- When given a custom host name in a Host: header, we can use it for
- several different purposes other than just cookies, so we rename it and
- use it for SSL SNI etc.
-
-- [Hongli Lai (Phusion) brought this change]
-
- SNI: set name to custom Host header
+ ca cert bundle: /some/file (warning: certs not found)
+ ca cert path: /some/dir (warning: certs not found)
- OpenSSL SNI host name should be set to the custom Host header, if the
- user provided one.
+ Bug: https://github.com/curl/curl/issues/404
+ Reported-by: Jeffrey Walton
-- fopen.c: re-indented, fixed previous mistake
+Daniel Stenberg (24 Feb 2016)
+- Curl_read: check for activated HTTP/1 pipelining, not only requested
- I've made the code intended using curl-style now to look more like other
- examples.
+ ... as when pipelining is used, we read things into a unified buffer and
+ we don't do that with HTTP/2. This could then easily make programs that
+ set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX to get data
+ intermixed or plain broken between HTTP/2 streams.
- My previous "fix" was a bit too invasive but is now fixed again.
+ Reported-by: Anders Bakken
-- multi use: call multi_perform even on select() timeouts
+Patrick Monnerat (24 Feb 2016)
+- os400: Fix ILE/RPG definition of CURLOPT_TFTP_NO_OPTIONS
-- example: add smtp-multi.c
+Jay Satiro (23 Feb 2016)
+- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
- An example application source code sending SMTP mail with the multi
- interface. It is based on the code Alona Rossen provided, which in turn
- is based on existing example/test code, and I converted it even more
- into a decent example with a fair multi API use, put the info required
- to edit at the top and I added some comments.
-
-- CURLOPT_NOSIGNAL: add blurb about SIGPIPE
-
-Dan Fandrich (3 Nov 2010)
-- Allow building test 580 out of tree
-
-Daniel Stenberg (3 Nov 2010)
-- dist: add symbol-scan.pl to the tarball
-
-- test1119: verify symbols-in-versions
-
-- runtests: allow tests written as perl scripts
-
- If a command is set type="perl", it can now specify a perl program that will
- be run instead of an ordinary curl or built tool.
-
- A perl test automatically disables memory and valgrind debugging.
-
-- symbol-scan: verifies symbols-in-versions
+ The two options are almost the same, except in the case of OpenSSL:
- This new script scans for all enums and #defines used by the curl/curl.h
- and curl/multi.h headers. Then it reads all symbols mentioned in
- symbols-in-vesions and make sure that there's no entries missing in
- there. It then proceeds to verify that the entries that
- symbols-in-vesions mentions but aren't found in the sources are truly
- documented as removed.
+ CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.
- This script is used in the new test case 1119
-
-- symbols-in-versions: added 119 missing symbols
+ CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.
- I've developed a script I call symbol-scan.pl that scans the curl.h and
- multi.h header files and compare the symbols it finds in there with the
- symbols symbols-in-versions documents and outputs a report on the
- differences. Using this I've dug through the history to fill up
- symbols-in-versions with all the symbols my script found mismatches for.
+ For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to
+ return an SSL pointer for OpenSSL.
- I will commit symbol-scan.pl separatly and think of a way to put it to
- use in the build/tests so that we from now on will get this in-sync
- check automatically.
-
-Dan Fandrich (2 Nov 2010)
-- Added mk580.pl to the tar ball
-
-Daniel Stenberg (2 Nov 2010)
-- symbols-in-versions: added missing symbols
-
-- ignore: lib580.c is generated by mk580.pl
-
-- test: added test 580 - verifies symbols-in-versions
+ Also, add support for the 'internals' member to point to SSL object for
+ the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and
+ wolfSSL.
- The new perl script mk580.pl generates a C table in a fresh source file
- named lib580.c and if that compiles fine we know that the file
- docs/libcurl/symbols-in-versions at least doesn't include any symbols
- that are misspelled.
+ Bug: https://github.com/curl/curl/issues/234
+ Reported-by: dkjjr89@users.noreply.github.com
- An additional feature would be to somehow scan curl/curl.h and compare
- with symbols-in-versions to see if there are symbols missing.
-
-- spellfix: CURLOPT_TFTP_BLKSIZE it is
+ Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html
+ Reported-by: Michael König
-Kamil Dudka (29 Oct 2010)
-- ftp: prevent server from hanging on closed data connection
+Daniel Stenberg (23 Feb 2016)
+- multi_remove_handle: keep the timeout list until after disconnect
- Some FTP servers (e.g. Pure-ftpd) end up hanging if we close the data
- connection before transferring all the requested data. If we send ABOR
- in that case, it prevents the server from hanging.
+ The internal Curl_done() function uses Curl_expire() at times and that
+ uses the timeout list. Better clean up the list once we're done using
+ it. This caused a segfault.
- Bug: https://bugzilla.redhat.com/643656
- Reported by: Pasi Karkkainen, Patrick Monnerat
+ Reported-by: 蔡文凱
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html
-Dan Fandrich (28 Oct 2010)
-- Removed a leftover mention of FTP in an error message
-
-- Removed the native Makefile.riscos files
+Kamil Dudka (23 Feb 2016)
+- tests/sshserver.pl: use RSA instead of DSA for host auth
- These haven't worked in at least 8 years due to missing source
- files, and most active RiscOS developers these days apparently
- cross-compile anyway.
+ DSA is no longer supported by OpenSSH 7.0, which causes all SCP/SFTP
+ test cases to be skipped. Using RSA for host authentication works with
+ both old and new versions of OpenSSH.
- Signed-off-by: James Bursa <james@zamez.org>
-
-- Lightened the stack in wc_statemach to permit deeper recursion
+ Reported-by: Karlson2k
- Also, added a few hints to help compilers to perform tail call
- recursion optimization.
+ Closes #676
-Daniel Stenberg (20 Oct 2010)
-- SSH: use libssh2_session_handshake()
+Jay Satiro (23 Feb 2016)
+- TFTP: add option to suppress TFTP option requests (Part 2)
- In libssh2 1.2.8, libssh2_session_handshake() replaces
- libssh2_session_startup() to fix the previous portability problem with
- the socket type that was too small for win64 and thus easily could cause
- crashes and more.
-
-- SSH: avoid using the libssh2_ prefix
+ - Add tests.
- It is a bad idea to use the public prefix used by another library and
- now we realize that libssh2 introduces a symbol in the upcoming version
- 1.2.8 that conflicts with our static function named libssh2_free.
-
-- formdata: provide error message
+ - Add an example to CURLOPT_TFTP_NO_OPTIONS.3.
- When failing to build form post due to an error, the code now does a
- proper failf(). Previously libcurl would report an error like "failed
- creating formpost data" when a file wasn't possible to open which was
- not easy for users to figure out.
+ - Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.
- I also lower cased a function name to be named more curl-style and
- removed some unnecessary code.
+ Bug: https://github.com/curl/curl/issues/481
-- URL-parsing: consider ? a divider
-
- The URL parser got a little stricter as it now considers a ? to be a
- host name divider so that the slightly sloppier URLs work too. The
- problem that made me do this change was the reported problem with an URL
- like: www.example.com?email=name@example.com This form of URL is not
- really a legal URL (due to the missing slash after the host name) but is
- widely accepted by all major browsers and libcurl also already accepted
- it, it was just the '@' letter that triggered the problem now.
+- [Michael Koenig brought this change]
+
+ TFTP: add option to suppress TFTP option requests (Part 1)
- The side-effect of this change is that now libcurl no longer accepts the
- ? letter as part of user-name or password when given in the URL, which
- it used to accept (and is tested in test 191). That letter is however
- mentioned in RFC3986 to be required to be percent encoded since it is
- used as a divider.
+ Some TFTP server implementations ignore the "TFTP Option extension"
+ (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
+ problems with libcurl. Another switch for curl_easy_setopt
+ "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
+ sending TFTP option requests to a server, avoiding many problems caused
+ by faulty implementations.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3090268
+ Bug: https://github.com/curl/curl/issues/481
-- curl_easy_setopt.3: spellfix
+Daniel Stenberg (22 Feb 2016)
+- [Karlson2k brought this change]
-- curl_easy_setopt.3: CURLOPT_USE_SSL is not just for FTP
+ runtests: Fixed usage of %PWD on MinGW64
- It is for FTP, SMTP, POP3, IMAP at least.
+ Closes #672
-- krb4.h: removed unused prototypes
+Jay Satiro (20 Feb 2016)
+- CURLOPT_DEBUGFUNCTION.3: Fix example
-- krb4: make a few functions static
+- [Viktor Szakats brought this change]
-- TODO-RELEASE: cleanup for 7.21.3 works
+ src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
- "SFTP resume with 4GB file does not work" is now removed as I'm sure
- this is really a libssh2 bug and not a libcurl bug.
+ Sync with lib/Makefile.m32 which already uses those variables.
- 7.21.2 is released already
+ Bug: https://github.com/curl/curl/pull/670
-- RELEASE-NOTES: sync with 09a2d93a0f17ca
+Dan Fandrich (20 Feb 2016)
+- Enabled test 1437 after the bug fix in commit 3fa220a6
-- http_chunks: remove debug output
-
- Accidentally left in there during my previous debugging of this
+Jay Satiro (19 Feb 2016)
+- [Emil Lerner brought this change]
-- Curl_setopt: disallow CURLOPT_USE_SSL without SSL support
+ curl_sasl: Fix memory leak in digest parser
- In order to avoid for example the pingpong protocols to issue STARTTLS
- (or equivalent) even though there's no SSL support built-in.
+ If any parameter in a HTTP DIGEST challenge message is present multiple
+ times, memory allocated for all but the last entry should be freed.
- Reported by: Sune Ahlgren
- Bug: http://curl.haxx.se/mail/archive-2010-10/0045.html
+ Bug: https://github.com/curl/curl/pull/667
-- options: check for features for some options
+Dan Fandrich (19 Feb 2016)
+- Added test 1437 to verify a memory leak
- Some options, such as the automatic decompression and some SSL related
- ones now will bail out if the underlying libcurl doesn't have support
- for the particular feature needed.
+ Reported-by: neex@users.noreply.github.com
-Dan Fandrich (14 Oct 2010)
-- Fixed the IPv6 host address in test1203
+Jay Satiro (18 Feb 2016)
+- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
- Reported by: Christian Weisgerber
- Bug: http://curl.haxx.se/bug/view.cgi?id=3087479
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
-Daniel Stenberg (14 Oct 2010)
-- curl_easy_setopt.3: clarify CURLOPT_CRLF
-
- The option takes a parameter that should be 1 or 0 to enable or disable
- the feature.
+- curl.1: HTTP headers for --cookie must be Set-Cookie style
- URL: http://curl.haxx.se/bug/view.cgi?id=3086428
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
-Guenter Knauf (14 Oct 2010)
-- Some more small Watcom makefile fixes.
+Daniel Stenberg (18 Feb 2016)
+- curl.1: add a missing dash
-- Added --noconfigure switch to testcurl.pl.
+- CONTRIBUTING.md: fix links
-- Modified Watcom makefiles to work on Linux too.
-
-- Added MingW32 rtmp target; changed Watcom targets.
+- ISSUE_TEMPLATE: github issue template
- Modified Watcom targets to avoid backslashs so that they can
- work on Linux too.
+ First version, try this out!
-Daniel Stenberg (13 Oct 2010)
-- gitignore: ignore Makefile.vc10.dist made by maketgz
+- CONTRIBUTING.md: move into .github
+
+ To hide github specific files somewhat from the rest.
-- curlver.h: start over at 7.21.3
+- opts: add references
-- RELEASE-NOTES: start over towards 7.21.3
+- examples/make: add 'checksrc' target
-- THANKS: added contributors from 7.21.2
+- 10-at-a-time: typecast the argument passed to sleep()
-Version 7.21.2 (12 Oct 2010)
+- externalsocket.c: fix compiler warning for fwrite return type
-Daniel Stenberg (12 Oct 2010)
-- RELEASE-NOTES: synced with ecd624b8e774a85
+- anyauthput.c: fix compiler warnings
-- [Julien Chaffraix brought this change]
+- simplessl.c: warning: while with space
- CMake: Build fix.
+- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
- Do not match the trailing '\n' in the regular expression as this would
- make us dump a ) parenthesis on a new line.
-
- This fixes the following error:
+ Reported-By: Gisle Vanem
+
+- http2: don't decompress gzip decoding automatically
- would get transformed into:
+ At one point during the development of HTTP/2, the commit 133cdd29ea0
+ introduced automatic decompression of Content-Encoding as that was what
+ the spec said then. Now however, HTTP/2 should work the same way as
+ HTTP/1 in this regard.
- )
+ Reported-by: Kazuho Oku
- Bug: http://curl.haxx.se/mail/lib-2010-10/0065.html
- Reported by: Dimitre Dimitrov
+ Closes #661
-- header_callback: strip off file path separated with backslashes
-
- If the filename contains a backslash, only use filename portion. The
- idea is that even systems that don't handle backslashes as path
- separators probably want that path removed for convenience.
-
- This flaw is considered a security problem, see the curl security
- vulnerability http://curl.haxx.se/docs/adv_20101013.html
+Jay Satiro (16 Feb 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-Dan Fandrich (12 Oct 2010)
-- Get the curl source files for Amiga from Makefile.inc
+ http: Don't break the header into chunks if HTTP/2
- This is similar to how it's done in the lib directory.
- The Amiga build appears to have been broken for a year because
- of a missing homedir.c
-
-- Added section on server-supplied names to security considerations
+ nghttp2 callback deals with TLS layer and therefore the header does not
+ need to be broken into chunks.
+
+ Bug: https://github.com/curl/curl/issues/659
+ Reported-by: Kazuho Oku
-Guenter Knauf (12 Oct 2010)
-- Fixed Watcom makefile.
+Daniel Stenberg (16 Feb 2016)
+- [Viktor Szakats brought this change]
-- Added build bits for librtmp / libssh2 to Watcom makefiles.
+ openssl: use macro to guard the opaque EVP_PKEY branch
-- Added build bits for librtmp to NetWare makefiles.
+- [Viktor Szakats brought this change]
-Daniel Stenberg (12 Oct 2010)
-- SFTP: more ignoring negative file sizes
+ openssl: avoid direct PKEY access with OpenSSL 1.1.0
- As the change in 5f0ae7a0626cbe709 added a precaution against negative
- file sizes that for some reason managed to get returned, this change now
- introduces the same check at the second place in the code where the file
- size from the libssh2 stat call is used.
-
- This check might not be suitable for a 32 bit curl_off_t, but libssh2.h
- assumes long long to work and to be 64 bit so I believe such a small
- curl_off_t will be very unlikely to occur in the wild.
-
-- SMTP: debug output for no known auth mechanisms supported
+ by using API instead of accessing an internal structure.
+ This is required starting OpenSSL 1.1.0-pre3.
- ... and some minor source code whitespace edits
+ Closes #650
-- test: urlglob error messages have no extra newline anymore
+- RELEASE-NOTES: synced with ede0bfc079da
-Guenter Knauf (11 Oct 2010)
-- Added build bits for librtmp to MingW32 makefiles.
+- [Clint Clayton brought this change]
-Daniel Stenberg (8 Oct 2010)
-- RELEASE-NOTES: synced with 61f4cdb73ae4
-
-- globbing: fix crash on unballanced open brace
+ CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
- Having an open brace without a closing brace caused a segfault.
+ Change the example in the docs for CURLOPT_CONNECTTIMEOUT_MS to use
+ CURLOPT_CONNECTTIMEOUT_MS instead of CURLOPT_CONNECTTIMEOUT.
- Having a closing brace too many caused a silent error to occur, which
- caused curl to bail out and return an error code but no error message
- was shown. It does now!
+ Closes #653
+
+- opt-docs: add more references
+
+- [David Byron brought this change]
+
+ SCP: use libssh2_scp_recv2 to support > 2GB files on windows
- All error message outputs no longer wrongly get _two_ newlines written
- after the error message.
+ libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any
+ day now.
- Reported by: Vlad Ureche
- Bug: http://curl.haxx.se/bug/view.cgi?id=3083942
+ Closes #451
-- [Dan Locks brought this change]
+Jay Satiro (13 Feb 2016)
+- [Shine Fan brought this change]
- libcurl.m4: AC_PATH_PROG fixes
+ gtls: fix for builds lacking encrypted key file support
- The invocation of autoconf's AC_PATH_PROG( ) is not quite right for
- finding curl-config. This fix corrects the negative case (where
- curl-config is not found).
+ Bug: https://github.com/curl/curl/pull/651
-- FAQ: added "How do I submit my patch?"
+Dan Fandrich (13 Feb 2016)
+- test1604: Add to Makefile.inc so it gets run
-- examples: use example.com in example URLs
-
-- TODO-RELEASE: libidn problem not repeatable
+Jay Satiro (12 Feb 2016)
+- generate.bat: Fix comment bug by removing old comments
- "261 - configure and libidn" is removed from the list since Julien
- Chaffraix tried to repeat it but failed and the reporter did not return
- to provide further details.
+ Remove NOTES section, it's no longer needed since we aren't setting the
+ errorlevel and more importantly the recently updated URL in the comments
+ is causing some unusual behavior that breaks the script.
- Reported by: Lyndon Hill
- Bug: http://curl.haxx.se/mail/lib-2010-07/0029.html
+ Closes https://github.com/curl/curl/issues/649
-- libcurl.m4: mention argument is PREFIX
+Kamil Dudka (12 Feb 2016)
+- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
- The macro provides a --with-libcurl option that expects a PREFIX to be
- specified and not actually a "directory" in which libcurl will be found.
- This now spells that out more clearly.
+ The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man
+ pages since curl-7_12_3~131. This patch makes it clear in the curl.1
+ man page, too.
- Reported by: Dan Locks
- Bug: http://curl.haxx.se/bug/view.cgi?id=3079891
+ Bug: https://bugzilla.redhat.com/1305970
-Guenter Knauf (3 Oct 2010)
-- Some NetWare makefile tweaks.
+Daniel Stenberg (12 Feb 2016)
+- dist: ship buildconf.bat too
- Renamed SDK_* to NDK_*; made NDK_* defines overwriteable from
- environment; removed now obsolete YACC macro;
- moved some curl_config.h defines to IPv6 section since they
- are only needed when IPv6 is enabled - this makes libcurl compile
- with older NDKs too which were not IPv6-aware.
+ As the winbuild/* stuff uses it!
-Daniel Stenberg (2 Oct 2010)
-- TODO-RELEASE: 416 error fixed
+- curlx_tvdiff: handle 32bit time_t overflows
- "3076808 Requests fail silently following a 416 error" done
-
-Julien Chaffraix (2 Oct 2010)
-- krb5-gssapi: Removed a memory leak in krb5_auth.
+ On 32bit systems, make sure we don't overflow and return funky values
+ for very large time differences.
- We forgot to release the buffer passed to gss_init_sec_context.
+ Reported-by: Anders Bakken
- The previous logic was difficult to read as we were reusing the same
- variable (gssbuf) for both input buffer and output buffer. Splitted the
- logic in 2 variables to better underline who needs to be released.
- Also made the code break at 80 lines.
+ Closes #646
-- krb5-gssapi: Made the function always return a value.
-
- kr5_auth missed a final 'return' statement. This is not an error in
- gcc but can lead to potential bugs.
+- examples: fix some compiler warnings
+
+- simplessl.c: fix my breakage
-- krb5-gssapi: Delete the GSS-API context.
+- examples: adhere to curl code style
- This fixes a memory leak related to the GSS-API code.
+ All plain C examples now (mostly) adhere to the curl code style. While
+ they are only examples, they had diverted so much and contained all
+ sorts of different mixed code styles by now. Having them use a unified
+ style helps users and readability. Also, as they get copy-and-pasted
+ widely by users, making sure they're clean and nice is a good idea.
- Added a krb5_init and krb5_end functions. Also removed a work-around
- the lack of proper initialization of the GSS-API context.
+ 573 checksrc warnings were addressed.
-Daniel Stenberg (2 Oct 2010)
-- HTTP: remove special case for 416
+- examples/cookie_interface.c: add cleanup call
- It was pointed out that the special case libcurl did for 416 was
- incorrect and wrong. 416 is not really different to other errors so the
- response body must be handled like for other errors/http responses.
+ cleaning up handles is a good idea as we leak memory otherwise
- Reported by: Chris Smowton
- Bug: http://curl.haxx.se/bug/view.cgi?id=3076808
+ Also, line wrapped before 80 columns.
-- [Dan Fandrich brought this change]
-
- sws: Added writedelay HTTP server command
+Kamil Dudka (10 Feb 2016)
+- nss: search slash in forward direction in dup_nickname()
- This delays between write operations, hopefully making it easier
- to spot problems where libcurl doesn't flush the socket properly
- before waiting for the next response.
+ It is wasteful to search it backwards if we look for _any_ slash.
-- TODO-RELEASE: no bug in ftp_nextconnect
+- nss: do not count enabled cipher-suites
- The issue named "266 - Bug in ftp_nextconnect?" was deemed to not be a
- bug and instead resulted in clarified docs.
+ We only care if at least one cipher-suite is enabled, so it does
+ not make any sense to iterate till the end and count all enabled
+ cipher-suites.
-- curl_easy_setopt.3: CURLOPT_DIRLISTONLY implies dir list
-
- Make it explicit that setting CURLOPT_DIRLISTONLY to 1 will make libcurl
- to list the directory.
+Daniel Stenberg (10 Feb 2016)
+- contributors.sh: make 79 the max column width (from 80)
-- RELEASE-NOTES: synced up to 588402585bae
+- RELEASE-NOTES: synced with c276aefee3995
-- TODO-RELEASE: move new features to next release
+- mbedtls.c: re-indent to better match curl standards
-- README.ares: we know require c-ares 1.6.0
+- [Rafael Antonio brought this change]
+
+ mbedtls: fix memory leak when destroying SSL connection data
+
+ Closes #626
-- SFTP: avoid downloading negative sizes!
+- mbedtls: fix ALPN usage segfault
- It is still not clarified exactly why this happens, but libssh2
- sometimes report a negative file size for the remote SFTP file and that
- deeply confuses libcurl (or crashes it) so this precaution is added to
- avoid badness.
+ Since we didn't keep the input argument around after having called
+ mbedtls, it could end up accessing the wrong memory when figuring out
+ the ALPN protocols.
- Reported by: Ernest Beinrohr
- Bug: http://curl.haxx.se/bug/view.cgi?id=3076430
+ Closes #642
-- TODO-RELEASE: drop curl_easy_setoptv
+Jay Satiro (9 Feb 2016)
+- [Timotej Lazar brought this change]
+
+ opts: update references to renamed options
+
+- KNOWN_BUGS: Update #92 - Windows device prefix
+
+- tool_doswin: Support for literal path prefix \\?\
- I haven't read any really convincing arguments for adding it
+ For example something like --output \\?\C:\foo
+
+Daniel Stenberg (9 Feb 2016)
+- configure: state "BoringSSL" in summary when that was detected
-- [Dirk Manske brought this change]
+- [David Benjamin brought this change]
- multi & hiper examples: updates and cleanups
+ openssl: remove most BoringSSL #ifdefs.
- all multi and hiper examples:
+ As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
+ BoringSSL #ifdefs in cURL should be unnecessary:
- * don't loop curl_multi_perform calls, that was <7.20.0 style, currently
- the exported multi functions will not return CURLM_CALL_MULTI_PERFORM
+ - BoringSSL provides no-op stubs for compatibility which replaces most
+ #ifdefs.
- all hiper examples:
- * renamed check_run_count to check_multi_info
- * don't compare current running handle count with previous value, this
- was the wrong way to check for finished requests, simply call
- curl_multi_info_read
- * it's also safe to call curl_multi_remove_handle inside the
- curl_multi_info_read loop.
+ - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
+ the compatibility codepath.
- ghiper.c:
- * replaced curl_multi_socket (that function is marked as obsolete) calls
- with curl_multi_socket_action calls (as in hiperfifo.c and
- evhiperfifo.c)
+ - With a small tweak to an extend_key_56_to_64 call, the NTLM code
+ builds fine.
- ghiper.c and evhiperfifo.c:
- * be smart as hiperfifo.c, don't do uncessary curl_multi_* calls in
- new_conn and main
-
-- TODO-RELEASE: one fixed, one postponed, one added
+ - Switch OCSP-related #ifdefs to the more generally useful
+ OPENSSL_NO_OCSP.
- As we're already in feature freeze, I pushed the feature onwards.
-
-Dan Fandrich (29 Sep 2010)
-- Renamed test1204 to test1117 to move it into the normal range
+ The only #ifdefs which remain are Curl_ossl_version and the #undefs to
+ work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
+ that to the consumer. The in-header workaround makes things sensitive to
+ include order.)
+
+ This change errs on the side of removing conditionals despite many of
+ the restored codepaths being no-ops. (BoringSSL generally adds no-op
+ compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
+ bad enough!)
+
+ Closes #640
-Patrick Monnerat (29 Sep 2010)
-- Add gopher protocol definition to ILE/RPG binding.
- OS400 compile script in test dir updated for chkhostname.
+Jay Satiro (8 Feb 2016)
+- KNOWN_BUGS: Windows device prefix is required for devices
-Julien Chaffraix (28 Sep 2010)
-- krb5-gssapi: Remove several memory leaks.
+- tool_urlglob: Allow reserved dos device names (Windows)
- Remove a leak seen on Kerberos/MIT (gss_OID is copied internally and
- we were leaking it). Now we just pass NULL as advised in RFC2744.
+ Allow --output to reserved dos device names without the device prefix
+ for backwards compatibility.
- |tmp| was never set back to buf->data.
+ Example: --output NUL can be used instead of --output \\.\NUL
- Cleaned up Curl_sec_end to take into account failure in Curl_sec_login
- (where conn->mech would be NULL but not conn->app_data or
- conn->in_buffer->data).
+ Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
+ Reported-by: Gisle Vanem
-- security.c: Remove Curl_sec_fflush_fd.
+Daniel Stenberg (8 Feb 2016)
+- cookies: allow spaces in cookie names, cut of trailing spaces
- The current implementation would make us send wrong data on a closed
- socket. We don't buffer our data so the method can be safely removed.
-
-- security.c: We should always register the socket handler.
+ It turns out Firefox and Chrome both allow spaces in cookie names and
+ there are sites out there using that.
- Following a change in the way socket handler are registered, the custom
- recv and send method were conditionaly registered.
- We need to register them everytime to handle the ftp security
- extensions.
+ Turned out the code meant to strip off trailing space from cookie names
+ didn't work. Fixed now.
- Re-added the clear text handling in sec_recv.
-
-- security.c: Fix Curl_sec_login after rewrite.
+ Test case 8 modified to verify both these changes.
- Curl_sec_login was returning the opposite result that the code in ftp.c
- was expecting. Simplified the return code (using a CURLcode) so to see
- more clearly what is going on.
+ Closes #639
-- security.c: Readd the '\n' to the infof() calls.
-
- They are not automatically added and make the output of the verbose
- mode a lot more readable.
+Patrick Monnerat (8 Feb 2016)
+- Merge branch 'master' of github.com:curl/curl
-- security.c: Fix typo (PSBZ -> PBSZ)
+- os400: sync ILE/RPG definitions with latest public header files.
-- security.c: Fix ftp_send_command.
-
- My use of va_args was completely wrong. Fixed the usage so that
- we send the right commands!
+Daniel Stenberg (8 Feb 2016)
+- [Ludwig Nussel brought this change]
-Daniel Stenberg (28 Sep 2010)
-- curl_easy_escape: don't escape "unreserved" characters
+ SSLCERTS: update wrt SSL CA certificate store
+
+- [Ludwig Nussel brought this change]
+
+ configure: --with-ca-fallback: use built-in TLS CA fallback
- According to RFC3986 section 2.3 the letters -, ., _ and ~ should not be
- percent-encoded.
+ When trying to verify a peer without having any root CA certificates
+ set, this makes libcurl use the TLS library's built in default as
+ fallback.
- Reported by: Miguel Diaz
- Bug: http://curl.haxx.se/mail/lib-2010-09/0227.html
+ Closes #569
-- multi: don't expire timeouts at disonnect or done
+- Proxy-Connection: stop sending this header by default
- The functions Curl_disconnect() and Curl_done() are both used within the
- scope of a single request so they cannot be allowed to use
- Curl_expire(... 0) to kill all timeouts as there are some timeouts that
- are set before a request that are supposed to remain until the request
- is done.
+ RFC 7230 says we should stop. Firefox already stopped.
- The timeouts are now instead cleared at curl_easy_cleanup() and when the
- multi state machine changes a handle to the complete state.
-
-Dan Fandrich (27 Sep 2010)
-- Changed the TPF make file to get source files from Makefile.inc
+ Bug: https://github.com/curl/curl/issues/633
+ Reported-By: Brad Fitzpatrick
- Patch was fixed and validated by David McCreedy.
+ Closes #633
-- Added test case 1204 to test HTTP range failure
-
- This is an attempt to reproduce bug #3076808
+- bump: work toward the next release
-Daniel Stenberg (27 Sep 2010)
-- [Dirk Manske brought this change]
+- THANKS: 2 contributors from the 7.47.1 release
- multi_runsingle: set timeout error messages
+- RELEASE-PROCEDURE: remove the github upload part
- With the latest changes to fix the timeout handling with multi interface
- we lost the timeout error messages. This patch brings them back.
+ ... as we're HTTPS on the main site now, there's no point in that
+ extra step
-- TODO-RELEASE: updated list of issues to work on
+Version 7.47.1 (8 Feb 2016)
-- parsedate: allow time specified without seconds
+Daniel Stenberg (8 Feb 2016)
+- RELEASE-NOTES: curl 7.47.1 time!
+
+Jay Satiro (8 Feb 2016)
+- tool_operhlp: Check for backslashes in get_url_file_name
+
+ Extract the filename from the last slash or backslash. Prior to this
+ change backslashes could be part of the filename.
- The date format in RFC822 allows that the seconds part of HH:MM:SS is
- left out, but this function didn't allow it. This change also includes a
- modified test case that makes sure that this now works.
+ This change needed for the curl tool built for Cygwin. Refer to the
+ CYGWIN addendum in advisory 20160127B.
- Reported by: Matt Ford
- Bug: http://curl.haxx.se/bug/view.cgi?id=3076529
+ Bug: https://curl.haxx.se/docs/adv_20160127B.html
-- TFTP: re-indented the source code
+Daniel Stenberg (7 Feb 2016)
+- RELEASE-NOTES: synced with d6a8869ea34
+
+Jay Satiro (6 Feb 2016)
+- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
+
+ sk_X509_EXTENSION_num may return an unsigned integer, however the value
+ will fit in an int.
- Just made sure that the good old curl indentation style is used all over
- this file.
+ Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
+ Reported-by: Gisle Vanem
-- [Tim Newsome brought this change]
+Daniel Stenberg (7 Feb 2016)
+- TODO: 17.11 -w output to stderr
- TFTP: Work around tftpd-hpa upload bug
+Jay Satiro (6 Feb 2016)
+- [Michael Kaufmann brought this change]
+
+ idn_win32: Better error checking
+
+ .. also fix a conversion bug in the unused function
+ curl_win32_ascii_to_idn().
- tftpd-hpa has a bug where it will send an incorrect ack when the block
- counter wraps and tftp options have been sent. Work around that by
- accepting an ack for 65535 when we're expecting one for 0.
+ And remove wprintfs on error (Jay).
+
+ Bug: https://github.com/curl/curl/pull/637
+
+- [Gisle Vanem brought this change]
-- Revert "security.c: buffer_read various fixes."
+ examples/asiohiper: Avoid function name collision on Windows
- This reverts commit fbb38de415b7bb7d743e53a7b4b887ffb12b3e5b.
+ closesocket => close_socket
+ Winsock already has the former.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
+
+- [Gisle Vanem brought this change]
-- security.c: removed superfluous parentheses
+ examples/htmltitle: Use _stricmp on Windows
- And also removed the FIXME where memory was zeroed just before freed,
- and some other minor whitespace changes.
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
-- [Julien Chaffraix brought this change]
+Daniel Stenberg (6 Feb 2016)
+- COPYING: clarify that Daniel is not the sole author
+
+ ... done on request and as it is a fair point.
- security.c: Update the #include statements after the rewrite.
+Jay Satiro (5 Feb 2016)
+- unit1604: Fix unit setup return code
-- [Julien Chaffraix brought this change]
+- tool_doswin: Use type SANITIZEcode in sanitize_file_name
- security.c: sec_write tweaks
+- tool_doswin: Improve sanitization processing
+
+ - Add unit test 1604 to test the sanitize_file_name function.
- - |fd| is now a curl_socket_t and |len| a size_t to avoid conversions.
- - Added 2 FIXMEs about the 2 unsigned -> signed conversions.
- - Included 2 minor changes to Curl_sec_end.
+ - Use -DCURL_STATICLIB when building libcurltool for unit testing.
+
+ - Better detection of reserved DOS device names.
+
+ - New flags to modify sanitize behavior:
+
+ SANITIZE_ALLOW_COLONS: Allow colons
+ SANITIZE_ALLOW_PATH: Allow path separators and colons
+ SANITIZE_ALLOW_RESERVED: Allow reserved device names
+ SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
+
+ - Restore sanitization of banned characters from user-specified outfile.
+
+ Prior to this commit sanitization of a user-specified outfile was
+ temporarily disabled in 2b6dadc because there was no way to allow path
+ separators and colons through while replacing other banned characters.
+ Now in such a case we call the sanitize function with
+ SANITIZE_ALLOW_PATH which allows path separators and colons to pass
+ through.
+
+
+ Closes https://github.com/curl/curl/issues/624
+ Reported-by: Octavio Schroeder
+
+- [Viktor Szakats brought this change]
-- [Julien Chaffraix brought this change]
+ URLs: change more http to https
- security.c: _sec_send tweaks
+- sasl_sspi: Fix memory leak in domain populate
- - Renamed the method to sec_send now that we
- renamed sec_send to do_sec_send.
- - Some more variable renaming.
+ Free an existing domain before replacing it.
+
+ Bug: https://github.com/curl/curl/issues/635
+ Reported-by: silveja1@users.noreply.github.com
-- [Julien Chaffraix brought this change]
+Daniel Stenberg (4 Feb 2016)
+- [Viktor Szakats brought this change]
- security.c: sec_read tweaks
+ URLs: follow GitHub project rename (also Travis CI)
- - Renamed the function to sec_recv.
- - Renamed the parameters and variable to match the rest of the code.
-
-- [Julien Chaffraix brought this change]
+ Closes #632
- security.c: Curl_sec_fflush_fd tweaks
+- CHANGES.o: fix references to curl.haxx.nu
- - Use an early return as it makes the code more readable.
- - Added a FIXME about a conversion.
+ I removed the scheme prefix from the URLs references this host name, as
+ we don't own/run that anymore but the name is kept for historic reasons.
-- [Julien Chaffraix brought this change]
+- HISTORY: add some info about when we used which host names
- security.c: sec_send tweaks
-
- - Renamed it to do_sec_send as it is the function doing the actual
- transfer.
- - Do not return any values as no one was checking it and it never
- reported a failure (added a FIXME about checking for errors).
- - Renamed the variables to make their use more specific.
- - Removed some casts (int -> curl_socket_t, ...)
- - Avoid doing the htnl <-> nthl twice by caching the 2 results.
+Jay Satiro (2 Feb 2016)
+- [Viktor Szakats brought this change]
+
+ URLs: change more http to https
-- [Julien Chaffraix brought this change]
+Dan Fandrich (3 Feb 2016)
+- URLs: Change more haxx.se URLs from http: to https:
- security.c: Curl_sec_read_msg tweaks
+Daniel Stenberg (3 Feb 2016)
+- RELEASE-NOTES: synced with 4af40b364
+
+- URLs: change all http:// URLs to https://
+
+- configure: update the copyright year range in output
+
+- dotdot: allow an empty input string too
+
+ It isn't used by the code in current conditions but for safety it seems
+ sensible to at least not crash on such input.
- - Renamed the variables name to better match their intend.
- - Unified the |decoded_len| checks.
- - Added some FIXMEs to flag some improvement that did not go in this
- change.
+ Extended unit test 1395 to verify this too as well as a plain "/" input.
-- [Julien Chaffraix brought this change]
+- HTTPS: update a bunch of URLs from HTTP to HTTPS
- security.c: Curl_sec_set_protection_level tweaking
+- [Sergei Nikulov brought this change]
+
+ AppVeyor: updated to handle OpenSSL/WinSSL builds
- - Removed sec_prot_internal as it is now inlined in the function (this removed
- a redundant check).
- - Changed the prototype to return an error code.
- - Updated the method to use the new ftp_send_command function.
- - Added a level_to_char helper method to avoid relying on the compiler's
- bound checks. This default to the maximum security we have in case of a
- wrong input.
+ Closes #621
-- [Julien Chaffraix brought this change]
+Jay Satiro (1 Feb 2016)
+- tool_operate: Don't sanitize --output path (Windows)
+
+ Due to path separators being incorrectly sanitized in --output
+ pathnames, eg -o c:\foo => c__foo
+
+ This is a partial revert of 3017d8a until I write a proper fix. The
+ remote-name will continue to be sanitized, but if the user specified an
+ --output with string replacement (#1, #2, etc) that data is unsanitized
+ until I finish a fix.
+
+ Bug: https://github.com/bagder/curl/issues/624
+ Reported-by: Octavio Schroeder
- security.c: factored the logic from Curl_sec_login into a dedicated method that better reflect its intent.
+- curl.1: Explain remote-name behavior if file already exists
- Introduced a helper method ftp_send_command that synchronously send
- an FTP query.
+ .. also warn about letting the server pick the filename.
-- [Julien Chaffraix brought this change]
+- [Gisle Vanem brought this change]
- security.c: Remove out_buffer as it was never written into.
+ urldata: Error on missing SSL backend-specific connect info
-- [Julien Chaffraix brought this change]
+Daniel Stenberg (28 Jan 2016)
+- bump: towards the next (7.47.1 ?)
- security.c: buffer_read various fixes.
-
- Tighten the type of the |data| parameter to avoid a cast. Also made
- it const as we should not modify it.
+- [Sergei Nikulov brought this change]
+
+ cmake: fixed when OpenSSL enabled on Windows and schannel detected
- Added a DEBUGASSERT on the size to be written while changing it.
+ Closes #617
-- [Julien Chaffraix brought this change]
+Jay Satiro (28 Jan 2016)
+- [Sergei Nikulov brought this change]
- security.c: Made block_write return a CURLcode.
+ urldata: moved common variable out of ifdef
- While doing so, renamed it to socket_write to better match its
- function.
+ Closes https://github.com/bagder/curl/pull/618
-- [Julien Chaffraix brought this change]
+- [Viktor Szakats brought this change]
- security.c: Made block_read and sec_get_data return CURLcode.
+ tool_doswin: silence unused function warning
- To do so, made block_read call Curl_read_plain instead of read.
+ tool_doswin.c:185:14: warning: 'msdosify' defined but not used
+ [-Wunused-function]
- While changing them renamed block_read to socket_read and sec_get_data
- to read_data to better match their function.
+ Closes https://github.com/bagder/curl/pull/616
+
+Daniel Stenberg (27 Jan 2016)
+- getredirect.c: fix variable name
- Also fixed a potential memory leak in block_read.
+ Reported-by: Bernard Spil
+
+Version 7.47.0 (27 Jan 2016)
-- [Julien Chaffraix brought this change]
+Daniel Stenberg (27 Jan 2016)
+- examples/Makefile.inc: specify programs without .c!
- Security.c: Fix headers guard to match the rest of the code.
+- THANKS: 6 new contributors from 7.47.0 release notes
-- [Julien Chaffraix brought this change]
+- [Isaac Boukris brought this change]
- configure: Fix the LDAPS disable message
+ NTLM: Fix ConnectionExists to compare Proxy credentials
- ... for example when LDAP is not compiled.
+ Proxy NTLM authentication should compare credentials when
+ re-using a connection similar to host authentication, as it
+ authenticate the connection.
- Fixed the logic to match the rest of the options' message that is we
- update the default message only if the option is not disabled after the
- different checks.
+ Example:
+ curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+ --proxy-ntlm --next -x http://proxy:port http://host/
+ [-U fake_user:fake_pwd --proxy-ntlm]
- Reported by: Guenter Knauf
+ CVE-2016-0755
+
+ Bug: http://curl.haxx.se/docs/adv_20160127A.html
-- RELEASE-NOTES: sync with 8665d4e5 and c-ares >= 1.6.0 note
+- [Ray Satiro brought this change]
-- parse_remote_port: ignore colons without port number
+ curl: avoid local drive traversal when saving file (Windows)
+
+ curl does not sanitize colons in a remote file name that is used as the
+ local file name. This may lead to a vulnerability on systems where the
+ colon is a special path character. Currently Windows/DOS is the only OS
+ where this vulnerability applies.
- Obviously, browsers ignore a colon without a following port number. Both
- Firefox and Chrome just removes the colon for such URLs. This change
- does not remove the colon for URLs sent over a HTTP proxy, so we should
- consider doing that change as well.
+ CVE-2016-0754
- Reported by: github user 'kreshano'
+ Bug: http://curl.haxx.se/docs/adv_20160127B.html
-- RELEASE-NOTES: in sync with 19f45eaa799
+- RELEASE-NOTES: 7.47.0
-- duphandle: use ares_dup()
-
- curl_easy_duphandle() was not properly duping the ares channel. The
- ares_dup() function was introduced in c-ares 1.6.0 so by starting to use
- this function we also raise the bar and require c-ares >= 1.6.0
- (released Dec 9, 2008) for such builds.
-
- Reported by: Ning Dong
- Bug: http://curl.haxx.se/mail/lib-2010-08/0318.html
+- FAQ: language fix in 4.19
-- [Hendrik Visage brought this change]
+- [paulehoffman brought this change]
- MacOSX-Framework: updates for Snowleopard
+ FAQ: Update to point to GitHub
- 1) PPC64 appears to be an 10.5 only supported architecture, so I
- forced 10.5 for 64bit if there is a need for PPC64, else 64bit only
- does x86_64
+ Current FAQ didn't make it clear where the main repo is.
- 2) proper "make clean" after every ./configure. fixes a bug where
- subsequent runs the 32bit do not get compiled
-
- 3) Added a version numbering curl-$VERSION} rather than the "stock standard" A
+ Closes #612
-- RELEASE-NOTES: synced with 5fcc4332d62fe
+- maketgz: generate date stamp with LC_TIME=C
- Removed the duplicate entry of Kamil in the credits.
+ bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
-- configure: don't enable RTMP if the lib detect fails
-
- librtmp is often statically linked and using sub dependencies like
- OpenSSL, so we need to make sure we can actually link with it properly
- before enabling it. Otherwise we easily end up trying to link with a
- RTMP lib that fails.
+- curl_multi_socket_action.3: line wrap
-- TODO: added 8.4 non-gcrypt under GnuTLS
-
- We must not assume gcrypt just because of GnuTLS
+- RELEASE-NOTES: synced with d58ba66eeceb
+
+Steve Holme (21 Jan 2016)
+- TODO: "Create remote directories" for SMB
-- configure: check for gcrypt if using GnuTLS
+Jay Satiro (18 Jan 2016)
+- mbedtls: Fix pinned key return value on fail
- 1 - libcurl assumes that there are gcrypt functions available when
- GnuTLS is.
+ - Switch from verifying a pinned public key in a callback during the
+ certificate verification to inline after the certificate verification.
- 2 - GnuTLS can be built to use libnettle instead as crypto library,
- which breaks assumption (1)
+ The callback method had three problems:
- This change makes configure make sure that if GnuTLS is requested and
- detected, it also makes sure that gcrypt is present or it errors
- out. This is mostly a way to make the user more aware of this flaw, the
- correct fix would be to detect which crypto layer that is in use and
- adapt our code to use that instead of blindly assuming gcrypt.
+ 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
+ was not returned.
- Reported by: Michal Gorny
- Bug: http://curl.haxx.se/bug/view.cgi?id=3071038
-
-- RELEASE-NOTES: sync from d2a7fd2fe65b to HEAD
-
-- FTP: fix bad check of Curl_timeleft() return code
+ 2. If peer certificate verification was disabled the pinned key
+ verification did not take place as it should.
- When it returns 0 it means no timeout. Only a negative value means that
- we're out of time.
-
-- LDAP: moved variable declaration to avoid compiler warn
+ 3. (related to #2) If there was no certificate of depth 0 the callback
+ would not have checked the pinned public key.
- If built without HTTP or proxy support it would cause a compiler warning
- due to the unused variable. I moved the declaration of it into the only
- scope it is used.
-
-Tor Arntsen (18 Sep 2010)
-- LDAP: Use FALSE instead of bool_false when setting bits.close
+ Though all those problems could have been fixed it would have made the
+ code more complex. Instead we now verify inline after the certificate
+ verification in mbedtls_connect_step2.
- bool_false is the internal name used in the setup_once.h definition
- we fall back to for non-C99 non-stdbool systems, it's not the actual
- name to use in assignments (we use bool_false, bool_true there to
- avoid global namespace problems, see comment in setup_once.h).
- The correct C99 value to use is 'false', but let's use FALSE as
- used elsewhere when assigning to bits.close. FALSE is set equal
- to 'false' in setup_once.h when possible.
+ Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
+ Ref: https://github.com/bagder/curl/pull/601
+
+- tests: Add a test for pinnedpubkey fail even when insecure
- This fixes a build problem on C99 targets.
+ Because disabling the peer verification (--insecure) must not disable
+ the public key pinning check (--pinnedpubkey).
-- LDAP: Add missing declaration for 'result'
+- [Daniel Schauenberg brought this change]
-Daniel Stenberg (18 Sep 2010)
-- [Mauro Iorio brought this change]
+ CURLINFO_RESPONSE_CODE.3: add example
- LDAP: Support for tunnelling queries through HTTP proxy
+Kamil Dudka (15 Jan 2016)
+- ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
- As of curl-7.21.1 tunnelling ldap queries through HTTP Proxies is not
- supported. Actually if --proxytunnel command-line option (or equivalent
- CURLOPT_HTTPPROXYTUNNEL) is used for ldap queries like
- ldap://ldap.my.server.com/... You are unable to successfully execute the
- query. In facts ldap_*_bind is executed directly against the ldap server
- and proxy is totally ignored. This is true for both openLDAP and
- Microsoft LDAP API.
+ The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
+ empty strings specially since curl-7_25_0-31-g05a443a but the behavior
+ was unintentionally removed in curl-7_38_0-47-gfa7d04f.
- Step to reproduce the error:
- Just launch "curl --proxytunnel --proxy 192.168.1.1:8080
- ldap://ldap.my.server.com/dc=... "
+ This commit restores the original behavior and clarifies it in the
+ documentation that NULL and "" have both the same meaning when passed
+ to CURLOPT_SSH_PUBLIC_KEYFILE.
- This fix adds an invocation to Curl_proxyCONNECT against the provided
- proxy address and on successful "CONNECT" it tunnels ldap query to the
- final ldap server through the HTTP proxy. As far as I know Microsoft
- LDAP APIs don't permit tunnelling in any way so the patch provided is
- for OpenLDAP only. The patch has been developed against OpenLDAP 2.4.23
- and has been tested with Microsoft ISA Server 2006 and works properly
- with basic, digest and NTLM authentication.
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
-- timeout: use the correct start value as offset
-
- Rodric provide an awesome recipe that proved libcurl didn't timeout at
- the requested time - it instead often timed out at [connect time] +
- [timeout time] instead of the documented and intended [timeout time]
- only. This bug was due to the code using the wrong base offset when
- comparing against "now". I could also take the oppurtinity to simplify
- the code by properly using of the generic help function for this:
- Curl_timeleft.
+Daniel Stenberg (14 Jan 2016)
+- RELEASE-NOTES: synced with 35083ca60ed035a
+
+- openssl: improved error detection/reporting
- Reported by: Rodric Glaser
- Bug: http://curl.haxx.se/bug/view.cgi?id=3061535
+ ... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
+ 1.1.0+ returned a new func number of another cerfificate fail so this
+ required a fix and this is the better way to catch this error anyway.
+
+- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
-- Curl_timeleft: avoid returning "no timeout" by mistake
+- CURLOPT_RESOLVE.3: minor language polish
+
+- configure: assume IPv6 works when cross-compiled
- As this function uses return code 0 to mean that there is no timeout, it
- needs to check that it doesn't return a time left value that is exactly
- zero. It could lead to libcurl doing an extra 1000 ms select() call and
- thus not timing out as accurately as it should.
+ The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
+ works, and testing like that doesn't work for cross-compiles. These days
+ IPv6 support is widespread so a blind guess is probably more likely to
+ be 'yes' than 'no' now.
- I fell over this bug when working on the bug 3061535 but this fix does
- not correct that problem alone, although this is a problem that needs to
- be fixed.
+ Further: anyone who cross-compiles can use configure's --disable-ipv6 to
+ explicitly disable IPv6 and that also works for cross-compiles.
- Reported by: Rodric Glaser
- Bug: http://curl.haxx.se/bug/view.cgi?id=3061535
+ Made happen after discussions in issue #594
-- whitespace: unified source
-
- if ( => if(
- while ( => while(
+- TODO: "Try to URL encode given URL"
- and some other changes in the similar spirit, trying to make the
- whole file use the same style
-
-- remote-header-name: don't output filename when NULL
-
-- [James Bursa brought this change]
+ Closes #514
- TheArtOfHttpScripting: use long options
+- ConnectionExists: only do pipelining/multiplexing when asked
+
+ When an HTTP/2 upgrade request fails (no protocol switch), it would
+ previously detect that as still possible to pipeline on (which is
+ acorrect) and do that when PIPEWAIT was enabled even if pipelining was
+ not explictily enabled.
+
+ It should only pipelined if explicitly asked to.
+
+ Closes #584
-- [James Bursa brought this change]
+- [Mohammad AlSaleh brought this change]
- getinmemory: make the example easier to follow
+ lib: Prefix URLs with lower-case protocol names/schemes
- 1. Remove the comment warning that it's "not been verified to work". It
- works with no problems in my testing.
+ Before this patch, if a URL does not start with the protocol
+ name/scheme, effective URLs would be prefixed with upper-case protocol
+ names/schemes. This behavior might not be expected by library users or
+ end users.
- 2. Remove 2 unnecessary includes.
+ For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
+ URL is "hostname/path". The effective URL would be
+ "HTTPS://hostname/path" instead of "https://hostname/path".
- 3. Remove the myrealloc(). Initialize chunk.memory with malloc() instead
- of NULL. The comments for these two parts contradicted each other.
+ After this patch, effective URLs would be prefixed with a lower-case
+ protocol name/scheme.
- 4. Handle out of memory from realloc() instead of continuing.
+ Closes #597
- 5. Print a brief status message at the end.
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
-- multi: don't do extra expire calls for the connection
-
- The timeout is set for the connect phase already at the start of the
- request so we should not add a new one, and we MUST not set expire to 0
- as that will remove any other potentially existing timeouts.
+- [Alessandro Ghedini brought this change]
-- [Peter Pentchev brought this change]
+ scripts: don't generate and install zsh completion when cross-compiling
- Fix a bashism: test a = b is more portable than ==.
+- [Alessandro Ghedini brought this change]
-- glob_word: remove a check that is always false
+ scripts: fix zsh completion generation
+
+ The script should use the just-built curl, not the system one. This fixes
+ zsh completion generation when no system curl is installed.
-- inflate_stream: remove redundant check that is always true
+- [Alessandro Ghedini brought this change]
-- digest: make it clear the condition is always true
+ zsh.pl: fail if no curl is found
+
+ Instead of generation a broken completion file.
-- ssluse: removed redundant check that is always true
+- [Michael Kaufmann brought this change]
-Dan Fandrich (11 Sep 2010)
-- Link curl and the test apps with -lrt explicitly when necessary
+ IDN host names: Remove the port number before converting to ACE
- When curl calls a function from that library then it needs to
- explicitly link to the library instead of piggybacking on
- libcurl's own dependency. Without this, GNU ld with the
- --no-add-needed flag fails when linking (which Fedora now does
- by default).
+ Closes #596
+
+Jay Satiro (10 Jan 2016)
+- runtests: Add mbedTLS to the SSL backends
- Reported by: Quanah Gibson-Mount
- Bug: http://curl.haxx.se/mail/lib-2010-09/0085.html
+ .. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
-- Mention the Debian Popularity Contest
+Daniel Stenberg (10 Jan 2016)
+- [Thomas Glanzmann brought this change]
-Tor Arntsen (9 Sep 2010)
-- test565: Don't hardcode IP:PORT
-
- Use %HOSTIP:%HTTPPORT instead of 127.0.0.1:8990 so that
- verification works if the baseport change option is used
- when executing runtests.pl.
+ mbedtls: implement CURLOPT_PINNEDPUBLICKEY
-Daniel Stenberg (9 Sep 2010)
-- curl.1: updated protocols and polished language
+Jay Satiro (9 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-- FAQ: CURL_STATICLIB for visual studio users
+ url: Fix compile error with --enable-werror
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Ensure that http2_handle_stream_close is called
- Clarified as it isn't used with a -D option for them.
+ Previously, when HTTP/2 is enabled and used, and stream has content
+ length known, Curl_read was not called when there was no bytes left to
+ read. Because of this, we could not make sure that
+ http2_handle_stream_close was called for every stream. Since we use
+ http2_handle_stream_close to emit trailer fields, they were
+ effectively ignored. This commit changes the code so that Curl_read is
+ called even if no bytes left to read, to ensure that
+ http2_handle_stream_close is called for every stream.
- Reported by: Artfunkel
- Bug: http://curl.haxx.se/bug/view.cgi?id=3060381
+ Discussed in https://github.com/bagder/curl/pull/564
-- FAQ: updated and added host with custom IP question
+Daniel Stenberg (8 Jan 2016)
+- http2: handle the received SETTINGS frame
- Added "3.19 How do I get HTTP from a host using a specific IP address?"
- and updated some stuff about certs etc.
+ This regression landed in 5778e6f5 and made libcurl not act on received
+ settings and instead stayed with its internal defaults.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
+ Reported-by: Bankde
-- chunky parser: only rewind if needed
+- Revert "multiplex: allow only once HTTP/2 is actually used"
- The code reading chunked encoding attempts to rewind the code if it had
- read more data than the chunky parser consumes. The rewinding can fail
- and it will then cause an error. This change now makes the rewinding
- only happen if pipelining is in use - as that's the only time it really
- needs to be done.
+ This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36.
- Bug: http://curl.haxx.se/mail/lib-2010-08/0297.html
- Reported by: Ron Parker
-
-Kamil Dudka (6 Sep 2010)
-- rtsp: avoid SIGSEGV on malformed header
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
-- rtsp: avoid SIGSEGV on malformed header
+Jay Satiro (8 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-Daniel Stenberg (6 Sep 2010)
-- warning: fix conversion to 'int' from 'size_t'
-
-- portabilty: use proper variable type to hold sockets
+ http2: Fix PUSH_PROMISE headers being treated as trailers
- Curl_getconnectinfo() is changed to return a proper curl_socket_t for
- the last socket so that it'll work more portably (and cause less
- compiler warnings).
+ Discussed in https://github.com/bagder/curl/pull/564
-Guenter Knauf (3 Sep 2010)
-- Trial to fix another compiler warning with braces.
+Daniel Stenberg (8 Jan 2016)
+- [Michael Kaufmann brought this change]
-Dan Fandrich (2 Sep 2010)
-- Use checkprefix() to compare protocol-specific strings
+ connection reuse: IDN host names fixed
- Otherwise, there could be problems running in certain locales.
-
-Guenter Knauf (2 Sep 2010)
-- Moved S_ISREG define to setup as suggested by Dan.
-
-- Use own typedef as workaround for broken sspi.h header (f.e. Watcom).
-
-- Added some hacks in order to build with VC from git.
+ Use the ACE form of IDN hostnames as key in the connection cache. Add
+ new tests.
- Adam Light posted this patch to the list which enables builds from
- git with VC versions other than vc6; also he added a vc10 target.
+ Closes #592
-- Added S_ISREG define for Win32.
+- tests: mark IPv6 FTP and FTPS tests with the FTP keyword
-Daniel Stenberg (1 Sep 2010)
-- multi: fixes for timing out handles
+Jay Satiro (7 Jan 2016)
+- mbedtls: Fix ALPN support
- Add a timeout check for handles in the state machine so that they will
- timeout in all states disregarding what actions that may or may not
- happen.
+ - Fix ALPN reply detection.
- Fixed a bug in socket_action introduced recently when looping over timed
- out handles: it wouldn't assign the 'data' variable and thus it wouldn't
- properly take care of handles.
+ - Wrap nghttp2 code in ifdef USE_NGHTTP2.
- In the update_timer function, the code now checks if the timeout has
- been removed and then it tells the application. Previously it would
- always let the remaining timeout(s) just linger to expire later on.
+
+ Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
-- threaded resolver: no more expire 0 calls
+- http2: Fix client write for trailers on stream close
+
+ Check that the trailer buffer exists before attempting a client write
+ for trailers on stream close.
- Curl_expire() set to 0 expires ALL timeouts so it should only be called
- if we truly and really want to remove all timeouts for the handle.
+ Refer to comments in https://github.com/bagder/curl/pull/564
-- resolve_server: simplify code
+Daniel Stenberg (7 Jan 2016)
+- COPYING: update general copyright year range
+
+- ConnectionExists: add missing newline in infof() call
- Make use of the helper function Curl_timeleft() instead of duplicating
- code.
+ Mistake from commit a464f33843ee1
-- multi: make sure the next timeout is used when one expires
+- multiplex: allow only once HTTP/2 is actually used
- Each easy handle has a list of timeouts, so as soon as the main timeout
- for a handle expires, we must make sure to get the next entry from the
- list and re-add the handle to the splay tree.
+ To make sure curl doesn't allow multiplexing before a connection is
+ upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the
+ connection uses HTTP/2 as well and not only check what's wanted.
- This was attempted previously but was done poorly in my commit
- 232ad6549a68450.
-
-Dan Fandrich (30 Aug 2010)
-- Added proxy keyword to allow skipping test in proxyless configs
+ Closes #584
+
+ Patch-by: c0ff
-Daniel Stenberg (29 Aug 2010)
-- multi: set timeouts when transfer begins
+Jay Satiro (4 Jan 2016)
+- curl_global_init.3: Add Windows-specific info for init via DLL
+
+ - Add to both curl_global_init.3 and libcurl.3 the caveat for Windows
+ that initializing libcurl via a DLL's DllMain or static initializer
+ could cause a deadlock.
- When a new transfer is about to start we now set the proper timeouts to
- expire for the multi interface if they are set for the handle. This is a
- follow-up bugfix to make sure that easy handles timeout properly when
- the times expire and the multi interface is used. This also improves
- curl_multi_timeout().
+ Bug: https://github.com/bagder/curl/issues/586
+ Reported-by: marc-groundctl@users.noreply.github.com
-- CURLOPT_DIRLISTONLY: don't use with CURLOPT_WILDCARDMATCH
+Daniel Stenberg (4 Jan 2016)
+- FAQ: clarify who to mail about ECCN clarifications
-- FAQ: update list of supported protocols
+- progressfunc.c: spellfix description
-- [Fabian Keil brought this change]
+- docs/examples/multi-app.c: fix bad desc formatting
- In the m4 detection line, factor out the 2>dev/null
+- examples: added descriptions
-- [Fabian Keil brought this change]
+- example/simple.c: add description
- If m4 doesn't support --version, try if gm4 does.
+- getredirect.c: a new example
-- [Fabian Keil brought this change]
+Marc Hoersken (27 Dec 2015)
+- RELEASE-NOTES: add 5e0e81a9c4e35f04ca
- If the m4 version isn't recognized at all, just say so
-
- 'm4 version found. You need a GNU m4 installed!' is a bit confusing.
+Daniel Stenberg (26 Dec 2015)
+- RELEASE-NOTES: synced with 2aec4359db1088b10d
-- HISTORY: mention the gopher story
+Marc Hoersken (26 Dec 2015)
+- test 1515: add data check
-Dan Fandrich (25 Aug 2010)
-- Tweaked some test data files
+- test 1515: add MSYS support by passing a relative path
- Fixed some issues that caused xmllint failures, added features
- and keywords, fixed some quotes and removed some <strip> sections
- that unnecessarily limited test checking.
-
-- Added new source files to Symbian and TPF makefiles
+ MSYS would otherwise turn a /-style path into a C:\-style path.
-Daniel Stenberg (25 Aug 2010)
-- RELEASE-NOTES: sync from b980c9a02 to HEAD
+- test 539: use datacheck mode text for ASCII-mode LISTings
+
+ While still using datacheck mode binary for the inline reply data.
-- Makefile: add gopher.c file to build
+- runtests.pl: check up to 5 data parts with different text modes
- As the VC and RISCOS makefiles don't use the .inc file
+ Move the text-mode conversion for reply/replycheck from the verify
+ section into the load section and add support for 4 more check parts.
-- runtests: fix uninitialized variable warning
+Daniel Stenberg (24 Dec 2015)
+- CURLOPT_RANGE: for HTTP servers, range support is optional
-- gopher tests: revert parts of gopher in the pingpong server
-
- Introduced in the initial gopher commits, there was added logic to do
- GOPHER test serving in the pingpong server but as it resembles HTTP much
- more than FTP or SMTP, the gopher testing has been moved over to instead
- use the sws (HTTP) server. This change simply removes unused code.
+Marc Hoersken (24 Dec 2015)
+- tests 1048 and 1050: use datacheck mode text for ASCII-mode LISTings
-- gopher tests: use sws and adjusted to more standard style
+- tests 706 and 707: use datacheck mode text for ASCII-mode LISTings
-- sws: added basic gopher support
+- tests 400,403,406: use datacheck mode text for ASCII-mode LISTings
-- gopher: enable the header callback/verbosity
+- sockfilt.c: fix calculation of sleep timeout on Windows
+
+ Not converting to double caused small timeouts to be skipped.
-- gopher: fix test case line endings
+- tests first.c: fix calculation of sleep timeout on Windows
- Patches over email very easily lose CRLF line endings in files otherwise
- LF-only so I had to put them back where needed.
+ Not converting to double caused small timeouts to be skipped.
+
+- test 573: add more debug output
-- gopher: fix memory leak and busyloop
+- ftplistparser.c: fix handling of file LISTings using Windows EOL
- The fix for the busyloop really only is a temporary work-around. It
- causes a BLOCKING behavior which is a NO-NO. This function should rather
- be split up in a do and a doing piece where the pieces that aren't
- possible to send now will be sent in the doing function repeatedly until
- the entire request is sent.
+ Previously file.txt[CR][LF] would have been returned as file.tx
+ (without the last t) if filetype is symlink. Now the t is
+ included and the internal item_length includes the zero byte.
+
+ Spotted using test 576 on Windows.
-- [Cameron Kaiser brought this change]
+- test 16: fix on Linux (and Windows) by using plain ASCII characters
+
+ Follow up on b064ff0c351bb287557228575ef4c1d079b866fb, thanks Daniel.
- Gopher using Curl_write; test suite (4 tests)
+- tftpd server: add Windows support by writing files in binary mode
-- [Cameron Kaiser brought this change]
+- tests 252-255: use datacheck mode text for ASCII-mode LISTings
- Remove url.c test
+- test 16: fix on Windows by converting data file from ANSI to UTF-8
-- [Cameron Kaiser brought this change]
+Daniel Stenberg (23 Dec 2015)
+- Makefile.inc: s/curl_SOURCES/CURL_FILES
+
+ This allows the root Makefile.am to include the Makefile.inc without
+ causing automake to warn on it (variables named *_SOURCES are
+ magic). curl_SOURCES is then instead assigned properly in
+ src/Makefile.am only.
+
+ Closes #577
- Forgot gopher.h in Makefile.inc
+- [Anders Bakken brought this change]
-- [Cameron Kaiser brought this change]
+ ConnectionExists: with *PIPEWAIT, wait for connections
+
+ Try harder to prevent libcurl from opening up an additional socket when
+ CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
+ handshakes complete first before the decision is made.
+
+ Closes #575
- Gopher protocol support (initial release)
+- [Anders Bakken brought this change]
-- http: handle trailer headers in all chunked responses
+ Add .dir-locals and set c-basic-offset to 2.
- HTTP allows that a server sends trailing headers after all the chunks
- have been sent WITHOUT signalling their presence in the first response
- headers. The "Trailer:" header is only a SHOULD there and as we need to
- handle the situation even without that header I made libcurl ignore
- Trailer: completely.
+ This makes it easier for emacs users to automatically get the right
+ 2-space indentation when they edit curl source files.
- Test case 1116 was added to verify this and to make sure we handle more
- than one trailer header properly.
+ c++-mode is in there as well because Emacs can't easily know if
+ something is a C or C++ header.
- Reported by: Patrick McManus
- Bug: http://curl.haxx.se/bug/view.cgi?id=3052450
+ Closes #574
-- TODO: we now support RTMP
+- [Johannes Schindelin brought this change]
-- TODO: done "NTLM with other crypto functions"
+ configure: detect IPv6 support on Windows
- Since NTLM was made to work with the NSS API as well, the primary SSL
- alternatives will be built with NTLM support in libcurl.
+ This patch was "nicked" from the MINGW-packages project by Daniel.
+
+ https://github.com/Alexpux/MINGW-packages/commit/9253d0bf58a1486e91f7efb5316e7fdb48fa4007
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- TODO: fixed "Make curl_multi_info_read faster"
+- configure: allow static builds on mingw
+
+ This patch is adopted from the MINGW-packages project. It makes it
+ possible to build curl both shared and static again.
- It is really fast now
+ URL: https://github.com/Alexpux/MINGW-packages/tree/master/mingw-w64-curl
-Dan Fandrich (24 Aug 2010)
-- Fixed a NULL pointer dereference in form posting
+Marc Hoersken (17 Dec 2015)
+- test 1326: fix file check since curl is outputting binary data
+
+- test 1326: fix getting stuck on Windows due to incomplete request
- It was introduced in commit eeb2cb05 along with the -F type=
- change. Also fixed a typo in the name of the magic filename=
- parameter. Tweaked tests 39 and 173 to better test this path.
+ The request needs to be read and send in binary mode in order to use
+ CRLF instead of LF. Adding --upload-file - causes curl to read stdin
+ in binary mode.
-Daniel Stenberg (24 Aug 2010)
-- [Ben Greear brought this change]
+Daniel Stenberg (17 Dec 2015)
+- RELEASE-NOTES: command line option recount
- multi: Fix compile warning on 64-bit systems
+Dan Fandrich (16 Dec 2015)
+- scripts/Makefile: build zsh script even in an out-of-tree build
-Dan Fandrich (23 Aug 2010)
-- Mention PolarSSL in tutorial & add some URLs to INSTALL
+Marc Hoersken (16 Dec 2015)
+- sockfilt.c: added some debug output to select_ws
-Daniel Stenberg (23 Aug 2010)
-- RESUME_FROM: clarify what ftp uploads do
-
- The numerical value passed to CURLOPT_RESUME_FROM for FTP uploads is
- interpreted and used as position where to resume the _reading_ of the
- local file and it will "blindly" append that data on the remote
- file. This was certainly not clear in the docs previously.
-
- Reported by: catalin
- Bug: http://curl.haxx.se/bug/view.cgi?id=3048174
+- sockfilt.c: keep lines shorter than 80 chars
-- [Dirk Manske brought this change]
+- sockfilt.c: do not wait on unreliable file or pipe handle
+
+ The previous implementation caused issues on modern MSYS2 runtimes.
- Curl_is_connected: use correct errno
+Daniel Stenberg (16 Dec 2015)
+- cyassl: deal with lack of *get_peer_certificate
- The correctly extracted errno contents were mistakenly overwritten by a newer
- value that wasn't the correct error value.
+ The function is only present in wolfssl/cyassl if it was built with
+ --enable-opensslextra. With these checks added, pinning support is disabled
+ unless the TLS lib has that function available.
- Bug: http://curl.haxx.se/mail/lib-2010-08/0242.html
+ Also fix the mistake in configure that checks for the wrong lib name.
+
+ Closes #566
+
+- wolfssl: handle builds without SSLv3 support
-- cmdline: make -F type= accept ;charset=
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Support trailer fields
+
+ This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked
+ encoding must be used to send trialer fields. HTTP/2 deprecated any
+ trandfer-encoding, including chunked. But trailer fields are now
+ always available.
- The -F option allows some custom parameters within the given string, and
- those strings are separated with semicolons. You can for example specify
- "name=daniel;type=text/plain" to set content-type for the
- field. However, the use of semicolons like that made it not work fine if
- you specified one within the content-type, like for:
- "name=daniel;type=text/plain;charset=UTF-8"
- ... as the second one would be seen as a separator and "charset" is no
- parameter curl knows anything about so it was just silently discarded.
+ Since trailer fields are relatively rare these days (gRPC uses them
+ extensively though), allocating buffer for trailer fields is done when
+ we detect that HEADERS frame containing trailer fields is started. We
+ use Curl_add_buffer_* functions to buffer all trailers, just like we
+ do for regular header fields. And then deliver them when stream is
+ closed. We have to be careful here so that all data are delivered to
+ upper layer before sending trailers to the application.
- The new logic now checks if the semicolon and following keyword looks
- like a parameter it knows about and if it isn't it is assumed to be
- meant to be used within the content-type string itself.
+ We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE
+ mechanism, but current method is far more simple.
- I modified test case 186 to verify that this works as intended.
+ Another possibility is use chunked encoding internally for HTTP/2
+ traffic. I have not tested it, but it could add another overhead.
- Reported by: Larry Stone
- Bug: http://curl.haxx.se/bug/view.cgi?id=3048988
+ Closes #564
-Guenter Knauf (20 Aug 2010)
-- Added mk-ca-bundle.vbs script.
+- RELEASE-NOTES: synced with 6c2c019654e658a
+
+Jay Satiro (15 Dec 2015)
+- x509asn1: Fix host altname verification
+
+ - In Curl_verifyhost check all altnames in the certificate.
- The script works exactly same as the Perl one except for one thing:
- when the text descriptions generated with openssl are included then
- the md5 fingerprints are missing; seems openssl has either a bug or
- a feature which prints the md5 fingerprint output to stdout instead
- of writing them to specified file; this script could here do the same
- as what the Perl scripr does (redirect stdout into file) but this
- makes the script take up double the time because it needs to launch
- cmd.exe 140 times (fo each openssl call). So I think for now we just
- ommit the md5 fingerprints, and see if openssl will be fixed.
+ Prior to this change only the first altname was checked. Only the GSKit
+ SSL backend was affected by this bug.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
+ Reported-by: John Kohl
-- Trial to fix win32 autobuilds.
+Daniel Stenberg (15 Dec 2015)
+- curl --expect100-timeout: added
- It seems that its time to look at some better ideas for the win32
- non-configure builds; probably a prebuild target which copies
- config-win32.h to curl_config.h and appends also then feature
- defines like USE_ARES.
+ This is the new command line option to set the value for the existing
+ libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
+
+- cyassl: fix compiler warning on type conversion
-Dan Fandrich (19 Aug 2010)
-- Use the S_ISREG macro to determine what is a regular file
+- curlver: the pending release will become 7.47.0
-Kamil Dudka (19 Aug 2010)
-- AC_INIT: avoid a warning with autoconf 2.66
+- [Anders Bakken brought this change]
+
+ setstropt: const-correctness
- It was complaining about the '=>' operator, introduced in e3fc0d5.
+ Closes #565
-Dan Fandrich (18 Aug 2010)
-- Fixed a memory leak during OOM in the multi timeout code
+- ROADMAP: implemented HTTP2 for HTTPS-only
-- Removed a C99ism & made an array const
+- HTTP2.md: spell fix and remove TODO now implemented
-Daniel Stenberg (19 Aug 2010)
-- [Julien Chaffraix brought this change]
+- libressl: the latest openssl x509 funcs are not in libressl
- test: added test 579 to verify progress callback for chunked post
-
- The 66 bytes checked are those 38 bytes with the chunked encoding
- headers added: 8+8+10+35+5 = 66
+- curl: use 2TLS by default
- The three-letter words become 8 bytes on the wire because they are sent
- like: "3\r\none\r\n"
+ Make this the default for the curl tool (if built with HTTP/2 powers
+ enabled) unless a specific HTTP version is requested on the command
+ line.
- ... and there's the trailing 5 bytes write after the four lines since
- the final chunk is sent (which is "0\r\n\r\n").
+ This should allow more users to get HTTP/2 powers without having to
+ change anything.
-- multi: avoid sending multiple complete messages
+- http: add libcurl option to allow HTTP/2 for HTTPS only
- I fell over this bug report that mentioned that libcurl could wrongly
- send more than one complete messages at the end of a transfer. Reading
- the code confirmed this, so I've added a new multi state to make it not
- happen. The mentioned bug report was made by Brad Jorsch but is (oddly
- enough) filed in Debian's bug tracker for the "wmweather+" tool.
-
- Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593390
-
-- FAQ: update the list of supported protocols
+ ... and stick to 1.1 for HTTP. This is in line with what browsers do and
+ should have very little risk.
-- FAQ: added blurb about ECCN
+- openssl: adapt to openssl >= 1.1.0 X509 opaque structs
- "1.13 curl's ECCN number" is a new section mostly made up from
- Alessandro Vesely's very informative ML post on the subject:
- http://curl.haxx.se/mail/lib-2008-03/0251.html
+ Closes #491
-Guenter Knauf (18 Aug 2010)
-- It is sufficient to pipe stderr to NUL to get rid of the nasty messages.
+- openssl: avoid BIO_reset() warnings since it returns a value
-- Added SSPI build to Watcom makefile.
+- openssl: adapt to 1.1.0+ name changes
-Daniel Stenberg (16 Aug 2010)
-- [Julien Chaffraix brought this change]
+- scripts/makefile: add standard header
- progress: callback for POSTs less than MAX_INITIAL_POST_SIZE
+- scripts/Makefile: fix GNUism and survive no perl
- Add a call to Curl_pgrsSetUploadSize in this case valided by a test
- case.
+ Closes #555
- Reported by: Никита Дорохин.
- Bug: http://curl.haxx.se/mail/lib-2010-04/0173.html
+ Reported-by: Thomas Klausner
-Dan Fandrich (16 Aug 2010)
-- Make the LD_PRELOAD path absolute in the tests that use it
-
- In some situations, libtool will change directories and perform
- a link step before executing the libtest test app. Since
- LD_PRELOAD is in effect for this entire process, the path to the
- binary must be absolute so it will be valid no matter in which
- directory the app is running.
+- fix b6d5cb40d7038fe
+
+- [Tatsuhiro Tsujikawa brought this change]
-Daniel Stenberg (16 Aug 2010)
-- negotiation: Wrong proxy authorization
+ http2: Fix hanging paused stream
- There's an error in http_negotiation.c where a mistake is using only
- userpwd even for proxy requests. Ludek provided a patch, but I decided
- to write the fix slightly different using his patch as inspiration.
+ When NGHTTP2_ERR_PAUSE is returned from data_source_read_callback, we
+ might not process DATA frame fully. Calling nghttp2_session_mem_recv()
+ again will continue to process DATA frame, but if there is no incoming
+ frames, then we have to call it again with 0-length data. Without this,
+ on_stream_close callback will not be called, and stream could be hanged.
- Reported by: Ludek Finstrle
- Bug: http://curl.haxx.se/bug/view.cgi?id=3046066
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0103.html
+ Reported-by: Francisco Moraes
-Dan Fandrich (16 Aug 2010)
-- Clear stdout and stderr files on each test run
+- [Christian Stewart brought this change]
+
+ build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
+
+ With curl disable verbose strings in http.c the compilation fails due to
+ the data variable being undefined later on in the function.
- This allows a test to be run several times in the same test
- session even when the -k option is given.
+ Closes #558
-Guenter Knauf (15 Aug 2010)
-- Syncroniszed vclean target; fixed some comments.
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
-Daniel Stenberg (15 Aug 2010)
-- THANKS: added contributors from 7.21.1
+ config-win32: Fix warning HAVE_WINSOCK2_H undefined
-- multi: two fixes done
+- [Gisle Vanem brought this change]
-- multi: use timeouts properly for MAX_RECV/SEND_SPEED
-
- When detecting that the send or recv speed, the multi interface changes
- state to TOOFAST and previously there was no timeout set that would
- force a recheck but it would rely on the application to somehow call
- libcurl anyway. This now sets a timeout for a suitable future time to
- check again if the average transfer speed is then below the threshold
- again.
+ openssl: BoringSSL doesn't have CONF_modules_free
+
+- [Gisle Vanem brought this change]
-- multi: support timeouts
+ lwip: Fix compatibility issues with later versions
- Curl_expire() is now expanded to hold a list of timeouts for each easy
- handle. Only the closest in time will be the one used as the primary
- timeout for the handle and will be used for the splay tree (which sorts
- and lists all handles within the multi handle).
+ The name of the header guard in lwIP's <lwip/opt.h> has changed from
+ '__LWIP_OPT_H__' to 'LWIP_HDR_OPT_H' (bug #35874 in May 2015).
- When the main timeout has triggered/expired, the next timeout in time
- that is kept in the list will be moved to the main timeout position and
- used as the key to splay with. This way, all timeouts that are set with
- Curl_expire() internally will end up as a proper timeout. Previously any
- Curl_expire() that set a _later_ timeout than what was already set was
- just silently ignored and thus missed.
+ Other fixes:
- Setting Curl_expire() with timeout 0 (zero) will cancel all previously
- added timeouts.
+ - In curl_setup.h, the problem with an old PSDK doesn't apply if lwIP is
+ used.
- Corrects known bug #62.
-
-- Curl_llist_insert_next: allow insertion first in the list
+ - In memdebug.h, the 'socket' should be undefined first due to lwIP's
+ lwip_socket() macro.
- When we specify the "insert after" entry as NULL, this function now
- inserts the new entry first in the list.
-
-- multi: make curl_multi_info_read perform O(1)
+ - In curl_addrinfo.c lwIP's getaddrinfo() + freeaddrinfo() macros need
+ special handling because they were undef'ed in memdebug.h.
- Instead of looping over all attached easy handles, this now keeps a list
- of messages in the multi handle. It allows curl_multi_info_read() to
- perform O(1) no matter how many easy handles that are handled. This is
- of importance since this function may be polled very frequently by apps
- using the multi interface.
-
-Kamil Dudka (15 Aug 2010)
-- curl -T: ignore file size of special files
+ - In select.c we can't use preprocessor conditionals inside select if
+ MSVC and select is a macro, as it is with lwIP.
- original bug report at https://bugzilla.redhat.com/622520
+ http://curl.haxx.se/mail/lib-2015-12/0023.html
+ http://curl.haxx.se/mail/lib-2015-12/0024.html
-Dan Fandrich (13 Aug 2010)
-- Reset environment variables before starting servers
-
- Otherwise, variables from tests could affect the servers
- themselves.
+Patrick Monnerat (7 Dec 2015)
+- os400: define CURL_VERSION_PSL in ILE/RPG binding
+
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
+
+ version: Add flag CURL_VERSION_PSL for libpsl
-Kamil Dudka (12 Aug 2010)
-- typecheck-gcc: work around gcc upstream bug #32061
+- formdata: Check if length is too large for memory
- original bug report at https://bugzilla.redhat.com/617757
+ - If the size of the length type (curl_off_t) is greater than the size
+ of the size_t type then check before allocating memory to make sure the
+ value of length will fit in a size_t without overflow. If it doesn't
+ then return CURLE_BAD_FUNCTION_ARGUMENT.
+
+ Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
+ Reported-by: Steve Holme
-Daniel Stenberg (11 Aug 2010)
-- release cycle loop: start over toward 7.21.2
+Steve Holme (3 Dec 2015)
+- tests: Corrected copy and pasted comments from commit e643c5c908
-Version 7.21.1 (11 Aug 2010)
+Daniel Stenberg (3 Dec 2015)
+- curl: remove keepalive #ifdef checks done on libcurl's behalf
+
+ They didn't match the ifdef logic used within libcurl anyway so they
+ could indeed warn for the wrong case - plus the tool cannot know how the
+ lib actually performs at that level.
-Daniel Stenberg (11 Aug 2010)
-- RELEASE-NOTES: mention the runtests fix as well
+Steve Holme (2 Dec 2015)
+- test947: Corrected typo in test name
-- runtests: clear old setenv remainders before test
+- tests: Disable the OAUTHBEARER tests when using a non-default port number
- Due to the layout of the singletest function there are situations where
- it returns before it clears the environment variables that were
- especially set for the single specific test case. That could lead to
- subsequent tests getting executed with environment variables sticking
- around from a previous test which could lead to badness.
+ Tests 842, 843, 844, 845, 887, 888, 889, 890, 946, 947, 948 and 949 fail
+ if a custom port number is specified via the -b option of runtests.pl.
- This change makes sure to clear all custom variables that may be laying
- around from a previous round, before running a test case.
+ Suggested by: Kamil Dudka
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0003.html
+
+Daniel Stenberg (2 Dec 2015)
+- bump: towards next release
- Reported by: Kamil Dudka
- Bug: http://curl.haxx.se/mail/lib-2010-08/0141.html
+ for all we know now, it might be called 7.46.1
-Guenter Knauf (11 Aug 2010)
-- Added OpenSSL builds to Watcom makefiles.
+Version 7.46.0 (1 Dec 2015)
-Yang Tse (11 Aug 2010)
-- configure: werror related adjustments
+Daniel Stenberg (1 Dec 2015)
+- RELEASE-NOTES: updated contributor count for 7.46.0
-Daniel Stenberg (11 Aug 2010)
-- FAQ: s/libcurl.so.3/libcurl.so.X
+- THANKS: new contributors from the 7.46.0 release
-Dan Fandrich (10 Aug 2010)
-- KNOWN_BUG #59 is fixed. Clarify support of IPv6 zone IDs.
+- THANKS-filter: single Tim Rühsen spelling
-- Fixed typo in Android configure command
+- docs/examples: gitignore some more built examples
-Daniel Stenberg (11 Aug 2010)
-- HISTORY: added stuff from recent years
+- RELEASE-NOTES; this bug was never released
-- warning: silence the compiler
-
- warning: conversion to 'long int' from 'time_t' may alter its value
+- RELEASE-NOTES: synced with e55f15454efacb0
+
+- [Flavio Medeiros brought this change]
+
+ Curl_read_plain: clean up ifdefs that break statements
- ... on win64 when time_t is 64bit and long is 32bit.
+ Closes #546
-- RELEASE-NOTES: synced, 3 additional bugfixes
+- http2: convert some verbose output into debug-only output
+
+- http2 push: add missing inits of new stream
+
+ - set the correct stream_id for pushed streams
+ - init maxdownload and size properly
-- multi_socket_action: clarify how to kickstart it
+- http2 push: set weight for new stream
- The callbacks are called when curl_multi_socket_action() is called, not
- when handles are added. This is now mentioned in the "TYPICAL USAGE"
- section.
+ give the new stream the old one's stream_weight internally to avoid
+ sending a PRIORITY frame unless asked for it
-- callbacks: acknowledge progress callback error returns
+- curl_setup.h: undef freeaddrinfo in c-ares block to fix build
- When the progress callback is called during the TCP connection, an error
- return would accidentally not abort the operation as intended but would
- instead be counted as a failure to connect to that particular IP and
- libcurl would just continue to try the next. I made singleipconnect()
- and trynextip() return CURLcode properly.
+ Fixes warnings 78c25c854a added.
+
+- nonblock: fix setting non-blocking mode for Amiga
- Added bonus: it corrected the error code for bad --interface usages,
- like tested in test 1084 and test 1085.
+ IoctlSocket() apparently wants a pointer to a long, passed as a char *
+ in its third parameter. This bug was introduced already back in commit
+ c5fdeef41d from October 1 2001!
- Reported by: Adam Light
- Bug: http://curl.haxx.se/mail/lib-2010-08/0105.html
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0088.html
+ Reported-by: Norbert Kett
-Guenter Knauf (10 Aug 2010)
-- More Watcom makefile fixes ...
+- zsh install: fix DESTDIR support
- Final fix (hopefully!) for dll wlink loader;
- prefer faster internal rm if available.
+ Reported-by: Mohammad AlSaleh
-- Fixed my wrong edit.
+Dan Fandrich (27 Nov 2015)
+- lib: Only define curl_dofreeaddrinfo if struct addrinfo is available
-- More Watcom makefile fixes.
+Steve Holme (27 Nov 2015)
+- tool_paramhlp: Fixed display of URL index in password prompt for --next
- Added the -br switch to dynamic builds which fixes the issue I saw
- with curl's --version output. Added debug info and symfile for debug
- builds to linker opts. Added DLL loader for wlink back, but this time
- dependend on wlink version.
- Patch posted to the list by malak.jiri AT gmail.com.
+ Commit f3bae6ed73 added the URL index to the password prompt when using
+ --next. Unfortunately, because the size_t specifier (%zu) is not
+ supported by all sprintf() implementations we use the curl_off_t format
+ specifier instead. The display of an incorrect value arises on platforms
+ where size_t and curl_off_t are of a different size.
-- Changed test for -u switch in order to enable other wmake switches.
+Daniel Stenberg (25 Nov 2015)
+- timecond: do not add if-modified-since without timecondition
- The var %MAKEFLAGS is only set in 3 cases: if set as environment
- var or as macro definition from commandline, and either with the
- -u or -ms switch. Since all these cases are unlikely for the average
- user it should be safe to only test if %MAKEFLAGS is defined; this
- has the benefit that now all other switches can be used again in
- addition to the -u which was formerly not possible.
-
-Daniel Stenberg (10 Aug 2010)
-- llist: hide Curl_llist_init
+ The RTSP code path didn't skip adding the if-modified-since for certain
+ RTSP code paths, even if CURLOPT_TIMECONDITION was set to
+ CURL_TIMECOND_NONE.
- Curl_llist_init is never used outside of llist.c and thus it should be
- static. I also removed the protos for Curl_llist_insert_prev and
- Curl_llist_remove_next which are functions we removed from llist.c ages
- ago.
-
-Guenter Knauf (10 Aug 2010)
-- Added msys Perl since git for Win32 comes with own Perl which identifies as msys.
-
-- Updated lib dependency versions.
+ Also, an unknown non-zero CURLOPT_TIMECONDITION value no longer equals
+ CURL_TIMECOND_IFMODSINCE.
+
+ Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header
-- Make testcurl.pl Watcom-aware.
+- RELEASE-NOTES: synced with 99d17a5e2ba77e58
-Daniel Stenberg (10 Aug 2010)
-- parse_remote_port: fix ;type= URL suffix over HTTP proxy
+- examples/README: cut out the incomplete list
- Test 563 is enabled now and verifies that the combo FTP type=A URL,
- CURLOPT_PORT set and proxy work fine. As a bonus I managed to remove the
- somewhat odd FTP check in parse_remote_port() and instead converted it
- to a better and more generic 'slash_removed' struct field. Checking the
- ->protocol field isn't right since when an FTP:// URL is sent over a
- HTTP proxy, the protocol is HTTP but the URL was handled by the FTP code
- and thus slash_removed is set TRUE for this case.
+ ... and add a generic explanation for them instead. Each example file
+ should contain its own description these days.
-- indent: white space fixes only
+- test1513: make sure the callback is only called once
-Yang Tse (9 Aug 2010)
-- build: fix previous push
+- [Daniel Shahaf brought this change]
-- build: don't build libhostname unless shared libcurl is built
+ build: Install zsh completion
+
+ Fixes #534
+ Closes #537
-- build: libhostname and chkhostname linkage adjustments followup
+- done: make sure the final progress update is made
+
+ It would previously be skipped if an existing error was returned, but
+ would lead to a previous value being left there and later used.
+ CURLINFO_TOTAL_TIME for example.
+
+ Still it avoids that final progress update if we reached DONE as the
+ result of a callback abort to avoid another callback to be called after
+ an abort-by-callback.
+
+ Reported-by: Lukas Ruzicka
+
+ Closes #538
-Daniel Stenberg (8 Aug 2010)
-- typo: remove duplicate semicolon
+- curl: expanded the -XHEAD warning text
+
+ ... to also mention the specific options used.
-- multi: avoid a malloc() when a transfer is complete
+- Revert "cleanup: general removal of TODO (and similar) comments"
+
+ This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a.
- The struct used for storing the message for a completed transfer is now
- no longer allocated separatly but is kept within the main struct kept
- for each easy handle so that we avoid one malloc (and the subsequent
- free).
+ Feedback-by: Dan Fandrich
+ URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
-Yang Tse (8 Aug 2010)
-- build: libhostname linkage adjustments followup
+- CURLOPT_HEADERFUNCTION.3: fix typo
+
+ Refer to _HEADERDATA not _WRITEDATA.
+
+ Reported-by: Michał Piechowski
-Guenter Knauf (7 Aug 2010)
-- Fix to overwrite libcurl name.
+- TODO: TCP Fast Open
-Yang Tse (7 Aug 2010)
-- build: chkhostname build adjustments followup
+Steve Holme (22 Nov 2015)
+- examples: Added website parse-able descriptions to the e-mail examples
-U-D5B1PQ1J\Administrador (7 Aug 2010)
-- build: allow NTLM tests to run on more build configurations
+- TODO: Added another 'multi-interface' idea
-Daniel Stenberg (7 Aug 2010)
-- curl_easy_setopt.3: rename stream to userdata
+- smb.c: Fixed compilation warnings
- In some places where the name 'stream' has been used for naming a
- function argument that is in fact settable with a setopt() option we now
- call that argument 'userdata' to make it more obvious that it is in fact
- possible to set by the application.
-
- Suggested by: Jeff Pohlmeyer
-
-Guenter Knauf (7 Aug 2010)
-- Block created curlbuild.h for NetWare to avoid usage from other platforms.
+ smb.c:134:3: warning: conversion to 'short unsigned int' from 'int' may
+ alter its value
+ smb.c:146:42: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
+ smb.c:146:65: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
-Daniel Stenberg (7 Aug 2010)
-- RELEASE-NOTES: synced with recent changes
+- schannel: Corrected copy/paste error in commit 8d17117683
-Yang Tse (6 Aug 2010)
-- build: ensure that libhostname doesn't get installed
+- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
+
+ Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
-Daniel Stenberg (6 Aug 2010)
-- multi_socket: set timeout for 100-continue
+- examples: Fixed compilation warnings
- When libcurl internally decided to wait for a 100-continue header, there
- was no call to the timeout function so there was no timeout callback
- called when the multi_socket API was used and thus applications became
- either completely wrong or at least ineffecient depending on how they
- handled the situation. We now set a timeout to get triggered.
+ pop3-multi.c:96:5: warning: implicit declaration of function 'memset'
+ imap-multi.c:96:5: warning: implicit declaration of function 'memset'
+ http2-download.c:226:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
+
+- Makefile.inc: Fixed test run error
- Reported by: Ben Darnell
- Bug: http://curl.haxx.se/bug/view.cgi?id=3039744
+ test845 not present in tests/data/Makefile.inc
-Guenter Knauf (6 Aug 2010)
-- Some more Watcom makefile massage ...
+Daniel Stenberg (20 Nov 2015)
+- TODO: remove duplicated title
+
+- TODO: added two more libcurl ideas
- For now removed the .autodepend directive until I've figured out
- which of my changes broke it again.
+ Moved some ideas from "next major" to just ordinary ideas since we can
+ always add new things while keeping the old without doing a "next
+ major".
+
+Steve Holme (20 Nov 2015)
+- tests: Re-enabled tests 889 and 890 following POP3 fix
-Yang Tse (5 Aug 2010)
-- build: fix libssh2_scp_send64() availability
+- pop3: Differentiate between success and continuation responses
-- build: remove unneeded cast to (void *)
+- pop3: Added clarity on some server response codes
-- build: remove unused file
+Daniel Stenberg (20 Nov 2015)
+- [Daniel Shahaf brought this change]
-Daniel Stenberg (4 Aug 2010)
-- SCP: send large files properly with new enough libssh2
+ build: Fix theoretical infinite loops
- libssh2 1.2.6 and later handle >32bit file sizes properly even on 32bit
- architectures and we make sure to use that ability.
+ Add error-checking to 'cd' in a few cases where omitting the checks
+ might result in an infinite loop.
- Reported by: Mikael Johansson
- Bug: http://curl.haxx.se/mail/lib-2010-08/0052.html
+ Closes #535
-Yang Tse (3 Aug 2010)
-- build: add missing new files to non-configure target build files
+Patrick Monnerat (19 Nov 2015)
+- curl.h: s/#defien/#define/
-- md4: replace bcopy usage with memcpy
+- os400: synchronize ILE/RPG header file
-Daniel Stenberg (3 Aug 2010)
-- RELEASE-NOTES: synced with recent changes
+- os400: Provide options for libssh2 use in compile scripts. Adjust README.
-- TODO-RELEASE: clear, file not really used ATM
+Daniel Stenberg (19 Nov 2015)
+- [danielsh@apache.org brought this change]
-- typecheck-gcc: add checks for recently added options
+ zsh completion: Preserve single quotes in output
- I added all OBJECTPOINT curl_easy_setopt() options from 178 to 202. Left
- to add: the five FUNCTIONPOINT (callbacks) options added since:
+ When an option's help string contains literal single quotes, those
+ single quotes would be stripped from the option's description in the
+ completion output (unless the zsh RC_QUOTES option were set while the
+ completion function was being sourced, which is not the default). This
+ patch makes the completion output contain single quotes where the --help
+ output does.
- SSH_KEYFUNCTION
- INTERLEAVEFUNCTION
- CHUNK_BGN_FUNCTION
- CHUNK_END_FUNCTION
- FNMATCH_FUNCTION
+ Closes #532
-- .gitignore: ignore all built examples
+Jay Satiro (18 Nov 2015)
+- [MaxGiting brought this change]
-- example: fix code to build warning-free
-
-- Curl_connected_proxy: skip the bits.tcpconnect check
-
- Simply because the TCP might be connected already we cannot skip the
- proxy connect procedure. We need to be careful to not overload more
- meaning to the bits.tcpconnect field like this.
-
- With this fix, SOCKS proxies work again when the multi interface is
- used. I believe this regression was added with commit 4b351d018e,
- released as 7.20.1.
-
- Left todo: add a test case that verifies this functionality that
- prevents us from breaking it again in the future!
+ FAQ: Grammar changes
- Reported by: Robin Cornelius
- Bug: http://curl.haxx.se/bug/view.cgi?id=3033966
+ Closes https://github.com/bagder/curl/pull/533
-- sethostname: provide local prototype for gethostname
+Daniel Stenberg (17 Nov 2015)
+- http2: http_done: don't free already-freed push headers
- This is only to avoid warnings on some systems.
-
-- build: add typecast to avoid warning
+ The push headers are freed after the push callback has been invoked,
+ meaning this code should only free the headers if the callback was never
+ invoked and thus the headers weren't freed at that time.
- There is an implicit conversion from "unsigned long" to "long";
- rounding, sign extension, or loss of accuracy may result.
+ Reported-by: Davey Shafik
-Guenter Knauf (2 Aug 2010)
-- Rename CURL_SOURCES macro; revert previous rename of curl_SOURCES macro.
+- [Anders Bakken brought this change]
-- Removed ugly dependency lists since wmake knows the .autodepend directive.
+ getconnectinfo: Don't call recv(2) if socket == -1
+
+ Closes #528
-- Use suffix search path for sources in lib folder.
+- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
+
+ ... if there are more than one using the same name
-- Changed src/Makefile.Watcom to use CURL_SOURCES from src/Makefile.inc.
+- http2: minor comment typo
-- Renamed curl_SOURCES to CURL_ALLFILES to overcome wmake's case-insensitivity.
+- sasl; fix checksrc warnings
-- Removed wlink from DLL loader list because it doesnt work with Watcom < 1.8.
+Steve Holme (15 Nov 2015)
+- RELEASE-NOTES: Adjusted for the recent OAuth 2.0 activity
-- Moved the LDAP API defines from Makefile.Watcom to config-win32.h.
+- tests: Disabled 889 and 890 until we support POP3 continuation responses
- These defines are only needed for older Watcom versions (< 1280).
-
-Daniel Stenberg (2 Aug 2010)
-- retry: consider retrying even if -f is used
+ As POP3 final and continuation responses both begin with a + character,
+ and both the finalcode and contcode variables in SASLprotoc are set as
+ such, we cannot tell the difference between them when we are expecting
+ an optional continuation from the server such as the following:
- The --retry logic does retry HTTP when some specific response codes are
- returned, but because the -f option sets the CURLOPT_FAILONERROR to
- libcurl, the return codes are different for such situations and then the
- curl tool failed to consider it for retrying.
+ + something else from the server
+ +OK final response
- Reported by: Mike Power
- Bug: http://curl.haxx.se/bug/view.cgi?id=3037362
+ Disabled these tests until such a time we can tell the responses apart.
-- multi: fix FTPS connecting the data connection with OpenSSL
+- tests: Corrected typos from commit ba4d8f7eba
+
+- tests: Added OAUTHBEARER failure response tests
+
+- oauth2: Support OAUTHBEARER failures sent as continuation responses
- Commit 496002ea1cd76af7f (released in 7.20.1) broke FTPS when using the
- multi interface and OpenSSL was used. The condition for the non-blocking
- connect was incorrect.
+ According to RFC7628 a failure message may be sent by the server in a
+ base64 encoded JSON string as a continuation response.
- Reported by: Georg Lippitsch
- Bug: http://curl.haxx.se/mail/lib-2010-07/0270.html
+ Currently only implemented for OAUTHBEARER and not XAUTH2.
-Guenter Knauf (1 Aug 2010)
-- Fixed curlbuild.h rule.
+Daniel Stenberg (15 Nov 2015)
+- RELEASE-NOTES: synced with 808a17ee675
-- Added rule to create curlbuild.h if not present (for builds from git).
+Steve Holme (14 Nov 2015)
+- tests: Renamed existing OAuth 2.0 (XOAUTH) tests
-- Added dependend libs for curl static linking.
+- tests: Added OAuth 2.0 (OAUTHBEARER) tests
-- Fixed curl.exe static linking.
-
-Daniel Stenberg (30 Jul 2010)
-- warning: silence a win64 compiler warning
-
- conversion from 'size_t' to 'curl_socklen_t', possible loss of data
+- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
- Reported by: Adam Light
+ OAUTHBEARER is now the official "registered" SASL mechanism name for
+ OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some
+ servers won't support the new mechanism yet.
-- KNOWN_BUG: The SOCKET type in Win64 is 64 bits
-
- The SOCKET type in Win64 is 64 bits large (and thus so is curl_socket_t
- on that platform), and long is only 32 bits. It makes it impossible for
- curl_easy_getinfo() to return a socket properly with the
- CURLINFO_LASTSOCKET option as for all other operating systems.
+Daniel Stenberg (13 Nov 2015)
+- RELEASE-NOTES: recounted curl_easy_setopt() options
-- smtp_connect: always provide host name buffer
+- typecheck-gcc.h: add missing slist-using options
- Previously the host name buffer was only used if gethostname() exists,
- but since we converted that into a curl private function that function
- always exists and will be used so the buffer needs to exist for all
- cases/systems.
-
-- sethostname: avoid including unistd.h to duck for warnings
+ CURLOPT_RESOLVE and CURLOPT_PROXYHEADER were missing
+
+ Also sorted the list.
-- sethostname: ISO C does not allow extra `;' outside of a function
+- typecheck-gcc.h: added CURLOPT_CLOSESOCKETDATA
+
+ ... and sorted curl_is_cb_data_option alphabetically
-- [Kamil Dudka brought this change]
+Jay Satiro (13 Nov 2015)
+- [Sebastian Pohlschmidt brought this change]
- NTLM tests: boost coverage by forcing the hostname
-
- A shared library tests/libtest/.libs/lihostname.so is preloaded in NTLM
- test-cases to override the system implementation of gethostname(). It
- makes it possible to test the NTLM authentication for exact match, and
- this way test the implementation of MD4 and DES.
+ openssl: Free modules on cleanup
- If LD_PRELOAD doesn't work, a debug build willl also workk as debug
- builds are now made to prefer a specific environment variable and will
- then return that content as host name instead of the actual one.
+ Curl_ossl_init calls OPENSSL_load_builtin_modules() but
+ Curl_ossl_cleanup doesn't make a call to free these modules.
- Kamil wrote the bulk of this, Daniel Stenberg polished it.
+ Bug: https://github.com/bagder/curl/issues/526
-Guenter Knauf (29 Jul 2010)
-- Added a comment with an alternate idea to avoid the backslash line contination character.
-
-- Changed comparison to match size_t var type.
+Steve Holme (13 Nov 2015)
+- symbols-in-versions: Added new CURLOPTTYPE_STRINGPOINT alias
+
+ ...following commit aba281e762 to fix test 1119.
-- Removed unused vars to avoid compiler warnings.
+Daniel Stenberg (13 Nov 2015)
+- curl: mark two more options strings for --libcurl output
-- Make Watcom makefiles use Makefile.inc to reduce future maintainance.
+- typecheck-gcc.h: add some missing string types
- lib/Makefile.Watcom works fine already, for src/Makefile.Watcom we
- need first to tweak src/Makefile.inc a bit - therefore the handtweaked
- list still exists for now.
+ Also sorted that list alphabetically
-- Watcom makefiles overhaul.
+- curl.h: introducing the STRINGPOINT alias
- - make both libcurl and curl makefiles use register calling convention
- (previously libcurl had stack calling convention).
- - added include paths to the Watcom headers so its no longer required
- to set the environment vars for this.
- - added -wcd=201 to supress compiler warning about unreachable code.
- - use macros for all tools, and removed dependency on GNU tools like rm.
- - make ipv6 and debug builds controlable via env vars and so make them
- optional instead of default.
- - commented WINLDAPAPI and WINBERAPI since they broke with OW 1.8, and
- it seems they're not needed (anymore?).
- - added rule for hugehelp.c.cvs so that it will be created when not
- already exist - this is required for building from a release tarball
- since there we have no hugehelp.c.cvs, thus compilation broke.
- - removed C_ARG creation from lib/Makefile.Watcom and use CFLAGS
- directly as done too in src/Makefile.Watcom - this has the benefit
- that we will see all active cflags and defines during compile.
- - added LINK-ARG to src/Makefile.Watcom in order to better control
- linker input.
- - a couple of other minor makefile tweaks here and there ...
- - added largefile support for Watcom builds to config-win32.h. Not yet
- tested if it really works, but should since Win32 supports it.
- - added loaddll stuff to speed up builds if supported.
+ As an alias for OBJECTPOINT. Provided to allow us to grep for all string
+ options easier.
-- some cosmetic changes.
+- cleanup: general removal of TODO (and similar) comments
+
+ They tend to never get updated anyway so they're frequently inaccurate
+ and we never go back to revisit them anyway. We document issues to work
+ on properly in KNOWN_BUGS and TODO instead.
-Dan Fandrich (26 Jul 2010)
-- Added md4.c to the Watcom makefile
+- ftplistparser: remove empty function
-- Added PolarSSL to the docs
+- openssl: remove #if check for 0.9.7 for ENGINE_load_private_key
-Daniel Stenberg (25 Jul 2010)
-- curl-config: --built-shared returns shared info
-
- The curl-config now features a --built-shared command line option that
- will output 'yes' or 'no' depending if the build process was asked to
- build shared library/libraries or not.
+- openssl: all supported versions have X509_STORE_set_flags
- It is primarily made to offer more details to the test suite to know
- what kind of stunts it can expect to work.
+ Simplify by removing #ifdefs and macros
-- add_buffer_send: fix compiler warning
-
- Win64's 32 bit long but 64 bit size_t caused a warning that we avoid
- with a typecast. A small whitespace indent fix was also applied.
+- openssl: remove 0.9.3 check
+
+- openssl: remove #ifdefs for < 0.9.5 support
- Reported by: Adam Light
+ We only support >= 0.9.7
-Guenter Knauf (22 Jul 2010)
-- Updated library versions.
+- lib/vtls/openssl: remove unused traces of yassl ifdefs
-- Fixed script version which was still based on CVS Revision tag.
+Dan Fandrich (12 Nov 2015)
+- [dfandrich brought this change]
-Dan Fandrich (21 Jul 2010)
-- FAQ: Why doesn't cURL error out when the cable is unplugged?
+ unit1603: Demote hash mismatch failure to a warning
- This one was long overdue to be mentioned in the FAQ. Also, mention the
- new ftp wildcard downloading feature.
+ The hashes can vary between architectures (e.g. Sparc differs from x86_64).
+ This is not a fatal problem but just reduces the coverage of these white-box
+ tests, as the assumptions about into which hash bucket each key falls are no
+ longer valid.
-Daniel Stenberg (21 Jul 2010)
-- [Ben Greear brought this change]
+- [dfandrich brought this change]
- ssh: Fix compile error on 64-bit systems.
-
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ unit1603: Added unit tests for hash functions
+
+- [dfandrich brought this change]
-- [Ben Greear brought this change]
+ unit1602: Fixed failure in torture test
- build: Enable configure --enable-werror
+Steve Holme (12 Nov 2015)
+- sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism
- This passes -Werror to gcc when building curl and libcurl,
- allowing easy dection of compile warnings.
+ Following the fix in commit d6d58dd558 it is necessary to re-introduce
+ XOAUTH2 in the default enabled authentication mechanism, which was
+ removed in commit 7b2012f262, otherwise users will have to specify
+ AUTH=XOAUTH2 in the URL.
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Note: OAuth 2.0 will only be used when the bearer is specified.
+
+- [Stefan Bühler brought this change]
+
+ sasl_sspi: fix identity memory leak in digest authentication
-- [Ben Greear brought this change]
+- [Stefan Bühler brought this change]
- pingpong: Fix indentation (whitespace change only)
+ sasl_sspi: fixed unicode build for digest authentication
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Closes #525
-- [Jan Van Boghout brought this change]
+- oauth2: Re-factored OAuth 2.0 state variable
- CUSTOMREQUEST: shouldn't be disabled when HTTP is disabled
+- sasl: Don't choose OAuth 2.0 if mechanism not advertised
- ... since FTP is using it as well, and potentially other protocols!
+ Regression from commit 9e8ced9890 which meant if --oauth2-bearer was
+ specified but the SASL mechanism wasn't supported by the server then
+ the mechanism would be chosen.
+
+Daniel Stenberg (12 Nov 2015)
+- runtests: more compact "System characteristics" output
+
+ - no point in repeating curl features that is already listed as features
+ from the curl -V output
- Also, an #endif CURL_DISABLE_HTTP was incorrectly marked, as it seems to
- end the proxy block instead.
+ - remove the port numbers/unix domain path from the output unless
+ verbose is used, as that is rarely interesting to users.
-- [Jan Van Boghout brought this change]
+- runtests: rename conditional curl-features to $has_[name]
- pingpong: response_time is milliseconds
+Steve Holme (11 Nov 2015)
+- oauth2: Introduced support for host and port details
- Fixed the comment/document for the response_time struct member.
+ Added support to the OAuth 2.0 message function for host and port, in
+ order to accommodate the official OAUTHBEARER SASL mechanism which is
+ to be added shortly.
-- [Jan Van Boghout brought this change]
+- curl_setup.h: Removed duplicate CURL_DISABLE_RTSP when HTTP_ONLY defined
- ftp: response timeout bug in "quote" sending
+- cmake: Add missing feature macros in config header (Part 2)
- The FTP implementation was missing a timestamp reset point, making the
- waiting for responses after sending a post-transfer "QUOTE" command not
- working as supposedly. This bug was introduced in 7.20.0
+ In addition to commit a215381c94 added the RTSP, RTMP and SMB protocols.
-- [Jeff Pohlmeyer brought this change]
+Daniel Stenberg (10 Nov 2015)
+- [Douglas Creager brought this change]
- remote-header-name: chop filename at next semicolon
+ cmake: Add missing feature macros in config header
- The --remote-header-name option for the command-line tool assumes that
- everything beyond the filename= field is part of the filename, but that
- might not always be the case, for example:
+ The curl_config.h file can be generated either from curl_config.h.cmake
+ or curl_config.h.in, depending on whether you're building using CMake or
+ the autotools. The CMake template header doesn't include entries for
+ all of the protocols that you can disable, which (I think) means that
+ you can't actually disable those protocols when building via CMake.
- Content-Disposition: attachment; filename=file.txt; modification-date=...
-
- This fix chops the filename off at the next semicolon, if there is one.
+ Closes #523
+
+- [Douglas Creager brought this change]
-- --retry: access violation with URL part sets continued
+ BoringSSL: Work with stricter BIO_get_mem_data()
- When getting multiple URLs, curl didn't properly reset the byte counter
- after a successful transfer so if the subsequent transfer failed it
- would wrongly use the previous byte counter and behave badly (segfault)
- because of that. The code assumes that the byte counter and the 'stream'
- pointer is well in synch.
+ BoringSSL implements `BIO_get_mem_data` as a function, instead of a
+ macro, and expects the output pointer to be a `char **`. We have to add
+ an explicit cast to grab the pointer as a `const char **`.
- Reported by: Jon Sargeant
- Bug: http://curl.haxx.se/bug/view.cgi?id=3028241
+ Closes #524
-- releasnote: synch up with commit f3b77e5611d
-
-- [Constantine Sapuntzakis brought this change]
-
- examples: add curl_multi_timeout
+- http2: rectify the http2 version #if check
- Make the multi-interface using examples use curl_multi_timeout to
- properly educate users how to do things.
+ We need 1.0.0 or later. Also verified by configure.
-- configure: document the STATICLIB variable
+Steve Holme (9 Nov 2015)
+- oauth2: Don't use XAUTH2 in OAuth 2.0 function name
-- [Constantine Sapuntzakis brought this change]
+- oauth2: Don't use XOAUTH2 in OAuth 2.0 variables
- multi: fix condition that remove timers before trigger
+- oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
- curl_multi perform has two phases: run through every easy handle calling
- multi_runsingle and remove expired timers (timer removal).
+ When referring to OAuth 2.0 we should use the official name rather the
+ SASL mechanism name.
+
+Daniel Stenberg (9 Nov 2015)
+- imap: avoid freeing constant string
- If a small timer (e.g. 1-10ms) is set during multi_runsingle, then it's
- possible that the timer has passed by when the timer removal runs. The
- timer which was just added is then removed. This will potentially cause
- the timer list to be empty and cause the next call to curl_multi_timeout
- to return -1. Ideally, curl_multi_timeout should return 0 in this case.
+ The fix in 1a614c6c3 was wrong and would leed to free() of a fixed
+ string.
- One way to fix this is to move the struct timeval now = Curl_tvnow(); to
- the top of curl_multi_perform. The change does that.
+ Pointed-out-by: Kamil Dudka
-- [Constantine Sapuntzakis brought this change]
+- ROADMAP: remove two items already done
- threaded resolver: fix timeout issue
-
- Reset old timer first so we can set a new one further in the future.
+- RELEASE-NOTES: synced with 2200bf62054
-- configure: allow environments variable to override internals
+Jay Satiro (9 Nov 2015)
+- acinclude: Remove check for 16-bit curl_off_t
- configure checks for grep, egrep, sed and ar and set the variables GREP,
- EGREP, SED and AR accordingly. We now let already set variables override
- the internal choices to let users make decisions when they know the
- right choice already. This is a regression as our configure script used
- to allow this back before commit 0b57c475 (up to 7.18.2).
+ Because it's illogical to check for a 16-bit curl_off_t.
- Reported by: "kdekker"
- Bug: http://curl.haxx.se/bug/view.cgi?id=3028318
+ Ref: https://github.com/bagder/curl/issues/425#issuecomment-154964205
-Dan Fandrich (9 Jul 2010)
-- Improved the Android build instructions
+Dan Fandrich (8 Nov 2015)
+- tool: Fixed a memory leak on OOM introduced in 19cb0c4a
-Daniel Stenberg (7 Jul 2010)
-- [Tor Arntsen brought this change]
+Steve Holme (8 Nov 2015)
+- [Justin Ehlert brought this change]
- upload: Avoid infinite loop when checking for auth bits
+ imap: Don't check for continuation when executing a CUSTOMREQUEST
- The test would loop forever if authtype bit 0 wasn't set.
+ Bug: https://github.com/bagder/curl/issues/486
+ Closes https://github.com/bagder/curl/pull/487
-- upload: warn users trying to upload from stdin with anyauth
-
- Since uploading from stdin is very likely to not work with anyauth and
- its multi-phase probing for what authentication to actually use, alert
- the user about it. Multi-phase negotiate almost certainly will involve
- sending data and thus libcurl will need to rewind the stream to send
- again, and it cannot do that with stdin.
+Daniel Stenberg (7 Nov 2015)
+- imap: checksrc: remove space after while before paren
-- http: don't enable chunked during authentication negotiations
-
- As mentioned in bug report #2956968, the HTTP code wouldn't send the
- first empty chunk during the auth negotiation phase of the HTTP request
- sending, so the server would wait for data to come and libcurl would
- wait for data to arrive... I've made the code not enable chunked
- encoding until the auth negotiation is done and thus this scenario
- doesn't occur anymore.
+- checksrc.whitelist: "missing space after close paren"
- Reported by: Sidney San Martín
- Bug: http://curl.haxx.se/bug/view.cgi?id=2956968
+ ... when it was within a string!
-- --libcurl: list the tricky options instead of using [REMARK]
+Steve Holme (7 Nov 2015)
+- opts: Corrected TLS protocols list to include POP3S rather than POP3
+
+- imap: Quote other 'atom-specials' and not just the space character
- I think the [REMARK] and commented function calls cluttered the code a
- bit too much and made the generated code ugly to read. Now we instead
- track the remarks one specially and just lists them at the end of the
- generated code more as additional information.
+ Closes #517
+
+- imap: Fixed double quote in LIST command when mailbox contains spaces
-- curl: avoid setting libcurl options to its default
+Daniel Stenberg (6 Nov 2015)
+- imap: fix compiler warning
- it makes the --libcurl output easier to follow.
+ imap.c:657:13: error: assignment discards 'const' qualifier from pointer
+ target type [-Werror=discarded-qualifiers]
-- --libcurl: hide setopt() calls setting default options
+Steve Holme (6 Nov 2015)
+- imap: Don't call imap_atom() when no mailbox specified in LIST command
+
+Daniel Stenberg (6 Nov 2015)
+- curl.1: remove the overlap --range example
- And additionally, don't show function or object pointers actual value
- since they make no sense to anyone. Show 'functionpointer' and
- 'objectpointer' instead.
+ ... it is just weird to include by default even if it still works.
-- --libcurl: use *_LARGE options with typecasted constants
+- tftp tests: verify sent options too
+
+ The tftpd test server now logs all received options and thus all TFTP
+ test cases need to match them exactly.
- In the generated code --libcurl makes, all calls to curl_easy_setopt()
- that use *_LARGE options now have the value typecasted to curl_off_t, so
- that it works correctly for 32bit systems with 64bit curl_off_t type.
+ Extended test 283 to use and verify --tftp-blksize.
-- multi: CURLINFO_LASTSOCKET doesn't work after remove_handle
+Jay Satiro (6 Nov 2015)
+- getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
- When curl_multi_remove_handle() is called and an easy handle is returned
- to the connection cache held in the multi handle, then we cannot allow
- CURLINFO_LASTSOCKET to extract it since that will more or less encourage
- that the user uses the socket while it can get used by libcurl again.
+ - Set user info param to the socket returned by Curl_getconnectinfo,
+ regardless of if the socket is bad. Effectively this means the user info
+ param now will receive CURL_SOCKET_BAD instead of -1 on bad socket.
- Without this fix, we'd get a segfault in Curl_getconnectinfo() trying to
- dereference the NULL pointer in 'data->state.connc'.
+ - Remove incorrect comments.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3023840
+ CURLINFO_ACTIVESOCKET is documented to write CURL_SOCKET_BAD to user
+ info param but prior to this change it wrote -1.
+
+ Bug: https://github.com/bagder/curl/pull/518
+ Reported-by: Marcel Raad
-- [Pierre Joye brought this change]
+Patrick Monnerat (5 Nov 2015)
+- curl_ntlm_core: fix 2 curl_off_t constant overflows.
- build: add enable IPV6 option for the VC makefiles
+- os400: adjust specific code to support new options.
-- FAQ: the threaded resolver works universally now
+Daniel Stenberg (2 Nov 2015)
+- [Lauri Kasanen brought this change]
-Kamil Dudka (30 Jun 2010)
-- http_ntlm: add support for NSS
+ rawstr: Speed up Curl_raw_toupper by 40%
- When configured with '--without-ssl --with-nss', NTLM authentication
- now uses NSS crypto library for MD5 and DES. For MD4 we have a local
- implementation in that case. More details are available at
- https://bugzilla.redhat.com/603783
+ Rationale: when starting up a curl-using app, all cookies from the jar
+ are checked against each other. This was causing a startup delay in the
+ Fifth browser.
- In order to get it working, curl_global_init() must be called with
- CURL_GLOBAL_SSL or CURL_GLOBAL_ALL. That's necessary because NSS needs
- to be initialized globally and we do so only when the NSS library is
- actually required by protocol. The mentioned call of curl_global_init()
- is responsible for creating of the initialization mutex.
+ All tests pass.
- There was also slightly changed the NSS initialization scenario, in
- particular, loading of the NSS PEM module. It used to be loaded always
- right after the NSS library was initialized. Now the library is
- initialized as soon as any SSL or NTLM is required, while the PEM module
- is prevented from being loaded until the SSL is actually required.
+ Signed-off-by: Lauri Kasanen <cand@gmx.com>
-Daniel Stenberg (29 Jun 2010)
-- glob: backslash escaping bug
+- http redirects: %-encode bytes outside of ascii range
- curl didn't properly handle escaping characters in a URL with the use of
- backslash. It did an attempt, but that failed as reported in bug
- 3022551. The described example was using the URL
- "http://example.com?{AB,C\,D}".
+ Apparently there are sites out there that do redirects to URLs they
+ provide in plain UTF-8 or similar. Browsers and wget %-encode such
+ headers when doing a subsequent request. Now libcurl does too.
- I've now removed the special-handling of letters following the backslash
- and I also removed the bad extra check that triggered this particular
- bug.
+ Added test 1138 to verify.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3022551
- Reported by: Jon Sargeant
+ Closes #473
-- release-notes: sync up with recent commits
+- RELEASE-NOTES: synced with cba5bc585410
-- CONTRIBUTE: the git commit message line length is 72 columns
+- symbols-in-version: add all CURL_HTTPPOST_* symbols
-- [Pavel Raiskup brought this change]
+- formadd: support >2GB files on windows
+
+ Closes #425
- ftp wildcard: FTP LIST parser FIX
+- curl.h: s/HTTPPOST_/CURL_HTTPOST_
- There was a problem when a UNIX-like server returned information
- about directory size (total NNNNNN) at the first line of
- response.
+ Fixes a name space pollution at the cost of programs using one of these
+ defines will no longer compile. However, the vast majority of libcurl
+ programs that do multipart formposts use curl_formadd() to build this
+ list.
+
+ Closes #506
-- [Pavel Raiskup brought this change]
+- mbedtls: fix "Structurally dead code"
+
+ CID 1332129
- examples: new FTP wildcard showcase
+- mbedtls: fix "Logically dead code"
+
+ CID 1332128
-- multi_socket: re-use of same socket without notifying app
+- Revert "openssl: engine: remove double-free"
- When a hostname resolves to multiple IP addresses and the first one
- tried doesn't work, the socket for the second attempt may get dropped on
- the floor, causing the request to eventually time out. The issue is that
- when using kqueue (as on mac and bsd platforms) instead of select, the
- kernel removes the first fd from kqueue when it is closed (in trynextip,
- connect.c:503). Trynextip() then goes on to open a new socket, which
- gets assigned the same number as the one it just closed. Later in
- multi.c, socket_cb is not called because the fd is already in
- multi->sockhash, so the new socket is never added to kqueue.
+ This reverts commit 370ee919b37cc9a46c36428b2bb1527eae5db2bd.
- The correct fix is to ensure that socket_cb is called to remove the fd
- when trynextip() closes the socket, and again to re-add it after
- singleipsocket(). I'm not sure how to cleanly do that, but the attached
- patch works around the problem in an admittedly kludgy way by delaying
- the close to ensure that the newly-opened socket gets a different fd.
+ Issue #509 has all the details but it was confirmed that the crash was
+ not due to this, so the previous commit was wrong.
+
+- curl.1: -E: s/private certificate/client certificate
- Daniel's added comment: I didn't spot a way to easily do a nicer fix so
- I've proceeded with Ben's patch.
+ ... as the certificate is strictly speaking not private.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3017819
- Patch by: Ben Darnell
-
-Kamil Dudka (24 Jun 2010)
-- [Pavel Raiskup brought this change]
+ Reported-by: John Levon
- ftp-wildcard: avoid tight loop when used without any pattern
+- openssl: engine: remove double-free
- It was broken for URLs like "ftp://example.com/".
+ After a successful call to SSL_CTX_use_PrivateKey(), we must not call
+ EVP_PKEY_free() on the key.
+
+ Reported-by: nased0
+ Closes #509
+
+Jay Satiro (27 Oct 2015)
+- socks: Fix incorrect port numbers in failed connect messages
-Daniel Stenberg (21 Jun 2010)
-- maketgz: produce CHANGES automatically with the 1000 most recent commits
+Daniel Stenberg (26 Oct 2015)
+- DISTRO-DILEMMA: removed
- It passes the git log output through 'log2changes.pl' to produce
- the lot.
+ Out of date and not kept accurate. It was sort of a problem of the past
+ anyway.
-- ignore: CHANGES.dist gets generated by maketgz
+- [xiangbin li brought this change]
-- CHANGES: move all contents from CHANGES to CHANGES.0
+ MacOSX-Framework: sdk regex fix for sdk 10.10 and later
- CHANGES is no longer used for manually edited content. It is to
- be generated automatically by maketgz when we make release
- tarballs.
+ closes #507
-- log2changes: correct command line, fix tag usage, change Version output
+Jay Satiro (24 Oct 2015)
+- build: Fix support for PKG_CONFIG
- --decorate=full is needed with my git 1.7.1 to get the necessary
- output so that the previous edit would work to extract the
- Version stuff.
+ - Allow the user to use PKG_CONFIG but not PKGCONFIG.
- ... but I had to edit how the refs/tags was extracted since it
- had a little flaw that made it miss the 7.20.1 output.
+ Background:
- Finally, I changed so that Version is outputted even more similar
- to how CHANGES does it.
-
-Dan Fandrich (21 Jun 2010)
-- Make the output of log2changes.pl even more closely match CHANGES
+ Last week in 14d5a86 a change was made to allow the user to set the
+ PKGCONFIG variable. Today in 72d99f2 I supplemented that to allow the
+ more common PKG_CONFIG as an alternative if PKGCONFIG is not set.
- Add the ASCII art header, and list version commits by decoding
- the ref tag names, when available (using the git log --decorate
- option).
+ Neither of those changes worked as expected because PKGCONFIG is
+ occasionally reset in configure and by the CURL_CHECK_PKGCONFIG macro.
+ Instead in this commit I take the approach that the user may set
+ PKG_CONFIG only.
-Daniel Stenberg (19 Jun 2010)
-- log2changes: first version of the git log to CHANGES conversion script
+- build: Fix mingw ssl gdi32 order
- $ git log --pretty=fuller --no-color --date=short | ./log2changes.pl
+ - If mingw ssl make sure -lgdi32 comes after ssl libs
- Of course, limiting the log output with a range like with
- "[tag]..HEAD" appended can be very useful too.
-
-- sendrecv: treat all negative values from send/recv as errors
+ - Allow PKG_CONFIG to set pkg-config location and options
- For example the libssh2 based functions return other negative
- values than -1 to signal errors and it is important that we catch
- them properly. Right before this, various failures from libssh2
- were treated as negative download amounts which caused havoc.
+ Bug: https://github.com/bagder/curl/pull/501
+ Reported-by: Kang Lin
-- multi: prevent NULL pointer dereference
-
- My additional call to Curl_pgrsUpdate() would sometimes get
- called even though there's no connection (left) so a NULL pointer
- would get passed, causing a segfault.
+Daniel Stenberg (23 Oct 2015)
+- RELEASE-NOTES: synced with 03b6e078163f
-- smtp: fixed a few uses of size_t that seemed to believe it was signed
+- polarssl/mbedtls: fix name space pollution
- Reported-by: Steven M. Schweda
+ Global private symbols MUST start with Curl_!
+
+- [Dmitry S. Baikov brought this change]
-Dan Fandrich (17 Jun 2010)
-- Fixed an OOM memory leak in the FTP wildcard code
+ mbedTLS: THREADING_SUPPORT compilation fix
+
+ Closes #505
-Kamil Dudka (17 Jun 2010)
-- test575: do not fail with threaded DNS resolver
+- test1137: verify --ignore-content-length for FTP
-Daniel Stenberg (17 Jun 2010)
-- [Krister Johansen brought this change]
+- curl.1: --ignore-content-length now works for FTP too
- multi: unmark handle as used when no longer head of pipeline
+- [Kurt Fankhauser brought this change]
-- multi: call the progress function only once and allow abort
+ ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
- 1) no need to call the progress function twice when in the
- CURLM_STATE_TOOFAST state.
+ This allows FTP transfers with growing (or shrinking) files without
+ causing a transfer error.
- 2) Make sure that the progress callback's return code is
- acknowledged when used
+ Closes #480
-- multi: call the progress callback in all states
+- CURLOPT_STREAM_WEIGHT.3: call argument 'weight' too
- As long as no error is reported, the progress function can get
- called. This may be a little TOO often so we should keep an eye
- on this and possibly make this conditional somehow.
+ ... and add a little example of what the weight actually means. "Relative
+ proportion of bandwidth".
+
+- http2: add stream options to dist and curl_easy_setopt.3
-- configure: spell --disable-threaded-resolver correctly
+- http2: s/priority/weight
+
+- http2: on_frame_recv: trust the conn/data input
- Previously we only accepted the option when named
- --disable-threaded-resover, which wasn't quite intended.
+ Removed wrong assert()s
- Reported by: Helwing Lutz
+ The 'conn' passed in as userdata can be used and there can be other
+ sessionhandles ('data') than the single one this checked for.
-- release: start on 7.21.1, bump contributor count
+- http2: added three stream prio/deps options
+
+ CURLOPT_STREAM_DEPENDS
+
+ CURLOPT_STREAM_DEPENDS_E
+
+ CURLOPT_STREAM_PRIORITY
-- version: start working on the 7.21.1-dev version
+- RELEASE-NOTES: synced with ace68fdc0cfed83d
-- THANKS: added contributors from the 7.21.0 release
+- [m-gardet brought this change]
-Version 7.21.0 (16 Jun 2010)
+ mbedtls:new profile with RSA min key len = 1024.
+
+ Closes #502
-Daniel Stenberg (16 Jun 2010)
-- release: 7.21.0
+- checksrc: add crude // detection
-Yang Tse (10 Jun 2010)
-- remove unused 'tmpdata' and 'backup' ftp_parselist_data struct members
+Jay Satiro (21 Oct 2015)
+- [Gisle Vanem brought this change]
-- replace isprint() with ISPRINT()
+ build: fix for MSDOS/djgpp
+
+ - Add a VPATH-statement for the vtls/*.c files.
+
+ - Due to 'vtls/*.c', remove that subdir part from $(OBJECTS).
-- ensure that Curl_wildcard_dtor() leaves WildcardData struct zero initialized
+Daniel Stenberg (20 Oct 2015)
+- copyrights: update Gisle Vanem's email
-Patrick Monnerat (9 Jun 2010)
-- ILE/RPG binding updated to current curl.h definitions.
+- vtls: fix compiler warning for TLS backends without sha256
+
+ ... noticed with mbedTLS.
-Yang Tse (9 Jun 2010)
-- code simplification
+- [Jonas Minnberg brought this change]
-- add Curl_ prefix to conform with cURL naming standards
+ vtls: added support for mbedTLS
+
+ closes #496
-- Merge branch 'master' of git@github.com:bagder/curl
+Jay Satiro (19 Oct 2015)
+- [Javier G. Sogo brought this change]
-- fix compiler warning using curl_socket_t to store socket descriptor
+ cmake: Fix for add_subdirectory(curl) use-case
+
+ - Use CURL_BINARY_DIR instead of CMAKE_BINARY_DIR.
+
+ When including CURL using add_subdirectory the variables
+ CMAKE_BINARY_DIR and CURL_BINARY_DIR hold different paths.
+
+ Closes https://github.com/bagder/curl/pull/488
+ Closes https://github.com/bagder/curl/pull/498
-Daniel Stenberg (8 Jun 2010)
-- inet_pton: warnings: use size_t to store pointer deltas
+Daniel Stenberg (18 Oct 2015)
+- RELEASE-NOTES: synced with 4c773bcb474e
-Yang Tse (8 Jun 2010)
-- avoid redundant work when reusing same connection
+- tests/FILEFORMAT: mention PSL as a valid feture to check for
+
+ For example in test 1136
-- fix function result checking
+- teste1136: only run when PSL is enabled
-Daniel Stenberg (8 Jun 2010)
-- transfer: warning: implicit conversion
-
- There is an implicit conversion from "unsigned long" to "long";
- rounding, sign extension, or loss of accuracy may result.
+- curl: slist_wc: remove curl_memory.h inclusion
- Fixed by an added typecast.
+ ... that's for the library only.
-- TFTP: fix compiler warning
+- configure: add PSL to the list of features
- Curl_fillreadbuffer()'s second argument takes an int, so
- typecasting to another is a bad idea.
+ ... to make test 1014 work again after e77b5b7453.
-- TFTP: fix warning for sendto() usage on non-POSIX systems
+- [Daniel Hwang brought this change]
+
+ tool: Generate easysrc with last cache linked-list
- Older unixes want an 'int' instead of 'size_t' as the 3rd
- argumment so before this change it would cause warnings such as:
+ Using a last cache linked-list improves the performance of easysrc
+ generation.
- There is an implicit conversion from "unsigned long" to "int";
- rounding, sign extension, or loss of accuracy may result.
-
-Dan Fandrich (7 Jun 2010)
-- Include Makefile.inc to get the list of source files for Amiga
+ Bug: https://github.com/bagder/curl/issues/444
+ Ref: https://github.com/bagder/curl/issues/429
- Signed-off-by: Diego Casorran <dcasorran@gmail.com>
+ Closes #452
-Yang Tse (7 Jun 2010)
-- Curl_updateconninfo() error handling fix
+- [Tim Rühsen brought this change]
-Daniel Stenberg (5 Jun 2010)
-- [Constantine Sapuntzakis brought this change]
-
- OpenSSL: fix spurious SSL connection aborts
+ cookies: Add support for Mozilla's Publix Suffix List
+
+ Use libpsl to check the domain value of Set-Cookie headers (and cookie
+ jar entries) for not being a Publix Suffix.
- Was seeing spurious SSL connection aborts using libcurl and
- OpenSSL. I tracked it down to uncleared error state on the
- OpenSSL error stack - patch attached deals with that.
+ The configure script checks for "libpsl" by default. Disable the check
+ with --without-libpsl.
- Rough idea of problem:
+ Ref: https://publicsuffix.org/
+ Ref: https://github.com/publicsuffix/list
+ Ref: https://github.com/rockdaboot/libpsl
+
+- [Richard Hosking brought this change]
+
+ curlbuild.h: Fix non-configure compiling to mips and sh4 targets
+
+- [Anders Bakken brought this change]
+
+ http2: Don't pass unitialized name+len pairs to nghttp2_submit_request
- Code that uses libcurl calls some library that uses OpenSSL but
- don't clear the OpenSSL error stack after an error.
+ bug introduced by 18691642931e5c7ac8af83ac3a84fbcb36000f96.
- ssluse.c calls SSL_read which eventually gets an EWOULDBLOCK from
- the OS. Returns -1 to indicate an error
+ Closes #493
+
+Dan Fandrich (16 Oct 2015)
+- test1601: fix compilation with --enable-debug and --disable-crypto-auth
+
+Daniel Stenberg (16 Oct 2015)
+- multi: fix off-by-one finit[] array size
- ssluse.c calls SSL_get_error. First thing, SSL_get_error calls
- ERR_get_error to check the OpenSSL error stack, finds an old
- error and returns SSL_ERROR_SSL instead of SSL_ERROR_WANT_READ or
- SSL_ERROR_WANT_WRITE.
+ introduced in c6aedf680f6. It needs to be CURLM_STATE_LAST big since it
+ must hande the range 0 .. CURLM_STATE_MSGSENT (18) and CURLM_STATE_LAST
+ is 19 right now.
- ssluse.c returns an error and aborts the connection
+ Reported-by: Dan Fandrich
+ Bug: http://curl.haxx.se/mail/lib-2015-10/0069.html
+
+- fread_func: move callback pointer from set to state struct
- Solution:
+ ... and assign it from the set.fread_func_set pointer in the
+ Curl_init_CONNECT function. This A) avoids that we have code that
+ assigns fields in the 'set' struct (which we always knew was bad) and
+ more importantly B) it makes it impossibly to accidentally leave the
+ wrong value for when the handle is re-used etc.
- Clear the openssl error stack before calling SSL_* operation if
- we're going to call SSL_get_error afterwards.
+ Introducing a state-init functionality in multi.c, so that we can set a
+ specific function to get called when we enter a state. The
+ Curl_init_CONNECT is thus called when switching to the CONNECT state.
- Notes:
+ Bug: https://github.com/bagder/curl/issues/346
- This is much more likely to happen with multi because it's easier
- to intersperse other calls to the OpenSSL library in the same
- thread.
+ Closes #346
-Yang Tse (5 Jun 2010)
-- replace socklen_t with curl_socklen_t
+Dan Fandrich (14 Oct 2015)
+- test1531: case the size to fix the test on non-largefile builds
-Daniel Stenberg (5 Jun 2010)
-- [Frank Meier brought this change]
+Daniel Stenberg (13 Oct 2015)
+- acinclude: remove PKGCONFIG override
+
+ ... and allow it to get set by a caller easier.
+
+ Reported-by: Rainer Jung
+ Bug: http://curl.haxx.se/mail/lib-2015-10/0035.html
- getinfo: added *_PRIMARY_PORT, *_LOCAL_IP and *_LOCAL_PORT
+Dan Fandrich (12 Oct 2015)
+- docs/INSTALL: Updated example minimal binary sizes
-- RELEASE-NOTES: add contributors not mentioned
+Daniel Stenberg (11 Oct 2015)
+- [Erik Johansson brought this change]
-Yang Tse (4 Jun 2010)
-- Enable OpenLDAP support for cygwin builds.
+ openssl: Fix set up of pkcs12 certificate verification chain
- Enable OpenLDAP support for cygwin builds. This support was disabled back
- in 2008 due to incompatibilities between OpenSSL and OpenLDAP headers.
- cygwin's OpenSSL 0.9.8l and OpenLDAP 2.3.43 versions on cygwin 1.5.25
- allow building an OpenLDAP enabled libcurl supporting back to Windows 95.
+ sk_X509_pop will decrease the size of the stack which means that the loop would
+ end after having added only half of the certificates.
- Remove non-functional CURL_LDAP_HYBRID code and references.
-
-Kamil Dudka (2 Jun 2010)
-- ftplistparser.c: oops, fix typo in the last commit
+ Also make sure that the X509 certificate is freed in case
+ SSL_CTX_add_extra_chain_cert fails.
-- ftplistparser.c: avoid some invalid dereferences
-
-- lib: eliminate some dead code
+- ntlm: error out without 64bit support as the code needs it
+
+ It makes it a clearer message for developers reaching that point without
+ the necessary support.
+
+ Thanks-by: Jay Satiro
+
+ Closes #78
-Daniel Stenberg (2 Jun 2010)
-- SSH: corrected the inability to respect the timeout
+- curl_global_init: set the memory function pointers correct
- Jason McDonald posted bug report #3006786 when he found that the
- SFTP code didn't timeout properly in several places in the code
- even if a timeout was set properly.
+ follow-up from 6f8ecea0
+
+- curl_global_init_mem: set function pointers before doing init
- Based on his suggested patch, I wrote a different implementation
- that I think addressed the issue better and also uses the connect
- timeout for the initial part of the SSH/SFTP done during the
- "protocol connect" phase.
+ ... as in the polarssl TLS backend for example it uses memory functions.
+
+Jay Satiro (9 Oct 2015)
+- http2: Fix http2_recv to return -1 if recv returned -1
- (http://curl.haxx.se/bug/view.cgi?id=3006786)
+ If the underlying recv called by http2_recv returns -1 then that is the
+ value http2_recv returns to the caller.
-Yang Tse (2 Jun 2010)
-- mention last changes
+Daniel Stenberg (8 Oct 2015)
+- [Svyatoslav Mishyn brought this change]
-- add missing new files to non-configure target build files
+ curl_easy_recv.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
+
+ Closes #479
-- include libcurl standard internal headers
+- [Svyatoslav Mishyn brought this change]
-Daniel Stenberg (2 Jun 2010)
-- TODO: add multi interface improvement remove ldap select
+ curl_easy_send.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
-Yang Tse (2 Jun 2010)
-- make setup.h first included file
+- [Svyatoslav Mishyn brought this change]
-- fix spnego memory leak
+ CURLOPT_CONNECT_ONLY.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
-- openldap header inclusions fix
+- CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
-Daniel Stenberg (1 Jun 2010)
-- multi_socket: handles timer inaccuracy better for timeouts
-
- Igor Novoseltsev reported a problem with the multi socket API and
- using timeouts and timers. It boiled down to a problem with
- libcurl's use of GetTickCount() interally to figure out the
- current time, while Igor's own application code used another
- function call.
+- ntlm: get rid of unconditional use of long long
- It made his app call the socket API timeout function a bit
- _before_ libcurl would consider the timeout to trigger, and that
- could easily lead to timeouts or stalls in the app. It seems
- GetTickCount() in general often has no better resolution than
- 16ms and switching to the alternative function
- QueryPerformanceCounter has its share of problems:
- http://www.virtualdub.org/blog/pivot/entry.php?id=106
+ ... since some compilers don't have it and instead use other types, such
+ as __int64.
- We address this problem by simply having libcurl treat timers
- that already has occured or will occur within 40ms subject for
- treatment. I'm confident that there are other implementations and
- operating systems with similarly in accurate timer functions so
- it makes sense to have applied generically and I don't believe we
- sacrifice much by adding a 40ms inaccuracy on these timeouts.
+ Reported by: gkinseyhpw
+ Closes #478
-Yang Tse (1 Jun 2010)
-- fix ldaps option issue
+Jay Satiro (8 Oct 2015)
+- [Anders Bakken brought this change]
+
+ des: Fix header conditional for Curl_des_set_odd_parity
+
+ Follow up to 613e502.
-- fix ldap related compilation issues
+Daniel Stenberg (7 Oct 2015)
+- configure: build silently by default
+
+ 'make V=1' will make the build verbose like before
-- fix compiler warning: enumerated type mixed with another type
+- bump: start climbing toward 7.46.0
-- fix compiler warning: enumerated type mixed with another type
+- RELEASE-PROCEDURE: add the github HTTPS download step
-Patrick Monnerat (31 May 2010)
-- smtp_authenticate: avoid compiler warnings
+Version 7.45.0 (7 Oct 2015)
-Yang Tse (31 May 2010)
-- fix compiler warning: enumerated type mixed with another type
+Daniel Stenberg (7 Oct 2015)
+- THANKS: 19 new contributors from the 7.45.0 announcement
-- fix compiler warning: enumerated type mixed with another type
+- RELEASE-NOTES: synced with 69ea57970080
-- fix compiler warning: enumerated type mixed with another type
+Jay Satiro (4 Oct 2015)
+- getinfo: Fix return code for unknown CURLINFO options
+
+ - If a CURLINFO option is unknown return CURLE_UNKNOWN_OPTION.
+
+ Prior to this change CURLE_BAD_FUNCTION_ARGUMENT was returned on
+ unknown. That return value is contradicted by the CURLINFO option
+ documentation which specifies a return of CURLE_UNKNOWN_OPTION on
+ unknown.
-- fix compiler warning: external declaration in primary source file
+- [rouzier brought this change]
-- fix compiler warning: variable was set but never used
+ hiperfifo: fix the pointer passed to WRITEDATA
+
+ Closes https://github.com/bagder/curl/pull/471
-- fix compiler warning: enumerated type mixed with another type
+- [Maksim Stsepanenka brought this change]
-- fix compiler warning: external declaration in primary source file
+ tool_setopt: fix c_escape truncated octal
+
+ Closes https://github.com/bagder/curl/pull/469
-- update year in copyright notice
+Daniel Stenberg (1 Oct 2015)
+- [Orange Tsai brought this change]
-Kamil Dudka (29 May 2010)
-- strtoofft: rename CURL_LLONG_MIN -> CURL_OFF_T_MIN
+ gopher: don't send NUL byte
- ... and CURL_LLONG_MAX -> CURL_OFF_T_MAX
+ Closes #466
-- CURL_LLONG_MAX: avoid constant overflow
+Jay Satiro (29 Sep 2015)
+- runtests: Fix pid check in checkdied
- ... when (CURL_SIZEOF_CURL_OFF_T == 4)
+ Because the 'not' operator has a very low precedence and as a result the
+ entire statement was erroneously negated and could never be true.
-Daniel Stenberg (28 May 2010)
-- [Howard Chu brought this change]
+Daniel Stenberg (30 Sep 2015)
+- [Thorsten Schöning brought this change]
- LDAPS: list availability depending on SSL's presence
+ win32: make recent Borland compilers use long long
-- [Howard Chu brought this change]
+- RELEASE-NOTES: synced with 69b89050d4
- LDAP: make it build without SSL if no such support is available
-
- of course it also goes for the case where SSL is explicitly
- disabled
+Jay Satiro (28 Sep 2015)
+- [Michael Kalinin brought this change]
-- TODO: removed fixed items
+ openssl: Fix algorithm init
- These two items are now actually implemented:
+ - Change algorithm init to happen after OpenSSL config load.
- 11.1 Content-Disposition
- 11.5 ftp wildcard download
-
-Kamil Dudka (28 May 2010)
-- lib: eliminate 'statement not reached' warnings
+ Additional algorithms may be available due to the user's config so we
+ initialize the algorithms after the user's config is loaded.
+
+ Bug: https://github.com/bagder/curl/issues/447
+ Reported-by: Denis Feklushkin
-Daniel Stenberg (28 May 2010)
-- test1115: verify that unexpected 1xx responses work fine
+- [Svyatoslav Mishyn brought this change]
-Kamil Dudka (28 May 2010)
-- lib577: avoid redefinition of ERROR
+ docs: fix unescaped '\n' in man pages
+
+ Closes https://github.com/bagder/curl/pull/459
-- test313: a new test for CRL support
+Daniel Stenberg (27 Sep 2015)
+- http2: set TCP_NODELAY unconditionally
+
+ For a single-stream download from localhost, we managed to increase
+ transfer speed from 1.6MB/sec to around 400MB/sec, mostly because of
+ this single fix.
-- tests/certs: re-generated because of lost pass-phrase
+- http2: avoid superfluous Curl_expire() calls
+
+ ... only call it when there is data arriving for another handle than the
+ one that is currently driving it.
+
+ Improves single-stream download performance quite a lot.
+
+ Thanks-to: Tatsuhiro Tsujikawa
+ Bug: http://curl.haxx.se/mail/lib-2015-09/0097.html
-- tests/certs/scripts: generate also CRL
+- readwrite_data: set a max number of loops
- ... and make it possible to do so without any user interaction
+ ... as otherwise a really fast pipe can "lock" one transfer for some
+ protocols, like with HTTP/2.
-Daniel Stenberg (27 May 2010)
-- [Howard Chu brought this change]
+- [Sergei Nikulov brought this change]
- openldap: fix compiler warnings
+ CI: Added AppVeyor-CI for curl
+
+ Closes #439
-- indent: some whitespace edits
+- FTP: fix uploading ASCII with unknown size
+
+ ... don't try to increase the supposed file size on newlines if we don't
+ know what file size it is!
+
+ Patch-by: lzsiga
-Kamil Dudka (27 May 2010)
-- wildcard.c: add missing include of "setup.h"
+- [Tatsuhiro Tsujikawa brought this change]
-- [Tor Arntsen brought this change]
+ build: fix failures with -Wcast-align and -Werror
+
+ Closes #457
- lib573: do not compare double for exact match
+- [Tatsuhiro Tsujikawa brought this change]
-- [Pavel Raiskup brought this change]
+ curl-confopts.m4: Add missing ')'
+
+ ... for CURL_CHECK_OPTION_RT
+
+ Closes #456
- wildcard.c: add missing include of "curl_memory.h"
+Jay Satiro (25 Sep 2015)
+- curl_easy_getinfo.3: Add brief description for each CURLINFO
-- [Tor Arntsen brought this change]
+Daniel Stenberg (23 Sep 2015)
+- [Jakub Zakrzewski brought this change]
- setup_once: use enum type for 'bool' on non-C99 platforms
+ CMake: Ensure discovered include dirs are considered
+
+ ...during header checks. Otherwise some following header tests
+ (incorrectly) fail.
- An enum will catch non-bool assignments to bool on platforms with
- a strict compiler, e.g MIPSPro.
+ Closes #436
+
+- [Jakub Zakrzewski brought this change]
+
+ CMake: Put "winsock2.h" before "windows.h" during configure checks
- Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+ "windows.h" includes "winsock.h" what causes many redefinition errors
+ if "winsock2.h" is included afterwards and can cause build to fail.
-- url.c: avoid implied cast to bool
+- tests: disable 1510 due to CI-problems on github
-- [Tor Arntsen brought this change]
+- [Mike Crowe brought this change]
- curl_fnmatch: remove use of register keyword
+ gnutls: Report actual GnuTLS error message for certificate errors
- Using the 'register' keyword rarely improves anything with modern
- compilers and architectures.
+ If GnuTLS fails to read the certificate then include whatever reason it
+ provides in the failure message reported to the client.
+
+ Signed-off-by: Mike Crowe <mac@mcrowe.com>
-Daniel Stenberg (26 May 2010)
-- [Julien Chaffraix brought this change]
+- RELEASE-NOTES: synced with 6b56901b56e
- RTMP: Fix compiler warnings
+- [Mike Crowe brought this change]
-- [Julien Chaffraix brought this change]
+ gnutls: Support CURLOPT_KEYPASSWD
+
+ The gnutls vtls back-end was previously ignoring any password set via
+ CURLOPT_KEYPASSWD. Presumably this was because
+ gnutls_certificate_set_x509_key_file did not support encrypted keys.
+
+ gnutls now has a gnutls_certificate_set_x509_key_file2 function that
+ does support encrypted keys. Let's determine at compile time whether the
+ available gnutls supports this new function. If it does then use it to
+ pass the password. If it does not then emit a helpful diagnostic if a
+ password is set. This is preferable to the previous behaviour of just
+ failing to read the certificate without giving a reason in that case.
+
+ Signed-off-by: Mike Crowe <mac@mcrowe.com>
- OOM fixes in http_negociate.c and lib/splay.c
+- CURLINFO_TLS_SESSION: always return backend info
- Fix 2 OOM errors: a missing NULL-check in lib/http_negociate.c
- and a potential NULL dereferencing in lib/splay.c
+ ... even for those that don't support providing anything in the
+ 'internals' struct member since it offers a convenient way for
+ applications to figure this out.
-- [Howard Chu brought this change]
+- [Daniel Hwang brought this change]
- LDAP: properly implemented as a curl_handler
+ tool: remove redundant libcurl check
- makes the LDAP code much cleaner, nicer and in general being a
- better libcurl citizen. If a new enough OpenLDAP version is
- detect, the new and shiny lib/openldap.c code is then used
- instead of the old cruft
+ The easysrc generation is run only when --libcurl is initialized.
- Code by Howard, minor cleanups by Daniel.
+ Ref: https://github.com/bagder/curl/issues/429
+
+ Closes #448
-- [Tor Arntsen brought this change]
+- [Richard van den Berg brought this change]
- curl_fnmatch: Use int not bool when function returns int
+ CURLOPT_PROXY.3: A proxy given as env variable gets no special treatment
- bool in curl internals is unsigned char and should not be used
- to receive return value from functions returning int - this fails
- when using IBM VisualAge and Tru64 compilers.
+ Closes #449
-- TFTP: send legal timeout value
-
- Eric Mertens posted bug #3003705: when we made TFTP use the
- correct timeout option when sent to the server (fixed May 18th
- 2010) it became obvious that libcurl used invalid timeout values
- (300 by default while the RFC allows nothing above 255). While of
- course it is obvious that as TFTP has worked thus far without
- being able to set timeout at all, just removing the setting
- wouldn't make any difference in behavior. I decided to still keep
- it (but fix the problem) as it now actually allows for easier
- (future) customization of the timeout.
+- TODO: 5.7 More compressions
- (http://curl.haxx.se/bug/view.cgi?id=3003705)
+ Like for example brotli, as being implemented in Firefox now.
-- TFTP: don't ack if wrong block num is received
+Jay Satiro (21 Sep 2015)
+- tool_operate: Don't call easysrc cleanup unless --libcurl
- If an unexpected block number was received, break out of the
- switch loop.
-
-- TFTP: block id wrap bug fix
+ - Review of 4d95491.
- In a normal expression, doing [unsigned short] + 1 will not wrap
- at 16 bits so the comparisons and outputs were done wrong. I
- added a macro do make sure it gets done right.
+ The author changed it so easysrc only initializes when --libcurl but did
+ not do the same for the call to easysrc cleanup.
- Douglas Kilpatrick filed bug report #3004787 about it:
- http://curl.haxx.se/bug/view.cgi?id=3004787
+ Ref: https://github.com/bagder/curl/issues/429
-- [Ben Greear brought this change]
+Daniel Stenberg (20 Sep 2015)
+- [Viktor Szakats brought this change]
- Fix build warnings.
+ CURLOPT_PINNEDPUBLICKEY.3: replace test.com with example.com
- Signed-off-by: Ben Greear <greearb@candelatech.com>
-
-- [Ben Greear brought this change]
+ closes #443
- setopt: Fix setting of set.is_fwrite_set
+- KNOWN_BUGS: 91 "curl_easy_perform hangs with imap and PolarSSL"
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Closes #334
-- [Tanguy Fautre brought this change]
+- KNOWN_BUGS: add link to #85
- build: allow curl to build with Microsoft VC10
+- tests: disable 1801 until fixed
- By undefing a bunch of E* defines that VC10 has started to define
- but that we redefine internally to their WSA* alternatives when
- building for Windows.
-
-Kamil Dudka (20 May 2010)
-- [Tor Arntsen brought this change]
-
- Test 573: Use correct type for CURLINFO_CONNECT_TIME
+ It is unreliable and causes CI problems on github
- curl_easy_getinfo() called with a pointer to long instead of double
- would sigbus on RISC processors (e.g. MIPS) due to wrong alignment
- of pointer address.
+ Closes #380
-- [Tor Arntsen brought this change]
+- RELEASE-NOTES: synced with 4d95491636ee
- lib: Fix AIX build failure
+- [Daniel Lee Hwang brought this change]
-Dan Fandrich (19 May 2010)
-- Fixed some memory leaks in the POP3 torture tests
-
-- Fixed a memory leak in the SMTP torture tests
+ tool: generate easysrc only on --libcurl
+
+ Code should only be generated when --libcurl is used.
+
+ Bug: https://github.com/bagder/curl/issues/429
+ Reported-by: @greafhe, Jay Satiro
+
+ Closes #429
+ Closes #442
-Daniel Stenberg (18 May 2010)
-- TFTP: send timeout option correctly
+Jay Satiro (19 Sep 2015)
+- vtls: Change designator name for server's pubkey hash
- Eric Mertens posted bug report #3003005 pointing out that the
- libcurl TFTP code was not sending the timeout option properly to
- the server, and suggested a fix.
+ - Change the designator name we use to show the base64 encoded sha256
+ hash of the server's public key from 'pinnedpubkey' to
+ 'public key hash'.
- (http://curl.haxx.se/bug/view.cgi?id=3003005)
+ Though the server's public key hash is only shown when comparing pinned
+ public key hashes, the server's hash may not match one of the pinned.
-Kamil Dudka (16 May 2010)
-- [Tor Arntsen brought this change]
+Daniel Stenberg (19 Sep 2015)
+- [Isaac Boukris brought this change]
- lib: Change some CRLF line endings to LF
+ NTLM: Reset auth-done when using a fresh connection
- An update had added a couple of lines with DOS line endings,
- and some compilers will choke on that (e.g. the Tru64 compiler).
+ With NTLM a new connection will always require authentication.
+ Fixes #435
-- ftp wildcard: a new option CURLOPT_FNMATCH_DATA
+- [Daniel Hwang brought this change]
-Daniel Stenberg (15 May 2010)
-- [Howard Chu brought this change]
-
- RMTP: the version code is now rtmp aware
+ ssl: add server cert's "sha256//" hash to verbose
+
+ Add a "pinnedpubkey" section to the "Server Certificate" verbose
+
+ Bug: https://github.com/bagder/curl/issues/410
+ Reported-by: W. Mark Kubacki
+
+ Closes #430
+ Closes #410
-- [Howard Chu brought this change]
+- [Jakub Zakrzewski brought this change]
- RTMP: fix wrong #ifdef
+ openldap: only part of LDAP query results received
+
+ Introduced with commit 65d141e6da5c6003a1592bbc87ee550b0ad75c2f
+
+ Closes #440
-- [Pavel Raiskup brought this change]
+- [Alessandro Ghedini brought this change]
- ftp wildcard: fix int32_t and size/group mixups
+ openssl: don't output certinfo data
-Dan Fandrich (14 May 2010)
-- Fixed test 577 to work when --enable-hidden-symbols is configured
+- [Alessandro Ghedini brought this change]
-Daniel Stenberg (14 May 2010)
-- OpenSSL: multi interface handshake could hang
-
- John-Mark Bell filed bug #3000052 that identified a problem (with
- an associated patch) with the OpenSSL handshake state machine
- when the multi interface is used:
-
- Performing an https request using a curl multi handle and using
- select or epoll to wait for events results in a hang. It appears
- that the cause is the fix for bug #2958179, which makes
- ossl_connect_common unconditionally return from the step 2 loop
- when fetching from a multi handle.
+ openssl: refactor certificate parsing to use OpenSSL memory BIO
- When ossl_connect_step2 has completed, it updates
- connssl->connecting_state to ssl_connect_3. ossl_connect_common
- will then return to the caller, as a multi handle is in
- use. Eventually, the client code will call curl_multi_fdset to
- obtain an updated fdset to select or epoll on. For https
- requests, curl_multi_fdset will cause https_getsock to be called.
- https_getsock will only return a socket handle if the
- connecting_state is ssl_connect_2_reading or
- ssl_connect_2_writing. Therefore, the client will never obtain a
- valid fdset, and thus not drive the multi handle, resulting in a
- hang.
-
- (http://curl.haxx.se/bug/view.cgi?id=3000052)
-
-- changelog: add link to bug report
+ Fixes #427
-Dan Fandrich (14 May 2010)
-- Added directories.pm to the source tar ball
-
-Daniel Stenberg (14 May 2010)
-- follow redirect: ignore response-body on redirect even if compressed
+Kamil Dudka (18 Sep 2015)
+- nss: prevent NSS from incorrectly re-using a session
- Sebastian V reported bug #3000056 identifying a problem with
- redirect following. It showed that when curl followed redirects
- it didn't properly ignore the response body of the 30X response
- if that response was using compressed Content-Encoding!
+ Without this workaround, NSS re-uses a session cache entry despite the
+ server name does not match. This causes SNI host name to differ from
+ the actual host name. Consequently, certain servers (e.g. github.com)
+ respond by 400 to such requests.
- (http://curl.haxx.se/bug/view.cgi?id=3000056)
+ Bug: https://bugzilla.mozilla.org/1202264
-- version: we're now going for 7.21.0
+- nss: check return values of NSS functions
-- [Hoi-Ho Chan brought this change]
+Daniel Stenberg (17 Sep 2015)
+- CURLOPT_PINNEDPUBLICKEY.3: mention error code
- Remove support for BSD version of PolarSSL
+- openssl: build with < 0.9.8
- "The BSD version of PolarSSL was made for migratory purposes only and is not
- maintained. The GPL version of PolarSSL is actually the only actively
- developed version, so I would be very reluctant to use the BSD version." /
- Paul Bakker, PolarSSL hacker.
+ ... without sha256 support and no define saying so.
- Signed-off-by: Hoi-Ho Chan <hoiho.chan@gmail.com>
+ Reported-by: Rajkumar Mandal
-Dan Fandrich (12 May 2010)
-- Added Polar SSL and RTMP files to the non-autoconf build files
+- libcurl-errors.3: add two missing error codes
- I didn't bother with a few that have little hope of running the required
- dependent libraries.
-
-- Added the new ftp source files to the non-autoconf build files
+ CURLE_SSL_PINNEDPUBKEYNOTMATCH and CURLE_SSL_INVALIDCERTSTATUS
-- Copy the license file so it's seen by the Android build system
-
-Daniel Stenberg (13 May 2010)
-- updated with symbols added in recent commits for 7.21.0
+Jay Satiro (14 Sep 2015)
+- CURLOPT_PINNEDPUBLICKEY.3: Improve pubkey extraction example
+
+ - Show how a certificate can be obtained using OpenSSL.
+
+ Bug: https://github.com/bagder/curl/pull/430
+ Reported-by: Daniel Hwang
-- changelogs: mention RTMP and the FTP wildcard support
+Daniel Stenberg (13 Sep 2015)
+- http2: removed unused function
-- ftp wildcards: mention they're added in 7.21.0
+- CURLINFO_ACTIVESOCKET.3: mention it replaces *LASTSOCKET
-- style: minor whitespace change
+- opts: add CURLINFO_* man pages to dist
-- syntax: cleanups
+- opts: 19 more CURLINFO_* options made into stand-alone man pages
-- [Pavel Raiskup brought this change]
+- RELEASE-NOTES: synced with fad9604613
- FTP: WILDCARDMATCH/CHUNKING/FNMATCH added
+- curl: customrequest_helper: deal with NULL custom method
-- [Howard Chu brought this change]
+- [Svyatoslav Mishyn brought this change]
- RTMP: initial support added, powered by librtmp
+ CURLOPT_FNMATCH_FUNCTION.3: fix typo
- librtmp is found at http://rtmpdump.mplayerhq.hu/
-
-- [Howard Chu brought this change]
+ s => is
+
+ Closes #428
- sendrecv: make them two pairs of send/recv to properly deal with FTPS
+- curl: point out unnecessary uses of -X in verbose mode
+
+ It uses 'Note:' as a prefix as opposed to the common 'Warning:' to take
+ down the tone a bit.
- FTP(S) use two connections that can be set to different recv and
- send functions independently, so by introducing recv+send pairs
- in the same manner we already have sockets/connections we can
- work with FTPS fine.
+ It adds a warning for using -XHEAD on other methods becasue that may
+ lead to a hanging connection.
+
+Jay Satiro (10 Sep 2015)
+- curl_sspi: fix possibly undefined CRYPT_E_REVOKED
- This commit fixes the FTPS regression introduced in change d64bd82.
+ Bug: https://github.com/bagder/curl/pull/411
+ Reported-by: Viktor Szakats
-Kamil Dudka (11 May 2010)
-- changelog: fixed CRL support in libcurl-NSS
+- buildconf.bat: fix syntax error
-- nss: make it possible to read ASCII and DER CRL
+- [Benjamin Kircher brought this change]
-- nss: add CRL to cache instead of read-only NSS db
+ winbuild: run buildconf.bat if necessary
-Daniel Stenberg (10 May 2010)
-- git: how to write a fine commit message
+- [Svyatoslav Mishyn brought this change]
-- findtool: file name as a full path requires a slash
-
- Kalle Vahlman's patch applied a while ago broke how the findtool
- function searches for tools, as it would always check if "$file"
- was present first, which thus made the bad assumption that a file
- in the current directory would be a match.
+ docs: fix argument type for CURLINFO_SPEED_*, CURLINFO_SIZE_*
- I noticed when it found 'libtool' in the current directory but
- libtoolize is not there, which confused the script.
+ long => double
-Hacki (8 May 2010)
-- moved vars into conditional since seems that winsock implementation doesnt use them.
+Daniel Stenberg (8 Sep 2015)
+- [Sergei Nikulov brought this change]
-Daniel Stenberg (7 May 2010)
-- multi interface: missed storing connection time
+ cmake: IPv6 : disable Unix header check on Windows platform
- Dirk Manske reported a regression. When connecting with the multi
- interface, there were situations where libcurl wouldn't store
- connect time correctly as it used to (and is documented to) do.
+ Closes #409
+
+- parse_proxy: reject illegal port numbers
- Using his fine sample program we could repeat it, and I wrote up
- test case 573 using that code. The problem does not easily show
- itself using the local test suite though.
+ If the port number in the proxy string ended weirdly or the number is
+ too large, skip it. Mostly as a means to bail out early if a "bare" IPv6
+ numerical address is used without enclosing brackets.
- The fix, also as suggested by Dirk, is a bit on the ugly side as
- it adds yet another call to Curl_verboseconnect() and setting the
- TIMER_CONNECT time. That situation is subject for some closer
- inspection in the future.
-
-- verboseconnect: so the verbose checking within the function
+ Also mention the bracket requirement for IPv6 numerical addresses to the
+ man page for CURLOPT_PROXY.
- As the function is used more than once and libcurl can be built
- without it, do the conditional check within the verboseconnect()
- function itself.
-
-- changelogs: split the I/O handling
-
-- [Howard Chu brought this change]
+ Closes #415
+
+ Reported-by: Marcel Raad
- sendrecv: split the I/O handling into private handler
+- FTP: do_more: add check for wait_data_conn in upload case
- Howard Chu brought the bulk work of this patch that properly
- moves out the sending and recving of data to the parts of the
- code that are properly responsible for the various ways of doing
- so.
+ In some timing-dependnt cases when a 4xx response immediately followed
+ after a 150 when a STOR was issued, this function would wrongly return
+ 'complete == true' while 'wait_data_conn' was still set.
- Daniel Stenberg assisted with polishing a few bits and fixed some
- minor flaws in the original patch.
+ Closes #405
- Another upside of this patch is that we now abuse CURLcodes less
- with the "magic" -1 return codes and instead use CURLE_AGAIN more
- consistently.
-
-- changelog: PolarSSL
+ Reported-by: Patricia Muscalu
-- [Hoi-Ho Chan brought this change]
+- [Svyatoslav Mishyn brought this change]
- PolarSSL: initial support added
+ CURLOPT_TLSAUTH_TYPE.3: update description
- This is Hoi-Ho Chan's patch with some minor fixes by me. There
- are some potential issues in this, but none worse than we can
- sort out on the list and over time.
+ Closes #414
+ Closes #413
-- TODO: we've done PRET already, consider HOST for the future
-
- ... and GnuTLS connects are non-blocking, TFTP is better
- integrated as a "real" protocol and RTSP is supported.
+- [Svyatoslav Mishyn brought this change]
-- TODO: GnuTLS connects are now non-blocking
+ CURLOPT_PATH_AS_IS.3: fix typo
- Since commit c288860 by Jerome Vouillon
-
-- INTERNALS: tftp is decent now, ldap is not
+ leavit => leaveit
- It's not quite fair to list TFTP is a "crappy" member of the
- libcurl family so I removed its mentioning.
+ closes #412
-- changelog: mention Ben Greear's telnet work
+- [Svyatoslav Mishyn brought this change]
-- [Ben Greear brought this change]
+ CURLINFO_SSL_VERIFYRESULT.3: add short description
- telnet: Allow programatic use of telnet.
-
- The main change is to allow input from user-specified methods,
- when they are specified with CURLOPT_READFUNCTION.
- All calls to fflush(stdout) in telnet.c were removed, which makes
- using 'curl telnet://foo.com' painful since prompts and other data
- are not always returned to the user promptly. Use
- 'curl --no-buffer telnet://foo.com' instead. In general,
- the user should have their CURLOPT_WRITEFUNCTION do a fflush
- for interactive use.
-
- Also fix assumption that reading from stdin never returns < 0.
- Old code could crash in that case.
-
- Call progress functions in telnet main loop.
-
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+- [Svyatoslav Mishyn brought this change]
-- test: enable valgrind for 604, seems to work
+ CURLINFO_SSL_ENGINES.3: add short description
-Kamil Dudka (28 Apr 2010)
-- [Paul Howarth brought this change]
+- [Svyatoslav Mishyn brought this change]
- add 1s post-command delay to tests 513 and 514
-
- addressing http://curl.haxx.se/mail/lib-2009-12/0031.html
+ CURLINFO_CONTENT_LENGTH_UPLOAD.3: replace "receive" with "get" for consistency
-Daniel Stenberg (26 Apr 2010)
-- [Kalle Vahlman brought this change]
+- [Svyatoslav Mishyn brought this change]
- Allow tools to be defined with full path in buildconf
-
- This is required in Scratchbox where
- LIBTOOL=/targets/links/arch_tools/bin/libtool
- is set in the environment.
+ CURLINFO_REDIRECT_TIME.3: remove redundant '!'
-- progress callback: can be called more than once per sec
+Kamil Dudka (4 Sep 2015)
+- Revert "has: generate the curl/has.h header"
+
+ This reverts commit a60bde79f9adeb135d5c642a07f0d783fbfbbc25 I have
+ pushed by mistake. Apologies for my incompetent use of the git repo!
-- SSH: init and cleanup libssh2 in global_init/cleanup
+- nss: do not directly access SSL_ImplementedCiphers[]
- The necessary libssh2 functions require libssh2 1.2.5 or later.
+ It causes dynamic linking issues at run-time after an update of NSS.
+
+ Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html
-- new configure option --enable-threaded-resolver
+- [Daniel Stenberg brought this change]
-- configure: check for libssh2_init and libssh2_exit
+ has: generate the curl/has.h header
+
+ changed macro name, moved and renamed script to become docs/libcurl/has.pl,
+ generate code that is checksrc compliant
-Kamil Dudka (24 Apr 2010)
-- nss: fix SSL handshake timeout underflow
+Daniel Stenberg (3 Sep 2015)
+- gitignore: ignore more generated VC Makefiles
-Guenter Knauf (24 Apr 2010)
-- encourage users to take latest lib dependencies.
+- projects/Windows/.gitignore: ignore generated files for release
-Daniel Stenberg (24 Apr 2010)
-- socks5: please static code analyzer
+- http2: don't pass on Connection: headers
- Make sure we don't call memcpy() if the argument is NULL even
- though we also passed a zero length then, as the clang analyzer
- whined and we want to limit warnings (even false positives) when
- they're this easy to fix.
+ RFC 7540 section 8.1.2.2 states: "An endpoint MUST NOT generate an
+ HTTP/2 message containing connection-specific header fields; any message
+ containing connection-specific header fields MUST be treated as
+ malformed"
- The change of (char) to (unsigned char) will fix long user names
- and passwords on systems that have the char type signed by
- default.
+ Closes #401
-- gzip: Value stored to 'data' is never read
+- curl.1: update RFC references
-- RELEASE-NOTES: update top numbers
+- CURLOPT_POSTREDIR.3: update RFC number and section
-- changelog: added the --proto and -proto-redir options
+- CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
+
+ and some general cleaning up
-- [Alex Bligh brought this change]
+- [Marcel Raad brought this change]
- curl: added --proto and --proto-redir
+ inet_pton.c: Fix MSVC run-time check failure (2)
- --proto tells curl to use the listed protocols for its initial
- retrieval
+ This fixes another run-time check failure because of a narrowing cast on
+ Visual C++.
- --proto-redir tells curl to use the listed protocols after a
- redirect
+ Closes #408
-Kamil Dudka (24 Apr 2010)
-- test536: do not fail with threaded DNS resolver
+Jay Satiro (3 Sep 2015)
+- docs: Warn about any-domain cookies and multiple transfers
- Also tweaked comments in certain examples using curl_multi_fdset().
-
-Daniel Stenberg (21 Apr 2010)
-- curl: -O crash on windows
+ - Warn that cookies without a domain are sent to any domain:
+ CURLOPT_COOKIELIST, CURLOPT_COOKIEFILE, --cookie
- The -O option caused curl to crash on windows and DOS due to the
- tool writing out of boundary memory.
+ - Note that imported Set-Cookie cookies without a domain are no longer
+ exported:
+ CURLINFO_COOKIELIST, CURLOPT_COOKIEJAR, --cookie-jar
-Yang Tse (20 Apr 2010)
-- hmac.c related compilation adjustment
-
-- hmac.c related compilation adjustment
-
-monnerat (20 Apr 2010)
-- Add compilation directives for hmac in Watcom,riscos and vc6 platform-specific makefiles.
-
-Yang Tse (20 Apr 2010)
-- [Ruslan Gazizov brought this change]
+Steve Holme (2 Sep 2015)
+- tool_sdecls.h: Fixed compilation warning from commit 4a889441d3
+
+ tool_sdecls.h:139 warning: comma at end of enumerator list
- replaced wsock32.lib usage with ws2_32.lib in MSVC makefiles
+Daniel Stenberg (2 Sep 2015)
+- opts: 8 more CURLINFO* options as stand-alone man pages
-monnerat (19 Apr 2010)
-- Merge branch 'master' of github.com:bagder/curl
+- RELEASE-NOTES: synced with c764cb4add1a8
-- Remove null-effect leftover code.
+- man-pages: more SEE ALSO links
-Daniel Stenberg (19 Apr 2010)
-- changelog: -J/--remote-header-name strips CRLF
+- opts: more CURLINFO_* options as stand-alone man pages
-- parse_filename: strip trailing CRs and LFs
+Steve Holme (31 Aug 2015)
+- sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
- The feature that uses the file name given in a
- Content-disposition: header didn't properly skip trailing
- carriage returns and linefeed characters from the end of the file
- name when it was given without quotes.
+ Introduced in commit 59f3f92ba6 this function is only implemented when
+ CURL_DISABLE_CRYPTO_AUTH is not defined. As such we shouldn't define
+ the function in the header file either.
-- Curl_HMAC_MD5: fix the array init to not warn with picky compilers
+- sasl: Updated SPN variables and comments for consistency
+
+ In places the "host name" and "realm" variable was referred to as
+ "instance" whilst in others it was referred to as "host".
-monnerat (19 Apr 2010)
-- Fix GnuTLS compilation problem in md5.c
+Daniel Stenberg (30 Aug 2015)
+- configure: check for HMAC_Update in openssl
+
+ Turns out HMAC_Init is now deprecated in openssl master (and I spelled
+ HMAC_Init_ex wrong in previous commit)
-- Fix compilation problem: declare Curl_HMAC_MD5 as extern in include file.
+Steve Holme (30 Aug 2015)
+- win32: Use DES_set_odd_parity() from OpenSSL/BoringSSL by default
+
+ Set HAVE_DES_SET_ODD_PARITY when using OpenSSL/BoringSSL as native
+ Windows builds don't use the autoconf tools.
-- Merge branch 'master' of github.com:bagder/curl
+- des: Fixed compilation warning from commit 613e5022fe
+
+ curl_ntlm_core.c:150: warning 'Curl_des_set_odd_parity' undefined;
+ assuming extern returning int
-- Implement SMTP authentication
+- buildconf.bat: Fixed double blank line in 'curl manual' warning output
-Daniel Stenberg (17 Apr 2010)
-- parseconfig: Value stored to 'line' is never read
+- makefiles: Added our standard copyright header
- Make the function call with (void) as we don't care about the
- return code.
+ But kept the original author, when they were specified in a comment, as
+ the initial copyright holder.
-- parsedate: Value stored to 'found' is never read
+Jay Satiro (29 Aug 2015)
+- CURLOPT_FILETIME.3: CURLINFO_FILETIME has its own manpage now
-- check_gzip_header: Value stored to 'data' is never read
+Daniel Stenberg (29 Aug 2015)
+- CURLINFO_RESPONSE_CODE.3: added short description
-- dprintf_formatf: Value stored to 'left' is never read
+- opts: 7 initial CURLINFO_* options as stand-alone man pages
-- curl_version: remove superfluous assignments
+- [Nikolai Kondrashov brought this change]
-- FTP PORT: Value stored to 'rc' is never read
-
-- Curl_setup_transfer: no longer returns anything
+ libcurl.m4: Put braces around empty if body
- This function could only return CURLE_OK and by changing it to
- a void instead, we can simplify code all over.
-
-- PASV response: Value stored to 'rc' is never read
-
-- Curl_perform: Value stored to 'res2' is never read
+ Put braces around empty "if" body in libcurl.m4 check to avoid warning:
+
+ suggest braces around empty body in an 'if' statement
+
+ and make it work with -Werror builds.
+
+ Closes #402
-- sftp range: remove unnecessary check for NULL pointer
+- [Svyatoslav Mishyn brought this change]
-- ftp_range: remove unnecessary check for NULL pointer
+ curl_easy_escape.3: escape '\n'
+
+ Closes #398
-- file_range: remove unnecessary check for NULL pointer
+- [Svyatoslav Mishyn brought this change]
-- SOCKS4: Value stored to 'rc' is never read
+ curl_easy_{escape,setopt}.3: fix example
+
+ remove redundant '}'
-- FTP PASV: Value stored to 'rc' is never read
+- [Sergei Nikulov brought this change]
-- ftp_range: Value stored to 'totalsize' is never read
+ cmake: added Windows SSL support
- Simplified the code by removing a local variable completely.
+ Closes #399
-- SOCKS5: when name resolves fail return immediately
+- curl: point out the conflicting HTTP methods if used
- This makes the code flow more obvious and reacts on the return
- code properly, even if the code acted the same way before.
+ It isn't always clear to the user which options that cause the HTTP
+ methods to conflict so by spelling them out it should hopefully be
+ easier to understand why curl complains.
-- POP3: when USER command fails, don't even try PASS
+- curl: clarify that users can only specify one _METHOD_
-- tftp_rx: Value stored to 'sbytes' is never read
+- [Svyatoslav Mishyn brought this change]
-- file_range: Value stored to 'totalsize' is never read
-
-- changelog: GnuTLS: SSL handshake phase is non-blocking
+ curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
+
+ Closes #395
-- [Jerome Vouillon brought this change]
+Patrick Monnerat (24 Aug 2015)
+- os400: include new options in wrappers and update ILE/RPG binding.
- GnuTLS: make the connection phase non-blocking
+Daniel Stenberg (24 Aug 2015)
+- KNOWN_BUGS: #2, not reading a HEAD response-body is not a bug
- When multi interface is used, the SSL handshake is no longer
- blocking when GnuTLS is used.
+ ... since HTTP is forbidden to return any such.
-- krb5_auth: fix my previous change to compile
+- KNOWN_BUGS: #78 zero-length files is already fixed!
-unknown (16 Apr 2010)
-- OS400 version V5R2M0 not supported anymore by IBM: default target release changed to V5R3M0.
+- [Razvan Cojocaru brought this change]
-Daniel Stenberg (16 Apr 2010)
-- changelog: GnuTLS fix, no reverse loopkups and fixed GSS detection
-
-- SSL_RECV: EOF is not an error here
+ getinfo: added CURLINFO_ACTIVESOCKET
- The recent overhaul of the SSL recv function made this treat a
- zero returned from gnutls_record_recv() as an error, and this
- caused our HTTPS test cases to fail. We leave it to upper layer
- code to detect if an EOF is a problem or not.
-
-- [Paul Howarth brought this change]
+ This patch addresses known bug #76, where on 64-bit Windows SOCKET is 64
+ bits wide, but long is only 32, making CURLINFO_LASTSOCKET unreliable.
+
+ Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
- configure: GSSAPI detection on ancient Linux distros
+- http2: remove dead code
- On some ancient distributions such as RHEL-3, <gssapi/gssapi_krb5.h> needs
- to be processed after <gssapi/gssapi.h>, but does not include it itself.
- This patch checks for <gssapi/gssapi.h> first and then includes it
- in the test for <gssapi/gssapi_krb5.h>, resolving the problem.
+ Leftovers from when we removed the private socket hash.
- Without the patch, <gssapi/gssapi_krb5.h> is "present but cannot be
- compiled".
+ Coverity CID 1317365, "Logically dead code"
-- resolvers: no more using AI_CANONNAME
+- ntlm: mark deliberate switch case fall-through
- No resolver anymore needs to use AI_CANONNAME and do reverse
- lookups. We should work hard to avoid having code that relies on
- it.
+ Coverity CID 1317367, "Missing break in switch"
-- KRB5: use given host name instead of reverse lookup'ed name
+- http2: on_frame_recv: get a proper 'conn' for the debug logging
- This code would previously use dns_entry->addr->ai_canonname
- instead of the given host name, which caused us grief and
- problems since not all our resolver options do the reverse lookup
- and I would also guess that it caused problems with KRB5/GSS with
- virtual name-based hosts. Now the host name from the URL is used.
-
-Dan Fandrich (15 Apr 2010)
-- Remove redundant conditional
-
-- Eliminated an unlikely race condition in some tests.
+ "Explicit null dereferenced (FORWARD_NULL)"
- Based on a patch from the FreeBSD ports by Peter Pentchev.
+ Coverity CID 1317366
-Daniel Stenberg (15 Apr 2010)
-- changelog: prevent needless reverse name lookups
+- RELEASE-NOTES: synced with 2acaf3c804
-- Curl_ipv4_resolve_r: only set AI_CANONNAME when needed
-
- As reported in bug report #2987196, the code for ipv6 already did
- the setting of this bit correctly so we copied that logic into
- the Curl_ipv4_resolve_r() function as well. KRB code is the only
- code we know that might need the cannonical name so only resolve
- it for such requests!
+Dan Fandrich (23 Aug 2015)
+- tool: fix memory leak with --proto-default option
-- IGNORE: files generated by maketgz
+Jay Satiro (22 Aug 2015)
+- [Nathaniel Waisbrot brought this change]
-- bumped to start the journey towards 7.20.2
+ CURLOPT_DEFAULT_PROTOCOL: added
+
+ - Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default
+ protocol for schemeless URLs.
+
+ - Add new tool option --proto-default to expose
+ CURLOPT_DEFAULT_PROTOCOL.
+
+ In the case of schemeless URLs libcurl will behave in this way:
+
+ When the option is used libcurl will use the supplied default.
+
+ When the option is not used, libcurl will follow its usual plan of
+ guessing from the hostname and falling back to 'http'.
-- added contributors from the 7.20.1 RELEASE-NOTES
+- runtests: Allow for spaces in server-verify curl custom path
-- ignore files generated by 'maketgz'
+Daniel Stenberg (22 Aug 2015)
+- NTLM: recent boringssl brought DES_set_odd_parity back
+
+ ... so improve the #ifdefs for using our local implementation.
-Version 7.20.1 (14 Apr 2010)
+- configure: detect latest boringssl
+
+ Since boringssl brought back DES_set_odd_parity again, it cannot be used
+ to differentiate from boringssl. Using the OPENSSL_IS_BORINGSSL define
+ seems better anyway.
+
+ URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/
+ Original-patch-by: Bertrand Simonnet
+
+ Closes #393
-Daniel Stenberg (14 Apr 2010)
-- 7.20.1: 14 April 2010
+- configure: change functions to detect openssl (clones)
+
+ ... since boringssl moved the former ones and the check started to fail.
+
+ URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/
+ Original-patch-by: Bertrand Simonnet
-Guenter Knauf (13 Apr 2010)
-- Use correct directory for c-ares git pull
- Signed-off-by: Tor Arntsen <tor@spacetec.no>
+- [Alessandro Ghedini brought this change]
-Yang Tse (13 Apr 2010)
-- fix compiler warning: variable might be clobbered by longjmp or vfork
+ openssl: handle lack of server cert when strict checking disabled
+
+ If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER
+ and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server
+ doesn't present a certificate at all.
+
+ Closes #392
-Guenter Knauf (13 Apr 2010)
-- added last git commit output for c-ares too.
+- ftp: clear the do_more bit when the server has connected
+
+ The multi state machine would otherwise go into the DO_MORE state after
+ DO, even for the case when the FTP state machine had already performed
+ those duties, which caused libcurl to get stuck in that state and fail
+ miserably. This occured for for active ftp uploads.
+
+ Reported-by: Patricia Muscalu
-- changed the git update block to take care of c-ares repo if detected.
+- [Jactry Zeng brought this change]
-- updated timestamp of the script.
+ travis.yml: Add OS X testbot.
-- removed obsolete var in gitpull() function
- no need to create a var - lets just return the status var itself.
+- [Rémy Léone brought this change]
-- added a cast to silent compiler warning with 64bit systems.
+ travis: Upgrading to container based build
+
+ http://docs.travis-ci.com/user/migrating-from-legacy
+
+ Closes #388
-- fixed a path typo in src/Makefile.netware.
+- RELEASE-NOTES: synced with 14ff86256b13e
-Daniel Stenberg (12 Apr 2010)
-- Added text for How To Make a Patch with git
+- [Erik Janssen brought this change]
-- update the section on timeouts
+ rtsp: stop reading empty DESCRIBE responses
- The section that describes how to work with timeouts was
- misleading and could easily trick users to use the wrong API.
+ Based-on-patch-by: Jim Hollinger
-- update URL and cut out wrong info on ipv6
-
- c-ares has had its own URL for a while and we should point
- people to that. It also works with IPv6 since a long time.
+- [Erik Janssen brought this change]
-- refer to CURLMOPT_TIMERFUNCTION for multi_socket users
-
- curl_multi_timeout(3) is simply the wrong function to use
- if you're using the multi_socket API and this document now
- states this pretty clearly to help guiding users.
+ rtsp: support basic/digest authentication
-- s/CVS/git
+- [Sam Roth brought this change]
-- modified to use the git file, not cvs
+ CURLMOPT_PUSHFUNCTION.3: fix argument types
- I've done this blindly, and the last piece that works with ares
- should possibly be done differently now that c-ares isn't a
- subtree within the curl tree anymore...
+ Closes #389
+ Closes #386
-- mention missing test servers for <server>
+- [Marcel Raad brought this change]
-- FTP quote commands prefixed with '*' now can fail without aborting
+ inet_pton.c: Fix MSVC run-time check failure
- Prefixing the FTP quote commands with an asterisk really only
- worked for the postquote actions. This is now fixed and test case
- 227 has been extended to verify.
+ Visual Studio complains with a message box:
+
+ "Run-Time Check Failure #1 - A cast to a smaller data type has caused a
+ loss of data. If this was intentional, you should mask the source of
+ the cast with the appropriate bitmask.
+
+ For example:
+ char c = (i & 0xFF);
+
+ Changing the code in this way will not affect the quality of the
+ resulting optimized code."
+
+ This is because only 'val' is cast to unsigned char, so the "& 0xff" has
+ no effect.
+
+ Closes #387
-Kamil Dudka (7 Apr 2010)
-- qssl: reflect recent code changes in SSL interface
+Jay Satiro (18 Aug 2015)
+- docs: Update the redirect protocols disabled by default
- Reported by Guenter Knauf.
+ - Clarify that FILE and SCP are disabled by default since 7.19.4
+ - Add that SMB and SMBS are disabled by default since 7.40.0
+ - Add CURLPROTO_SMBS to the list of protocols
-- nss: handle client certificate related errors
+- gitignore: Sort for readability
+
+ find . -name .gitignore -print0 | xargs -i -0 sort -o '{}' '{}'
-- [Ben Greear brought this change]
+Daniel Stenberg (15 Aug 2015)
+- curl_easy_getinfo.3: fix superfluous space
+
+ ... and changed "oriented" to "related"
+
+ Closes #378
+
+- CURLOPT_HTTP_VERSION.3: connection re-use goes before version
- ssl: Fix build when SSL isn't enabled
+- [Daniel Kahn Gillmor brought this change]
+
+ curl.1: Document weaknesses in SSLv2 and SSLv3
+
+ Acknowledge that SSLv3 is also widely considered to be insecure.
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Also, provide references for people who want to know more about why it's
+ insecure.
-- refactorize interface of Curl_ssl_recv/Curl_ssl_send
+Steve Holme (14 Aug 2015)
+- generate.bat: Added support for generating only the prerequisite files
-- simplify code of Curl_resolv_timeout()
+- generate.bat: Only call buildconf.bat if it exists
-- eliminate a race condition in Curl_resolv_timeout()
+- generate.bat: Fixed issues when ran in directories with special chars
-Daniel Stenberg (2 Apr 2010)
-- [Ben Greear brought this change]
+Daniel Stenberg (14 Aug 2015)
+- [Brad King brought this change]
- fixed compiler warnings
+ cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
+
+ Fix the check code to pass 5 arguments instead of 6. This typo was
+ introduced by commit aebfd4cfbf (cmake: fix gethostby{addr,name}_r in
+ CurlTests, 2014-10-31).
+
+Steve Holme (14 Aug 2015)
+- * buildconf.bat: Fixed issues when ran in directories with special chars
+
+ Bug: https://github.com/bagder/curl/pull/379
+ Reported-by: Daniel Seither
-- updated contributor count
+Jay Satiro (13 Aug 2015)
+- curl_global_init_mem.3: Stronger thread safety warning
+
+ Bug: http://curl.haxx.se/mail/lib-2015-08/0016.html
+ Reported-by: Eric Ridge
-- add contributors from the 7.20.0 release notes
+Daniel Stenberg (12 Aug 2015)
+- [Svyatoslav Mishyn brought this change]
-- fix SFTP download hang
+ curl_multi_add_handle.3: fix a typo
+
+ "can not" => "cannot"
- Matt Wixson found and fixed a bug in the SCP/SFTP area where the
- code treated a 0 return code from libssh2 to be the same as
- EAGAIN while in reality it isn't. The problem caused a hang in
- SFTP transfers from a MessageWay server.
+ closes #377
-Dan Fandrich (31 Mar 2010)
-- Fixed misleading test message
+- [Alessandro Ghedini brought this change]
-Daniel Stenberg (31 Mar 2010)
-- update the generic copyright year range
+ docs: fix typos
+
+ closes #376
-- removed README.cmake due to the improved situation
+- bump: start working toward 7.45.0
-Guenter Knauf (31 Mar 2010)
-- fix compiler warning with a cast.
+- THANKS: remove duplicate name
-- make folks use latest available dependent libraries.
+- THANKS-filter: merge Todd's names
-Dan Fandrich (30 Mar 2010)
-- Call curl_global_cleanup() in test 560 to avoid a memory leak
+- THANKS: 13 new contributors from the 7.44.0 RELEASE-NOTES
-- Allow test 538 to run even when proxy support is disabled
+Version 7.44.0 (11 Aug 2015)
-Daniel Stenberg (29 Mar 2010)
-- use (s)size_t for string lengths to fix compiler warns
+Daniel Stenberg (11 Aug 2015)
+- RELEASE-NOTES: synced with c75a1e775061
-- use size_t to hold string length
+- [Svyatoslav Mishyn brought this change]
+
+ curl_formget.3: correct return code
- using int is not fine on 64bit systems
+ Closes #375
-- [Ben Greear brought this change]
+- [Svyatoslav Mishyn brought this change]
- Fix compile warnings in ssh.c
+ libcurl-tutorial.3: fix formatting
- strlen() returns size_t, but ssh libraries are wanting 'unsigned int'. Add
- explicit casts and use _ex versions of the ssh library calls.
+ Closes #374
+
+- [Svyatoslav Mishyn brought this change]
+
+ curl_easy_recv.3: fix formatting
+
+- [Anders Bakken brought this change]
+
+ http2: discard frames with no SessionHandle
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Return 0 instead of NGHTTP2_ERR_CALLBACK_FAILURE if we can't locate the
+ SessionHandle. Apparently mod_h2 will sometimes send a frame for a
+ stream_id we're finished with.
+
+ Use nghttp2_session_get_stream_user_data and
+ nghttp2_session_set_stream_user_data to identify SessionHandles instead
+ of a hash.
+
+ Closes #372
+
+- RELEASE-NOTES: synced with 9ee40ce2aba
-- [Ben Greear brought this change]
+- [Viktor Szakats brought this change]
- fix smtp compile warning
+ build: refer to fixed libidn versions
- Use ssize_t instead of int for the Curl_smtp_escape_eob nread
- argument.
+ closes #371
+
+- Revert "configure: disable libidn by default"
+
+ This reverts commit e6749055d65398315fd77f5b5b8234c5552ac2d3.
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ ... since libidn has since been fixed.
-- Ben's POP3 change
+- [Jakub Zakrzewski brought this change]
-- [Ben Greear brought this change]
+ CMake: s/HAVE_GSS_API/HAVE_GSSAPI/ to match header define
+
+ Otherwise the build only pretended to use GSS-API
+
+ Closes #370
- pop3: Get message listing if no mailbox in URL
+- SFTP: fix range request off-by-one in size check
+
+ Reported-by: Tim Stack
- If you pass a URL to pop3 that does not contain a message ID as
- part of the URL, it will currently ask for 'INBOX' which just
- causes the pop3 server to return an error.
+ Closes #359
+
+- test46: update cookie expire time
- The change makes libcurl treat en empty message ID as a request
- for LIST (list of pop3 message IDs). User's code could then
- parse this and download individual messages as desired.
+ ... since it went old and thus was expired and caused the test to fail!
-- [Ben Greear brought this change]
+Steve Holme (9 Aug 2015)
+- generate.bat: Use buildconf.bat for prerequisite file generation
- Allow running ./tests/testcurl.pl from within git repo.
+- buildconf.bat: Tidy up of comments after recent commits
+
+- buildconf.bat: Added full generation of src\tool_hugehelp.c
- My first instinct was to run the test script within the checked out
- repository. This small change to the script allows that to work as
- expected.
+ Added support for generating the full man page based on code from
+ generate.bat.
+
+- buildconf.bat: Added detection of groff, nroff, perl and gzip
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ To allow for the full generation of tool_hugehelp.c added detection of
+ the required programs - based on code from generate.bat.
-- minor language fix
+- buildconf.bat: Move DOS variable clean-up code to separate function
+
+ Rather than duplicate future variables, during clean-up of both success
+ and error conditions, use a common function that can be called by both.
+
+- RELEASE-NOTES: Synced with 39dcf352d2
+
+- buildconf.bat: Added error messages on failure
+
+- buildconf.bat: Generate and clean files in the same order
+
+- buildconf.bat: Maintain compatibility with DOS based systems
+
+ Commit f08e30d7bc broke compatibility with DOS and non Windows NT based
+ versions of Windows due to the use of the setlocal command.
-- [Ben Greear brought this change]
+Jay Satiro (9 Aug 2015)
+- CURLOPT_RESOLVE.3: Note removal support was added in 7.42
+
+ Bug: http://curl.haxx.se/mail/lib-2015-08/0019.html
+ Reported-by: Inca R
- allow user+password in the URL for all protocols
+Steve Holme (8 Aug 2015)
+- checksrc.bat: Fixed error when missing *.c and *.h files
- Ben Greear brought a patch that from now on allows all protocols
- to specify name and user within the URL, in the same manner HTTP
- and FTP have been allowed to in the past - although far from all
- of the libcurl supported protocols actually have that feature in
- their URL definition spec.
+ File Not Found
+
+- checksrc.bat: Fixed incorrect 'lib\vtls' path check in commit 333c36b276
-- ignore pid files and stunnel.conf
+- checksrc.bat: Fixed error when [directory] isn't a curl source directory
- all used while running tests
+ The system cannot find the file specified.
-- make sure git pull is actually done!
+- checksrc.bat: Added check for unknown arguments
-- changelogged: smoother rate limiting
+- scripts: Added missing comments
-- [Ben Greear brought this change]
+- scripts: Always perform setlocal and endlocal calls in pairs
+
+ Ensure that there isn't a mismatch between setlocal and endlocal calls,
+ which could have happened due to setlocal being called after certain
+ error conditions were checked for.
- Make rate-limitation logic smoother
+- scripts: Allow -help to be specified in any argument
- This gives a smoother rate limitation performance by using
- sub-second pauses and also taking the buffer sizes into
- account.
+ Allow the -help command line argument to be specified in any argument
+ and not just as the first.
-- remove all .cvsignore files
+Daniel Stenberg (6 Aug 2015)
+- [juef brought this change]
-- PROT_CLOSEACTION should not include TFTP
+ curl_multi_remove_handle.3: fix formatting
- TFTP is not a protocol that uses close actions so it should
- not be set in that bitmask!
+ closes #366
-- [Tor Arntsen brought this change]
+Steve Holme (6 Aug 2015)
+- README: Added notes about 'Running DLL based configurations'
+
+ ...as well as a TODO for a future enhancement to the project files.
+
+ Thanks-to: Jay Satiro
+
+- RELEASE-NOTES: Synced with cf8975387f
+
+- buildconf.bat: Synchronise no repository error with generate.bat
- Avoid double newline for the 'last commits' log in testcurl.pl
+- generate.bat: Added a check for the presence of a git repository
+
+- [Jay Satiro brought this change]
+
+ build: Added wolfSSL configurations to VC10+ project files
- The backtick command which extracts 'git log' lines come with a
- newline, so chomp the newline before calling logit(), as the logit
- function adds a newline by itself.
+ URL: https://github.com/bagder/curl/pull/174
-- [Tor Arntsen brought this change]
+- [Jay Satiro brought this change]
- Change to version-independent git option for 'git log --oneline'
+ build: Added wolfSSL build script for Visual Studio projects
- 'git log --oneline' is a relatively recent Git function. It is
- documented to be the same as 'git log --pretty=oneline --abbrev-commit',
- so use that instead. It works all the way back to Git 1.5.0.
+ Added the wolfSSL build script, based on build-openssl.bat, as well as
+ the property sheet and header file required for the upcoming additions
+ to the Visual Studio project files.
-- show 5 commits even if no git pull was made
+Daniel Stenberg (6 Aug 2015)
+- CHANGES: refer to the online changelog
+
+ Suggested-by: mc0e
-- don't touch ares/aclocal.m4 and show recent git commits
+- [Isaac Boukris brought this change]
+
+ NTLM: handle auth for only a single request
+
+ Currently when the server responds with 401 on NTLM authenticated
+ connection (re-used) we consider it to have failed. However this is
+ legitimate and may happen when for example IIS is set configured to
+ 'authPersistSingleRequest' or when the request goes thru a proxy (with
+ 'via' header).
+
+ Implemented by imploying an additional state once a connection is
+ re-used to indicate that if we receive 401 we need to restart
+ authentication.
- since c-ares no longer embedded, we must not touch such files
- anymore
+ Closes #363
+
+Steve Holme (5 Aug 2015)
+- RELEASE-NOTES: Synced with 473807b95f
+
+- generate.bat: Use buildconf.bat for prerequisite file clean-up
+
+- buildconf.bat: Added support for file clean-up via -clean
+
+- buildconf.bat: Added progress output
+
+- buildconf.bat: Avoid using goto for file not in repository
+
+Daniel Stenberg (5 Aug 2015)
+- curl_slist_append.3: add error checking to the example
+
+Steve Holme (5 Aug 2015)
+- buildconf.bat: Added display of usage text with -help
+
+- buildconf.bat: Added exit codes for error handling
+
+- buildconf.bat: Added our standard copyright header
+
+- buildconf.bat: Use lower-case for commands and reserved keywords
+
+- generate.bat: Only clean prerequisite files when in ALL mode
+
+- generate.bat: Moved error messages out of sub-routines
+
+- generate.bat: More use of lower-case for commands and reserved keywords
+
+Daniel Stenberg (3 Aug 2015)
+- libcurl.3: fix a single typo
- we show the 5 last git commits if git was proven in use, to help
- us see exactly what's being tested
+ Closes #361
+
+- RELEASE-NOTES: synced with c4eb10e2f06f
-- use CURL_SIZEOF_LONG instead of SIZEOF_LONG
+- SSH: three state machine fixups
- That's the symbol we have or generate in include/curl/curlbuild.h
+ The SSH state machine didn't clear the 'rc' variable appropriately in a
+ two places which prevented it from looping the way it should. And it
+ lacked an 'else' statement that made it possible to erroneously get
+ stuck in the SSH_AUTH_AGENT state.
+
+ Reported-by: Tim Stack
+
+ Closes #357
-- s/CVS/DEV in the version string from the git repo
+- curl_gssapi: remove 'const' to fix compiler warnings
+
+ initialization discards 'const' qualifier from pointer target type
-Bill Hoffman (24 Mar 2010)
-- Merge branch 'master' of github.com:bagder/curl
+- docs: formpost needs the full size at start of upload
+
+ Closes #360
-- Add .gitattributes files to turn off CRLF translation for some files
+Steve Holme (1 Aug 2015)
+- sspi: Fix typo from left over from old code which referenced NTLM
+
+ References to NTLM in the identity generation should have been removed
+ in commit c469941293 but not all were.
-Daniel Stenberg (24 Mar 2010)
-- provide a version number as today's date
+- win32: Fix compilation warnings from commit 40c921f8b8
- It should at least help visualize which autobuilds that are
- using this script.
+ connect.c:953:5: warning: initializer element is not computable at load
+ time
+ connect.c:953:5: warning: missing initializer for field 'dwMinorVersion'
+ of 'OSVERSIONINFOEX'
+ curl_sspi.c:97:5: warning: initializer element is not computable at load
+ time
+ curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion'
+ of 'OSVERSIONINFOEX'
-- testcurl now uses git instead of CVS
+- schannel: Fix compilation warning from commit 7a8e861a56
+
+ schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion'
+ of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
-Bill Hoffman (24 Mar 2010)
-- Merge branch 'master' of github.com:bagder/curl
+Daniel Stenberg (31 Jul 2015)
+- libcurl-thread.3: minor reformatting
-- Enable LDAP by default since it is now disabled when ldap.h is not found,
+Jay Satiro (31 Jul 2015)
+- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
+
+ Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
+ Reported-by: Eric Ridge
-- CMake fixes for Linux.
+- libcurl-thread.3: Warn memory functions must be thread safe
- Make sure <sys/socket.h> is included if around when testing/using
- socklen_t. Also, disable LDAP if LDAP_H is not found on the system.
+ Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
+ Reported-by: Eric Ridge
-Daniel Stenberg (24 Mar 2010)
-- [Bob Richmond brought this change]
+Steve Holme (31 Jul 2015)
+- RELEASE-NOTES: Synced with 8b1d00ac1a
- fix: timeout after last data chunk was handled
+- INSTALL: Minor formatting correction in 'Legacy Windows and SSL' section
- Bob Richmond: There's an annoying situation where libcurl will
- read new HTTP response data from a socket, then check if it's a
- timeout if one is set. If the last packet received constitutes
- the end of the response body, libcurl still treats it as a
- timeout condition and reports a message like:
+ ...as well as some rewording.
+
+Kamil Dudka (30 Jul 2015)
+- http: move HTTP/2 cleanup code off http_disconnect()
- "Operation timed out after 3000 milliseconds with 876 out of 876
- bytes received"
+ Otherwise it would never be called for an HTTP/2 connection, which has
+ its own disconnect handler.
- It should only a timeout if the timer lapsed and we DIDN'T
- receive the end of the response body yet.
+ I spotted this while debugging <https://bugzilla.redhat.com/1248389>
+ where the http_disconnect() handler was called on an FTP session handle
+ causing 'dnf' to crash. conn->data->req.protop of type (struct FTP *)
+ was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in
+ Curl_add_buffer_free() after printing the "Connection cache is full,
+ closing the oldest one." message.
+
+ A previously working version of libcurl started to crash after it was
+ recompiled with the HTTP/2 support despite the HTTP/2 protocol was not
+ actually used. This commit makes it work again although I suspect the
+ root cause (reinterpreting session handle data of incompatible protocol)
+ still has to be fixed. Otherwise the same will happen when mixing FTP
+ and HTTP/2 connections and exceeding the connection cache limit.
+
+ Reported-by: Tomas Tomecek
+ Bug: https://bugzilla.redhat.com/1248389
+
+Daniel Stenberg (30 Jul 2015)
+- [Viktor Szakats brought this change]
+
+ ABI doc: use secure URL
+
+- ABI: remove the ascii logo
+
+ and made the indent level to 1
-- avoid compiler warning without USE_ALARM_TIMEOUT
+- libcurl-multi.3: mention curl_multi_wait
+
+ ... and some general rewordings to improve this docs.
+
+ Reported-by: Tim Stack
+
+ Closes #356
-Bill Hoffman (24 Mar 2010)
-- Fix curl CMake build.
+Steve Holme (30 Jul 2015)
+- maketgz: Fixed some VC makefiles missing from the release tarball
- This commit fixes the cmake build of curl, and cleans up the
- cmake code a little. It removes some commented out code and
- some trailing whitespace. To get curl to build the binary
- tree include/curl directory needed to be added to the include
- path. Also, SIZEOF_SHORT needed to be added. A check for the
- lack of defines of SIZEOF_* for warnless.c was added.
+ VC7, VC11, VC12 and VC14 makefiles were missing from the release
+ tarball.
-Daniel Stenberg (24 Mar 2010)
-- [Chris Conroy brought this change]
+- RELEASE-NOTES: Synced with 2d7e165761
- remove debug printfs
+- build: Added VC14 project files to Makefile.am
-- RTSP GET_PARAMETER fix
+- build: Added VC14 project files
- Christopher Conroy fixed a problem with RTSP and GET_PARAMETER
- reported to us by Massimo Callegari. There's a new test case 572
- that verifies this now.
+ Updates to Makefile.am for the generation of the project files in
+ the tarball to follow.
-- remove trace of CVS
+Jay Satiro (29 Jul 2015)
+- libcurl-thread.3: Clarify CURLOPT_NOSIGNAL takes long value 1L
-- [Chris Conroy brought this change]
+Steve Holme (28 Jul 2015)
+- generate.bat: Use lower-case for commands and reserved keywords
+
+ Whilst there are no coding standards for the batch files used in curl,
+ most tend to use lower-case for keywords and upper-case for variables.
- Fix RTSP GET_PARAMETER empty and non-empty operation.
+- build: Added initial VC14 support to generate.bat
- Test coverage included. Thanks to Massimo Callegari for the bug report
+ Visual Studio project files and updates to makefile.am to follow.
-- s/CVS/DEV/ in the version string for repo versions
+- build: Fixed missing .opensdf files from VC10+ .gitignore files
-- scrapped all left-over TODOs
+- build: Use $(ProjectName) macro for curl.exe and curld.exe filenames
- In order to get back on track, I've removed all the plans for
- stuff I had in the queue. I will instead focus on fixing bugs and
- relying on that people who truly want things added will come back
- on the mailing list and nag and provide patches.
+ This wasn't possible with the old curlsrc project filenames, but like
+ commit 2a615a2b64 and 11397eb6dd for libcurl use the built in Visual
+ Studio macros for the output filenames.
+
+- build: Renamed curl src Visual Studio project files
+
+ Following commit 957fcd9049 and in preparation for adding the VC14
+ project files renamed the curl source project files.
+
+Daniel Stenberg (28 Jul 2015)
+- [Jay Satiro brought this change]
+
+ libcurl-thread.3: Revert to stricter handle wording
- 7.20.1 should be possible to release in April 2010
+ .. also update formatting and add WinSSL and wolfSSL to the SSL/TLS
+ handlers list.
-- restore executable bits on some files
+- [Jay Satiro brought this change]
-- remove the CVSish $Id$ lines
+ libcurl-thread.3: Consolidate thread safety info
+
+ This is a new document to consolidate our thread safety information from
+ several documents (curl-www:features, libcurl.3, libcurl-tutorial.3).
+ Each document's section on multi-threading will now point to this one.
-- The 'ares' subtree has been removed from the source repository
+Steve Holme (27 Jul 2015)
+- README: Corrected formatting for 'Legacy Windows and SSL' section
+
+ ...as well as some wording.
-- s/CVS/git
+- build-openssl.bat: Added support for VC14
-- update to current state
+Daniel Stenberg (26 Jul 2015)
+- RELEASE-NOTES: synced with 0f645adc95390e8
-- remove the ares subtree
+- test1902: attempt to make the test more reliable
- c-ares is now hosted entirely separate from the curl project
- see http://c-ares.haxx.se/ for all details concerning c-ares,
- its source repository and more.
+ Closes #355
-- mark connection as connected
+- comment: fix comment about adding new option support
+
+Jay Satiro (25 Jul 2015)
+- build-openssl.bat: Show syntax if required args are missing
+
+Daniel Stenberg (26 Jul 2015)
+- TODO: improve how curl works in a windows console window
- Kenny To filed the bug report #2963679 with patch to fix a
- problem he experienced with doing multi interface HTTP POST over
- a proxy using PROXYTUNNEL. He found a case where it would connect
- fine but bits.tcpconnect was not set correct so libcurl didn't
- work properly.
+ Closes #322 for now
+
+- 1.11 minimize dependencies with dynamicly loaded modules
- (http://curl.haxx.se/bug/view.cgi?id=2963679)
+ Closes #349 for now
-- enabled valgrind
+Jay Satiro (25 Jul 2015)
+- tool_operate: Fix CURLOPT_SSL_OPTIONS for builds without HTTPS
+
+ - Set CURLOPT_SSL_OPTIONS only if the tool enabled an SSL option.
+
+ Broken by me several days ago in 172b2be.
+ https://github.com/bagder/curl/commit/172b2be#diff-70b44ee478e58d4e1ddcf9c9a73d257b
+
+ Bug: http://curl.haxx.se/mail/lib-2015-07/0119.html
+ Reported-by: Dan Fandrich
+
+Daniel Stenberg (25 Jul 2015)
+- configure: check if OpenSSL linking wants -ldl
+
+ To make it easier to link with static versions of OpenSSL, the configure
+ script now checks if -ldl is needed for linking.
+
+ Help-by: TJ Saunders
+
+- [Michael Kaufmann brought this change]
+
+ HTTP: ignore "Content-Encoding: compress"
+
+ Currently, libcurl rejects responses with "Content-Encoding: compress"
+ when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should
+ treat the Content-Encoding "compress" the same as other
+ Content-Encodings that it does not support, e.g. "bzip2". That means
+ just ignoring it.
+
+- [Marcel Raad brought this change]
+
+ openssl: work around MSVC warning
+
+ MSVC 12 complains:
- I ran it now successfully and it helped to pinpoint a libssh2
- memory leak!
+ lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local
+ variable 'verstr' used It's a false positive, but as it's normally not,
+ I have enabled warning-as-error for that warning.
-Dan Fandrich (23 Mar 2010)
-- Updated Symbian notes
+- [Michał Fita brought this change]
-Daniel Stenberg (23 Mar 2010)
-- chunked-encoding with Content-Length: header problem
+ configure: add --disable-rt option
- Akos Pasztory filed debian bug report #572276
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572276
- mentioning a problem with a resource that returns chunked-encoded
- _and_ with a Content-Length and libcurl failed to properly ignore
- the latter information.
+ This option disables any attempts in configure to create dependency on
+ stuff requiring linking to librt.so and libpthread.so, in this case this
+ means clock_gettime(CLOCK_MONOTONIC, &mt).
+
+ We were in need to build curl which doesn't link libpthread.so to avoid
+ the following bug:
+ https://sourceware.org/bugzilla/show_bug.cgi?id=16628.
+
+Kamil Dudka (23 Jul 2015)
+- http2: verify success of strchr() in http2_send()
+
+ Detected by Coverity.
+
+ Error: NULL_RETURNS:
+ lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times).
+ lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr".
+ lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf".
+ 1300|
+ 1301| hdbuf = strchr(hdbuf, 0x0a);
+ 1302|-> ++hdbuf;
+ 1303|
+ 1304| authority_idx = 0;
-- delayed easy handle kill caused double Curl_close() call
+Jay Satiro (22 Jul 2015)
+- Windows: Fix VerifyVersionInfo calls
+
+ - Fix the VerifyVersionInfo calls, which we use to test for the OS major
+ version, to also test for the minor version as well as the service pack
+ major and minor versions.
+
+ MSDN: "If you are testing the major version, you must also test the
+ minor version and the service pack major and minor versions."
- Hauke Duden provided an example program that made the multi
- interface crash. His example simply used the multi interface and
- did first one FTP transfer and after completion it used a second
- easy handle and did another FTP transfer on the same FTP server.
+ https://msdn.microsoft.com/en-us/library/windows/desktop/ms725492.aspx
- This triggered a bug in the "delayed easy handle kill" system
- that curl uses: when an FTP connection is left alive it must keep
- an easy handle around internally - only for the purpose of having
- an easy handle when it later disconnects it. The code assumed
- that when the easy handle was removed and an internal reference
- was made, that version could be killed later on when a new easy
- handle came using the same connection. This was wrong as Hauke's
- example showed that the removed handle wasn't killed for real
- until later. This caused a double close attempt => segfault.
+ Bug: https://github.com/bagder/curl/pull/353#issuecomment-123493098
+ Reported-by: Marcel Raad <MarcelRaad@users.noreply.github.com>
-- ignore more files generated when tests run in the source tree
+- [Marcel Raad brought this change]
-- Thomas Lopatic fixed the alarm()-based DNS timeout
+ schannel: Replace deprecated GetVersion with VerifyVersionInfo
-- [Thomas Lopatic brought this change]
+Steve Holme (21 Jul 2015)
+- makefile: Added support for VC14
- fix the alarm()-based DNS timeout
+Patrick Monnerat (21 Jul 2015)
+- os400: ebcdic wrappers for new functions. Upgrade ILE/RPG bindings.
+
+- libcurl: VERSIONINFO update
+ Addition of new procedures curl_pushheader_bynum and curl_pushheader_byname
+ requires VERSIONINFO updating.
+
+- http2: satisfy external references even if http2 is not compiled in.
+
+Daniel Stenberg (20 Jul 2015)
+- http2: add stream != NULL checks for reliability
- Looking at the code of Curl_resolv_timeout() in hostip.c, I think
- that in case of a timeout, the signal handler for SIGALRM never
- gets removed. I think that in my case it gets executed at some
- point later on when execution has long left Curl_resolv_timeout()
- or even the cURL library.
+ They should not trigger, but in case of internal problems we at least
+ avoid crashes this way.
+
+Jay Satiro (18 Jul 2015)
+- symbols-in-versions: Add new CURLSSLOPT_NO_REVOKE symbol
+
+- SSL: Add an option to disable certificate revocation checks
- The code that is jumped to with siglongjmp() simply sets the
- error message to "name lookup timed out" and then returns with
- CURLRESOLV_ERROR. I guess that instead of simply returning
- without cleaning up, the code should have a goto that jumps to
- the spot right after the call to Curl_resolv().
+ New tool option --ssl-no-revoke.
+ New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.
+
+ Currently this option applies only to WinSSL where we have automatic
+ certificate revocation checking by default. According to the
+ ssl-compared chart there are other backends that have automatic checking
+ (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
+ some later point.
+
+ Bug: https://github.com/bagder/curl/issues/264
+ Reported-by: zenden2k <zenden2k@gmail.com>
+
+- runtests: Allow for spaces in curl custom path
+
+ .. also fix some typos in test's FILEFORMAT spec.
+
+- [David Woodhouse brought this change]
-- [Daniel Johnson brought this change]
+ ntlm_wb: Fix theoretical memory leak
+
+ Static analysis indicated that my commit 9008f3d564 ("ntlm_wb: Fix
+ hard-coded limit on NTLM auth packet size") introduced a potential
+ memory leak on an error path, because we forget to free the buffer
+ before returning an error.
+
+ Fix this.
+
+ Although actually, it never happens in practice because we never *get*
+ here with state == NTLMSTATE_TYPE1. The state is always zero. That
+ might want cleaning up in a separate patch.
+
+ Reported-by: Terri Oda
- Fix warnings for clang
+- strerror: Add CRYPT_E_REVOKED to SSPI error strings
-- Merge branch 'master' of github.com:bagder/curl
+Kamil Dudka (14 Jul 2015)
+- libtest: call PR_Cleanup() on exit if NSPR is used
+
+ This prevents valgrind from reporting possibly lost memory that NSPR
+ uses for file descriptor cache and other globally allocated internal
+ data structures.
+
+ Reported-by: Štefan Kremeň
-Kamil Dudka (22 Mar 2010)
-- [douglas steinwand brought this change]
+Jay Satiro (14 Jul 2015)
+- [John Malmberg brought this change]
- Fix insufficient initialization in Curl_clone_ssl_config()
+ openssl: VMS support for SHA256
+
+ setup-vms.h: More symbols for SHA256, hacks for older VAX
+
+ openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX.
- which could have caused a double free when reusing curl handle.
+ openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to
+ allow building on VAX and 64 bit VMS.
+
+- examples: Fix typo in multi-single.c
+
+Daniel Stenberg (7 Jul 2015)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Fix memory leak in push header array
-Daniel Stenberg (22 Mar 2010)
-- we never used this file anyway
+Dan Fandrich (2 Jul 2015)
+- test2041: fixed line endings in protocol part
-- s/CVS/git
+- cyassl: fixed mismatched sha256sum function prototype
-- various changes of CVS to git
+Daniel Stenberg (1 Jul 2015)
+- [moparisthebest brought this change]
-- remove references to CVS in the code and use DEV instead
+ SSL: Pinned public key hash support
-- Ben Greear's two fixes explained
+- examples: provide <DESC> sections
-- [Ben Greear brought this change]
+- [John Malmberg brought this change]
- Fix tftp return codes and tsize upload handling
+ OpenVMS: VMS Software, Inc now the supplier.
- Error codes were not properly returned to the main curl code (and on to apps
- using libcurl).
+ setup-vms.h: Symbol case fixups submitted by Michael Steve
- tftp was crapping out when tsize == 0 on upload, but I see no reason to fail
- to upload just because the remote file is zero-length. Ignore tsize option on
- upload.
+ build_gnv_curl_pcsi_desc.com: VSI aka as VMS Software, is now the
+ supplier of new versions of VMS. The install kit needs to accept
+ VSI as a producer.
-- more files to ignore
+Jay Satiro (30 Jun 2015)
+- multi: Move http2 push function declarations to header end
+
+ This change necessary for binary compatibility.
+
+ Prior to this change test 1135 failed due to the order of functions.
-- provide an initial set of .gitignore files
+- symbols-in-versions: Add new http2 push symbols
+
+ Prior to this change test 1119 failed due to the missing symbols.
-Kamil Dudka (19 Mar 2010)
-- - Improved Curl_read() to not ignore the error returned from Curl_ssl_recv().
+Daniel Stenberg (30 Jun 2015)
+- RELEASE-NOTES: synced with e6749055d653
-Daniel Stenberg (18 Mar 2010)
-- fix warning about conversions between curl_off_t and long
+- configure: disable libidn by default
+
+ For security reasons, until there is a fix.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0143.html
+ Reported-by: Gustavo Grieco, Feist Josselin
-Yang Tse (18 Mar 2010)
-- another shot at the ftp_init() icc 9.1 optimizer issue
+- SSL-PROBLEMS: mention WinSSL problems in WinXP
-- replaced intel compiler option -no-ansi-alias with -fno-strict-aliasing
+- CODE_OF_CONDUCT.md: added
+
+ Just to underscore how we treat each other in this project. Nothing new
+ really, but could be useful for newcomers and outsiders to see our
+ values.
-- update outdated serial number
+- tool_header_cb: fflush the header stream
+
+ Flush the header stream when -D is used so that they are sent off
+ earlier.
+
+ Bug: https://github.com/bagder/curl/issues/324
+ Reported-by: Cédric Connes
-Dan Fandrich (16 Mar 2010)
-- Factored out some code into a few independent functions
+- [Roger Leigh brought this change]
-Daniel Stenberg (15 Mar 2010)
-- - Constantine Sapuntzakis brought a patch:
+ tests: Distribute CMakeLists.txt files in subdirectories
+
+- CURLOPT_FAILONERROR.3: mention that it closes the connection
- The problem mentioned on Dec 10 2009
- (http://curl.haxx.se/bug/view.cgi?id=2905220) was only partially fixed.
- Partially because an easy handle can be associated with many connections in
- the cache (e.g. if there is a redirect during the lifetime of the easy
- handle). The previous patch only cleaned up the first one. The new fix now
- removes the easy handle from all connections, not just the first one.
+ Reported-by: bemoody
+ Bug: https://github.com/bagder/curl/issues/325
-Yang Tse (11 Mar 2010)
-- fix compiler warning
+- curl_multi_setopt.3: alpha sort the options
-Dan Fandrich (11 Mar 2010)
-- SSL should now be working out-of-the-box on Symbian S60.
+- curl_multi_setopt.3: add the new push options
-- Enable Symbian zlib support by default.
+- [Tatsuhiro Tsujikawa brought this change]
-- Allow compilation even when OpenSSL has been configured without MD4 support.
+ http2: Use nghttp2 library error code for error return value
-- A few Symbian build changes
+- [Tatsuhiro Tsujikawa brought this change]
-Yang Tse (9 Mar 2010)
-- watt32 compilation fix
+ http2: Harden header validation for curl_pushheader_byname
+
+ Since we do prefix match using given header by application code
+ against header name pair in format "NAME:VALUE", and VALUE part can
+ contain ":", we have to careful about existence of ":" in header
+ parameter. ":" should be allowed to match HTTP/2 pseudo-header field,
+ and other use of ":" in header must be treated as error, and
+ curl_pushheader_byname should return NULL. This commit implements
+ this behaviour.
-Daniel Stenberg (6 Mar 2010)
-- - Ben Greear brought a patch that fixed the rate limiting logic for TFTP when
- the easy interface was used.
+- [Tatsuhiro Tsujikawa brought this change]
-- indent fix by Ben Greear, I removed some braces for single-line conditional
- expressions
+ CURLMOPT_PUSHFUNCTION.3: Remove unused variable
-Yang Tse (6 Mar 2010)
-- Added another VS10 version string
+- CURLMOPT_PUSHFUNCTION.3: added example
-- fix line break
+- http2: curl_pushheader_byname now takes a const char *
-- removed usage of 's6_addr', fixing compilation issue triggered with no
- longer using 'in6_addr' but only our 'ares_in6_addr' struct
+- http2-serverpush.c: example code
-Daniel Stenberg (5 Mar 2010)
-- Daniel Johnson provided fixes for building with the clang compiler
+- http2: free all header memory after the push callback
-Yang Tse (5 Mar 2010)
-- Added IPv6 name servers support
+- http2: init the pushed transfer properly
-Gisle Vanem (5 Mar 2010)
-- Ops!. Readded ares_nowarn.h.
+- http2: fixed the header accessor functions for the push callback
-- Added ares_nowarn.c.
+- http2: setup the new pushed stream properly
-Yang Tse (5 Mar 2010)
-- Constantine Sapuntzakis detected and fixed a double free in builds done
- with threaded resolver enabled (Windows default configuration) that would
- get triggered when a curl handle is closed while doing DNS resolution.
+- http2: initial implementation of the push callback
-- Added SIZEOF_INT and SIZEOF_SHORT definitions for VMS configuration file
+- http2: initial HTTP/2 server push types/docs
-Daniel Stenberg (4 Mar 2010)
-- Julien Chaffraix clarified CURLOPT_HEADERFUNCTION and made
- CURLOPT_HEADERFUNCTION and CURLOPT_WRITEFUNCTION more consistent
+- test1531: verify POSTFIELDSIZE set after add_handle
+
+ Following the fix made in 903b6e05565bf.
-- - [Daniel Johnson] I've been trying to build libcurl with clang on Darwin and
- ran into some issues with the GSSAPI tests in configure.ac. The tests first
- try to determine the include dirs and libs and set CPPFLAGS and LIBS
- accordingly. It then checks for the headers and finally sets LIBS a second
- time, causing the libs to be included twice. The first setting of LIBS seems
- redundant and should be left out, since the first part is otherwise just
- about finding headers.
+- pretransfer: init state.infilesize here, not in add_handle
+
+ ... to properly support that options are set to the handle after it is
+ added to the multi handle.
- My second issue is that 'krb5-config --libs gssapi' on Darwin is less than
- useless and returns junk that, while it happens to work with gcc, causes
- clang to choke. For example, --libs returns $CFLAGS along with the libs,
- which is really retarded. Simply setting 'LIBS="$LIBS -lgssapi_krb5
- -lresolv"' on Darwin is sufficient.
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0122.html
+ Reported-by: Stefan Bühler
-- - Based on patch provided by Jacob Moshenko, the transfer logic now properly
- makes sure that when using sub-second timeouts, there's no final bad 1000ms
- wait. Previously, a sub-second timeout would often make the elapsed time end
- up the time rounded up to the nearest second (e.g. 1s for 200ms timeout)
+Jay Satiro (21 Jun 2015)
+- [Lior Kaplan brought this change]
-- update the generic copyright year range to include 2010
+ tool_help: fix --tlsv1 help text to use >= for TLSv1
-- - Andrei Benea filed bug report #2956698 and pointed out that the
- CURLOPT_CERTINFO feature leaked memory due to a missing OpenSSL function
- call. He provided the patch to fix it too.
+- INSTALL: Advise use of non-native SSL for Windows <= XP
+
+ Advise that WinSSL in versions <= XP will not be able to connect to
+ servers that no longer support the legacy handshakes and algorithms used
+ by those versions, and to use an alternate backend like OpenSSL instead.
- http://curl.haxx.se/bug/view.cgi?id=2956698
+ Bug: https://github.com/bagder/curl/issues/253
+ Reported-by: zenden2k <zenden2k@gmail.com>
-- - Markus Duft pointed out in bug #2961796 that even though Interix has a
- poll() function it doesn't quite work the way we want it so we must disable
- it, and he also provided a patch for it.
+Kamil Dudka (19 Jun 2015)
+- curl_easy_setopt.3: restore contents removed by mistake
- http://curl.haxx.se/bug/view.cgi?id=2961796
+ ... in commit curl-7_43_0-18-g570076e
-- - Made the pingpong timeout code properly deal with the response timeout AND
- the global timeout if set. Also, as was reported in the bug report #2956437
- by Ryan Chan, the time stamp to use as basis for the per command timeout was
- not set properly in the DONE phase for FTP (and not for SMTP) so I fixed
- that just now. This was a regression compared to 7.19.7 due to the
- conversion of FTP code over to the generic pingpong concepts.
+Daniel Stenberg (19 Jun 2015)
+- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
+
+Jay Satiro (18 Jun 2015)
+- cookie: Fix bug in export if any-domain cookie is present
- http://curl.haxx.se/bug/view.cgi?id=2956437
+ In 3013bb6 I had changed cookie export to ignore any-domain cookies,
+ however the logic I used to do so was incorrect, and would lead to a
+ busy loop in the case of exporting a cookie list that contained
+ any-domain cookies. The result of that is worse though, because in that
+ case the other cookies would not be written resulting in an empty file
+ once the application is terminated to stop the busy loop.
+
+Dan Fandrich (18 Jun 2015)
+- FTP: fixed compiling with --disable-proxy, broken in b88f980a
-- remove assignment never used
+Daniel Stenberg (18 Jun 2015)
+- tool: always provide negotiate/kerberos options
+
+ libcurl can still be built with it, even if the tool is not. Maintain
+ independence!
-- - Ben Greear provided an update for TFTP that fixes upload.
+- TODO: Support IDNA2008
-- SSL, not SSH, SSL
+- [Viktor Szakats brought this change]
-- - Wesley Miaw reported bug #2958179 which identified a case of looping during
- OpenSSL based SSL handshaking even though the multi interface was used and
- there was no good reason for it.
+ Makefile.m32: add support for CURL_LDFLAG_EXTRAS
- http://curl.haxx.se/bug/view.cgi?id=2958179
+ It is similar to existing CURL_CFLAG_EXTRAS, but for
+ extra linker option.
-Yang Tse (28 Feb 2010)
-- Added SIZEOF_INT and SIZEOF_SHORT definitions for non-configure systems
+- RTSP: removed another piece of dead code
+
+ Coverity CID 1306668
-- Added ares_nowarn.* to VC6 project file
+- openssl: fix use of uninitialized buffer
+
+ Make sure that the error buffer is always initialized and simplify the
+ use of it to make the logic easier.
+
+ Bug: https://github.com/bagder/curl/issues/318
+ Reported-by: sneis
-Daniel Stenberg (26 Feb 2010)
-- spellchecked by Stéphane Fillod
+- examples: more descriptions
-- - Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
- chunked-encoding trailer.
+- examples: add descriptions with <DESC>
- http://curl.haxx.se/bug/view.cgi?id=2958474
+ Using this fixed format for example descriptions, we can generate a
+ better list on the web site.
-Dan Fandrich (26 Feb 2010)
-- Fixed a couple of out of memory leaks and a segfault in the IMAP code.
+- libcurl-errors.3: fix typo
-Yang Tse (26 Feb 2010)
-- fix sizeof short
+- curl_easy_setopt.3: option order doesn't matter
-- Added SIZEOF_INT and SIZEOF_SHORT definitions for non-configure systems
+- openssl: fix build with BoringSSL
+
+ OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression
+ from cae43a1
-- Added SIZEOF_INT definition
+- [Paul Howarth brought this change]
-- fix compiler warning
+ openssl: Fix build with openssl < ~ 0.9.8f
+
+ The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at
+ around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks
+ builds with older openssls (certainly with 0.9.8b, which is the latest
+ older version I have to try with).
-- fix compiler warning
+- FTP: do the HTTP CONNECT for data connection blocking
+
+ ** WORK-AROUND **
+
+ The introduced non-blocking general behaviour for Curl_proxyCONNECT()
+ didn't work for the data connection establishment unless it was very
+ fast. The newly introduced function argument makes it operate in a more
+ blocking manner, more like it used to work in the past. This blocking
+ approach is only used when the FTP data connecting through HTTP proxy.
+
+ Blocking like this is bad. A better fix would make it work more
+ asynchronously.
+
+ Bug: https://github.com/bagder/curl/issues/278
-- fix compiler warning
+- bump: start the journey toward 7.44.0
-Dan Fandrich (25 Feb 2010)
-- Fixed a couple of out of memory leaks and a segfault in the SMTP code.
+Jay Satiro (17 Jun 2015)
+- CURLOPT_ERRORBUFFER.3: Fix example, escape backslashes
-Yang Tse (25 Feb 2010)
-- fix file name
+- CURLOPT_ERRORBUFFER.3: Improve example
-- Fixed bug report #2958074 indicating
- (http://curl.haxx.se/bug/view.cgi?id=2958074) that curl on Windows with
- option --trace-time did not use local time when timestamping trace lines.
- This could also happen on other systems depending on time souurce.
+Version 7.43.0 (17 Jun 2015)
-- enable 802 and 803
+Daniel Stenberg (17 Jun 2015)
+- RELEASE-NOTES: 7.43.0 release
-- fix compiler warning
+- THANKS: updated with 7.43.0 names
-- fix compiler warning
+- [Kamil Dudka brought this change]
+
+ http: do not leak basic auth credentials on re-used connections
+
+ CVE-2015-3236
+
+ This partially reverts commit curl-7_39_0-237-g87c4abb
+
+ Reported-by: Tomas Tomecek, Kamil Dudka
+ Bug: http://curl.haxx.se/docs/adv_20150617A.html
-- fix compiler warning
+- [Kamil Dudka brought this change]
+
+ test2040: verify basic auth on re-used connections
-- fix socket data type
+- SMB: rangecheck values read off incoming packet
+
+ CVE-2015-3237
+
+ Detected by Coverity. CID 1299430.
+
+ Bug: http://curl.haxx.se/docs/adv_20150617B.html
-- fix socket data type and logging format in debug tracking socket functions
+Jay Satiro (17 Jun 2015)
+- schannel: schannel_recv overhaul
+
+ This commit is several drafts squashed together. The changes from each
+ draft are noted below. If any changes are similar and possibly
+ contradictory the change in the latest draft takes precedence.
+
+ Bug: https://github.com/bagder/curl/issues/244
+ Reported-by: Chris Araman
+
+ %%
+ %% Draft 1
+ %%
+ - return 0 if len == 0. that will have to be documented.
+ - continue on and process the caches regardless of raw recv
+ - if decrypted data will be returned then set the error code to CURLE_OK
+ and return its count
+ - if decrypted data will not be returned and the connection has closed
+ (eg nread == 0) then return 0 and CURLE_OK
+ - if decrypted data will not be returned and the connection *hasn't*
+ closed then set the error code to CURLE_AGAIN --only if an error code
+ isn't already set-- and return -1
+ - narrow the Win2k workaround to only Win2k
+
+ %%
+ %% Draft 2
+ %%
+ - Trying out a change in flow to handle corner cases.
+
+ %%
+ %% Draft 3
+ %%
+ - Back out the lazier decryption change made in draft2.
+
+ %%
+ %% Draft 4
+ %%
+ - Some formatting and branching changes
+ - Decrypt all encrypted cached data when len == 0
+ - Save connection closed state
+ - Change special Win2k check to use connection closed state
+
+ %%
+ %% Draft 5
+ %%
+ - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
+ connection isn't closed.
+
+ %%
+ %% Draft 6
+ %%
+ - Save the last error only if it is an unrecoverable error.
+
+ Prior to this I saved the last error state in all cases; unfortunately
+ the logic to cover that in all cases would lead to some muddle and I'm
+ concerned that could then lead to a bug in the future so I've replaced
+ it by only recording an unrecoverable error and that state will persist.
+
+ - Do not recurse on renegotiation.
+
+ Instead we'll continue on to process any trailing encrypted data
+ received during the renegotiation only.
+
+ - Move the err checks in cleanup after the check for decrypted data.
+
+ In either case decrypted data is always returned but I think it's easier
+ to understand when those err checks come after the decrypted data check.
+
+ %%
+ %% Draft 7
+ %%
+ - Regardless of len value go directly to cleanup if there is an
+ unrecoverable error or a close_notify was already received. Prior to
+ this change we only acknowledged those two states if len != 0.
+
+ - Fix a bug in connection closed behavior: Set the error state in the
+ cleanup, because we don't know for sure it's an error until that time.
+
+ - (Related to above) In the case the connection is closed go "greedy"
+ with the decryption to make sure all remaining encrypted data has been
+ decrypted even if it is not needed at that time by the caller. This is
+ necessary because we can only tell if the connection closed gracefully
+ (close_notify) once all encrypted data has been decrypted.
+
+ - Do not renegotiate when an unrecoverable error is pending.
+
+ %%
+ %% Draft 8
+ %%
+ - Don't show 'server closed the connection' info message twice.
+
+ - Show an info message if server closed abruptly (missing close_notify).
-- convert Curl_ultous() and Curl_ultouc() functions to curlx_ultous() and
- curlx_ultouc(), exposing them through curlx.h to allow proper code reuse
- later in our test harness.
+Daniel Stenberg (16 Jun 2015)
+- [Paul Oliver brought this change]
-- updated sources
+ Fix typo in docs
+
+ s/curret/current/
-Patrick Monnerat (22 Feb 2010)
-- _ Adjusted RFC821 HELO fallback and enabled test804
+- [Viktor Szakats brought this change]
-- - Proper handling of STARTTLS on SMTP, taking CURLUSESSL_TRY into account.
- - SMTP falls back to RFC821 HELO when EHLO fails (and SSL is not required).
- - Use of true local host name (i.e.: via gethostname()) when available, as default argument to SMTP HELO/EHLO.
- - Test case 804 for HELO fallback.
+ docs: update URLs
-Yang Tse (22 Feb 2010)
-- add header inclusion
+- RELEASE-NOTES: synced with f29f2cbd00dbe5f
-- fix compiler warning
+- [Viktor Szakats brought this change]
-- fix compiler warning
+ README: use secure protocol for Git repository
-Daniel Stenberg (21 Feb 2010)
-- clarify more details on section "2.1 More non-blocking"
+- [Viktor Szakats brought this change]
-- TFTP transfers are not blocking since 7.20.0
+ HTTP2.md: use SSL/TLS IETF URLs
-- - Fixed the SMTP compliance by making sure RCPT TO addresses are specified
- properly in angle brackets. Recipients provided with CURLOPT_MAIL_RCPT now
- get angle bracket wrapping automatically by libcurl unless the recipient
- starts with an angle bracket as then the app is assumed to deal with that
- properly on its own.
+- [Viktor Szakats brought this change]
-- - I made the SMTP code expect a 250 response back from the server after the
- full DATA has been sent, and I modified the test SMTP server to also send
- that response. As usual, the DONE operation that is made after a completed
- transfer is still not doable in a non-blocking way so this waiting for 250
- is unfortunately made blockingly.
+ LICENSE-MIXING: update URLs
+
+ * use SSL/TLS where available
+ * follow permanent redirects
-- corected a comment and wrapped a few longish lines
+- LICENSE-MIXING: refreshed
-Yang Tse (20 Feb 2010)
-- fix compiler warning
+- curl_easy_duphandle: see also *reset
-- fix compiler warning
+- rtsp_do: fix DEAD CODE
+
+ "At condition p_request, the value of p_request cannot be NULL."
+
+ Coverity CID 1306668.
-- fix compiler warning
+- security:choose_mech fix DEAD CODE warning
+
+ ... by removing the "do {} while (0)" block.
+
+ Coverity CID 1306669
-- fix compiler warning
+- curl.1: netrc is in man section 5
-- fix compiler warning
+- curl.1: small format fix
+
+ use \fI-style instead of .BR for references
-Daniel Stenberg (17 Feb 2010)
-- ares_reinit()
+- urldata: store POST size in state.infilesize too
+
+ ... to simplify checking when PUT _or_ POST have completed.
- - To allow an app to force a re-read of /etc/resolv.conf etc, pretty much
- like the res_init() resolver function offers
+ Reported-by: Frank Meier
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html
-- use curl standard indentation and line lengths
+Dan Fandrich (14 Jun 2015)
+- test1530: added http to required features
-Yang Tse (16 Feb 2010)
-- replaced tabs with spaces
+Jay Satiro (14 Jun 2015)
+- [Drake Arconis brought this change]
-- fix Content-Length validation
+ build: Fix typo from OpenSSL 1.0.2 version detection fix
-Daniel Stenberg (15 Feb 2010)
-- use (void) in front of fwrite() calls that ignore the return code
+- [Drake Arconis brought this change]
-Yang Tse (15 Feb 2010)
-- fix compiler warning: conversion from "long" to "size_t" may lose sign
+ build: Properly detect OpenSSL 1.0.2 when using configure
-- fix compiler warning: conversion from "long" to "size_t" may lose sign
+- curl_multi_info_read.3: fix example formatting
-Daniel Stenberg (15 Feb 2010)
-- -w speed_download and speed_upload are measured in bytes per second
+Daniel Stenberg (13 Jun 2015)
+- BINDINGS: there's a new R binding in town!
-- 75. NTLM authentication involving unicode user name or password.
- http://curl.haxx.se/mail/lib-2009-10/0024.html
- http://curl.haxx.se/bug/view.cgi?id=2944325
+- BINDINGS: added the Xojo binding
-Yang Tse (14 Feb 2010)
-- removed trailing whitespace
+Jay Satiro (11 Jun 2015)
+- [Joel Depooter brought this change]
-- fix compiler warning
+ schannel: Add support for optional client certificates
+
+ Some servers will request a client certificate, but not require one.
+ This change allows libcurl to connect to such servers when using
+ schannel as its ssl/tls backend. When a server requests a client
+ certificate, libcurl will now continue the handshake without one,
+ rather than terminating the handshake. The server can then decide
+ if that is acceptable or not. Prior to this change, libcurl would
+ terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS
+ error.
-- Overhauled test suite getpart() function. Fixing potential out of bounds
- stack and memory overwrites triggered with huge test case definitions.
+Daniel Stenberg (11 Jun 2015)
+- curl_easy_cleanup.3: provide more SEE ALSO
-Daniel Stenberg (13 Feb 2010)
-- - Martin Hager reported and fixed a problem with a missing quote in libcurl.m4
+- debug: remove http2 debug leftovers
+
+- VERSIONS: now using markdown
+
+- RELEASE-PROCEDURE: remove ascii logo at the top of file
+
+- INTERNALS: absorbed docs/LIBCURL-STRUCTS
+
+- INTERNALS: cat lib/README* >> INTERNALS
+
+ and a conversion to markdown. Removed the lib/README.* files. The idea
+ being to move toward having INTERNALS as the one and only "book" of
+ internals documentation.
- (http://curl.haxx.se/bug/view.cgi?id=2951319)
+ Added a TOC to top of the document.
+
+Jay Satiro (8 Jun 2015)
+- openssl: LibreSSL and BoringSSL do not use TLS_client_method
+
+ Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of
+ TLS_client_method LibreSSL and BoringSSL didn't and still use
+ SSLv23_client_method.
+
+ Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009
+ Reported-by: asavah@users.noreply.github.com
+
+Daniel Stenberg (9 Jun 2015)
+- RELEASE-NOTES: synced with 20ac3458068
+
+- CURLOPT_OPENSOCKETFUNCTION: return error at once
+
+ When CURL_SOCKET_BAD is returned in the callback, it should be treated
+ as an error (CURLE_COULDNT_CONNECT) if no other socket is subsequently
+ created when trying to connect to a server.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0047.html
+
+- fopen.c: fix a few compiler warnings
+
+- [Ville Skyttä brought this change]
+
+ docs: Spelling fixes
-Gunter Knauf (13 Feb 2010)
-- used allways #ifdef / #ifndef;
- moved gethostbyname_thread() to #else case to avoid 'not used' compiler warning.
+- [Ville Skyttä brought this change]
-- replaced tabs by spaces, removed trailing tabs/spaces.
+ docs: man page indentation and syntax fixes
-Daniel Stenberg (13 Feb 2010)
-- - Tom Donovan fixed the CURL_FORMAT_* defines when building with cmake.
+Linus Nielsen (8 Jun 2015)
+- help: Add --proxy-service-name and --service-name to the --help output
-- - Jack Zhang reported a problem with SMTP: we wrongly used multiple addresses
- in the same RCPT TO line, when they should be sent in separate single
- commands. I updated test case 802 to verify this.
+Jay Satiro (7 Jun 2015)
+- openssl: Fix verification of server-sent legacy intermediates
- - I also fixed a bad use of my_setopt_str() of CURLOPT_MAIL_RCPT in the curl
- tool which made it try to output it as string for the --libcurl feature
- which could lead to crashes.
+ - Try building a chain using issuers in the trusted store first to avoid
+ problems with server-sent legacy intermediates.
+
+ Prior to this change server-sent legacy intermediates with missing
+ legacy issuers would cause verification to fail even if the client's CA
+ bundle contained a valid replacement for the intermediate and an
+ alternate chain could be constructed that would verify successfully.
+
+ https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
-- CURLOPT_MAIL_RCPT is *not* a string so we must not try to printf() it
+Daniel Stenberg (5 Jun 2015)
+- BINDINGS: update several URLs
+
+ Stop linking to the curl.haxx.se anchor pages, they are usually only
+ themselves pointers to the real page so better point there directly
+ instead.
-- free --mail-from strings properly
+- BINDINGS: the curl-rust binding
-Patrick Monnerat (11 Feb 2010)
-- _ Make it compilable again on OS400.
- _ Upgrade OS400 EBCDIC wrappers for new options.
- _ Upgrade ILE/RPG bindings to current state.
+- curl.h: add CURL_HTTP_VERSION_2
+
+ The protocol is named "HTTP/2" after all. It is an alias for the
+ existing CURL_HTTP_VERSION_2_0 enum.
-Yang Tse (11 Feb 2010)
-- mention last changes
+- openssl: removed error string #ifdef
+
+ ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
-- Steven M. Schweda updated VMS readme file
+- openssl: removed USERDATA_IN_PWD_CALLBACK kludge
+
+ Code for OpenSSL 0.9.4 serves no purpose anymore!
-- Steven M. Schweda removed batch_compile.com and defines.com
+- openssl: remove SSL_get_session()-using code
+
+ It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or
+ later.
-- Steven M. Schweda fixed:
+- openssl: remove dummy callback use from SSL_CTX_set_verify()
- VMS builder bad behavior when used in a batch job.
+ The existing callback served no purpose.
+
+- LIBCURL-STRUCTS: clarify for multiplexing
+
+Jay Satiro (3 Jun 2015)
+- cookie: Stop exporting any-domain cookies
- Various ".LIS" and ".MAP" files created without being requested
- by a "LIST" command-line option, and in the wrong place, too.
+ Prior to this change any-domain cookies (cookies without a domain that
+ are sent to any domain) were exported with domain name "unknown".
- Some minor typographical changes.
+ Bug: https://github.com/bagder/curl/issues/292
-Dan Fandrich (10 Feb 2010)
-- Mention the minimum size of CURL_MAX_WRITE_SIZE
+Daniel Stenberg (3 Jun 2015)
+- RELEASE-PROCEDURE: refreshed 'coming dates'
-Yang Tse (10 Feb 2010)
-- - remove extra "\r\n" from doc404_RTSP
+Jay Satiro (2 Jun 2015)
+- curl_setup: Change fopen text macros to use 't' for MSDOS
- - avoid memory alignment issue when setting RTSP packet length
+ Bug: https://github.com/bagder/curl/pull/258#issuecomment-107915198
+ Reported-by: Gisle Vanem
-Dan Fandrich (9 Feb 2010)
-- Removed some erroneous "compressed" key words
+Daniel Stenberg (2 Jun 2015)
+- curl_multi_timeout.3: added example
-Daniel Stenberg (9 Feb 2010)
-- start working on 7.20.1
+- curl_multi_perform.3: added example
-Version 7.20.0 (9 Feb 2010)
+- curl_multi_info_read.3: added example
-Daniel Stenberg (9 Feb 2010)
-- spell and 7.20.0
+- checksrc: detect fopen() for text without the FOPEN_* macros
+
+ Follow-up to e8423f9ce150 with discussionis in
+ https://github.com/bagder/curl/pull/258
+
+ This check scans for fopen() with a mode string without 'b' present, as
+ it may indicate that an FOPEN_* define should rather be used.
-- - When downloading compressed content over HTTP and the app as asked libcurl
- to automatically uncompress it with the CURLOPT_ENCODING option, libcurl
- could wrongly provide the callback with more data than what the maximum
- documented amount. An application could thus get tricked into badness if the
- maximum limit was trusted to be enforced by libcurl itself (as it is
- documented).
+- curl_getdate.3: update RFC reference
+
+Jay Satiro (1 Jun 2015)
+- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
+
+ - Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
+ - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"
+
+ This change is to explicitly specify when we need to read/write text.
+ Unfortunately 't' is not part of POSIX fopen so we can't specify it
+ directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT.
+
+ Prior to this change we had an issue on Windows if an application that
+ uses libcurl overrides the default file mode to binary. The default file
+ mode in Windows is normally text mode (translation mode) and that's what
+ libcurl expects.
+
+ Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
+ Reported-by: Orgad Shaneh
+
+Daniel Stenberg (1 Jun 2015)
+- http2-upload.c: use PIPEWAIT for playing HTTP/2 better
+
+- http2-download: check for CURLPIPE_MULTIPLEX properly
- This is further detailed and explained in the libcurl security advisory
- 20100209 at
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0001.html
+ Reported-by: Rafayel Mkrtchyan
+
+- [Isaac Boukris brought this change]
+
+ HTTP-NTLM: fail auth on connection close instead of looping
- http://curl.haxx.se/docs/adv_20100209.html
+ Bug: https://github.com/bagder/curl/issues/256
+
+- 5.6 Refuse "downgrade" redirects
-- set VERSIONINFO accordingly for the 7.20.0 release
+- README.pingpong: removed
-Yang Tse (6 Feb 2010)
-- warning fix
+- ROADMAP: remove HTTP/2 multiplexing - its here now
-- OOM handling fix
+- HTTP2.md: formatted properly
-- OOM handling fix
+- HTTP2: moved docs into docs/ and make it markdown
-- fix compiler warning
+- README.http2: refreshed and added multiplexing info
-- fix compiler warning
+- dist: add the http2 examples
-- fix compiler warning
+- http2 examples: clean up some comments
-- Addes OOM handling for curl_easy_setopt() calls in test
+- examples: added two programs doing multiplexed HTTP/2
-- - avoid OpenSSL 0.9.8 ENGINE_by_id memory leak
+- scripts: moved contributors.sh and contrithanks.sh into subdir
+
+- RELEASE-NOTES: synced with c005790ff1c0a
+
+- [Daniel Melani brought this change]
+
+ openssl: typo in comment
+
+Jay Satiro (27 May 2015)
+- openssl: Use TLS_client_method for OpenSSL 1.1.0+
+
+ SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The
+ equivalent is TLS_client_method.
- - cleanup parenthesis usage in return statements
+ https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557
-- - attempt to workaround icc 9.1 optimizer issue
+Daniel Stenberg (26 May 2015)
+- FAQ: How do I port libcurl to my OS?
-- fix printf-style format strings
+Jay Satiro (25 May 2015)
+- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
+
+ Document that if Set-Cookie is used without a domain then the cookie is
+ sent for any domain and will not be modified.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-05/0137.html
+ Reported-by: Alexander Dyagilev
-- Validate server port argument
+Daniel Stenberg (25 May 2015)
+- [Tatsuhiro Tsujikawa brought this change]
-- Fix variable initialization
+ http2: Copy data passed in Curl_http2_switched into HTTP/2 connection buffer
+
+ Previously, after seeing upgrade to HTTP/2, we feed data followed by
+ upgrade response headers directly to nghttp2_session_mem_recv() in
+ Curl_http2_switched(). But it turns out that passed buffer, mem, is
+ part of stream->mem, and callbacks called by
+ nghttp2_session_mem_recv() will write stream specific data into
+ stream->mem, overwriting input data. This will corrupt input, and
+ most likely frame length error is detected by nghttp2 library. The
+ fix is first copy the passed data to HTTP/2 connection buffer,
+ httpc->inbuf, and call nghttp2_session_mem_recv().
-- Modified test case 557 to additionally verify libcurl's internal curl_m*printf()
- functions formatting functionality when handling signed and unsigned shorts.
+Jay Satiro (24 May 2015)
+- CURLOPT_COOKIE.3: Explain that the cookies won't be modified
+
+ The CURLOPT_COOKIE doc says it "sets the cookie header explicitly in the
+ outgoing request(s)." However there seems to be some user confusion
+ about cookie modification. Document that the cookies set by this option
+ are not modified by the cookie engine.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-05/0115.html
+ Reported-by: Alexander Dyagilev
-- Added size check for 'short' data type
+- CURLOPT_COOKIELIST.3: Add example
-- Fix compiler warning: unused variable
+Dan Fandrich (24 May 2015)
+- testcurl.pl: use rel2abs to make the source directory absolute
+
+ This function makes a platform-specific absolute path which uses
+ backslashes on Windows. This form works when passing it on the
+ command-line, as well as if the source is on another drive.
-- added an additional second to allow test to pass on heavily loaded servers
+- conncache: fixed memory leak on OOM (torture tests)
-Dan Fandrich (3 Feb 2010)
-- Changed the Watcom makefiles to make them easier to keep in sync with
- Makefile.inc since that can't be included directly.
+Daniel Stenberg (24 May 2015)
+- perl: remove subdir, not touched in 9 years
-Daniel Stenberg (3 Feb 2010)
-- more symbols added in 7.20.0
+- log2changes.pl: moved to scripts/
-Yang Tse (3 Feb 2010)
-- Fix OOM handling
+- [Alessandro Ghedini brought this change]
-- Fix progressmode Configurable struct member data type. Changed to
- 'int' which fits better with existing CURL_PROGRESS_* definitions.
+ scripts: add zsh.pl for generating zsh completion
-- Fix portability issue related with unaligned memory access
+Dan Fandrich (23 May 2015)
+- test1510: another flaky test
-- Fix compiler warnings: conversion from 'const int ' to 'unsigned char ', possible loss of data
+Daniel Stenberg (22 May 2015)
+- security: fix "Unchecked return value" from sscanf()
+
+ By (void) prefixing it and adding a comment. Did some minor related
+ cleanups.
+
+ Coverity CID 1299423.
-- cookies with same path length might get sorted in different order when
- using different qsort implementations. In order to make this test give
- same results on different systems, paths now have different lengths.
+- security: simplify choose_mech
+
+ Coverity CID 1299424 identified dead code because of checks that could
+ never equal true (if the mechanism's name was NULL).
+
+ Simplified the function by removing a level of pointers and removing the
+ loop and array that weren't used.
-- added an additional second to allow test to pass on heavily loaded servers
+- RTSP: catch attempted unsupported requests better
+
+ Replace use of assert with code that properly catches bad input at
+ run-time even in non-debug builds.
+
+ This flaw was sort of detected by Coverity CID 1299425 which claimed the
+ "case RTSPREQ_NONE" was dead code.
-- Fix compiler warning: conditional expression is constant
+- share_init: fix OOM crash
+
+ A failed calloc() would lead to NULL pointer use.
+
+ Coverity CID 1299427.
-- Fix compiler warning: local variable may be used without having been initialized.
+- parse_proxy: switch off tunneling if non-HTTP proxy
+
+ non-HTTP proxy implies not using CURLOPT_HTTPPROXYTUNNEL
+
+ Bug: http://curl.haxx.se/mail/lib-2015-05/0056.html
+ Reported-by: Sean Boudreau
-- Fix compiler warnings: conversion from 'const int ' to 'unsigned char ', possible loss of data
+- curl: fix potential NULL dereference
+
+ Coverity CID 1299428: Dereference after null check (FORWARD_NULL)
-- Fix compiler warnings:
+- http2: on_frame_recv: return early on stream 0
- (1) conversion from 'const int ' to 'unsigned char ', possible loss of data
- (2) conditional expression is constant
+ Coverity CID 1299426 warned about possible NULL dereference otherwise,
+ but that would only ever happen if we get invalid HTTP/2 data with
+ frames for stream 0. Avoid this risk by returning early when stream 0 is
+ used.
-- mention a couple of changes back from November
+- http: removed self assignment
+
+ Follow-up fix from b0143a2a33f0
+
+ Detected by coverity. CID 1299429
-- mention run time statistics options
+- [Tatsuhiro Tsujikawa brought this change]
-- - Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release,
- symbol will not be available when building with CURL_NO_OLDIES defined. Use
- of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0
+ http2: Make HTTP Upgrade work
+
+ This commit just add implicitly opened stream 1 to streams hash.
-- avoid possibility of using obsoleted stuff
+Jay Satiro (22 May 2015)
+- strerror: Change SEC_E_ILLEGAL_MESSAGE description
+
+ Prior to this change the description for SEC_E_ILLEGAL_MESSAGE was OS
+ and language specific, and invariably translated to something not very
+ helpful like: "The message received was unexpected or badly formatted."
+
+ Bug: https://github.com/bagder/curl/issues/267
+ Reported-by: Michael Osipov
-- remove setup.h inclusion which is already done from test.h inclusion
+- telnet: Fix read-callback change for Windows builds
+
+ Refer to b0143a2 for more information on the read-callback change.
+
+Daniel Stenberg (21 May 2015)
+- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy!
-Kamil Dudka (2 Feb 2010)
-- mention SOCKS related problems in the curl(1) man page
+Dan Fandrich (21 May 2015)
+- testcurl.pl: allow source to be in an arbitrary directory
+
+ This way, the build directory can be located on an entirely different
+ filesystem from the source code (e.g. a tmpfs).
+
+Daniel Stenberg (20 May 2015)
+- read_callback: move to SessionHandle from connectdata
+
+ With many easy handles using the same connection for multiplexing, it is
+ important we store and keep the transfer-oriented stuff in the
+ SessionHandle so that callbacks and callback data work fine even when
+ many easy handles share the same physical connection.
+
+- http2: show stream IDs in decimal
+
+ It makes them easier to match output from the nghttpd test server.
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Faster http2 upload
+
+ Previously, when we send all given buffer in data_source_callback, we
+ return NGHTTP2_ERR_DEFERRED, and nghttp2 library removes this stream
+ temporarily for writing. This itself is good. If this is the sole
+ stream in the session, nghttp2_session_want_write() returns zero,
+ which means that libcurl does not check writeability of the underlying
+ socket. This leads to very slow upload, because it seems curl only
+ upload 16k something per 1 second. To fix this, if we still have data
+ to send, call nghttp2_session_resume_data after nghttp2_session_send.
+ This makes nghttp2_session_want_write() returns nonzero (if connection
+ window still opens), and as a result, socket writeability is checked,
+ and upload speed becomes normal.
+
+- [Dmitry Eremin-Solenikov brought this change]
+
+ gtls: don't fail on non-fatal alerts during handshake
+
+ Stop curl from failing when non-fatal alert is received during
+ handshake. This e.g. fixes lots of problems when working with https
+ sites through proxies.
+
+- curl_easy_unescape.3: update RFC reference
+
+ Reported-by: bsammon
+ Bug: https://github.com/bagder/curl/issues/282
-Yang Tse (2 Feb 2010)
-- Fix compiler warning: variable was set but never used
+Jay Satiro (20 May 2015)
+- CURLOPT_POSTFIELDS.3: Mention curl_easy_escape
- Simplify preprocessor symbol checking
+ .. also correct some variable naming in curl_easy_escape.3
+
+ Bug: https://github.com/bagder/curl/issues/281
+ Reported-by: bsammon@users.noreply.github.com
-Daniel Stenberg (2 Feb 2010)
-- Julien Chaffraix pointed out a comment mistake, and I re-indented the code
- slightly while editing
+Daniel Stenberg (19 May 2015)
+- [Brian Prodoehl brought this change]
-Yang Tse (2 Feb 2010)
-- include headers
+ openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_arg
+
+ BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl
+ and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and
+ OpenSSL.
+
+ re #275
-- Conroy added a check to the coded message size since the docs stipulate
- that each call will contain a full protocol packet.
+Jay Satiro (19 May 2015)
+- curl.1: fix missing space in section --data
-- Conroy's fix to make the code match with the RTP documentation regarding
- writing out the whole header. The docs say it writes the whole header,
- but the code (before this patch) did not write out the leading $.
+Daniel Stenberg (19 May 2015)
+- transfer: remove erroneous and misleading comment
-Daniel Stenberg (1 Feb 2010)
-- We introduce a loop in lib/multi.c around all calls to multi_runsingle() and
- simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added
- benefit that this goes in line with my long-term wishes to get rid of the
- CURLM_CALL_MULTI_PERFORM all together from the public API.
+Kamil Dudka (19 May 2015)
+- http: silence compile-time warnings without USE_NGHTTP2
+
+ Error: CLANG_WARNING:
+ lib/http.c:173:16: warning: Value stored to 'http' during its initialization is never read
+
+ Error: COMPILER_WARNING:
+ lib/http.c: scope_hint: In function ‘http_disconnect’
+ lib/http.c:173:16: warning: unused variable ‘http’ [-Wunused-variable]
-Yang Tse (1 Feb 2010)
-- update rtsp server header field from SWS to RTSPD
+Jay Satiro (19 May 2015)
+- transfer: Replace __func__ instances with function name
+
+ .. also make __func__ replacement in multi.
+
+ Prior to this change debug builds would fail to build if the compiler
+ was building pre-c99 and didn't support __func__.
-- Test suite support for RTSP
+Daniel Stenberg (19 May 2015)
+- [Viktor Szakats brought this change]
-- Make Curl_pop3_write() additionally truncate trailing POP3_EOB from received
- string buffer, otherwise Curl_client_write() call with zero size would write
- to the end of string buffer including matched POP3_EOB.
+ build: bump version in default nghttp2 paths
-- WIN32 fix, _beginthreadex() may return either 0 or -1L upon failure
+- INTERNALS: we require nghttp2 1.0.0+ now
-- fix errno usage for WIN32 builds
+Jay Satiro (18 May 2015)
+- http: Add some include guards for the new HTTP/2 stuff
-- fix printf-style format strings
+Daniel Stenberg (18 May 2015)
+- http2: store upload state per stream
+
+ Use a curl_off_t for upload left
-- Chris Conroy fixed test #568 issues with carriage returns
+- http2: fix build when NOT h2-enabled
-- RTSP followup fix. Both the pipelined and non-pipelined case need to
- check for (excess > 0 && !k->ignorebody).
+- http2: switch to use Curl_hash_destroy()
+
+ as after 4883f7019d3, the *_clean() function only flushes the hash.
-Daniel Stenberg (28 Jan 2010)
-- - Tommie Gannert pointed out a silly bug in ares_process_fd() since it didn't
- check for broken connections like ares_process() did. Based on that, I
- merged the two functions into a single generic one with two front-ends.
+- curlver: restore LIBCURL_VERSION_NUM defined as a full number
+
+ As it breaks configure, curl-config and test 1023 if not.
-Yang Tse (28 Jan 2010)
-- fix printf-style format strings
+- [Anthony Avina brought this change]
-- Use 'size_t' for GETNAMEINFO_TYPE_ARG2 definition for VMS.
+ hostip: fix unintended destruction of hash table
- http://curl.haxx.se/mail/lib-2009-12/0293.html
+ .. and added unit1602 for hash.c
-- portability fix
+- curlver: introducing new version number (checking) macros
-- fix printf-style format strings
+- runtests.pl: use 'h2c' now, no -14 anymore
-- Known bug #64 fixed by Constantine Sapuntzakis and Joshua Kwan in 7.20.0
+- [Tatsuhiro Tsujikawa brought this change]
-- Chris Conroy provided first RTSP tests
+ http2: Ignore if we have stream ID not in hash in on_stream_close
+
+ We could get stream ID not in the hash in on_stream_close. For
+ example, if we decided to reject stream (e.g., PUSH_PROMISE), then we
+ don't create stream and store it in hash with its stream ID.
-- RTSP tests disabled until test harness RTSP support is updated
+- [Tatsuhiro Tsujikawa brought this change]
-- Chris Conroy's RTSP followup fixes
+ Require nghttp2 v1.0.0
+
+ This commit requires nghttp2 v1.0.0 to compile, and migrate to v1.0.0,
+ and utilize recent version of nghttp2 to simplify the code,
+
+ First we use nghttp2_option_set_no_recv_client_magic function to
+ detect nghttp2 v1.0.0. That function only exists since v1.0.0.
+
+ Since nghttp2 v0.7.5, nghttp2 ensures header field ordering, and
+ validates received header field. If it found error, RST_STREAM with
+ PROTOCOL_ERROR is issued. Since we require v1.0.0, we can utilize
+ this feature to simplify libcurl code. This commit does this.
+
+ Migration from 0.7 series are done based on nghttp2 migration
+ document. For libcurl, we removed the code sending first 24 bytes
+ client magic. It is now done by nghttp2 library.
+ on_invalid_frame_recv callback signature changed, and is updated
+ accordingly.
-- mention asynchronous DNS lookups enhancements
+- http2: infof length in on_frame_send()
-- Restore normal operation:
+- pipeline: switch some code over to functions
- c-ares is only enabled when specifically requested.
+ ... to "compartmentalize" a bit and make it easier to change behavior
+ when multiplexing is used instead of good old pipelining.
+
+- symbols-in-versions: add CURLOPT_PIPEWAIT
+
+- CURLOPT_PIPEWAIT: added
- Consequently, c-ares default setting is disabled.
+ By setting this option to 1 libcurl will wait for a connection to reveal
+ if it is possible to pipeline/multiplex on before it continues.
-- fix c-ares assumed check being skipped
+- Curl_http_readwrite_headers: minor code simplification
-- fix compiler warning
+- IsPipeliningPossible: fixed for http2
-- fix LDFLAGS preservation in CURL_CHECK_LIB_ARES
+- http2: bump the h2 buffer size to 32K for speed
-Daniel Stenberg (26 Jan 2010)
-- no need to take precautiono for how things were before 7.16.0 since that
- is now a very long time ago
+- http2: remove the stream from the hash in stream_close callback
+
+ ... and suddenly things work much better!
-- - Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the
- proxy that cannot be resolved when using c-ares. This matches the behaviour
- when not using c-ares.
+- http2: if there is paused data, do not clear the drain field
-Dan Fandrich (26 Jan 2010)
-- Added curl_threads.c to a few more non-configure build files
+- http2: rename s/data/pausedata
-Yang Tse (26 Jan 2010)
-- minor fixes for --enable-ares configure option
+- http2: "stream %x" in all outputs to make it easier to search for
-Daniel Stenberg (26 Jan 2010)
-- Andre Guibert de Bruet improved the libssh2 error code translation
+- http2: Curl_expire() all handles with incoming traffic
+
+ ... so that they'll get handled next in the multi loop.
-Yang Tse (26 Jan 2010)
-- resolver selection for non-configure Windows builds, default is threaded DNS
+- http2: don't signal settings change for same values
-- add curl_threads.c to non-configure target build files
+- http2: set default concurrency, fix ConnectionExists for multiplex
-- onstantine Sapuntzakis threaded resolver enhancements
+- bundles: store no/default/pipeline/multiplex
+
+ to allow code to act differently on the situation.
+
+ Also added some more info message for the connection re-use function to
+ make it clearer when connections are not re-used.
-- Constantine Sapuntzakis threaded resolver enhancements
+- http2: lazy init header_recvbuf
+
+ It makes us use less memory when not doing HTTP/2 and subsequently also
+ makes us not have to cleanup HTTP/2 related data when not using HTTP/2!
-- Constantine Sapuntzakis provided initial thread abstraction layer
+- http2: separate multiplex/pipelining + cleanup memory leaks
-- make Curl_handler_*_proxy definition static
+- CURLMOPT_PIPELINE: bit 1 is for multiplexing
-Dan Fandrich (25 Jan 2010)
-- Updated minimum library sizes
+- [Tatsuhiro Tsujikawa brought this change]
-Yang Tse (25 Jan 2010)
-- fix compiler warning
+ http2: Fix bug that data to be drained are overwritten by pending "paused" data
-Daniel Stenberg (24 Jan 2010)
-- Julien Chaffraix corrected bad #elif lines to silence warnings
+- [Tatsuhiro Tsujikawa brought this change]
-Yang Tse (24 Jan 2010)
-- HAVE_GETADDRINFO_THREADSAFE definition for non-configure win32 builds
+ http2: Don't call nghttp2_session_mem_recv while it is paused by a stream
-Bjorn Stenberg (23 Jan 2010)
-- Mention -J change
+- [Tatsuhiro Tsujikawa brought this change]
-- Added -J/--remote-header-name.
+ http2: Read data left in connection buffer after pause
+
+ Previously when we do pause because of out of buffer, we just throw
+ away unread data in connection buffer. This just broke protocol
+ framing, and I saw occasional FRAME_SIZE_ERROR. This commit fix this
+ issue by remembering how much data read, and in the next iteration, we
+ process remaining data.
-Daniel Stenberg (23 Jan 2010)
-- "remove progress meter from libcurl" at next API break
+- [Tatsuhiro Tsujikawa brought this change]
-Yang Tse (23 Jan 2010)
-- add inclusion of curl_memory.h
+ http2: Fix streams get stuck
+
+ This commit fixes the bug that streams get stuck if stream gets some
+ DATA, and stream->closed becomes true at the same time. Previously,
+ in this condition, after we processed DATA, we are going to try to
+ read data from underlying transport, but there is no data, and gets
+ EAGAIN. There was no code path to evaludate stream->closed.
-- adjust preprocessor symbol definition check relative to resolver specialty
+- http2: store incoming h2 SETTINGS
-- PKTSIZE might have been already defined in arpa/tftp.h
+- pipeline: move function to pipeline.c and make static
+
+ ... as it was only used from there.
-Dan Fandrich (23 Jan 2010)
-- Include "curl_memory.h" to get the strdup replacement when necessary
+- IsPipeliningPossible: http2 can always "pipeline" (multiplex)
-Daniel Stenberg (22 Jan 2010)
-- wrap long lines and do some indent policing
+- http2: remove debug logging from on_frame_recv
-Yang Tse (22 Jan 2010)
-- Definitions of resolver specialty compile-time defines CURLRES_* moved
- from hostip.h to setup.h in order to allow proper inclusion in any file.
+- http2: remove the closed check in http2_recv
- This represents no functional change at all in which resolver is used,
- everything still works as usual, internally and externally there is no
- difference in behavior.
+ With the "drained" functionality we can get here slightly asynchronously
+ so the stream have have been closed but there is pending data left to
+ read.
-- adjust rtsp protocol support in curl-config and libcurl.pc when http is disabled
+- http2: bump the h2 buffer to 8K
-- deal with the possibility that CURL_DISABLE_RTSP may already be defined
+- http2: Curl_read should not use the single buffer
+
+ ... as it does for pipelining when we're multiplexing, as we need the
+ different buffers to store incoming data correctly for all streams.
-- fix compiler warning: statement is unreachable
+- http2: more debug outputs
-- fix compilation when http is disabled
+- http2: leave WAITPERFORM when conn is multiplexed
+
+ No need to wait for our "spot" like for pipelining
-- disabling of rtsp when http isn't enabled required here for non-configure systems
+- http2: force "drainage" of streams
+
+ ... which is necessary since the socket won't be readable but there is
+ data waiting in the buffer.
-Daniel Stenberg (22 Jan 2010)
-- wrap long lines, remove (very old) attribution from code
+- http2: move the mem+len pair to the stream struct
-- cleanups by Julien Chaffraix
+- http2: more stream-oriented data, stream ID 0 is for connections
-- alphabetically sort the list of supported protocols
+- http2: move lots of state data to the 'stream' struct
+
+ ... from the connection struct. The stream one being the 'struct HTTP'
+ which is kept in the SessionHandle struct (easy handle).
+
+ lookup streams for incoming frames in the stream hash, hashing is based
+ on the stream id and we get the SessionHandle for the incoming stream
+ that way.
-- In spite claiming to tbe disabled by default, RTSP is enabled and it now
- also says so. I also made the list of protocols get sorted.
+- HTTP: partial start at fixing up hash-lookups on http2 frame receival
-- expanded to provide info about the newer protocols too
+- http: a stream hash for h2 multiplexing
-- s/RTPFUNCTION/INTERLEAVEFUNCTION/
- s/RTPDATA/INTERLEAVEDATA/
+- http: a stream hash for h2 multiplexing
-- keep lines shorter than 80 columns, and reduce/remove the use of the word
- 'note' in most description as it is mostly useless.
+- http2: debug log when receiving unexpected stream_id
-Yang Tse (22 Jan 2010)
-- Julien Chaffraix adjusted "<name> section" line length
+- http2: move stream_id to the HTTP struct (per-stream)
-- Constantine Sapuntzakis refactoring of async callbacks, allowing
- removal of Curl_addrinfo_copy(), Curl_addrinfo6_callback(), and
- Curl_addrinfo4_callback()
+- Curl_http2_setup: only do it once and enable multiplex on the server
+
+ Once we know we are HTTP/2 enabled we know the server can multiplex.
-Dan Fandrich (21 Jan 2010)
-- Added rtsp.c to the non-configure target build files
+- http: switch on "pipelining" (multiplexing) for HTTP/2 servers
+
+ ... and do not blacklist any.
-Yang Tse (21 Jan 2010)
-- fix compiler warning
+- README.pipelining: removed
+
+ All the details mentioned here are better documented in man pages
-- make tftp_translate_code() static, it is only used from within tftp.c
+Dan Fandrich (14 May 2015)
+- build: removed bundles.c from make files
+
+ This file was removed in commit fd137786
-- fix warning triggered when debugging on cygwin
+Daniel Stenberg (14 May 2015)
+- Curl_conncache_add_conn: fix memory leak on OOM
-- allow exporting of exe_ext() sub
+- CURLMOPT_MAX_HOST_CONNECTIONS: host = host name + port number
-- improve displaylogcontent() sub fixing a warning
+- conncache: keep bundles on host+port bases, not only host names
+
+ Previously we counted all connections to a specific host name and that
+ would be used for the CURLMOPT_MAX_HOST_CONNECTIONS check for example,
+ while servers on different port numbers are normally considered
+ different "origins" on the web and should thus be considered different
+ hosts.
+
+- bundles: merged into conncache.c
+
+ All the existing Curl_bundle* functions were only ever used from within
+ the conncache.c file, so I moved them over and made them static (and
+ removed the Curl_ prefix).
-Daniel Stenberg (21 Jan 2010)
-- remove typedef we ended up not using
+- hostcache: made all host caches use structs, not pointers
+
+ This avoids unnecessary dynamic allocs and as this also removed the last
+ users of *hash_alloc() and *hash_destroy(), those two functions are now
+ removed.
-- Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new
- libcurl options for controlling what to get and how to receive posssibly
- interleaved RTP data. Initial commit.
+- multi: converted socket hash into non-allocated struct
+
+ avoids extra dynamic allocation
-- Julien Chaffraix fixed line lengths
+- connection cache: avoid Curl_hash_alloc()
+
+ ... by using plain structs instead of pointers for the connection cache,
+ we can avoid several dynamic allocations that weren't necessary.
-- Julien Chaffraix removed an old obsolete typedef
+- proxy: add newline to info message
-- Yun Fu pointed out a flaw in the loop that checks handles, and I indented
- the code more curl-style
+Patrick Monnerat (8 May 2015)
+- FTP: fix dangling conn->ip_addr dereference on verbose EPSV.
-- "5.3 Sort outgoing cookies" removed, we now sort them
+- FTP: Make EPSV use the control IP address rather than the original host.
+ This ensures an alternate address is not used.
+ Does not apply to proxy tunnel.
-Yang Tse (20 Jan 2010)
-- SIGTERM is the signal to trap here, SIGKILL can't be caught.
+Daniel Stenberg (8 May 2015)
+- [Alessandro Ghedini brought this change]
-- Use killsockfilters() to kill sockfilter processes, this ensures that when
- killing a sockfilter process the actual PID from the pid file is used and
- not the one returned by open2() which might be different.
+ tool_help: fix formatting for --next option
-- Allow killsockfilters() to take a 5th optional parameter that when provided
- indicates that only one of the two possible sockfilter processes should be
- killed. Valid values for this parameter are 'main' and 'data'.
+- [Egon Eckert brought this change]
-- Use delete() to unset environment variables instead of assigning undef which
- generates warning 'Use of uninitialized value in scalar assignment' with perl
- versions older than 5.10
+ opts: improved the TCP keepalive examples
-- Adjust valgrind logs file name detection.
+Jay Satiro (8 May 2015)
+- winbuild: Document the option used to statically link the CRT
- Adjust environment vars setting and restoring from test definition.
+ - Document option RTLIBCFG (runtime library configuration).
- Avoid using strftime in torture sub.
+ Bug: https://github.com/bagder/curl/issues/254
+ Reported-by: Bert Huijben
-Daniel Stenberg (20 Jan 2010)
-- modified test case 8 to also make sure that we deal with cookies using
- identical names but different paths properly
+- [Orgad Shaneh brought this change]
-- - As was pointed out on the http-state mailing list, the order of cookies in a
- HTTP Cookie: header _needs_ to be sorted on the path length in the cases
- where two cookies using the same name are set more than once using
- (overlapping) paths. Realizing this, identically named cookies must be
- sorted correctly. But detecting only identically named cookies and take care
- of them individually is harder than just to blindly and unconditionally sort
- all cookies based on their path lengths. All major browsers also already do
- this, so this makes our behavior one step closer to them in the cookie area.
+ netrc: Read in text mode when cygwin
- Test case 8 was the only one that broke due to this change and I updated it
- accordingly.
+ Use text mode when cygwin to eliminate trailing carriage returns.
+
+ Bug: https://github.com/bagder/curl/pull/258
-- oops, I forgot to cvs add this before my previous commit (Dan Fandrich
- pointed it out to me)
+Patrick Monnerat (5 May 2015)
+- OS400: Add SPNEGO service name options to ILE/RPG binding.
-- - David McCreedy brought a fix and a new test case (129) to make libcurl work
- again when downloading files over FTP using ASCII and it turns out that the
- final size of the file is not the same as the initial size the server
- reported. This is very common since servers don't take the newline
- conversions into account.
+Daniel Stenberg (4 May 2015)
+- curl_multi_info_read.3: fix typo
+
+ Reported-by: Liviu Chircu
-- "260 - IMAP, POP3 and SMTP support" done!
+- MANUAL: language fix
+
+ Reported-by: Fred Stluka
+ Bug: https://github.com/bagder/curl/issues/255
-- avoid "Use of uninitialized value $l in concatenation"
+- [Alessandro Ghedini brought this change]
-Yang Tse (19 Jan 2010)
-- Fail harder when curl coredumps trying to verify http and ftp servers.
+ gtls: properly retrieve certificate status
- Add some debug messages to see what's going on with valgrind logs.
+ Also print the revocation reason if appropriate.
-- prevent %runcert hash growth when clearing items
+- OpenSSL: conditional check for SSL3_RT_HEADER
+
+ The symbol is fairly new.
+
+ Reported-by: Kamil Dudka
-- update copyright year notice
+- openssl: skip trace outputs for ssl_ver == 0
+
+ The OpenSSL trace callback is wonderfully undocumented but given a
+ journey in the source code, it seems the cases were ssl_ver is zero
+ doesn't follow the same pattern and thus turned out confusing and
+ misleading. For now, we skip doing any CURLINFO_TEXT logging on those
+ but keep sending them as CURLINFO_SSL_DATA_OUT/IN.
+
+ Also, I added direction to the text info and I edited some functions
+ slightly.
+
+ Bug: https://github.com/bagder/curl/issues/219
+ Reported-by: Jay Satiro, Ashish Shukla
-- Constantine Sapuntzakis enhancements to make memory tracking log file writing
- of messages atomic, on systems where an fwrite of a memory buffer is atomic.
+Marc Hoersken (2 May 2015)
+- schannel.c: Small changes
-Dan Fandrich (18 Jan 2010)
-- Added PEM certificate keyword
+- schannel.c: Improve code path and readability
-Yang Tse (18 Jan 2010)
-- fix warnings
+- schannel.c: Improve error and return code handling upon aa99a63f03
-- Stop ssl running server when cert file currently used by server is
- different than the one specified in test definition for same server
+- [Chris Araman brought this change]
-- fix warnings
+ schannel: fix regression in schannel_recv
+
+ https://github.com/bagder/curl/issues/244
+
+ Commit 145c263 changed the behavior when Curl_read_plain returns
+ CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED
+ correctly.
-- - Remove QD restarting of https servers. Proper fixing required.
- This will make tests 310 311 and 312 fail while fixing.
+- Bug born in changes made several days ago 9a91e80.
- - Remove some debug messages
+ Commit: https://github.com/bagder/curl/commit/926cb9f
+ Reported-by: Ray Satiro
-- make verifyhttp use different file names depending on server characteristics
+Daniel Stenberg (30 Apr 2015)
+- [Michael Osipov brought this change]
-- add serverfactors() sub which returns server characterization factors
+ configure: remove missing and make it autogenerate
+
+ The missing file has not been autogenerated because a temporary fix was
+ employed in acinclude.m4 which blocked update. Removed that fix and a recent
+ version of missing is copied to build root.
-- fix warnings
+- [Michael Osipov brought this change]
-- fix warnings
+ acinclude.m4: fix test for default CA cert bundle/path
+
+ test(1) on HP-UX requires a single equals sign and fails with two.
+ Let's use one and make every OS happy.
-- fix warnings
+- CONTRIBUTING.md: remove the sourceforge mention
+
+ Reported-By: Michael Osipov
-- add some debug messages
+Dan Fandrich (30 Apr 2015)
+- http_negotiate_sspi: added missing data variable
-- use servername_id() from serverhelp.pm
+Daniel Stenberg (30 Apr 2015)
+- [Michael Osipov brought this change]
-- refactored stopping of test harness servers
+ configure: remove --automake from libtoolize call
+
+ That option is not mentioned in the man page of libtoolize 2.4.4.19-fda4.
+ Moveover, a comment in line 2623 says "--automake is for 1.5 compatibility".
+
+ This option is redundant now.
+
+- [Viktor Szakats brought this change]
-- Store now this file in CVS with unix line endings.
+ build: update depedency versions, urls, example makefiles
- maketgz already converts this file to DOS style with an awk filter.
+ - update default versions of dependencies (except for rare/old platforms)
+ - update urls
+ - sync examples makefiles with main ones
+ - remove line ending space
-- Declaration of $sshdlog is done in sshhelp.pm
+- [Michael Osipov brought this change]
-- Start using the centralized pidfile and logfile name generation
- subroutines for ssh and socks test suite servers.
+ configure: remove autogenerated files by autoconf
+
+ * install-sh is always regenerated
+ * mkinstalldirs was already redudant years ago. Automake uses install for
+ that. See: http://lists.gnu.org/archive/html/automake/2007-03/msg00015.html
-Dan Fandrich (15 Jan 2010)
-- Added the new protocol source files to the non-autoconf build files
+- [Anders Bakken brought this change]
-Yang Tse (14 Jan 2010)
-- Squeeze slack time when killing more than one server from
- the <killserver> section of test harness definition files.
+ curl_multi_add_handle: next is already NULL
-Kamil Dudka (14 Jan 2010)
-- - Suppressed side effect of OpenSSL configure checks, which prevented NSS from
- being properly detected under certain circumstances. It had been caused by
- strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config
- distinguishes among empty and non-existent environment variable in that case.
+Jay Satiro (30 Apr 2015)
+- schannel: Fix out of bounds array
+
+ Bug born in changes made several days ago 9a91e80.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
+ Reported-by: Brian Chrisman
-Yang Tse (13 Jan 2010)
-- Give the test a bit mote time to run so it passes on slow machines
+- docs/libcurl: gitignore libcurl-symbols.3
+
+ Bug: http://curl.haxx.se/mail/lib-2015-04/0191.html
+ Reported-by: Michael Osipov
-Kamil Dudka (13 Jan 2010)
-- remove trailing spaces from configure.ac
+- [Viktor Szakats brought this change]
-Yang Tse (12 Jan 2010)
-- Added test case #1112 which does an FTPS download with strict timeout
- and slow data transfer in a similar way as test case #1086 does for FTP.
+ lib/makefile.m32: add arch -m32/-m64 to LDFLAGS
- This also exercises <killserver> section for the FTPS server.
+ This fixes using a multi-target mingw distro to build curl .dll for the
+ non-default target.
+ (mirroring the same patch present in src/makefile.m32)
-- Make runtests.pl actually support any (valid) server specification
- for the <killserver> section of test harness definition files.
+Daniel Stenberg (29 Apr 2015)
+- RELEASE-NOTES: synced with cd39b944afc
+
+ I've not mentioned the bug fixes that were shipped in 7.42.1 from the
+ 7_42 branch.
-- Fix tftp and sftp supported protocols in servername_str()
+- THANKS: merged from the 7.42.1 release
-- Make sockfilter kill messages look alike server ones
+- CURLOPT_HEADEROPT: default to separate
+
+ Make the HTTP headers separated by default for improved security and
+ reduced risk for information leakage.
+
+ Bug: http://curl.haxx.se/docs/adv_20150429.html
+ Reported-by: Yehezkel Horowitz, Oren Souroujon