Changelog
-Version 7.40.0 (7 Jan 2015)
+Version 7.48.0 (23 Mar 2016)
-Daniel Stenberg (7 Jan 2015)
-- RELEASE-NOTES: version 7.40.0
+Daniel Stenberg (23 Mar 2016)
+- RELEASE-NOTES: curl 7.48.0
-- darwinssl: fix session ID keys to only reuse identical sessions
-
- ...to avoid a session ID getting cached without certificate checking and
- then after a subsequent _enabling_ of the check libcurl could still
- re-use the session done without cert checks.
-
- Bug: http://curl.haxx.se/docs/adv_20150108A.html
- Reported-by: Marc Hesse
+- THANKS: 15 new contributors from 7.48.0 release
-- tests: make sure CRLFs can't be used in URLs passed to proxy
+Jay Satiro (23 Mar 2016)
+- CURLINFO_TLS_SSL_PTR.3: Warn about limitations
- Bug: http://curl.haxx.se/docs/adv_20150108B.html
+ Bug: https://github.com/curl/curl/issues/685
-- url-parsing: reject CRLFs within URLs
+Daniel Stenberg (22 Mar 2016)
+- Revert "sshserver: remove use of AuthorizedKeysFile2"
- Bug: http://curl.haxx.se/docs/adv_20150108B.html
- Reported-by: Andrey Labunets
-
-Steve Holme (7 Jan 2015)
-- ldap: Convert attribute output to UTF-8 when Unicode
-
-- ldap: Convert DN output to UTF-8 when Unicode
-
-Daniel Stenberg (7 Jan 2015)
-- hostip: remove 'stale' argument from Curl_fetch_addr proto
+ It seems we may have some autobuild problems after this commit went
+ in. Trying to see if a revert helps to get them back.
- Also, remove the log output of the resolved name is NOT in the cache in
- the spirit of only telling when something is actually happening.
+ This reverts commit 2716350d1f3edc8e929f6ceeee05051090f6d642.
-Steve Holme (7 Jan 2015)
-- ldap/imap: Fixed spelling mistake in comments and variable names
+- maketgz: add -j to make dist
- Reported-by: Michael Osipov
+ ... makes it a lot faster
-Daniel Stenberg (7 Jan 2015)
-- RELEASE-NOTES: updated with ./contributors.sh output
+- libcurl-thread.3: minor nroff format fix
-Dan Fandrich (5 Jan 2015)
-- curl_multibyte.h: Eliminated some trailing whitespace
+- CURLINFO_TLS_SSL_PTR.3: minor nroff format fix
-Steve Holme (4 Jan 2015)
-- RELEASE-NOTES: Synced with ea93252ef1
-
-- ldap: Fixed Unicode usage for all Win32 builds
+- CODE_STYLE: indend example code
- Otherwise, the fixes in the previous commits would only be applicable
- to IDN and SSPI based builds and not others such as OpenSSL with LDAP
- enabled.
-
-- ldap: Fixed memory leak from commit efb64fdf80
+ ... to make it look nicer in markdown outputa
-- ldap: Fix memory leak from commit 3a805c5cc1
+Jay Satiro (22 Mar 2016)
+- build-wolfssl: Update VS properties for wolfSSL v3.9.0
+
+ - Do not use wolfSSL's sample user-setting files.
+
+ wolfSSL starting in v3.9.0 has added their own sample user settings that
+ are applied by default, but we don't use them because we have our own
+ settings.
+
+ - Do not use wolfSSL's Visual Studio Unicode character setting.
+
+ wolfSSL Visual Studio projects use the Unicode character set however our
+ settings and options imitate mingw build which does not use the Unicode
+ character set. This does not appear to have any effect at the moment but
+ better safe than sorry.
+
+
+ These changes are backwards compatible with earlier versions.
-- ldap: Fixed attribute variable warnings when Unicode is enabled
+Steve Holme (22 Mar 2016)
+- hostip6: Fixed compilation warnings when verbose strings disabled
- Use 'TCHAR *' for local attribute variable rather than 'char *'.
+ warning C4189: 'data': local variable is initialized but not referenced
+
+ ...and some minor formatting/spacing changes.
-- ldap: Fixed DN variable warnings when Unicode is enabled
+Daniel Stenberg (21 Mar 2016)
+- sshserver: remove use of AuthorizedKeysFile2
+
+ Support for the (undocumented) AuthorizedKeysFile2 was removed in
+ OpenSSH 5.9, released in September 2011
- Use 'TCHAR *' for local DN variable rather than 'char *'.
+ Closes #715
-- ldap: Remove the unescape_elements() function
+Steve Holme (20 Mar 2016)
+- connect/ntlm/http: Fixed compilation warnings when verbose strings disabled
- Due to the recent modifications this function is no longer used.
+ warning C4189: 'data': local variable is initialized but not referenced
-- ldap.c: Fixed compilation warning
+- openssl: Fixed compilation warning when /Wall enabled
- ldap.c:98: warning: extra tokens at end of #endif directive
+ warning C4706: assignment within conditional expression
-- ldap: Fixed support for Unicode filter in Win32 search call
+- CODE_STYLE: Use boolean conditions
+
+ Rather than use TRUE, FALSE, NULL, 0 or != 0 in if/while conditions.
+
+ Additionally, corrected some example code to adhere to the recommended
+ coding style.
-- ldap.c: Fixed compilation warning
+- inet_pton.c: Fixed compilation warnings
- ldap.c:802: warning: comparison between signed and unsigned integer
- expressions
+ warning: conversion to 'unsigned char' from 'int' may alter its value
-- ldap: Fixed support for Unicode attributes in Win32 search call
+Daniel Stenberg (19 Mar 2016)
+- RELEASE-NOTES: synced with 80851028efc2fa9
-- ldap: Fixed memory leak from commit efb64fdf80
+- mbedtls: fix compiler warning
- The unescapped DN was not freed after a successful character conversion.
+ vtls/mbedtls.h:67:36: warning: implicit declaration of function
+ ‘mbedtls_sha256’ [-Wimplicit-function-declaration]
-- ldap.c: Fixed compilation error
+Steve Holme (19 Mar 2016)
+- easy: Minor coding standard and style updates
- ldap.c:738: error: macro "LDAP_TRACE" passed 2 arguments, but takes
- just 1
+ Following commit c5744340db. Additionally removes the need for a second
+ 'result code' variable as well.
-- ldap.c: Fixed compilation warning
+Jay Satiro (19 Mar 2016)
+- easy: Remove poll failure check in easy_transfer
+
+ .. because curl_multi_wait can no longer signal poll failure.
+
+ follow-up to 77e1726
- ldap.c:89: warning: extra tokens at end of #endif directive
+ Bug: https://github.com/curl/curl/issues/707
-- ldap: Fixed support for Unicode DN in Win32 search call
+Steve Holme (19 Mar 2016)
+- build: Added missing Visual Studio filter files for VC10 onwards
+
+ As these files don't need to contain references to the source files,
+ although typically do, added basic files which only include three
+ filters and don't require the project file generator to be modified.
+
+ These files allow the source code to be viewed in the Solution Explorer
+ in versions of Visual Studio from 2010 onwards in the same manner as
+ previous versions did rather than one large view of files.
-- ldap: Fixed Unicode user and password in Win32 bind calls
+- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
+
+ warning C4706: assignment within conditional expression
-- ldap: Fixed Unicode host name in Win32 initialisation calls
+- config-w32.h: Fixed compilation warning when /Wall enabled
+
+ warning C4668: 'USE_IPV6' is not defined as a preprocessor macro,
+ replacing with '0' for '#if/#elif'
-- ldap: Use host.dispname for infof() connection failure messages
+- imap.c: Fixed compilation warning with /Wall enabled
- As host.name may be encoded use dispname for infof() failure messages.
+ warning C4701: potentially uninitialized local variable 'size' used
+
+ Technically this can't happen, as the usage of 'size' is protected by
+ 'if(parsed)' and 'parsed' is only set after 'size' has been parsed.
+
+ Anyway, lets keep the compiler happy.
-- ldap: Prefer 'CURLcode result' for curl result codes
+- KNOWN_BUGS: #93 Issue with CURLFORM_CONTENTLEN in arrays on 32-bit platforms
-- ldap: Pass write length in all Curl_client_write() calls
-
- As we get the length for the DN and attribute variables, and we know
- the length for the line terminator, pass the length values rather than
- zero as this will save Curl_client_write() from having to perform an
- additional strlen() call.
+Daniel Stenberg (18 Mar 2016)
+- bump: the coming release is 7.48.0
-- ldap: Fixed attribute memory leaks on failed client write
+- configure: use cpp -P when needed
- Fixed memory leaks from commit 086ad79970 as was noted in the commit
- comments.
-
-- ldap: Fixed DN memory leaks on failed client write
+ Since gcc 5, the processor output can get split up on multiple lines
+ that made the configure script fail to figure out values from
+ definitions. The fix is to use cpp -P, and this fix now first checks if
+ cpp -P is necessary and then if cpp -P works before it uses that to
+ extract defined values.
- Fixed memory leaks from commit 086ad79970 as was noted in the commit
- comments.
+ Fixes #719
-- curl_ntlm_core.c: Fixed compilation warning from commit 1cb17b2a5d
+Steve Holme (18 Mar 2016)
+- formdata.c: Fixed compilation warning
- curl_ntlm_core.c:146: warning: passing 'DES_cblock' (aka 'unsigned char
- [8]') to parameter of type 'char *' converts
- between pointers to integer types with different
- sign
-
-- ntlm: Use extend_key_56_to_64() for all cryptography engines
+ formdata.c:390: warning: cast from pointer to integer of different size
+
+ Introduced in commit ca5f9341ef this happens because a char*, which is
+ 32-bits wide in 32-bit land, is being cast to a curl_off_t which is
+ 64-bits wide where 64-bit integers are supported by the compiler.
- Rather than duplicate the code in setup_des_key() for OpenSSL and in
- extend_key_56_to_64() for non-OpenSSL based crypto engines, as it is
- the same, use extend_key_56_to_64() for all engines.
+ This doesn't happen in 64-bit land as a pointer is the same size as a
+ curl_off_t.
+
+ This fix doesn't address the fact that a 64-bit value cannot be used
+ for CURLFORM_CONTENTLEN when set in a form array and compiled on a
+ 32-bit platforms, it does at least suppress the compilation warning.
-- RELEASE-NOTES: Synced with 34f0bd110f
+Daniel Stenberg (18 Mar 2016)
+- FAQ: 2.5 Install libcurl for both 32bit and 64bit?
-- curl_ntlm_core.c: Fixed compilation warning
-
- curl_ntlm_core.c:458: warning: 'ascii_uppercase_to_unicode_le' defined
- but not used
+- [Gisle Vanem brought this change]
-- endian: Fixed bit-shift in 64-bit integer read functions
+ openssl: adapt to API breakage in ERR_remove_thread_state()
- From commit 43792592ca and 4bb5a351b2.
+ The OpenSSL API change that broke this is "Convert ERR_STATE to new
+ multi-threading API": openssl commit 8509dcc.
- Reported-by: Michael Osipov
+ Closes #713
-- smb: Use endian functions for reading NBT and message size values
+- version: init moved to private name space, added protos
+
+ follow-up to 80015cdd52145
-- endian: Added big endian read functions
+- openssl: verbose: show matching SAN pattern
+
+ ... to allow users to see which specfic wildcard that matched when such
+ is used.
+
+ Also minor logic cleanup to simplify the code, and I removed all tabs
+ from verbose strings.
-- endian: Added 64-bit integer read function
+Jay Satiro (16 Mar 2016)
+- version: thread safety
-- COPYING: Bumped copyright year to 2015
+Steve Holme (16 Mar 2016)
+- transfer: Removed redundant HTTP authentication include files
+
+ It would also seem that share.h is not required here either as there
+ are no references to the Curl_share structure or functions.
-- version: Bump copyright year to 2015
+- easy: Removed redundant HTTP authentication include files
-- smb.c: Fixed compilation warnings
+Jay Satiro (15 Mar 2016)
+- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
- smb.c:780: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
- smb.c:781: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
- smb.c:804: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
+ Bug: https://curl.haxx.se/mail/lib-2016-03/0150.html
+ Reported-by: Oliver Graute
-- smb: Use endian functions for reading length and offset values
+Steve Holme (15 Mar 2016)
+- curl_sasl: Minor code indent fixes
-- endian: Added 16-bit integer write function
+Daniel Stenberg (14 Mar 2016)
+- runtests: mention when run event-based
-- endian: Fixed Linux compilation issues
+- easy: add check to malloc() when running event-based
- Having files named endian.[c|h] seemed to cause issues under Linux so
- renamed them both to have the curl_ prefix in the filenames.
+ ... to allow torture tests then too.
+
+- memdebug: skip logging the limit countdown, fflush when reached
-- [Julien Nabet brought this change]
+- CODE_STYLE: Space around operators
+
+ As just discussed on the mailing list, also document how we prefer
+ spacing in expressions.
- lib1900.c: Fixed cppcheck error
+- curl: glob_range: no need to check unsigned variable for negative
- lib1900.c:182: (style) Array index 'handlenum' is used before limits
- check
+ cppcheck warned:
- Bug: https://github.com/bagder/curl/pull/133
+ [src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n'
+ is less than zero.
-- endian: Added standard function descriptions
+- CODE_STYLE: add example for indent style as well
-- endian: Renamed functions for curl API naming convention
+- CODE_STYLE: mention braces for functions too
-- endian: Moved write functions to new module
+- docs/Makefile.am: include CODE_STYLE in tarball too
-- endian: Moved read functions to new module
+- CONTRIBUTE: moved out code style to a separate document
-- endian: Introduced endian module
+- CODE_STYLE: initial version
- To allow the little endian functions, currently used in two of the NTLM
- source files, to be used by other modules such as the SMB module.
-
-- sepheaders.c: Applied curl oding standards
+ Ripped out from CONTRIBUTE into its own document, but also extended from
+ there.
-- [Julien Nabet brought this change]
+- curl_sasl.c: minor code indent fixes
- sepheaders.c: Fixed resource leak on failure
-
-- vtls: Use '(void) arg' for unused parameters
+- multi: simplified singlesocket
- Prefer void for unused parameters, rather than assigning an argument to
- itself as a) unintelligent compilers won't optimize it out, b) it can't
- be used for const parameters, c) it will cause compilation warnings for
- clang with -Wself-assign and d) is inconsistent with other areas of the
- curl source code.
+ Since sh_getentry() now checks for invalid sockets itself and by
+ narrowing the scope of the remove_sock_from_hash variable.
-- smb.c: Fixed compilation warning
+- multi: introduce sh_getentry() for looking up sockets in the sockhash
- smb.c:586: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
+ Simplify the code by using a single entry that looks for a socket in the
+ socket hash. As indicated in #712, the code looked for CURL_SOCKET_BAD
+ at some point and that is ineffective/wrong and this makes it easier to
+ avoid that.
-- [Bill Nagel brought this change]
+- [Jaime Fullaondo brought this change]
- smb: Use the connection's upload buffer
+ multi hash: ensure modulo performed on curl_socket_t
- Use the connection's upload buffer instead of allocating our own send
- buffer.
+ Closes #712
-- RELEASE-NOTES: Synced with 1933f9d33c
+Steve Holme (13 Mar 2016)
+- base64: Minor coding standard and style updates
-- schannel: Moved the ISC return flag definitions to the SSPI module
-
- Moved our Initialize Security Context return attribute definitions to
- the SSPI module, as a) these can be used by other SSPI based providers
- and b) the ISC required attributes are defined there.
+- base64: Use 'CURLcode result' for curl result codes
-- [Bill Nagel brought this change]
+- negotiate: Use 'CURLcode result' for curl result codes
- smb: Close the connection after a failed client write
+Daniel Stenberg (13 Mar 2016)
+- [Maksim Kuzevanov brought this change]
-- darwinssl: Fixed compilation warning
+ multi_runsingle: avoid loop in CURLM_STATE_WAITPROXYCONNECT
- vtls.c:683:43: warning: unused parameter 'data'
+ Closes #703
-- sockfilt.c: Fixed compilation warnings
-
- sockfilt.c:288: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:291: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:323: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:326: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
+- TODO: Use the RFC6265 test suite
-- test1509: Fixed compilation warning
-
- lib1509.c:93:18: warning: conversion to 'long int' from 'size_t' may
- alter its value
+Steve Holme (13 Mar 2016)
+- checksrc.bat: Added the ability to scan src and lib source independently
-- test556: Fixed compilation warning
+- digest: Use boolean based success code for Curl_sasl_digest_get_pair()
- lib556.c:90: warning: conversion to 'unsigned int' from 'size_t' may
- alter its value
+ Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
+ based success code.
-- sasl_gssapi: Fixed use of dummy username with real username
+- digest: Corrected some typos in comments
-- vtls: Fixed compilation warning and an ignored return code
-
- curl_schannel.h:123: warning: right-hand operand of comma expression
- has no effect
-
- Some instances of the curlssl_close_all() function were declared with a
- void return type whilst others as int. The schannel version returned
- CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the
- return code was ignored by the calling function Curl_ssl_close_all().
-
- For the time being and to keep the internal API consistent, changed all
- declarations to use a void return type.
-
- To reduce code we might want to consider removing the unimplemented
- versions and use a void #define like schannel does.
+- krb5: Corrected some typos in function descriptions
+
+- ntlm: Corrected some typos in function descriptions
-Daniel Stenberg (28 Dec 2014)
-- TODO: 2.3 Better support for same name resolves
+- url: Corrected indentation when calling idna_to_ascii_lz()
-Steve Holme (28 Dec 2014)
-- test1520: Fixed initial teething problems
+- idn_win32: Use boolean based success codes
- * Missing initialisation of upload status caused a seg fault
- * Missing data termination caused corrupt data to be uploaded
- * Data verification should be performed in <upload> element
- * Added missing recipient list cleanup
+ Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
+ based success code.
-- test1520: Fixed compilation errors
+Daniel Stenberg (10 Mar 2016)
+- idn_win32.c: warning: Trailing whitespace
-- tests: Added test for bug #1456
+Steve Holme (10 Mar 2016)
+- idn_win32.c: Fixed compilation warning from commit 9e7fcd4291
+
+ warning C4267: 'function': conversion from 'size_t' to 'int',
+ possible loss of data
-- checksrc.bat: Fixed a problem opening files with spaces in the filename
+Daniel Stenberg (10 Mar 2016)
+- THANKS-filter: unify Michael König
-- openldap: Prefer use of 'CURLcode result'
+- RELEASE-NOTES: synced with 863c5766dd
-- openldap: Use 'LDAPMessage *msg' for messages
+- ftp: remove a check for NULL(!)
- This frees up the 'result' variable for CURLcode based result codes.
-
-- nss: Don't ignore Curl_extract_certinfo() OOM failure
+ ... as it implies we need to check for that on all the other variable
+ references as well (as Coverity otherwise warns us for missing NULL
+ checks), and we're alredy making sure that the pointer is never NULL.
-- nss: Don't ignore Curl_ssl_init_certinfo() OOM failure
-
-- nss: Use 'CURLcode result' for curl result codes
+- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
+
+ RFC 6265 section 4.1.1 spells out that the first name/value pair in the
+ header is the actual cookie name and content, while the following are
+ the parameters.
- ...and don't use CURLE_OK in failure/success comparisons.
+ libcurl previously had a more liberal approach which causes significant
+ problems when introducing new cookie parameters, like the suggested new
+ cookie priority draft.
+
+ The previous logic read all n/v pairs from left-to-right and the first
+ name used that wassn't a known parameter name would be used as the
+ cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
+ a cookie named 'person' while an RFC 6265 compliant parser should
+ consider that to be a cookie named 'Max-Age' with an (unknown) parameter
+ 'person'.
+
+ Fixes #709
-- getinfo: Code style policing
+- krb5: improved type handling to avoid clang compiler warnings
-- getinfo: Use 'CURLcode result' for curl result codes
+- url.c: fix clang warning: no newline at end of file
+
+- curl_multi_wait: never return -1 in 'numfds'
+
+ Such a return value isn't documented but could still happen, and the
+ curl tool code checks for it. It would happen when the underlying
+ Curl_poll() function returns an error. Starting now we mask that error
+ as a user of curl_multi_wait() would have no way to handle it anyway.
+
+ Reported-by: Jay Satiro
+ Closes #707
-- darwinssl: Use 'CURLcode result' for curl result codes
+- HTTP2.md: add CURL_HTTP_VERSION_2TLS and updated alt-svc link
-- polarssl: Use 'CURLcode result' for curl result codes
+- curl_multi_wait.3: add example
-- docs: Updated following the addition of SASL GSSAPI via GSS-API libraries
+Steve Holme (8 Mar 2016)
+- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
- As this feature has been implemented for 7.40.0.
-
-- asiohiper.cpp: No need to initialise members of ConnInfo
+ Regression since commit 710f14edba.
- ...as calloc() automatically clears the area of memory with zeros.
+ Bug: https://github.com/curl/curl/issues/422
+ Reported-by: Justin Ehlert
-- asiohiper.cpp: Updated for curl coding standards
+Jay Satiro (8 Mar 2016)
+- opt-docs: fix heading macros
- ...with the exception of the start of block statement curly brackets.
-
-- code/docs: Use correct case for IPv4 and IPv6
+ ..SH should be .SH
- For consistency, as we seem to have a bit of a mixed bag, changed all
- instances of ipv4 and ipv6 in comments and documentations to use the
- correct case.
+ Bug: https://github.com/curl/curl/issues/705
+ Reported-by: Eric S. Raymond
-- runtests: Fixed detection of Unix Sockets feature
-
- ...following change in curl --version output.
+Kamil Dudka (8 Mar 2016)
+- [Tim Rühsen brought this change]
-- code/docs: Use Unix rather than UNIX to avoid use of the trademark
+ cookie: do not refuse cookies for localhost
- Use Unix when generically writing about Unix based systems as UNIX is
- the trademark and should only be used in a particular product's name.
+ Closes #658
-- ip2ip.c: Fixed compilation warning when IPv6 Scope ID not supported
+Daniel Stenberg (8 Mar 2016)
+- ftp_done: clear tunnel_state when secondary socket closes
- if2ip.c:119: warning: unused parameter 'remote_scope_id'
+ Introducing a function for closing the secondary connection to make this
+ bug less likely to happen again.
- ...and some minor code style policing in the same function.
+ Reported-by: daboul
+ Closes #701
-- vtls: Don't set cert info count until memory allocation is successful
-
- Otherwise Curl_ssl_init_certinfo() can fail and set the num_of_certs
- member variable to the requested count, which could then be used
- incorrectly as libcurl closes down.
+- [Gisle Vanem brought this change]
+
+ openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
+
+- HTTP2.md: HTTP/2 by default for curl's HTTPS connections
-- vtls: Use CURLcode for Curl_ssl_init_certinfo() return type
+- [Anders Bakken brought this change]
+
+ pipeline: Sanity check pipeline pointer before accessing it.
- The return type for this function was 0 on success and 1 on error. This
- was then examined by the calling functions and, in most cases, used to
- return CURLE_OUT_OF_MEMORY.
+ I got a crash with this stack:
- Instead use CURLcode for the return type and return the out of memory
- error directly, propagating it up the call stack.
-
-- configure: Use camel case for UNIX sockets feature output
+ curl/lib/url.c:2873 (Curl_removeHandleFromPipeline)
+ curl/lib/url.c:2919 (Curl_getoff_all_pipelines)
+ curl/lib/multi.c:561 (curl_multi_remove_handle)
+ curl/lib/url.c:415 (Curl_close)
+ curl/lib/easy.c:859 (curl_easy_cleanup)
- To match the curl --version output.
+ Closes #704
-Marc Hoersken (26 Dec 2014)
-- sockfilt.c: Reduce the number of individual memory allocations
+- HTTP2.md: mention the disable ALPN and NPN options
+
+- TODO: 17.12 keep running, read instructions from pipe/socket
- Merge multiple internal arrays into one, even if some variables
- will not not be used. They are all created with the number of
- file descriptors as their size.
+ And delete trailing whitespace
+ And rename section 17 to "command line tool" from "client"
- Also fix possible thread handle leak in CloseHandle-loop.
+ Closes #702
-- sockfilt.c: Replace 100ms sleep with thread throttle
-
- Improves performance of test cases 574 and 575 by 50%.
+- README.md: linkified
- A value of zero causes the thread to relinquish the remainder
- of its time slice to any other thread of equal priority that is
- ready to run. If there are no other threads of equal priority
- ready to run, the function returns immediately, and the thread
- continues execution.
+ It also makes it less readable as plain text, so let's keep this
+ primarily for github use.
- http://msdn.microsoft.com/library/windows/desktop/ms686307.aspx
+ Removed the top ascii art logo, as it looks weird when markdownified.
-Steve Holme (25 Dec 2014)
-- tool_help: Use camel case for UNIX sockets feature output
+- README.md: markdown version of README
- In line with the other features listed in the --version output,
- capitalise the UNIX socket feature.
+ Attempt to make it look more appealing on github
-- vtls: Use bool for Curl_ssl_getsessionid() return type
-
- The return type of this function is a boolean value, and even uses a
- bool internally, so use bool in the function declaration as well as
- the variables that store the return value, to avoid any confusion.
+Jay Satiro (6 Mar 2016)
+- mprintf: update trio project link
-- schannel: Minor code style policing for casts
+Daniel Stenberg (6 Mar 2016)
+- CURLOPT_ACCEPTTIMEOUT_MS.3: added example
-- schannel: Prefer 'CURLcode result' for curl result codes
+- CURLOPT_ACCEPT_ENCODING.3: added example
-- cyassl: Prefer 'CURLcode result' for curl result codes
+- CURLOPT_APPEND.3: added example
-- tool_xattr: Use 'CURLcode result' for curl result codes
+- CURLOPT_NOPROGRESS.3: added example, conform to stardard style
-- curl_ntlm_core.c: Fixed compilation warnings
+Steve Holme (6 Mar 2016)
+- build-openssl/checksrc.bat: Fixed prepend vs append of Perl path
- curl_ntlm_core.c:301: warning: pointer targets in passing argument 2 of
- 'CryptImportKey' differ in signedness
- curl_ntlm_core.c:310: warning: passing argument 6 of 'CryptEncrypt' from
- incompatible pointer type
- curl_ntlm_core.c:540: warning: passing argument 4 of 'CryptGetHashParam'
- from incompatible pointer type
+ Fixed inconsistency from commit 1eae114065 and 0ad6c72227 of the order
+ in which Perl was added to the PATH.
-- RELEASE-NOTES: Synced with 8830df8b66
+Daniel Stenberg (6 Mar 2016)
+- opts: added two examples
-- gtls: Use preferred 'CURLcode result'
+- CURLOPT_SSL_CTX_FUNCTION.3: use .NF for example
-- openldap: Use standard naming for setup connection function
+- CURLOPT_SSL_CTX_FUNCTION.3: added example
- Renamed ldap_setup() to ldap_setup_connection() to follow more widely
- used function naming.
+ and removed erroneous reference to test case lib509
-- rtmp: Use standard naming for setup connection function
-
- Renamed rtmp_setup() to rtmp_setup_connection() to follow more widely
- used function naming.
+- curlx.c: use more curl style code
-- smb: Use standard naming for setup connection function
+- test46: change cookie expiry date
- Renamed smb_setup() to smb_setup_connection() to follow more widely
- used function naming.
+ Since two of the cookies would now otherwise expire and cause the test
+ to fail after commit 20de9b4f09
+
+ Discussed in #697
-- config-win32.h: Fixed line length > 79 columns
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
-- openssl: Prefer we don't use NULL in comparisons
+ makefile.m32: add missing libs for static -winssl-ssh2 builds
+
+ Bug: https://github.com/curl/curl/pull/693
-- build: Removed WIN32 definition from the Visual Studio projects
+- mbedtls: fix user-specified SSL protocol version
- As this pre-processor definition is defined in curl_setup.h there is no
- need to include it in the Visual Studio project files.
+ Prior to this change when a single protocol CURL_SSLVERSION_ was
+ specified by the user that version was set only as the minimum version
+ but not as the maximum version as well.
+
+Steve Holme (5 Mar 2016)
+- .gitignore: Added *.VC.opendb and *.vcxproj.user files for VC14
+
+- build-openssl.bat: Fixed cannot find perl if installed but not in path
+
+- checksrc.bat: Fixed cannot find perl if installed but not in path
+
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
-- build: Removed WIN64 definition from the libcurl Visual Studio projects
+ makefile.m32: fix to allow -ssh2-winssl combination
- Removed the WIN64 pre-processor definition from the libcurl project
- files as:
+ In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl
+ (OpenSSL) option, with no way to override it with -winssl. Since both
+ libssh2 and curl support using Windows's built-in SSL backend, modify
+ the logic to allow that combination.
+
+- cookie: Don't expire session cookies in remove_expired
- * WIN64 is not used in our source code
- * The curl projects files don't define it
- * It isn't required by or used in the platform SDK
- * For backwards compatability curl_setup.h defines WIN32
- * The compiler automatically defines _WIN64 for x64 builds
+ Prior to this change cookies with an expiry date that failed parsing
+ and were converted to session cookies could be purged in remove_expired.
- Historically Visual Studio projects have defined WIN32, in addition to
- the compiler defined _WIN32 definition, and I had incorrectly changed
- that to WIN64 for the x64 libcurl builds but not in the curl projects.
+ Bug: https://github.com/curl/curl/issues/697
+ Reported-by: Seth Mos
+
+Daniel Stenberg (3 Mar 2016)
+- cookie: remove redundant check
- As such, it is questionable whether this should be defined or not. For
- more information see the following cache of a discussion that took
- place on the microsoft.public.vc.mfc newsgroup:
+ ... as it was already checked previously within the function.
- http://www.tech-archive.net/Archive/VC/microsoft.public.vc.mfc/2008-06/msg00074.html
+ Reported-by: Dmitry-Me
+ Closes #695
-- openssl.c Fix for compilation errors with older versions of OpenSSL
+Jay Satiro (1 Mar 2016)
+- [Anders Bakken brought this change]
+
+ url: if Curl_done is premature then pipeline not in use
+
+ Prevent a crash if 2 (or more) requests are made to the same host and
+ pipelining is enabled and the connection does not complete.
- openssl.c:1408: error: 'TLS1_1_VERSION' undeclared
- openssl.c:1411: error: 'TLS1_2_VERSION' undeclared
+ Bug: https://github.com/curl/curl/pull/690
-Daniel Stenberg (22 Dec 2014)
-- [John Malmberg brought this change]
+- [Viktor Szakats brought this change]
- Fix comment edit in vms/backup_gnv_curl_src.com
+ makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
+
+ using envvars `CURL_LDFLAG_EXTRAS_DLL` and
+ `CURL_LDFLAG_EXTRAS_EXE` respectively. This
+ is useful f.e. to pass ASLR-related extra
+ options, that are required to make this
+ feature work when using the mingw toolchain.
- packages/vms/backup_gnv_curl_src.com: Originally copied from Bash port.
+ Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985
+
+ Closes https://github.com/curl/curl/pull/689
-- curl: show size of inhibited data when using -v
+Daniel Stenberg (29 Feb 2016)
+- formpost: fix memory leaks in AddFormData error branches
- To offer some more info and yet it doesn't use more lines.
+ Reported-by: Dmitry-Me
+ Fixes #688
-- openssl: fix SSL/TLS versions in verbose output
+Jay Satiro (28 Feb 2016)
+- getinfo: Fix syntax error when mbedTLS
+
+ The assignment of the mbedTLS TLS session info in the parent commit was
+ incorrect. Change the assignment to a pointer to the session structure.
-- openssl: make it compile against openssl 1.1.0-DEV master branch
+- getinfo: Add support for mbedTLS TLS session info
+
+ .. and preprocessor check TLS session info is defined for all backends.
-Marc Hoersken (22 Dec 2014)
-- sshserver.pl: clarify and streamline variable names
+Daniel Stenberg (26 Feb 2016)
+- ROADMAP: clarify on the TLS proxy, mention HTTP cookies to work on
-Daniel Stenberg (21 Dec 2014)
-- openssl: warn for SRP set if SSLv3 is used, not for TLS version
+- file: try reading from files with no size
- ... as it requires TLS and it was was left to warn on the default from
- when default was SSL...
-
-- smb: use memcpy() instead of strncpy()
+ Some systems have special files that report as 0 bytes big, but still
+ contain data that can be read (for example /proc/cpuinfo on
+ Linux). Starting now, a zero byte size is considered "unknown" size and
+ will be read as far as possible anyway.
- ... as it never copies the trailing zero anyway and always just the four
- bytes so let's not mislead anyone into thinking it is actually treated
- as a string.
+ Reported-by: Jesse Tan
- Coverity CID: 1260214
+ Closes #681
-- [John E. Malmberg brought this change]
-
- VMS: Updates for 0740-0D1220
+Jay Satiro (25 Feb 2016)
+- configure: warn on invalid ca bundle or path
- lib/setup-vms.h : VAX HP OpenSSL port is ancient, needs help.
- More defines to set symbols to uppercase.
+ - Warn if --with-ca-bundle file does not exist.
- src/tool_main.c : Fix parameter to vms_special_exit() call.
+ - Warn if --with-ca-path directory does not contain certificates.
- packages/vms/ :
- backup_gnv_curl_src.com : Fix the error message to have the correct package.
+ - Improve help messages for both.
- build_curl-config_script.com : Rewrite to be more accurate.
+ Example configure output:
- build_libcurl_pc.com : Use tool_version.h now.
+ ca cert bundle: /some/file (warning: certs not found)
+ ca cert path: /some/dir (warning: certs not found)
- build_vms.com : Fix to handle lib/vtls directory.
+ Bug: https://github.com/curl/curl/issues/404
+ Reported-by: Jeffrey Walton
+
+Daniel Stenberg (24 Feb 2016)
+- Curl_read: check for activated HTTP/1 pipelining, not only requested
- curl_gnv_build_steps.txt : Updated build procedure documentation.
+ ... as when pipelining is used, we read things into a unified buffer and
+ we don't do that with HTTP/2. This could then easily make programs that
+ set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX to get data
+ intermixed or plain broken between HTTP/2 streams.
- generate_config_vms_h_curl.com :
- * VAX does not support 64 bit ints, so no NTLM support for now.
- * VAX HP SSL port is ancient, needs some help.
- * Disable NGHTTP2 for now, not ported to VMS.
- * Disable UNIX_SOCKETS, not available on VMS yet.
- * HP GSSAPI port does not have gss_nt_service_name.
+ Reported-by: Anders Bakken
+
+Patrick Monnerat (24 Feb 2016)
+- os400: Fix ILE/RPG definition of CURLOPT_TFTP_NO_OPTIONS
+
+Jay Satiro (23 Feb 2016)
+- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
- gnv_link_curl.com : Update for new curl structure.
+ The two options are almost the same, except in the case of OpenSSL:
- pcsi_product_gnv_curl.com : Set up to optionally do a complete build.
-
-Marc Hoersken (21 Dec 2014)
-- sockfilt.c: use non-Ex functions that are available before WinXP
+ CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.
- It was initially reported by Guenter that GetFileSizeEx
- requires (_WIN32_WINNT >= 0x0500) to be true.
-
-- tests: use Cygwin-style paths in SSH, SSHD and SFTP config files
+ CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.
- Second patch to enable Windows support using Cygwin-based OpenSSH.
+ For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to
+ return an SSL pointer for OpenSSL.
- Tested with CopSSH 5.0.0 free edition using an msys shell on Windows 7.
-
-- tests: support spaces in paths to SSH, SSHD and SFTP binaries
+ Also, add support for the 'internals' member to point to SSL object for
+ the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and
+ wolfSSL.
- First patch to enable Windows support using Cygwin-based OpenSSH.
-
-Steve Holme (20 Dec 2014)
-- non-ascii: Reduce variable usage
+ Bug: https://github.com/curl/curl/issues/234
+ Reported-by: dkjjr89@users.noreply.github.com
- Removed 'next' variable in Curl_convert_form(). Rather than setting it
- from 'form->next' and using that to set 'form' after the conversion
- just use 'form = form->next' instead.
+ Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html
+ Reported-by: Michael König
-- non-ascii: Prefer while loop rather than a do loop
+Daniel Stenberg (23 Feb 2016)
+- multi_remove_handle: keep the timeout list until after disconnect
- This also removes the need to check that the 'form' argument is valid.
-
-- non-ascii: Reduce variable scope
+ The internal Curl_done() function uses Curl_expire() at times and that
+ uses the timeout list. Better clean up the list once we're done using
+ it. This caused a segfault.
- As 'result' isn't used out side the conversion callback code and
- previously caused variable shadowing in the libiconv based code.
+ Reported-by: 蔡文凱
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html
-- non-ascii: We prefer 'CURLcode result'
+Kamil Dudka (23 Feb 2016)
+- tests/sshserver.pl: use RSA instead of DSA for host auth
- This also fixes a variable shadowing issue when HAVE_ICONV is defined
- as rc was declared for the result code of libiconv based functions.
-
-Marc Hoersken (19 Dec 2014)
-- secureserver.pl: clean up formatting of config and fix verbose output
+ DSA is no longer supported by OpenSSH 7.0, which causes all SCP/SFTP
+ test cases to be skipped. Using RSA for host authentication works with
+ both old and new versions of OpenSSH.
- Verbose output was not matching the actual configuration file,
- because FIPS and Windows conditions were ignored.
-
-- secureserver.pl: update Windows detection and fix path conversion
-
-- secureserver.pl: make OpenSSL CApath and cert absolute path values
+ Reported-by: Karlson2k
- Recent stunnel versions (5.08) seem to have trouble with relative
- paths on Windows. This turns the relative paths into absolute ones.
-
-Patrick Monnerat (18 Dec 2014)
-- if2ip: dummy scope parameter for Curl_if2ip() call in SIOCGIFADDR-enabled code.
-
-- [Kyle J. McKay brought this change]
+ Closes #676
- parseurlandfillconn(): fix improper non-numeric scope_id stripping.
- Fixes SF bug 1149: http://sourceforge.net/p/curl/bugs/1449/
-
-- IPV6: address scope != scope id
- There was a confusion between these: this commit tries to disambiguate them.
- - Scope can be computed from the address itself.
- - Scope id is scope dependent: it is currently defined as 1-based local
- interface index for link-local scoped addresses, and as a site index(?) for
- (obsolete) site-local addresses. Linux only supports it for link-local
- addresses.
- The URL parser properly parses a scope id as an interface index, but stores it
- in a field named "scope": confusion. The field has been renamed into "scope_id".
- Curl_if2ip() used the scope id as it was a scope. This caused failures
- to bind to an interface.
- Scope is now computed from the addresses and Curl_if2ip() matches them.
- If redundantly specified in the URL, scope id is check for mismatch with
- the interface index.
+Jay Satiro (23 Feb 2016)
+- TFTP: add option to suppress TFTP option requests (Part 2)
- This commit should fix SF bug #1451.
-
-- connect: singleipconnect(): properly try other address families after failure
-
-Daniel Stenberg (16 Dec 2014)
-- SFTP: work-around servers that return zero size on STAT
+ - Add tests.
- Bug: http://curl.haxx.se/mail/lib-2014-12/0103.html
- Pathed-by: Marc Renault
-
-- glob_next_url: make the loop count upwards
+ - Add an example to CURLOPT_TFTP_NO_OPTIONS.3.
- As the former contruct apparently caused a compiler warning, mentioned
- in d8efde07e556c.
+ - Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.
+
+ Bug: https://github.com/curl/curl/issues/481
-- tool_operate: we prefer 'CURLcode result'
+- [Michael Koenig brought this change]
-- tool_urlglob: unify return codes to use CURLcode
+ TFTP: add option to suppress TFTP option requests (Part 1)
+
+ Some TFTP server implementations ignore the "TFTP Option extension"
+ (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
+ problems with libcurl. Another switch for curl_easy_setopt
+ "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
+ sending TFTP option requests to a server, avoiding many problems caused
+ by faulty implementations.
- There was a mix of GlobCode, CURLcode and ints and they were mostly
- passing around CURLcode errors. This change makes the functions use only
- CURLcode and removes the GlobCode type completely.
+ Bug: https://github.com/curl/curl/issues/481
-- tool_urlglob.c: partly reverse dc19789444
+Daniel Stenberg (22 Feb 2016)
+- [Karlson2k brought this change]
+
+ runtests: Fixed usage of %PWD on MinGW64
- The loop in glob_next_url() needs to be done backwards to maintain the
- logic. dc19789444 caused test 1235 to fail.
+ Closes #672
-- KNOWN_BUGS: the SFTP code doesn't support CURLINFO_FILETIME
+Jay Satiro (20 Feb 2016)
+- CURLOPT_DEBUGFUNCTION.3: Fix example
-- [Jay Satiro brought this change]
+- [Viktor Szakats brought this change]
- opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
+ src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
- Change CURLOPT_TIMEOUT doc to warn that if CURLOPT_TIMEOUT and
- CURLOPT_TIMEOUT_MS are both set whichever one is set last is the one
- that will be used.
+ Sync with lib/Makefile.m32 which already uses those variables.
- Prior to this change that behavior was only noted in the
- CURLOPT_TIMEOUT_MS doc.
+ Bug: https://github.com/curl/curl/pull/670
-Nick Zitzmann (15 Dec 2014)
-- darwinssl: fix incorrect usage of aprintf()
-
- Commit b13923f changed an snprintf() to use aprintf(), but the API usage
- wasn't correct, and was causing a crash to occur. This fixes it.
+Dan Fandrich (20 Feb 2016)
+- Enabled test 1437 after the bug fix in commit 3fa220a6
-Steve Holme (14 Dec 2014)
-- copyright: Updated the copyright year following recent updates
+Jay Satiro (19 Feb 2016)
+- [Emil Lerner brought this change]
-Daniel Stenberg (14 Dec 2014)
-- tool_urlglob.c: reverse two loops
+ curl_sasl: Fix memory leak in digest parser
- By counting from 0 and up instead of backwards like before, we remove
- the need for the "funny" check of the unsigned variable when decreased
- passed zero. Easier to read and less risk for compiler warnings.
-
-Marc Hoersken (14 Dec 2014)
-- tool_urlglob.c: Added braces to clarify the conditions
-
-- tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
+ If any parameter in a HTTP DIGEST challenge message is present multiple
+ times, memory allocated for all but the last entry should be freed.
- The >= 0 is actually not required, since i underflows and
- the for-loop is stopped using the < condition, but this
- makes the VS2012 compiler and code analysis happy.
+ Bug: https://github.com/curl/curl/pull/667
-- tool_binmode.c: Explicitly ignore the return code of setmode
+Dan Fandrich (19 Feb 2016)
+- Added test 1437 to verify a memory leak
- Fixes code analysis warning C6031:
- return value ignored: <function> could return unexpected value
+ Reported-by: neex@users.noreply.github.com
-- lib: Fixed multiple code analysis warnings if SAL are available
+Jay Satiro (18 Feb 2016)
+- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
- warning C28252: Inconsistent annotation for function:
- parameter has another annotation on this instance
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
-Steve Holme (14 Dec 2014)
-- smb.c: Fixed code analysis warning
+- curl.1: HTTP headers for --cookie must be Set-Cookie style
- smb.c:320: warning C6297: Arithmetic overflow: 32-bit value is shifted,
- then cast to 64-bit value. Result may not be an expected
- value
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
-Marc Hoersken (14 Dec 2014)
-- tool_util.c: Use GetTickCount64 if it is available
+Daniel Stenberg (18 Feb 2016)
+- curl.1: add a missing dash
-Steve Holme (14 Dec 2014)
-- smb: Use HAVE_PROCESS_H for process.h inclusion
-
- Rather than testing against _WIN32 use the preferred HAVE_PROCESS_H
- pre-processor define when including process.h.
+- CONTRIBUTING.md: fix links
-Daniel Stenberg (14 Dec 2014)
-- darwinssl: aprintf() to allocate the session key
+- ISSUE_TEMPLATE: github issue template
- ... to avoid using a fixed memory size that risks being too large or too
- small.
+ First version, try this out!
-Marc Hoersken (14 Dec 2014)
-- curl_schannel: Improvements to memory re-allocation strategy
+- CONTRIBUTING.md: move into .github
- - do not grow memory by doubling its size
- - do not leak previously allocated memory if reallocation fails
- - replace while-loop with a single check to make sure
- that the requested amount of data fits into the buffer
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1450
- Reported-by: Warren Menzer
+ To hide github specific files somewhat from the rest.
-Steve Holme (14 Dec 2014)
-- asyn-ares: We prefer use of 'CURLcode result'
+- opts: add references
-Marc Hoersken (14 Dec 2014)
-- curl_schannel.c: Data may be available before connection shutdown
+- examples/make: add 'checksrc' target
-Steve Holme (14 Dec 2014)
-- http2: Use 'CURLcode result' for curl result codes
+- 10-at-a-time: typecast the argument passed to sleep()
-- asyn-thread: We prefer 'CURLcode result'
+- externalsocket.c: fix compiler warning for fwrite return type
-- smb: Fixed unnecessary initialisation of struct member variables
-
- There is no need to set the 'state' and 'result' member variables to
- SMB_REQUESTING (0) and CURLE_OK (0) after the allocation via calloc()
- as calloc() initialises the contents to zero.
+- anyauthput.c: fix compiler warnings
-- ntlm: Fixed return code for bad type-2 Target Info
-
- Use CURLE_BAD_CONTENT_ENCODING for bad type-2 Target Info security
- buffers just like we do for bad decodes.
+- simplessl.c: warning: while with space
-- ntlm: Remove unnecessary casts in readshort_le()
+- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
- I don't think both of my fix ups from yesterday were needed to fix the
- compilation warning, so remove the one that I think is unnecessary and
- let the next Android autobuild prove/disprove it.
+ Reported-By: Gisle Vanem
-- curl_ntlm_msgs.c: Another attempt to fix compilation warning
+- http2: don't decompress gzip decoding automatically
- curl_ntlm_msgs.c:170: warning: conversion to 'short unsigned int' from
- 'int' may alter its value
-
-Guenter Knauf (13 Dec 2014)
-- synctime.c: added own user-agent string.
+ At one point during the development of HTTP/2, the commit 133cdd29ea0
+ introduced automatic decompression of Content-Encoding as that was what
+ the spec said then. Now however, HTTP/2 should work the same way as
+ HTTP/1 in this regard.
+
+ Reported-by: Kazuho Oku
+
+ Closes #661
-Steve Holme (13 Dec 2014)
-- smb.c: Fixed line longer than 79 columns
+Jay Satiro (16 Feb 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-- curl_ntlm_msgs.c: Fixed compilation warning from commit 783b5c3b11
+ http: Don't break the header into chunks if HTTP/2
+
+ nghttp2 callback deals with TLS layer and therefore the header does not
+ need to be broken into chunks.
- curl_ntlm_msgs.c:169: warning: conversion to 'short unsigned int' from
- 'int' may alter its value
+ Bug: https://github.com/curl/curl/issues/659
+ Reported-by: Kazuho Oku
-Guenter Knauf (13 Dec 2014)
-- mk-ca-bundle.pl: restored forced run again.
+Daniel Stenberg (16 Feb 2016)
+- [Viktor Szakats brought this change]
-- synctime.c: removed another timeserver URL.
-
- worldtimeserver.com seems also no longer available.
+ openssl: use macro to guard the opaque EVP_PKEY branch
-- synctime.c: fixed timeserver URLs.
-
- For getting the date header its not necessary to access special
- pages or even CGI scripts - all pages including the main index
- reply with the date header, therefore shortened URLs to domain.
- Removed worldtime.com; added pool.ntp.org.
+- [Viktor Szakats brought this change]
-Steve Holme (13 Dec 2014)
-- ftp.c: Fixed compilation warning when no verbose string support
+ openssl: avoid direct PKEY access with OpenSSL 1.1.0
- ftp.c:819: warning: unused parameter 'lineno'
-
-- smb: Added state change functions to assist with debugging
+ by using API instead of accessing an internal structure.
+ This is required starting OpenSSL 1.1.0-pre3.
- For debugging purposes, and as per other protocols within curl, added
- state change functions rather than changing the states directly.
+ Closes #650
-- ntlm: Use short integer when decoding 16-bit values
+- RELEASE-NOTES: synced with ede0bfc079da
-- RELEASE-NOTES: Synced with 6291a16b20
+- [Clint Clayton brought this change]
-- smtp.c: Fixed compilation warnings
+ CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
- smtp.c:2357 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
- smtp.c:2375 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
- smtp.c:2386 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
+ Change the example in the docs for CURLOPT_CONNECTTIMEOUT_MS to use
+ CURLOPT_CONNECTTIMEOUT_MS instead of CURLOPT_CONNECTTIMEOUT.
- Used array index notation instead.
+ Closes #653
-- smb: Disable SMB when 64-bit integers are not supported
-
- This fixes compilation issues with compilers that don't support 64-bit
- integers through long long or __int64.
+- opt-docs: add more references
-- ntlm: Disable NTLM v2 when 64-bit integers are not supported
-
- This fixes compilation issues with compilers that don't support 64-bit
- integers through long long or __int64 which was introduced in commit
- 07b66cbfa4.
+- [David Byron brought this change]
-- ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
+ SCP: use libssh2_scp_recv2 to support > 2GB files on windows
+
+ libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any
+ day now.
- Previously USE_NTLM2SESSION would only be defined automatically when
- USE_NTRESPONSES wasn't already defined. Separated the two definitions
- so that the user can manually set USE_NTRESPONSES themselves but
- USE_NTLM2SESSION is defined automatically if they don't define it.
+ Closes #451
-- smtp.c: Fixed line longer than 79 columns
+Jay Satiro (13 Feb 2016)
+- [Shine Fan brought this change]
-- config-win32.h: Don't enable Windows Crypt API if using OpenSSL
+ gtls: fix for builds lacking encrypted key file support
- As the OpenSSL and NSS Crypto engines are prefered by the core NTLM
- routines, to the Windows Crypt API, don't define USE_WIN32_CRYPT
- automatically when either OpenSSL or NSS are in use - doing so would
- disable NTLM2Session responses in NTLM type-3 messages.
+ Bug: https://github.com/curl/curl/pull/651
-- smtp: Fixed inappropriate free of the scratch buffer
-
- If the scratch buffer was allocated in a previous call to
- Curl_smtp_escape_eob(), a new buffer not allocated in the subsequent
- call and no action taken by that call, then an attempt would be made to
- try and free the buffer which, by now, would be part of the data->state
- structure.
-
- This bug was introduced in commit 4bd860a001.
+Dan Fandrich (13 Feb 2016)
+- test1604: Add to Makefile.inc so it gets run
-- smtp: Fixed dot stuffing when EOL characters were at end of input buffers
+Jay Satiro (12 Feb 2016)
+- generate.bat: Fix comment bug by removing old comments
- Fixed a problem with the CRLF. detection when multiple buffers were
- used to upload an email to libcurl and the line ending character(s)
- appeared at the end of each buffer. This meant any lines which started
- with . would not be escaped into .. and could be interpreted as the end
- of transmission string instead.
+ Remove NOTES section, it's no longer needed since we aren't setting the
+ errorlevel and more importantly the recently updated URL in the comments
+ is causing some unusual behavior that breaks the script.
- This only affected libcurl based applications that used a read function
- and wasn't reproducible with the curl command-line tool.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1456
- Assisted-by: Patrick Monnerat
-
-Daniel Stenberg (11 Dec 2014)
-- telnet: fix "cast increases required alignment of target type"
+ Closes https://github.com/curl/curl/issues/649
-- ntlm_wb_response: fix "statement not reached"
+Kamil Dudka (12 Feb 2016)
+- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
- ... and I could use a break instead of a goto to end the loop.
+ The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man
+ pages since curl-7_12_3~131. This patch makes it clear in the curl.1
+ man page, too.
- Bug: http://curl.haxx.se/mail/lib-2014-12/0089.html
- Reported-by: Tor Arntsen
+ Bug: https://bugzilla.redhat.com/1305970
-Steve Holme (10 Dec 2014)
-- RELEASE-NOTES: Synced with 1cc5194337
+Daniel Stenberg (12 Feb 2016)
+- dist: ship buildconf.bat too
- Added some bug fixes that I had missed in previous synchronisations.
+ As the winbuild/* stuff uses it!
-Daniel Stenberg (10 Dec 2014)
-- Curl_unix2addr: avoid using the variable name 'sun'
+- curlx_tvdiff: handle 32bit time_t overflows
- I suspect this causes compile failures on Solaris:
+ On 32bit systems, make sure we don't overflow and return funky values
+ for very large time differences.
- Bug: http://curl.haxx.se/mail/lib-2014-12/0081.html
-
-Steve Holme (10 Dec 2014)
-- url.c: Fixed compilation warning when USE_NTLM is not defined
+ Reported-by: Anders Bakken
- url.c:3078: warning: variable 'credentialsMatch' set but not used
+ Closes #646
+
+- examples: fix some compiler warnings
-- parsedate.c: Fixed compilation warning
+- simplessl.c: fix my breakage
+
+- examples: adhere to curl code style
- parsedate.c:548: warning: 'parsed' may be used uninitialized in this
- function
+ All plain C examples now (mostly) adhere to the curl code style. While
+ they are only examples, they had diverted so much and contained all
+ sorts of different mixed code styles by now. Having them use a unified
+ style helps users and readability. Also, as they get copy-and-pasted
+ widely by users, making sure they're clean and nice is a good idea.
- As curl_getdate() returns -1 when parsedate() fails we can initialise
- parsed to -1.
+ 573 checksrc warnings were addressed.
-Daniel Stenberg (10 Dec 2014)
-- TODO: Cache negative name resolves
+- examples/cookie_interface.c: add cleanup call
- Worth exploring
-
-- ldap: check Curl_client_write() return codes
+ cleaning up handles is a good idea as we leak memory otherwise
- There might be one or two memory leaks left in the error paths.
-
-- ldap: rename variables to comply to curl standards
-
-Dan Fandrich (10 Dec 2014)
-- sws.c: Fixed 'rc' may be used uninitialized warning
+ Also, line wrapped before 80 columns.
-- cookies: Improved OOM handling in cookies
+Kamil Dudka (10 Feb 2016)
+- nss: search slash in forward direction in dup_nickname()
- This fixes the test 506 torture test. The internal cookie API really
- ought to be improved to separate cookie parsing errors (which may be
- ignored) with OOM errors (which should be fatal).
+ It is wasteful to search it backwards if we look for _any_ slash.
-Guenter Knauf (9 Dec 2014)
-- synctime.c: fixed user-agent setting.
+- nss: do not count enabled cipher-suites
- Some websites meanwhile refuse to reply to requests from ancient
- browsers like IE6, therefore I've comment out this setting, but
- also fixed the string to now fake IE8 if someone enables it.
+ We only care if at least one cipher-suite is enabled, so it does
+ not make any sense to iterate till the end and count all enabled
+ cipher-suites.
-Daniel Stenberg (9 Dec 2014)
-- smb: fix unused return code warning
+Daniel Stenberg (10 Feb 2016)
+- contributors.sh: make 79 the max column width (from 80)
-Patrick Monnerat (9 Dec 2014)
-- Curl_client_write() & al.: chop long data, convert data only once.
+- RELEASE-NOTES: synced with c276aefee3995
-Guenter Knauf (9 Dec 2014)
-- VC build: added sspi define for winssl-zlib builds.
+- mbedtls.c: re-indent to better match curl standards
-Daniel Stenberg (9 Dec 2014)
-- schannel_recv: return the correct code
+- [Rafael Antonio brought this change]
+
+ mbedtls: fix memory leak when destroying SSL connection data
- Bug: http://curl.haxx.se/bug/view.cgi?id=1462
- Reported-by: Tae Hyoung Ahn
+ Closes #626
-- http2: avoid logging neg "failure" if h2 was not requested
+- mbedtls: fix ALPN usage segfault
+
+ Since we didn't keep the input argument around after having called
+ mbedtls, it could end up accessing the wrong memory when figuring out
+ the ALPN protocols.
+
+ Closes #642
-- openldap: do not ignore Curl_client_write() return codes
+Jay Satiro (9 Feb 2016)
+- [Timotej Lazar brought this change]
-- compile: warn on unused return code from Curl_client_write()
+ opts: update references to renamed options
-Patrick Monnerat (8 Dec 2014)
-- SMB: Fix a data size mismatch that broke SMB on big-endian platforms
+- KNOWN_BUGS: Update #92 - Windows device prefix
-Steve Holme (7 Dec 2014)
-- smb: Fixed Windows autoconf builds following commit eb88d778e7
-
- As Windows based autoconf builds don't yet define USE_WIN32_CRYPTO
- either explicitly through --enable-win32-cypto or automatically on
- _WIN32 based platforms, subsequent builds broke with the following
- error message:
+- tool_doswin: Support for literal path prefix \\?\
- "Can't compile NTLM support without a crypto library."
+ For example something like --output \\?\C:\foo
-- RELEASE-NOTES: Synced with 526603ff05
+Daniel Stenberg (9 Feb 2016)
+- configure: state "BoringSSL" in summary when that was detected
-- [Bill Nagel brought this change]
+- [David Benjamin brought this change]
- smb: Build with SSPI enabled
+ openssl: remove most BoringSSL #ifdefs.
- Build SMB/CIFS protocol support when SSPI is enabled.
-
-- [Bill Nagel brought this change]
-
- ntlm: Use Windows Crypt API
+ As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
+ BoringSSL #ifdefs in cURL should be unnecessary:
- Allow the use of the Windows Crypt API for NTLMv1 functions.
-
-Dan Fandrich (7 Dec 2014)
-- cookie.c: Refactored cleanup code to simplify
+ - BoringSSL provides no-op stubs for compatibility which replaces most
+ #ifdefs.
- Also, fixed the outdated comments on the cookie API.
-
-- get_url_file_name: Fixed crash on OOM on debug build
+ - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
+ the compatibility codepath.
- This caused a null-pointer dereference which caused a few dozen
- torture tests to fail.
-
-Steve Holme (6 Dec 2014)
-- sws.c: Fixed compilation warning
+ - With a small tweak to an extend_key_56_to_64 call, the NTLM code
+ builds fine.
- sws.c:2191 warning: 'rc' may be used uninitialized in this function
-
-- ftp.c: Fixed compilation warnings when proxy support disabled
+ - Switch OCSP-related #ifdefs to the more generally useful
+ OPENSSL_NO_OCSP.
- ftp.c:1827 warning: unused parameter 'newhost'
- ftp.c:1827 warning: unused parameter 'newport'
-
-- smb: Fixed a problem with large file transfers
+ The only #ifdefs which remain are Curl_ossl_version and the #undefs to
+ work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
+ that to the consumer. The in-header workaround makes things sensitive to
+ include order.)
- Fixed an issue with the message size calculation where the raw bytes
- from the buffer were interpreted as signed values rather than unsigned
- values.
+ This change errs on the side of removing conditionals despite many of
+ the restored codepaths being no-ops. (BoringSSL generally adds no-op
+ compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
+ bad enough!)
- Reported-by: Gisle Vanem
- Assisted-by: Bill Nagel
-
-- smb: Moved the URL decoding into a separate function
+ Closes #640
-- smb: Fixed URL encoded URLs not working
+Jay Satiro (8 Feb 2016)
+- KNOWN_BUGS: Windows device prefix is required for devices
-- Makefile.inc: Added our standard header and updated file formatting
-
-- Makefile.inc: Updated file formatting
+- tool_urlglob: Allow reserved dos device names (Windows)
- Aligned continuation character and used space as the separator
- character as per other makefile files.
-
-- curl_md4.h: Updated copyright year following recent edit
+ Allow --output to reserved dos device names without the device prefix
+ for backwards compatibility.
- ...and minor layout adjustment.
-
-Patrick Monnerat (5 Dec 2014)
-- SMB: Fix big endian problems. Make it OS/400 aware.
-
-- OS400: enable NTLM authentication
-
-Steve Holme (5 Dec 2014)
-- multi.c: Fixed compilation warning
+ Example: --output NUL can be used instead of --output \\.\NUL
- multi.c:2695: warning: declaration of `exp' shadows a global declaration
-
-Guenter Knauf (5 Dec 2014)
-- build: updated dependencies in makefiles.
-
-Steve Holme (5 Dec 2014)
-- sasl: Corrected formatting of function descriptions
-
-- sasl_gssapi: Added missing function description
+ Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
+ Reported-by: Gisle Vanem
-- RELEASE-NOTES: Provided better descriptions
+Daniel Stenberg (8 Feb 2016)
+- cookies: allow spaces in cookie names, cut of trailing spaces
- As it is often difficult to choose the best description for a single
- feature when it spans many commits, updated the descriptions for the
- recent SMB/CIFS protocol and GSS-API additions.
-
-- sasl_sspi: Corrected some typos
-
-- sasl_sspi: Don't use hard coded sizes in Kerberos V5 security data
+ It turns out Firefox and Chrome both allow spaces in cookie names and
+ there are sites out there using that.
- Don't use a hard coded size of 4 for the security layer and buffer size
- in Curl_sasl_create_gssapi_security_message(), instead, use sizeof() as
- we have done in the sasl_gssapi module.
-
-- sasl_sspi: Free the Kerberos V5 challenge as soon as we're done with it
+ Turned out the code meant to strip off trailing space from cookie names
+ didn't work. Fixed now.
- Reduced the amount of free's required for the decoded challenge message
- in Curl_sasl_create_gssapi_security_message() as a result of coding it
- differently in the sasl_gssapi module.
+ Test case 8 modified to verify both these changes.
+
+ Closes #639
-- gssapi: Corrected typo in comments
+Patrick Monnerat (8 Feb 2016)
+- Merge branch 'master' of github.com:curl/curl
-- sasl_gssapi: Added body to Curl_sasl_create_gssapi_security_message()
+- os400: sync ILE/RPG definitions with latest public header files.
-Daniel Stenberg (4 Dec 2014)
-- [Stefan Bühler brought this change]
+Daniel Stenberg (8 Feb 2016)
+- [Ludwig Nussel brought this change]
- http_perhapsrewind: don't abort CONNECT requests
-
- ...they never have a body
+ SSLCERTS: update wrt SSL CA certificate store
-- [Stefan Bühler brought this change]
+- [Ludwig Nussel brought this change]
- HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request
+ configure: --with-ca-fallback: use built-in TLS CA fallback
- Sending NTLM/Negotiate header again after successful authentication
- breaks the connection with certain Proxies and request types (POST to MS
- Forefront).
-
-- [Stefan Bühler brought this change]
-
- HTTP: don't abort connections with pending Negotiate authentication
+ When trying to verify a peer without having any root CA certificates
+ set, this makes libcurl use the TLS library's built in default as
+ fallback.
- ... similarly to how NTLM works as Negotiate is in fact often NTLM with
- another name.
-
-- [Stefan Bühler brought this change]
+ Closes #569
- fix gdb libtool invocation path
+- Proxy-Connection: stop sending this header by default
+
+ RFC 7230 says we should stop. Firefox already stopped.
+
+ Bug: https://github.com/curl/curl/issues/633
+ Reported-By: Brad Fitzpatrick
+
+ Closes #633
-Steve Holme (4 Dec 2014)
-- sasl_gssapi: Fixed missing include from commit d3cca934ee
+- bump: work toward the next release
-Daniel Stenberg (4 Dec 2014)
-- [Jay Satiro brought this change]
+- THANKS: 2 contributors from the 7.47.1 release
- examples: remove sony.com from 10-at-a-time
+- RELEASE-PROCEDURE: remove the github upload part
- Prior to this change the 10-at-a-time example showed CURLE_RECV_ERROR
- for the sony website because it ends the connection when the request is
- missing a user agent.
-
-Steve Holme (4 Dec 2014)
-- sasl_gssapi: Fixed missing decoding debug failure message
+ ... as we're HTTPS on the main site now, there's no point in that
+ extra step
-- sasl_gssapi: Fixed honouring of no mutual authentication
+Version 7.47.1 (8 Feb 2016)
-- sasl_sspi: Added more Kerberos V5 decoding debug failure messages
+Daniel Stenberg (8 Feb 2016)
+- RELEASE-NOTES: curl 7.47.1 time!
-Daniel Stenberg (4 Dec 2014)
-- [Anthon Pang brought this change]
-
- docs: Fix FAILONERROR typos
+Jay Satiro (8 Feb 2016)
+- tool_operhlp: Check for backslashes in get_url_file_name
+
+ Extract the filename from the last slash or backslash. Prior to this
+ change backslashes could be part of the filename.
- It returns error for >= 400 HTTP responses.
+ This change needed for the curl tool built for Cygwin. Refer to the
+ CYGWIN addendum in advisory 20160127B.
- Bug: https://github.com/bagder/curl/pull/129
+ Bug: https://curl.haxx.se/docs/adv_20160127B.html
-- [Peter Wu brought this change]
+Daniel Stenberg (7 Feb 2016)
+- RELEASE-NOTES: synced with d6a8869ea34
- tool: fix CURLOPT_UNIX_SOCKET_PATH in --libcurl output
+Jay Satiro (6 Feb 2016)
+- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
- Mark CURLOPT_UNIX_SOCKET_PATH as string to ensure that it ends up as
- option in the file generated by --libcurl.
+ sk_X509_EXTENSION_num may return an unsigned integer, however the value
+ will fit in an int.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
+ Reported-by: Gisle Vanem
+
+Daniel Stenberg (7 Feb 2016)
+- TODO: 17.11 -w output to stderr
-- [Peter Wu brought this change]
+Jay Satiro (6 Feb 2016)
+- [Michael Kaufmann brought this change]
- opts: fix CURLOPT_UNIX_SOCKET_PATH formatting
+ idn_win32: Better error checking
- Add .nf and .fi such that the code gets wrapped in a pre on the web.
- Fixed grammar, fixed formatting of the "See also" items.
+ .. also fix a conversion bug in the unused function
+ curl_win32_ascii_to_idn().
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-Patrick Monnerat (4 Dec 2014)
-- OS400: enable Unix sockets.
-
-Daniel Stenberg (3 Dec 2014)
-- RELEASE-NOTES: synced with b216427e73b5e9
+ And remove wprintfs on error (Jay).
+
+ Bug: https://github.com/curl/curl/pull/637
-- opts: added CURLOPT_UNIX_SOCKET_PATH to Makefile.am
+- [Gisle Vanem brought this change]
-- updateconninfo: clear destination struct before getsockname()
+ examples/asiohiper: Avoid function name collision on Windows
- Otherwise we may read uninitialized bytes later in the unix-domain
- sockets case.
+ closesocket => close_socket
+ Winsock already has the former.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
-- curl.1: added --unix-socket
+- [Gisle Vanem brought this change]
-- [Peter Wu brought this change]
+ examples/htmltitle: Use _stricmp on Windows
+
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
- tool: add --unix-socket option
+Daniel Stenberg (6 Feb 2016)
+- COPYING: clarify that Daniel is not the sole author
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ ... done on request and as it is a fair point.
-- [Peter Wu brought this change]
+Jay Satiro (5 Feb 2016)
+- unit1604: Fix unit setup return code
- libcurl: add UNIX domain sockets support
-
- The ability to do HTTP requests over a UNIX domain socket has been
- requested before, in Apr 2008 [0][1] and Sep 2010 [2]. While a
- discussion happened, no patch seems to get through. I decided to give it
- a go since I need to test a nginx HTTP server which listens on a UNIX
- domain socket.
+- tool_doswin: Use type SANITIZEcode in sanitize_file_name
+
+- tool_doswin: Improve sanitization processing
- One patch [3] seems to make it possible to use the
- CURLOPT_OPENSOCKETFUNCTION function to gain a UNIX domain socket.
- Another person wrote a Go program which can do HTTP over a UNIX socket
- for Docker[4] which uses a special URL scheme (though the name contains
- cURL, it has no relation to the cURL library).
+ - Add unit test 1604 to test the sanitize_file_name function.
- This patch considers support for UNIX domain sockets at the same level
- as HTTP proxies / IPv6, it acts as an intermediate socket provider and
- not as a separate protocol. Since this feature affects network
- operations, a new feature flag was added ("unix-sockets") with a
- corresponding CURL_VERSION_UNIX_SOCKETS macro.
+ - Use -DCURL_STATICLIB when building libcurltool for unit testing.
- A new CURLOPT_UNIX_SOCKET_PATH option is added and documented. This
- option enables UNIX domain sockets support for all requests on the
- handle (replacing IP sockets and skipping proxies).
+ - Better detection of reserved DOS device names.
- A new configure option (--enable-unix-sockets) and CMake option
- (ENABLE_UNIX_SOCKETS) can disable this optional feature. Note that I
- deliberately did not mark this feature as advanced, this is a
- feature/component that should easily be available.
+ - New flags to modify sanitize behavior:
- [0]: http://curl.haxx.se/mail/lib-2008-04/0279.html
- [1]: http://daniel.haxx.se/blog/2008/04/14/http-over-unix-domain-sockets/
- [2]: http://sourceforge.net/p/curl/feature-requests/53/
- [3]: http://curl.haxx.se/mail/lib-2008-04/0361.html
- [4]: https://github.com/Soulou/curl-unix-socket
+ SANITIZE_ALLOW_COLONS: Allow colons
+ SANITIZE_ALLOW_PATH: Allow path separators and colons
+ SANITIZE_ALLOW_RESERVED: Allow reserved device names
+ SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
-
- tests: add two HTTP over UNIX socket tests
+ - Restore sanitization of banned characters from user-specified outfile.
- test1435: a simple test that checks whether a HTTP request can be
- performed over the UNIX socket. The hostname/port are interpreted
- by sws and should be ignored by cURL.
+ Prior to this commit sanitization of a user-specified outfile was
+ temporarily disabled in 2b6dadc because there was no way to allow path
+ separators and colons through while replacing other banned characters.
+ Now in such a case we call the sanitize function with
+ SANITIZE_ALLOW_PATH which allows path separators and colons to pass
+ through.
- test1436: test for the ability to do two requests to the same host,
- interleaved with one to a different hostname.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
+ Closes https://github.com/curl/curl/issues/624
+ Reported-by: Octavio Schroeder
- tests: add HTTP UNIX socket server testing support
-
- The variable `$ipvnum` can now contain "unix" besides the integers 4
- and 6 since the variable. Functions which receive this parameter
- have their `$port` parameter renamed to `$port_or_path` to support a
- path to the UNIX domain socket (as a "port" is only meaningful for TCP).
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+- [Viktor Szakats brought this change]
-- [Peter Wu brought this change]
+ URLs: change more http to https
- sws: try to remove socket and retry bind
+- sasl_sspi: Fix memory leak in domain populate
- If sws is killed it might leave a stale socket file on the filesystem
- which would cause an EADDRINUSE error. After this patch, it is checked
- whether the socket is really stale and if so, the socket file gets
- removed and another bind is executed.
+ Free an existing domain before replacing it.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Bug: https://github.com/curl/curl/issues/635
+ Reported-by: silveja1@users.noreply.github.com
-- [Peter Wu brought this change]
+Daniel Stenberg (4 Feb 2016)
+- [Viktor Szakats brought this change]
- sws: add UNIX domain socket support
+ URLs: follow GitHub project rename (also Travis CI)
- This extends sws with a --unix-socket option which causes the port to
- be ignored (as the server now listens on the path specified by
- --unix-socket). This feature will be available in the following patch
- that enables checking for UNIX domain socket support.
-
- Proxy support (CONNECT) is not considered nor tested. It does not make
- sense anyway, first connecting through a TCP proxy, then let that TCP
- proxy connect to a UNIX socket.
+ Closes #632
+
+- CHANGES.o: fix references to curl.haxx.nu
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ I removed the scheme prefix from the URLs references this host name, as
+ we don't own/run that anymore but the name is kept for historic reasons.
-- [Peter Wu brought this change]
+- HISTORY: add some info about when we used which host names
- sws: restrict TCP_NODELAY to IP sockets
-
- TCP_NODELAY does not make sense for Unix sockets, so enable it only if
- the socket is using IP.
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+Jay Satiro (2 Feb 2016)
+- [Viktor Szakats brought this change]
-Dan Fandrich (3 Dec 2014)
-- [Dave Reisner brought this change]
+ URLs: change more http to https
- curl.1: fix trivial typo
+Dan Fandrich (3 Feb 2016)
+- URLs: Change more haxx.se URLs from http: to https:
-Steve Holme (3 Dec 2014)
-- sasl_gssapi: Added body to Curl_sasl_create_gssapi_user_message()
+Daniel Stenberg (3 Feb 2016)
+- RELEASE-NOTES: synced with 4af40b364
-- sasl_gssapi: Added body to Curl_sasl_gssapi_cleanup()
+- URLs: change all http:// URLs to https://
-- sasl_gssapi: Added Curl_sasl_build_gssapi_spn() function
-
- Added helper function for returning a GSS-API compatible SPN.
+- configure: update the copyright year range in output
-Daniel Stenberg (3 Dec 2014)
-- NSS: enable the CAPATH option
+- dotdot: allow an empty input string too
+
+ It isn't used by the code in current conditions but for safety it seems
+ sensible to at least not crash on such input.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1457
- Patch-by: Tomasz Kojm
+ Extended unit test 1395 to verify this too as well as a plain "/" input.
-Steve Holme (3 Dec 2014)
-- sasl_gssapi: Enable USE_KERBEROS5 for GSS-API based builds
+- HTTPS: update a bunch of URLs from HTTP to HTTPS
-- sasl_gssapi: Added GSS-API based Kerberos V5 variables
+- [Sergei Nikulov brought this change]
-- sws.c: Fixed compilation warning when IPv6 is disabled
+ AppVeyor: updated to handle OpenSSL/WinSSL builds
- sws.c:69: warning: comma at end of enumerator list
+ Closes #621
-- sasl_gssapi: Made log_gss_error() a common GSS-API function
+Jay Satiro (1 Feb 2016)
+- tool_operate: Don't sanitize --output path (Windows)
- Made log_gss_error() a common function so that it can be used in both
- the http_negotiate code as well as the curl_sasl_gssapi code.
-
-- sasl_gssapi: Introduced GSS-API based SASL module
+ Due to path separators being incorrectly sanitized in --output
+ pathnames, eg -o c:\foo => c__foo
- Added the initial version of curl_sasl_gssapi.c and updated the project
- files in preparation for adding GSS-API based Kerberos V5 support.
-
-- smb: Don't try to connect with empty credentials
+ This is a partial revert of 3017d8a until I write a proper fix. The
+ remote-name will continue to be sanitized, but if the user specified an
+ --output with string replacement (#1, #2, etc) that data is unsanitized
+ until I finish a fix.
- On some platforms curl would crash if no credentials were used. As such
- added detection of such a use case to prevent this from happening.
+ Bug: https://github.com/bagder/curl/issues/624
+ Reported-by: Octavio Schroeder
+
+- curl.1: Explain remote-name behavior if file already exists
- Reported-by: Gisle Vanem
+ .. also warn about letting the server pick the filename.
-- smb.c: Coding policing of pointer usage
+- [Gisle Vanem brought this change]
-- configure: Fixed inclusion of SMB when no crypto engines available
+ urldata: Error on missing SSL backend-specific connect info
-Guenter Knauf (1 Dec 2014)
-- build: in Makefile.m32 simplified autodetection.
+Daniel Stenberg (28 Jan 2016)
+- bump: towards the next (7.47.1 ?)
-Daniel Stenberg (30 Nov 2014)
-- [Peter Wu brought this change]
+- [Sergei Nikulov brought this change]
- sws: move away from IPv4/IPv4-only assumption
-
- Instead of depending the socket domain type on use_ipv6, specify the
- domain type (AF_INET / AF_INET6) as variable. An enum is used here with
- switch to avoid compiler warnings in connect_to, complaining that rc
- is possibly undefined (which is not possible as socket_domain is
- always set).
+ cmake: fixed when OpenSSL enabled on Windows and schannel detected
- Besides abstracting the socket type, make the debugging messages be
- independent on IP (introduce location_str which points to "port XXXXX").
- Rename "ipv_inuse" to "socket_type" and tighten the scope (main).
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #617
-- [Peter Wu brought this change]
+Jay Satiro (28 Jan 2016)
+- [Sergei Nikulov brought this change]
- lib/connect: restrict IP/TCP options to said sockets
+ urldata: moved common variable out of ifdef
- This patch prepares for adding UNIX domain sockets support.
+ Closes https://github.com/bagder/curl/pull/618
+
+- [Viktor Szakats brought this change]
+
+ tool_doswin: silence unused function warning
- TCP_NODELAY and TCP_KEEPALIVE are specific to TCP/IP sockets, so do not
- apply these to other socket types. bindlocal only works for IP sockets
- (independent of TCP/UDP), so filter that out too for other types.
+ tool_doswin.c:185:14: warning: 'msdosify' defined but not used
+ [-Wunused-function]
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes https://github.com/bagder/curl/pull/616
-- smb.c: use size_t as input argument types for msg sizes
+Daniel Stenberg (27 Jan 2016)
+- getredirect.c: fix variable name
- This fixes warnings about conversions to int
+ Reported-by: Bernard Spil
-Steve Holme (30 Nov 2014)
-- version: The next release will become 7.40.0
+Version 7.47.0 (27 Jan 2016)
-- [Bill Nagel brought this change]
+Daniel Stenberg (27 Jan 2016)
+- examples/Makefile.inc: specify programs without .c!
- docs: Updated for the SMB protocol
-
- This patch updates the documentation for the SMB/CIFS protocol.
+- THANKS: 6 new contributors from 7.47.0 release notes
-- curl tool: Exclude SMB from the protocol redirect
+- [Isaac Boukris brought this change]
+
+ NTLM: Fix ConnectionExists to compare Proxy credentials
+
+ Proxy NTLM authentication should compare credentials when
+ re-using a connection similar to host authentication, as it
+ authenticate the connection.
- As local files could be accessed through \\localhost\c$.
+ Example:
+ curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+ --proxy-ntlm --next -x http://proxy:port http://host/
+ [-U fake_user:fake_pwd --proxy-ntlm]
+
+ CVE-2016-0755
+
+ Bug: http://curl.haxx.se/docs/adv_20160127A.html
-- [Bill Nagel brought this change]
+- [Ray Satiro brought this change]
- curl tool: Enable support for the SMB protocol
+ curl: avoid local drive traversal when saving file (Windows)
- This patch enables SMB/CIFS support in the curl command-line tool.
-
-- smb.c: Fixed compilation warnings
+ curl does not sanitize colons in a remote file name that is used as the
+ local file name. This may lead to a vulnerability on systems where the
+ colon is a special path character. Currently Windows/DOS is the only OS
+ where this vulnerability applies.
- smb.c:398: warning: comparison of integers of different signs:
- 'ssize_t' (aka 'long') and 'unsigned long'
- smb.c:443: warning: comparison of integers of different signs:
- 'ssize_t' (aka 'long') and 'unsigned long'
-
-- libcurl: Exclude SMB from the protocol redirect
+ CVE-2016-0754
- As local files could be accessed through \\localhost\c$.
+ Bug: http://curl.haxx.se/docs/adv_20160127B.html
-- [Bill Nagel brought this change]
+- RELEASE-NOTES: 7.47.0
- libcurl: Enable support for the SMB protocol
-
- This patch enables SMB/CIFS support in libcurl.
+- FAQ: language fix in 4.19
-- smb.c: Fixed compilation warnings
-
- smb.c:322: warning: conversion to 'short unsigned int' from 'unsigned
- int' may alter its value
- smb.c:323: warning: conversion to 'short unsigned int' from 'unsigned
- int' may alter its value
- smb.c:482: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
- smb.c:521: warning: conversion to 'unsigned int' from 'curl_off_t' may
- alter its value
- smb.c:549: warning: conversion to 'unsigned int' from 'curl_off_t' may
- alter its value
- smb.c:550: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
-
-- smb.c: Renamed SMB command message variables to avoid compiler warnings
-
- smb.c:489: warning: declaration of 'close' shadows a global declaration
- smb.c:511: warning: declaration of 'read' shadows a global declaration
- smb.c:528: warning: declaration of 'write' shadows a global declaration
+- [paulehoffman brought this change]
-- smb.c: Fixed compilation warnings
+ FAQ: Update to point to GitHub
- smb.c:212: warning: unused parameter 'done'
- smb.c:380: warning: ISO C does not allow extra ';' outside of a function
- smb.c:812: warning: unused parameter 'premature'
- smb.c:822: warning: unused parameter 'dead'
-
-- smb.c: Fixed compilation warnings
+ Current FAQ didn't make it clear where the main repo is.
- smb.c:311: warning: conversion from 'unsigned __int64' to 'u_short',
- possible loss of data
- smb.c:425: warning: conversion from '__int64' to 'unsigned short',
- possible loss of data
- smb.c:452: warning: conversion from '__int64' to 'unsigned short',
- possible loss of data
+ Closes #612
-- smb.c: Fixed compilation warnings
+- maketgz: generate date stamp with LC_TIME=C
- smb.c:162: error: comma at end of enumerator list
- smb.c:469: warning: conversion from 'size_t' to 'unsigned short',
- possible loss of data
- smb.c:517: warning: conversion from 'curl_off_t' to 'unsigned int',
- possible loss of data
- smb.c:545: warning: conversion from 'curl_off_t' to 'unsigned int',
- possible loss of data
+ bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
-- [Bill Nagel brought this change]
+- curl_multi_socket_action.3: line wrap
- smb: Added initial SMB functionality
-
- Initial implementation of the SMB/CIFS protocol.
+- RELEASE-NOTES: synced with d58ba66eeceb
-- [Bill Nagel brought this change]
+Steve Holme (21 Jan 2016)
+- TODO: "Create remote directories" for SMB
- smb: Added SMB handler interfaces
+Jay Satiro (18 Jan 2016)
+- mbedtls: Fix pinned key return value on fail
- Added the SMB and SMBS handler interface structures and associated
- functions required for SMB/CIFS operation.
-
-- transfer: Code style policing
+ - Switch from verifying a pinned public key in a callback during the
+ certificate verification to inline after the certificate verification.
- Prefer ! rather than NULL in if statements, added comments and updated
- function spacing, argument spacing and line spacing to be more readble.
-
-- transfer: Fixed existing scratch buffer being checked for NULL twice
+ The callback method had three problems:
- If the scratch buffer already existed when the CRLF conversion was
- performed then the buffer pointer would be checked twice for NULL. This
- second check is only necessary if the call to malloc() was performed by
- the first check.
-
-- smtp: Fixed dot stuffing being performed when no new data read
+ 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
+ was not returned.
+
+ 2. If peer certificate verification was disabled the pinned key
+ verification did not take place as it should.
- Whilst I had moved the dot stuffing code from being performed before
- CRLF conversion takes place to after it, in commit 4bd860a001, I had
- moved it outside the 'when something read' block of code when meant
- it could perform the dot stuffing twice on partial send if nread
- happened to contain the right values. It also meant the function could
- potentially read past the end of buffer. This was highlighted by the
- following warning:
+ 3. (related to #2) If there was no certificate of depth 0 the callback
+ would not have checked the pinned public key.
- warning: `nread' might be used uninitialized in this function
+ Though all those problems could have been fixed it would have made the
+ code more complex. Instead we now verify inline after the certificate
+ verification in mbedtls_connect_step2.
+
+ Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
+ Ref: https://github.com/bagder/curl/pull/601
-Daniel Stenberg (29 Nov 2014)
-- smb.h: fixed picky compiler warning
+- tests: Add a test for pinnedpubkey fail even when insecure
- smb.h:30:16: error: comma at end of enumerator list [-Werror=pedantic]
+ Because disabling the peer verification (--insecure) must not disable
+ the public key pinning check (--pinnedpubkey).
-Steve Holme (29 Nov 2014)
-- tests: Disable test 1013 until SMB is fully added
+- [Daniel Schauenberg brought this change]
-- [Bill Nagel brought this change]
+ CURLINFO_RESPONSE_CODE.3: add example
- smb: Added SMB protocol and port definitions
+Kamil Dudka (15 Jan 2016)
+- ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
- Added the necessary protocol and port definitions in order to support
- SMB/CIFS.
-
-- [Bill Nagel brought this change]
-
- smb: Added internal SMB definitions and structures
+ The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
+ empty strings specially since curl-7_25_0-31-g05a443a but the behavior
+ was unintentionally removed in curl-7_38_0-47-gfa7d04f.
- Added the internal definitions and structures necessary for SMB/CIFS
- support.
-
-- [Bill Nagel brought this change]
-
- smb: Added SMB connection structure
+ This commit restores the original behavior and clarifies it in the
+ documentation that NULL and "" have both the same meaning when passed
+ to CURLOPT_SSH_PUBLIC_KEYFILE.
- Added the connection structure that will be required in urldata.h for
- SMB/CIFS based connections.
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
-- [Bill Nagel brought this change]
+Daniel Stenberg (14 Jan 2016)
+- RELEASE-NOTES: synced with 35083ca60ed035a
- smb: Added initial source files for SMB
+- openssl: improved error detection/reporting
- Added the initial source files and updated the relevant project files in
- order to support SMB/CIFS.
+ ... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
+ 1.1.0+ returned a new func number of another cerfificate fail so this
+ required a fix and this is the better way to catch this error anyway.
+
+- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
-- [Bill Nagel brought this change]
+- CURLOPT_RESOLVE.3: minor language polish
- smb: Added configuration options for SMB
+- configure: assume IPv6 works when cross-compiled
- Added --enable-smb and --disable-smb configuration options for the
- upcoming SMB/CIFS protocol support.
+ The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
+ works, and testing like that doesn't work for cross-compiles. These days
+ IPv6 support is widespread so a blind guess is probably more likely to
+ be 'yes' than 'no' now.
+
+ Further: anyone who cross-compiles can use configure's --disable-ipv6 to
+ explicitly disable IPv6 and that also works for cross-compiles.
+
+ Made happen after discussions in issue #594
-Daniel Stenberg (28 Nov 2014)
-- [Peter Wu brought this change]
+- TODO: "Try to URL encode given URL"
+
+ Closes #514
- runtests.pl: fix startup of IPv6 servers
+- ConnectionExists: only do pipelining/multiplexing when asked
- Commit curl-7_23_1-143-g8218064 changed the parameter of
- responsive_http_server to accept types other than IPv6 (converting
- from a boolean to a string), but only considered the lower-case "ipv6"
- and not the "IPv6" variant. This caused all servers to start in IPv4
- mode instead.
+ When an HTTP/2 upgrade request fails (no protocol switch), it would
+ previously detect that as still possible to pipeline on (which is
+ acorrect) and do that when PIPEWAIT was enabled even if pipelining was
+ not explictily enabled.
- This patch converts the remaining cases to "ipv6". While not strictly
- necessary for the run*server variants, these got also converted for
- consistency and to prevent future errors.
+ It should only pipelined if explicitly asked to.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #584
-- [Peter Wu brought this change]
+- [Mohammad AlSaleh brought this change]
- runtests.pl: fix warning message, remove duplicate value
+ lib: Prefix URLs with lower-case protocol names/schemes
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-Steve Holme (27 Nov 2014)
-- http.c: Fixed compilation warnings from features being disabled
+ Before this patch, if a URL does not start with the protocol
+ name/scheme, effective URLs would be prefixed with upper-case protocol
+ names/schemes. This behavior might not be expected by library users or
+ end users.
- warning: unused variable 'data'
- warning: variable 'addcookies' set but not used
+ For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
+ URL is "hostname/path". The effective URL would be
+ "HTTPS://hostname/path" instead of "https://hostname/path".
- ...and some very minor coding style policing.
+ After this patch, effective URLs would be prefixed with a lower-case
+ protocol name/scheme.
+
+ Closes #597
+
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
-- RELEASE-NOTES: Synced with c5399c827d
+- [Alessandro Ghedini brought this change]
-- tests: Added SMTP with --crlf test case
+ scripts: don't generate and install zsh completion when cross-compiling
-- docs: Updated for commit 4bd860a001 and SMTP Unix line ending conversion
+- [Alessandro Ghedini brought this change]
-- smtp: Fixed const'ness of nread parameter in Curl_smtp_escape_eob()
+ scripts: fix zsh completion generation
- ...and some comment typos!
+ The script should use the just-built curl, not the system one. This fixes
+ zsh completion generation when no system curl is installed.
-- smtp: Added support for the conversion of Unix newlines during mail send
-
- Added support for the automatic conversion of Unix newlines to CRLF
- during mail uploads.
+- [Alessandro Ghedini brought this change]
+
+ zsh.pl: fail if no curl is found
- Feature: http://curl.haxx.se/bug/view.cgi?id=1456
+ Instead of generation a broken completion file.
-- CURLOPT_CRLF.3: Fixed inclusion of SMTP in listed protocols
+- [Michael Kaufmann brought this change]
-Daniel Stenberg (25 Nov 2014)
-- curl*3: added small examples
+ IDN host names: Remove the port number before converting to ACE
- and some minor edits
+ Closes #596
-- libcurl.3: fix formatting
+Jay Satiro (10 Jan 2016)
+- runtests: Add mbedTLS to the SSL backends
- refer to functions with the man page section properly
+ .. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
-- man pages: SEE ALSO curl_multi_wait
+Daniel Stenberg (10 Jan 2016)
+- [Thomas Glanzmann brought this change]
-- curl_multi_wait.3: clarify numfds being used if not NULL
+ mbedtls: implement CURLOPT_PINNEDPUBLICKEY
-- multi-single.c: switch to use curl_multi_wait
-
- Makes the example much easier and straight-forward!
+Jay Satiro (9 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-- testcurl: bump the version of this script!
+ url: Fix compile error with --enable-werror
-- testcurl: skip reading the setup file if given enough cmdline info
-
- This makes it much easier to run multiple tests in the same directory,
- just altering the command lines used.
+- [Tatsuhiro Tsujikawa brought this change]
-- select.c: fix compilation for VxWorks
+ http2: Ensure that http2_handle_stream_close is called
+
+ Previously, when HTTP/2 is enabled and used, and stream has content
+ length known, Curl_read was not called when there was no bytes left to
+ read. Because of this, we could not make sure that
+ http2_handle_stream_close was called for every stream. Since we use
+ http2_handle_stream_close to emit trailer fields, they were
+ effectively ignored. This commit changes the code so that Curl_read is
+ called even if no bytes left to read, to ensure that
+ http2_handle_stream_close is called for every stream.
- Reported-by: Brian
- Bug: http://curl.haxx.se/bug/view.cgi?id=1455
+ Discussed in https://github.com/bagder/curl/pull/564
-Patrick Monnerat (24 Nov 2014)
-- [moparisthebest brought this change]
-
- SSL: Add PEM format support for public key pinning
+Daniel Stenberg (8 Jan 2016)
+- http2: handle the received SETTINGS frame
+
+ This regression landed in 5778e6f5 and made libcurl not act on received
+ settings and instead stayed with its internal defaults.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
+ Reported-by: Bankde
-Kamil Dudka (24 Nov 2014)
-- Revert "repository: ignore patch files generated by git"
+- Revert "multiplex: allow only once HTTP/2 is actually used"
- This reverts commit 217024a687ce86eb6d2317822ed81c7e5abc4b61.
+ This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36.
- Bug: https://github.com/bagder/curl/commit/217024a6#commitcomment-8693738
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
-Steve Holme (23 Nov 2014)
-- multi.c: Fixed compilation warnings when no verbose string support
+Jay Satiro (8 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Fix PUSH_PROMISE headers being treated as trailers
- warning: variable 'connection_id' set but not used
- warning: unused parameter 'lineno'
+ Discussed in https://github.com/bagder/curl/pull/564
-- RELEASE-NOTES: Synced with 1450712e76
+Daniel Stenberg (8 Jan 2016)
+- [Michael Kaufmann brought this change]
-- sasl: Tidied up some parameter comments
+ connection reuse: IDN host names fixed
+
+ Use the ACE form of IDN hostnames as key in the connection cache. Add
+ new tests.
+
+ Closes #592
-- sasl: Reduced the need for two sets of NTLM functions
+- tests: mark IPv6 FTP and FTPS tests with the FTP keyword
-- ntlm: Moved NSS initialisation to base decode function
+Jay Satiro (7 Jan 2016)
+- mbedtls: Fix ALPN support
+
+ - Fix ALPN reply detection.
+
+ - Wrap nghttp2 code in ifdef USE_NGHTTP2.
+
+
+ Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
-- http_ntlm: Fixed additional NSS initialisation call when decoding type-2
+- http2: Fix client write for trailers on stream close
- After commit 48d19acb7c the HTTP code would call Curl_nss_force_init()
- twice when decoding a NTLM type-2 message, once directly and the other
- through the call to Curl_sasl_decode_ntlm_type2_message().
+ Check that the trailer buffer exists before attempting a client write
+ for trailers on stream close.
+
+ Refer to comments in https://github.com/bagder/curl/pull/564
-- ntlm: Fixed static'ness of local decode function
+Daniel Stenberg (7 Jan 2016)
+- COPYING: update general copyright year range
-- ntlm: Corrected some parameter names and comments
+- ConnectionExists: add missing newline in infof() call
+
+ Mistake from commit a464f33843ee1
-- runtests.pl: Re-aligned feature support comments
+- multiplex: allow only once HTTP/2 is actually used
+
+ To make sure curl doesn't allow multiplexing before a connection is
+ upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the
+ connection uses HTTP/2 as well and not only check what's wanted.
+
+ Closes #584
+
+ Patch-by: c0ff
-- runtests.pl: Use Kerberos and SPNEGO as proxies for the crypto feature
+Jay Satiro (4 Jan 2016)
+- curl_global_init.3: Add Windows-specific info for init via DLL
- In addition to NTLM, use Kerberos and SPNEGO as proxies to the crypto
- feature.
+ - Add to both curl_global_init.3 and libcurl.3 the caveat for Windows
+ that initializing libcurl via a DLL's DllMain or static initializer
+ could cause a deadlock.
- ...and converted tab characters, from commit 4b4e8a5853, to spaces.
+ Bug: https://github.com/bagder/curl/issues/586
+ Reported-by: marc-groundctl@users.noreply.github.com
-- runtests.pl: Added support for SPNEGO
+Daniel Stenberg (4 Jan 2016)
+- FAQ: clarify who to mail about ECCN clarifications
-- runtests.pl: Added Kerberos detection
+- progressfunc.c: spellfix description
-- runtests.pl: Added GSS-API detection
+- docs/examples/multi-app.c: fix bad desc formatting
-- FILEFORMAT: Added SSPI, GSS-API and Kerberos to the features list
+- examples: added descriptions
-- FILEFORMAT: Added test requires feature not present information
-
- Such as !SSPI as we do for the NTLM and Digest tests.
+- example/simple.c: add description
-Daniel Stenberg (20 Nov 2014)
-- http.c: log if it notices HTTP 1.1 after a upgrade to http2
+- getredirect.c: a new example
-- test1801: first real http2 test case
+Marc Hoersken (27 Dec 2015)
+- RELEASE-NOTES: add 5e0e81a9c4e35f04ca
-- sws: initial tiny steps toward http2 support
+Daniel Stenberg (26 Dec 2015)
+- RELEASE-NOTES: synced with 2aec4359db1088b10d
-- FILEFORMAT: mention the new upgrade support
+Marc Hoersken (26 Dec 2015)
+- test 1515: add data check
-- test1800: first plain-text http2 test case
+- test 1515: add MSYS support by passing a relative path
- Verifies the upgrade request, but gets a plain 1.1 response
-
-- [Tatsuhiro Tsujikawa brought this change]
+ MSYS would otherwise turn a /-style path into a C:\-style path.
- http: Disable pipelining for HTTP/2 and upgraded connections
+- test 539: use datacheck mode text for ASCII-mode LISTings
- This commit disables pipelining for HTTP/2 or upgraded connections. For
- HTTP/2, we do not support multiplexing. In general, requests cannot be
- pipelined in an upgraded connection, since it is now different protocol.
+ While still using datacheck mode binary for the inline reply data.
-- [Brad Harder brought this change]
+- runtests.pl: check up to 5 data parts with different text modes
+
+ Move the text-mode conversion for reply/replycheck from the verify
+ section into the load section and add support for 4 more check parts.
- CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option
+Daniel Stenberg (24 Dec 2015)
+- CURLOPT_RANGE: for HTTP servers, range support is optional
-Steve Holme (19 Nov 2014)
-- multi-uv.c: Updated for curl coding standards
+Marc Hoersken (24 Dec 2015)
+- tests 1048 and 1050: use datacheck mode text for ASCII-mode LISTings
-- conncache: Fixed specifiers in infof() for long and size_t variables
+- tests 706 and 707: use datacheck mode text for ASCII-mode LISTings
-- [Peter Wu brought this change]
+- tests 400,403,406: use datacheck mode text for ASCII-mode LISTings
- cmake: add Kerberos to the supported features
+- sockfilt.c: fix calculation of sleep timeout on Windows
- Updated following commit eda919f and a4b7f71.
+ Not converting to double caused small timeouts to be skipped.
+
+- tests first.c: fix calculation of sleep timeout on Windows
- Acked-by: Brad King <brad.king@kitware.com>
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Not converting to double caused small timeouts to be skipped.
-- [Peter Wu brought this change]
+- test 573: add more debug output
- cmake: fix NTLM detection when CURL_DISABLE_HTTP defined
+- ftplistparser.c: fix handling of file LISTings using Windows EOL
- Updated following changes in commit f0d860d.
+ Previously file.txt[CR][LF] would have been returned as file.tx
+ (without the last t) if filetype is symlink. Now the t is
+ included and the internal item_length includes the zero byte.
- Acked-by: Brad King <brad.king@kitware.com>
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-Daniel Stenberg (19 Nov 2014)
-- RELEASE-NOTES: synced with cb13fad733e
-
-- [Jay Satiro brought this change]
+ Spotted using test 576 on Windows.
- examples: Wait recommended 100ms when no file descriptors are ready
-
- Prior to this change when no file descriptors were ready on platforms
- other than Windows the multi examples would sleep whatever was in
- timeout, which may or may not have been less than the minimum
- recommended value [1] of 100ms.
+- test 16: fix on Linux (and Windows) by using plain ASCII characters
- [1]: http://curl.haxx.se/libcurl/c/curl_multi_fdset.html
+ Follow up on b064ff0c351bb287557228575ef4c1d079b866fb, thanks Daniel.
-- [Waldek Kozba brought this change]
+- tftpd server: add Windows support by writing files in binary mode
- multi-uv.c: close the file handle after download
+- tests 252-255: use datacheck mode text for ASCII-mode LISTings
-- [Jon Spencer brought this change]
+- test 16: fix on Windows by converting data file from ANSI to UTF-8
- multi: inform about closed sockets before they are closed
+Daniel Stenberg (23 Dec 2015)
+- Makefile.inc: s/curl_SOURCES/CURL_FILES
- When the connection code decides to close a socket it informs the multi
- system via the Curl_multi_closed function. The multi system may, in
- turn, invoke the CURLMOPT_SOCKETFUNCTION function with
- CURL_POLL_REMOVE. This happens after the socket has already been
- closed. Reorder the code so that CURL_POLL_REMOVE is called before the
- socket is closed.
-
-Guenter Knauf (19 Nov 2014)
-- build: in Makefile.m32 moved target autodetection.
+ This allows the root Makefile.am to include the Makefile.inc without
+ causing automake to warn on it (variables named *_SOURCES are
+ magic). curl_SOURCES is then instead assigned properly in
+ src/Makefile.am only.
- Moved target autodetection block after defining CC macro.
+ Closes #577
-- build: in Makefile.m32 simplify platform flags.
+- [Anders Bakken brought this change]
-- build: in Makefile.m32 try to detect 64bit target.
+ ConnectionExists: with *PIPEWAIT, wait for connections
+
+ Try harder to prevent libcurl from opening up an additional socket when
+ CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
+ handshakes complete first before the decision is made.
+
+ Closes #575
-Daniel Stenberg (19 Nov 2014)
-- [Brad King brought this change]
+- [Anders Bakken brought this change]
- CMake: Simplify if() conditions on check result variables
+ Add .dir-locals and set c-basic-offset to 2.
- Remove use of an old hack that takes advantage of the auto-dereference
- behavior of the if() command to detect if a variable is defined. The
- hack has the form:
+ This makes it easier for emacs users to automatically get the right
+ 2-space indentation when they edit curl source files.
- if("${VAR} MATCHES "^${VAR}$")
+ c++-mode is in there as well because Emacs can't easily know if
+ something is a C or C++ header.
- where "${VAR}" is a macro argument reference. Use if(DEFINED) instead.
- This also avoids warnings for CMake Policy CMP0054 in CMake 3.1.
+ Closes #574
-- TODO-RELEASE: removed
+- [Johannes Schindelin brought this change]
-- [Carlo Wood brought this change]
-
- debug: added new connection cache output, plus fixups
-
- Debug output 'typo' fix.
+ configure: detect IPv6 support on Windows
- Don't print an extra "0x" in
- * Pipe broke: handle 0x0x2546d88, url = /
+ This patch was "nicked" from the MINGW-packages project by Daniel.
- Add debug output.
- Print the number of connections in the connection cache when
- adding one, and not only when one is removed.
-
- Fix typos in comments.
+ https://github.com/Alexpux/MINGW-packages/commit/9253d0bf58a1486e91f7efb5316e7fdb48fa4007
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- multi: move the ending condition into the loop as well
+- configure: allow static builds on mingw
- ... as it was before I changed the loop in commit e04ccbd50. It caused
- test 2030 and 2032 to fail.
-
-Steve Holme (18 Nov 2014)
-- multi: Prefer we don't use CURLE_OK and NULL in comparisons
-
-Daniel Stenberg (18 Nov 2014)
-- multi_runsingle: use 'result' for local CURLcode storage
+ This patch is adopted from the MINGW-packages project. It makes it
+ possible to build curl both shared and static again.
- ... and assign data->result only at the end. Makes the code more compact
- (easier to read) and more similar to other code.
+ URL: https://github.com/Alexpux/MINGW-packages/tree/master/mingw-w64-curl
-- multi_runsingle: rename result to rc
-
- save 'result' for CURLcode types
+Marc Hoersken (17 Dec 2015)
+- test 1326: fix file check since curl is outputting binary data
-- multi: make multi_runsingle loop internally
+- test 1326: fix getting stuck on Windows due to incomplete request
- simplifies the use of this function at little cost.
+ The request needs to be read and send in binary mode in order to use
+ CRLF instead of LF. Adding --upload-file - causes curl to read stdin
+ in binary mode.
-- [Carlo Wood brought this change]
+Daniel Stenberg (17 Dec 2015)
+- RELEASE-NOTES: command line option recount
- multi: when leaving for timeout, close accordingly
-
- Fixes the problem when a transfer in a pipeline times out.
+Dan Fandrich (16 Dec 2015)
+- scripts/Makefile: build zsh script even in an out-of-tree build
-Guenter Knauf (18 Nov 2014)
-- build: in Makefile.m32 add -m32 flag for 32bit.
+Marc Hoersken (16 Dec 2015)
+- sockfilt.c: added some debug output to select_ws
-- mk-ca-bundle.vbs: update copyright year.
+- sockfilt.c: keep lines shorter than 80 chars
-- build: in Makefile.m32 pass -F flag to windres.
+- sockfilt.c: do not wait on unreliable file or pipe handle
+
+ The previous implementation caused issues on modern MSYS2 runtimes.
-Steve Holme (17 Nov 2014)
-- config-win32: Fixed build targets for the VS2012+ Windows XP toolset
+Daniel Stenberg (16 Dec 2015)
+- cyassl: deal with lack of *get_peer_certificate
+
+ The function is only present in wolfssl/cyassl if it was built with
+ --enable-opensslextra. With these checks added, pinning support is disabled
+ unless the TLS lib has that function available.
+
+ Also fix the mistake in configure that checks for the wrong lib name.
- Even though commit 23e70e1cc6 mentioned the v110_xp toolset, I had
- forgotten to include the relevant pre-processor definitions.
+ Closes #566
-- sasl_sspi: Removed note about the NTLM functions being a wrapper
+- wolfssl: handle builds without SSLv3 support
-- connect.c: Fixed compilation warning when no verbose string support
-
- warning: unused parameter 'reason'
+- [Tatsuhiro Tsujikawa brought this change]
-- easy.c: Fixed compilation warning when no verbose string support
+ http2: Support trailer fields
- warning: unused parameter 'easy'
-
-- win32: Updated some legacy APIs to use the newer extended versions
+ This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked
+ encoding must be used to send trialer fields. HTTP/2 deprecated any
+ trandfer-encoding, including chunked. But trailer fields are now
+ always available.
- Updated the usage of some legacy APIs, that are preventing curl from
- compiling for Windows Store and Windows Phone build targets.
+ Since trailer fields are relatively rare these days (gRPC uses them
+ extensively though), allocating buffer for trailer fields is done when
+ we detect that HEADERS frame containing trailer fields is started. We
+ use Curl_add_buffer_* functions to buffer all trailers, just like we
+ do for regular header fields. And then deliver them when stream is
+ closed. We have to be careful here so that all data are delivered to
+ upper layer before sending trailers to the application.
- Suggested-by: Stefan Neis
- Feature: http://sourceforge.net/p/curl/feature-requests/82/
-
-- config-win32: Introduce build targets for VS2012+
+ We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE
+ mechanism, but current method is far more simple.
- Visual Studio 2012 introduced support for Windows Store apps as well as
- supporting Windows Phone 8. Introduced build targets that allow more
- modern APIs to be used as certain legacy ones are not available on these
- new platforms.
+ Another possibility is use chunked encoding internally for HTTP/2
+ traffic. I have not tested it, but it could add another overhead.
+
+ Closes #564
-- sasl_sspi: Fixed compilation warnings when no verbose string support
+- RELEASE-NOTES: synced with 6c2c019654e658a
-- sasl_sspi: Added base64 decoding debug failure messages
+Jay Satiro (15 Dec 2015)
+- x509asn1: Fix host altname verification
+
+ - In Curl_verifyhost check all altnames in the certificate.
- Just like in the NTLM code, added infof() failure messages for
- DIGEST-MD5 and GSSAPI authentication when base64 decoding fails.
+ Prior to this change only the first altname was checked. Only the GSKit
+ SSL backend was affected by this bug.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
+ Reported-by: John Kohl
-- ntlm: Moved the SSPI based Type-3 message generation into the SASL module
+Daniel Stenberg (15 Dec 2015)
+- curl --expect100-timeout: added
+
+ This is the new command line option to set the value for the existing
+ libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
-- ntlm: Moved the SSPI based Type-2 message decoding into the SASL module
+- cyassl: fix compiler warning on type conversion
-- ntlm: Moved the SSPI based Type-1 message generation into the SASL module
+- curlver: the pending release will become 7.47.0
-- [Michael Osipov brought this change]
+- [Anders Bakken brought this change]
- kerberos: Use symbol qualified with _KERBEROS5
+ setstropt: const-correctness
- For consistency renamed USE_KRB5 to USE_KERBEROS5.
+ Closes #565
-Daniel Stenberg (15 Nov 2014)
-- [Jay Satiro brought this change]
+- ROADMAP: implemented HTTP2 for HTTPS-only
- examples: Don't call select() to sleep on windows
-
- Windows does not support using select() for sleeping without a dummy
- socket. Instead use Windows' Sleep() and sleep for 100ms which is the
- minimum suggested value in the curl_multi_fdset() doc.
-
- Prior to this change the multi examples would exit prematurely since
- select() would error instead of sleeping when called without an fd.
-
- Reported-by: Johan Lantz
- Bug: http://curl.haxx.se/mail/lib-2014-11/0221.html
+- HTTP2.md: spell fix and remove TODO now implemented
-- [Tatsuhiro Tsujikawa brought this change]
+- libressl: the latest openssl x509 funcs are not in libressl
- http2: Don't send Upgrade headers when we already do HTTP/2
+- curl: use 2TLS by default
+
+ Make this the default for the curl tool (if built with HTTP/2 powers
+ enabled) unless a specific HTTP version is requested on the command
+ line.
+
+ This should allow more users to get HTTP/2 powers without having to
+ change anything.
-Steve Holme (15 Nov 2014)
-- sasl: Corrected Curl_sasl_build_spn() function description
+- http: add libcurl option to allow HTTP/2 for HTTPS only
- There was a mismatch in function parameter names.
+ ... and stick to 1.1 for HTTP. This is in line with what browsers do and
+ should have very little risk.
-- tool: Removed krb4 from the supported features
+- openssl: adapt to openssl >= 1.1.0 X509 opaque structs
- Although libcurl would never return CURL_VERSION_KERBEROS4 after 7.33,
- so would not be output with --version, removed krb4 from the supported
- features output.
+ Closes #491
-- [Michael Osipov brought this change]
+- openssl: avoid BIO_reset() warnings since it returns a value
+
+- openssl: adapt to 1.1.0+ name changes
- tool: Use Kerberos for supported features
+- scripts/makefile: add standard header
-- urldata: Don't define sec_complete when no GSS-API support present
+- scripts/Makefile: fix GNUism and survive no perl
- This variable is only used with HAVE_GSSAPI is defined by the FTP code
- so let's place the definition with the other GSS-API based variables.
+ Closes #555
+
+ Reported-by: Thomas Klausner
-- [Michael Osipov brought this change]
+- fix b6d5cb40d7038fe
- docs: Use consistent naming for Kerberos
+- [Tatsuhiro Tsujikawa brought this change]
-- TODO: Lets support QOP options in GSSAPI authentication
+ http2: Fix hanging paused stream
+
+ When NGHTTP2_ERR_PAUSE is returned from data_source_read_callback, we
+ might not process DATA frame fully. Calling nghttp2_session_mem_recv()
+ again will continue to process DATA frame, but if there is no incoming
+ frames, then we have to call it again with 0-length data. Without this,
+ on_stream_close callback will not be called, and stream could be hanged.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0103.html
+ Reported-by: Francisco Moraes
-- sasl_sspi: Corrected a couple of comment typos
+- [Christian Stewart brought this change]
-- sasl: Moved Curl_sasl_gssapi_cleanup() definition into header file
+ build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
- Rather than define the function as extern in the source files that use
- it, moved the function declaration into the SASL header file just like
- the Digest and NTLM clean-up functions.
+ With curl disable verbose strings in http.c the compilation fails due to
+ the data variable being undefined later on in the function.
- Additionally, added a function description comment block.
+ Closes #558
+
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
-- sasl_sspi: Added missing RFC reference for HTTP Digest authentication
+ config-win32: Fix warning HAVE_WINSOCK2_H undefined
-- ntlm: Clean-up and standardisation of base64 decoding
+- [Gisle Vanem brought this change]
-- ntlm: We prefer 'CURLcode result'
+ openssl: BoringSSL doesn't have CONF_modules_free
-Daniel Stenberg (13 Nov 2014)
-- [Brad King brought this change]
+- [Gisle Vanem brought this change]
- CMake: Restore order-dependent library checks
+ lwip: Fix compatibility issues with later versions
- Revert commit 2257deb502 (Cmake: Avoid cycle directory dependencies,
- 2014-08-22) and add a comment explaining the purpose of the original
- code.
+ The name of the header guard in lwIP's <lwip/opt.h> has changed from
+ '__LWIP_OPT_H__' to 'LWIP_HDR_OPT_H' (bug #35874 in May 2015).
- The check_library_exists_concat macro is intended to be called multiple
- times on a sequence of possibly dependent libraries. Later libraries
- may depend on earlier libraries when they are static. They cannot be
- safely linked in reverse order on some platforms.
+ Other fixes:
- Signed-off-by: Brad King <brad.king@kitware.com>
-
-- [Brad King brought this change]
-
- CMake: Restore order-dependent header checks
+ - In curl_setup.h, the problem with an old PSDK doesn't apply if lwIP is
+ used.
- Revert commit 1269df2e3b (Cmake: Don't check for all headers each
- time, 2014-08-15) and add a comment explaining the purpose of the
- original code.
+ - In memdebug.h, the 'socket' should be undefined first due to lwIP's
+ lwip_socket() macro.
- The check_include_file_concat macro is intended to be called multiple
- times on a sequence of possibly dependent headers. Later headers
- may depend on earlier headers to provide declarations. They cannot
- be safely included independently on some platforms.
+ - In curl_addrinfo.c lwIP's getaddrinfo() + freeaddrinfo() macros need
+ special handling because they were undef'ed in memdebug.h.
- For example, many POSIX APIs document including sys/types.h before some
- other headers. Also on some OS X versions sys/socket.h must be included
- before net/if.h or the check for the latter will fail.
+ - In select.c we can't use preprocessor conditionals inside select if
+ MSVC and select is a macro, as it is with lwIP.
- Signed-off-by: Brad King <brad.king@kitware.com>
+ http://curl.haxx.se/mail/lib-2015-12/0023.html
+ http://curl.haxx.se/mail/lib-2015-12/0024.html
+
+Patrick Monnerat (7 Dec 2015)
+- os400: define CURL_VERSION_PSL in ILE/RPG binding
-- [Peter Wu brought this change]
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
+
+ version: Add flag CURL_VERSION_PSL for libpsl
- test22: expand a backtick command
+- formdata: Check if length is too large for memory
- This is the only user of the backtick operator in the command. As the
- commands will soon not be executed by a shell anymore (but by perl),
- replace the command with its output.
+ - If the size of the length type (curl_off_t) is greater than the size
+ of the size_t type then check before allocating memory to make sure the
+ value of length will fit in a size_t without overflow. If it doesn't
+ then return CURLE_BAD_FUNCTION_ARGUMENT.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
+ Reported-by: Steve Holme
-- RELEASE-NOTES: synced with 2ee3c63b13
+Steve Holme (3 Dec 2015)
+- tests: Corrected copy and pasted comments from commit e643c5c908
-- http2: fix switched macro when http2 is not enabled
+Daniel Stenberg (3 Dec 2015)
+- curl: remove keepalive #ifdef checks done on libcurl's behalf
+
+ They didn't match the ifdef logic used within libcurl anyway so they
+ could indeed warn for the wrong case - plus the tool cannot know how the
+ lib actually performs at that level.
-- [Tatsuhiro Tsujikawa brought this change]
+Steve Holme (2 Dec 2015)
+- test947: Corrected typo in test name
- http2: Deal with HTTP/2 data inside response header buffer
+- tests: Disable the OAUTHBEARER tests when using a non-default port number
- Previously if HTTP/2 traffic is appended to HTTP Upgrade response header
- (thus they are in the same buffer), the trailing HTTP/2 traffic is not
- processed and lost. The appended data is most likely SETTINGS frame.
- If it is lost, nghttp2 library complains server does not obey the HTTP/2
- protocol and issues GOAWAY frame and curl eventually drops connection.
- This commit fixes this problem and now trailing data is processed.
-
-Steve Holme (11 Nov 2014)
-- configure: Fixed inclusion of krb5 when CURL_DISABLE_CRYPTO_AUTH is defined
+ Tests 842, 843, 844, 845, 887, 888, 889, 890, 946, 947, 948 and 949 fail
+ if a custom port number is specified via the -b option of runtests.pl.
- Commit fe0f8967bf fixed a problem with krb5 not being defined as a
- supported feature when HAVE_GSSAPI is defined, however, it should
- only be included if CURL_DISABLE_CRYPTO_AUTH is not set, like when
- SPNEGO is listed as a feature.
+ Suggested by: Kamil Dudka
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0003.html
-Daniel Stenberg (10 Nov 2014)
-- multi: removed Curl_multi_set_easy_connection
-
- It isn't used anywhere!
+Daniel Stenberg (2 Dec 2015)
+- bump: towards next release
- Reported-by: Carlo Wood
+ for all we know now, it might be called 7.46.1
-- [Peter Wu brought this change]
+Version 7.46.0 (1 Dec 2015)
- symbol-scan.pl: do not require autotools
-
- Makes test1119 pass when building with cmake.
-
- configurehelp.pm is generated by configure (autotools). As cmake does
- not provide a separate variable for the C preprocessor, default to cpp.
- Before commit ef24ecde68a5f577a7f0f423a767620f09a0ab16 ("symbol-scan:
- use configure script knowledge about how to run the C preprocessor"),
- this tool would also use 'cpp'.
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+Daniel Stenberg (1 Dec 2015)
+- RELEASE-NOTES: updated contributor count for 7.46.0
-- [Peter Wu brought this change]
+- THANKS: new contributors from the 7.46.0 release
- cmake: add ENABLE_THREADED_RESOLVER, rename ARES
-
- Fix detection of the AsynchDNS feature which not just depends on
- pthreads support, but also on whether USE_POSIX_THREADS is set or not.
- Caught by test 1014.
-
- This patch adds a new ENABLE_THREADED_RESOLVER option (corresponding to
- --enable-threaded-resolver of autotools) which also needs a check for
- HAVE_PTHREAD_H.
-
- For symmetry with autotools, CURL_USE_ARES is renamed to ENABLE_ARES
- (--enable-ares). Checks that test for the availability actually use
- USE_ARES instead as that is the result of whether a-res is available or
- not (in practice this does not matter as CARES is marked as required
- package, but nevertheless it is better to write the intent).
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+- THANKS-filter: single Tim Rühsen spelling
-- [Peter Wu brought this change]
+- docs/examples: gitignore some more built examples
- cmake: build libhostname for test suite
-
- Used by some test cases via LD_PRELOAD in order to fake the host name.
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+- RELEASE-NOTES; this bug was never released
-- [Peter Wu brought this change]
+- RELEASE-NOTES: synced with e55f15454efacb0
- cmake: fix HAVE_GETHOSTNAME definition
-
- Otherwise Curl_gethostname always fails. Windows has gethostname
- since Vista according to
- http://msdn.microsoft.com/en-us/library/ms738527%28VS.85%29.aspx, but
- accordings to byte_bucket's VC 2005 documentation, it is available even
- in Windows 95. (possibly after installing a Platform SDK, the
- Windows Server 2003 SP1 Platform SDK should be sufficient).
+- [Flavio Medeiros brought this change]
+
+ Curl_read_plain: clean up ifdefs that break statements
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #546
-- [Peter Wu brought this change]
+- http2: convert some verbose output into debug-only output
- tests: fix libhostname visibility
+- http2 push: add missing inits of new stream
- I noticed that a patched cmake build would pass tests with a fake local
- hostname, but the autotools build skips them:
+ - set the correct stream_id for pushed streams
+ - init maxdownload and size properly
+
+- http2 push: set weight for new stream
- got unexpected host name back, LD_PRELOAD failed
+ give the new stream the old one's stream_weight internally to avoid
+ sending a PRIORITY frame unless asked for it
+
+- curl_setup.h: undef freeaddrinfo in c-ares block to fix build
- It turns out that -fvisibility=hidden hides the symbol, and since the
- tests are not part of libcurl, it fails too. Just remove the LIBCURL
- guard.
+ Fixes warnings 78c25c854a added.
+
+- nonblock: fix setting non-blocking mode for Amiga
- Broken since cURL 7.30 (commit 83a42ee20ea7fc25abb61c0b7ef56ebe712d7093,
- "curl.h: stricter CURL_EXTERN linkage decorations logic").
+ IoctlSocket() apparently wants a pointer to a long, passed as a char *
+ in its third parameter. This bug was introduced already back in commit
+ c5fdeef41d from October 1 2001!
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0088.html
+ Reported-by: Norbert Kett
- tests: fix memleak in server/resolve.c
+- zsh install: fix DESTDIR support
- This makes LeakSanitizer happy.
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reported-by: Mohammad AlSaleh
+
+Dan Fandrich (27 Nov 2015)
+- lib: Only define curl_dofreeaddrinfo if struct addrinfo is available
-- configure: assume krb5 when gss-api works
+Steve Holme (27 Nov 2015)
+- tool_paramhlp: Fixed display of URL index in password prompt for --next
- To please test 1014 while we work out if this is truly the a correct
- assumption.
+ Commit f3bae6ed73 added the URL index to the password prompt when using
+ --next. Unfortunately, because the size_t specifier (%zu) is not
+ supported by all sprintf() implementations we use the curl_off_t format
+ specifier instead. The display of an incorrect value arises on platforms
+ where size_t and curl_off_t are of a different size.
-Steve Holme (9 Nov 2014)
-- vtls.h: Fixed compiler warning when compiled without SSL
+Daniel Stenberg (25 Nov 2015)
+- timecond: do not add if-modified-since without timecondition
- vtls.c:185:46: warning: unused parameter 'data'
+ The RTSP code path didn't skip adding the if-modified-since for certain
+ RTSP code paths, even if CURLOPT_TIMECONDITION was set to
+ CURL_TIMECOND_NONE.
+
+ Also, an unknown non-zero CURLOPT_TIMECONDITION value no longer equals
+ CURL_TIMECOND_IFMODSINCE.
+
+ Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header
-- RELEASE-NOTES: Synced with 2fbf23875f
+- RELEASE-NOTES: synced with 99d17a5e2ba77e58
-- ntlm: Added separate SSPI based functions
+- examples/README: cut out the incomplete list
- In preparation for moving the NTLM message code into the SASL module,
- and separating the native code from the SSPI code, added functions that
- simply call the functions in curl_ntlm_msg.c.
+ ... and add a generic explanation for them instead. Each example file
+ should contain its own description these days.
+
+- test1513: make sure the callback is only called once
+
+- [Daniel Shahaf brought this change]
-- http_ntlm: Use the SASL functions instead
+ build: Install zsh completion
- In preparation for moving the NTLM message code into the SASL module
- use the SASL functions in the HTTP code instead.
+ Fixes #534
+ Closes #537
-Daniel Stenberg (9 Nov 2014)
-- libssh2: detect features based on version, not configure checks
+- done: make sure the final progress update is made
- ... so that non-configure builds get the correct functions too based on
- the libssh2 version used.
+ It would previously be skipped if an existing error was returned, but
+ would lead to a previous value being left there and later used.
+ CURLINFO_TOTAL_TIME for example.
+
+ Still it avoids that final progress update if we reached DONE as the
+ result of a callback abort to avoid another callback to be called after
+ an abort-by-callback.
+
+ Reported-by: Lukas Ruzicka
+
+ Closes #538
-- [Nobuhiro Ban brought this change]
+- curl: expanded the -XHEAD warning text
+
+ ... to also mention the specific options used.
- SSH: use the port number as well for known_known checks
+- Revert "cleanup: general removal of TODO (and similar) comments"
- ... if the libssh2 version is new enough.
+ This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1448
+ Feedback-by: Dan Fandrich
+ URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
-Steve Holme (9 Nov 2014)
-- INSTALL: Updated pre-processor references to the old VC6 project files
+- CURLOPT_HEADERFUNCTION.3: fix typo
- Reworked the two sections that discuss modifying the Visual Studio pre-
- processor settings, and vc6libcurl.dsw/vc6libcurl.dsp, to remove the
- project files references as they have been superseded by a more thorough
- set of project files for VC6 through VC12, but to also give the correct
- reference to this setting in later versions of Visual Studio.
+ Refer to _HEADERDATA not _WRITEDATA.
+
+ Reported-by: Michał Piechowski
-- INSTALL: Added email protocols to the "Disabling in Win32 builds" section
+- TODO: TCP Fast Open
-- configure: Fixed NTLM missing from features when CURL_DISABLE_HTTP defined
+Steve Holme (22 Nov 2015)
+- examples: Added website parse-able descriptions to the e-mail examples
-- build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined
-
- USE_NTLM would only be defined if: HTTP support was enabled, NTLM and
- cryptography weren't disabled, and either a supporting cryptography
- library or Windows SSPI was being compiled against.
-
- This means it was not possible to build libcurl without HTTP support
- and use NTLM for other protocols such as IMAP, POP3 and SMTP. Rather
- than introduce a new SASL pre-processor definition, removed the HTTP
- prerequisite just like USE_SPNEGO and USE_KRB5.
+- TODO: Added another 'multi-interface' idea
+
+- smb.c: Fixed compilation warnings
- Note: Winbind support still needs to be dependent on CURL_DISABLE_HTTP
- as it is only available to HTTP at present.
+ smb.c:134:3: warning: conversion to 'short unsigned int' from 'int' may
+ alter its value
+ smb.c:146:42: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
+ smb.c:146:65: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
+
+- schannel: Corrected copy/paste error in commit 8d17117683
+
+- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
- This bug dates back to August 2011 when I started to add support for
- NTLM to SMTP.
+ Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
-- ntlm: Removed an unnecessary free of native Target Info
+- examples: Fixed compilation warnings
- Due to commit 40ee1ba0dc the free in Curl_ntlm_decode_type2_target() is
- longer required.
+ pop3-multi.c:96:5: warning: implicit declaration of function 'memset'
+ imap-multi.c:96:5: warning: implicit declaration of function 'memset'
+ http2-download.c:226:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
-- ntlm: Moved the native Target Info clean-up from HTTP specific function
+- Makefile.inc: Fixed test run error
+
+ test845 not present in tests/data/Makefile.inc
-- ntlm: Moved SSPI clean-up code into SASL module
+Daniel Stenberg (20 Nov 2015)
+- TODO: remove duplicated title
-- Makefile.dist: Added support for WinIDN
+- TODO: added two more libcurl ideas
+
+ Moved some ideas from "next major" to just ordinary ideas since we can
+ always add new things while keeping the old without doing a "next
+ major".
-- Makefile.vc6: Added support for WinIDN
+Steve Holme (20 Nov 2015)
+- tests: Re-enabled tests 889 and 890 following POP3 fix
-- Makefile.dist: Added some missing SSPI configurations
+- pop3: Differentiate between success and continuation responses
-- Makefile.dist: Separated the groups of SSL configurations from each other
+- pop3: Added clarity on some server response codes
-- Makefile.dist: Grouped the x64 configurations next to their x86 counterparts
+Daniel Stenberg (20 Nov 2015)
+- [Daniel Shahaf brought this change]
-- curl.h: Tidy up of CURL_VERSION_* flags
+ build: Fix theoretical infinite loops
- As the list has gotten a little messy and hard to read, especially with
- the introduction of deprecated items, aligned the values and comments
- into clean columns and reworked some of the comments in the process.
-
-- curl_tool: Added krb5 to the supported features
+ Add error-checking to 'cd' in a few cases where omitting the checks
+ might result in an infinite loop.
+
+ Closes #535
-- configure: Added krb5 to the supported features
+Patrick Monnerat (19 Nov 2015)
+- curl.h: s/#defien/#define/
-- version info: Added Kerberos V5 to the supported features
+- os400: synchronize ILE/RPG header file
-Guenter Knauf (7 Nov 2014)
-- mk-ca-bundle.vbs: switch to new certdata.txt url.
+- os400: Provide options for libssh2 use in compile scripts. Adjust README.
-Steve Holme (7 Nov 2014)
-- RELEASE-NOTES: Synced with dcad09e125
+Daniel Stenberg (19 Nov 2015)
+- [danielsh@apache.org brought this change]
-- http_digest: Fixed some memory leaks introduced in commit 6f8d8131b1
+ zsh completion: Preserve single quotes in output
- Fixed a couple of memory leaks as a result of moving code that used to
- populate allocuserpwd and relied on it's clean up.
+ When an option's help string contains literal single quotes, those
+ single quotes would be stripped from the option's description in the
+ completion output (unless the zsh RC_QUOTES option were set while the
+ completion function was being sourced, which is not the default). This
+ patch makes the completion output contain single quotes where the --help
+ output does.
+
+ Closes #532
-- docs: Updated following the addition of SSPI based HTTP digest auth
+Jay Satiro (18 Nov 2015)
+- [MaxGiting brought this change]
-- sasl_sspi: Tidy up of the existing digest code
+ FAQ: Grammar changes
- Following the addition of SSPI support for HTTP digest, synchronised
- elements of the email digest code with that of the new HTTP code.
+ Closes https://github.com/bagder/curl/pull/533
-- http_digest: Post SSPI support tidy up
+Daniel Stenberg (17 Nov 2015)
+- http2: http_done: don't free already-freed push headers
+
+ The push headers are freed after the push callback has been invoked,
+ meaning this code should only free the headers if the callback was never
+ invoked and thus the headers weren't freed at that time.
- Post tidy up to ensure commonality of code style and variable names.
+ Reported-by: Davey Shafik
-Dan Fandrich (6 Nov 2014)
-- test552: Don't run HTTP digest tests for SSPI based builds
+- [Anders Bakken brought this change]
+
+ getconnectinfo: Don't call recv(2) if socket == -1
- Technical difficulties prevented this from going into the
- previous commit.
+ Closes #528
-Steve Holme (6 Nov 2014)
-- tests: Don't run HTTP digest tests for SSPI based builds
+- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
- Added !SSPI to the features list of the HTTP digest tests, as SSPI
- based builds now use the Windows SSPI messaging API rather than the
- internal functions, and we can't control the random numbers that get
- used as part of the digest.
+ ... if there are more than one using the same name
-Daniel Stenberg (6 Nov 2014)
-- curl.1: show zone index use in a URL
+- http2: minor comment typo
-Steve Holme (6 Nov 2014)
-- http_digest: Fixed auth retry loop when SSPI based authentication fails
+- sasl; fix checksrc warnings
-- http_digest: Reworked the SSPI based input token storage
-
- Reworked the input token (challenge message) storage as what is passed
- to the buf and desc in the response generation are typically blobs of
- data rather than strings, so this is more in keeping with other areas
- of the SSPI code, such as the NTLM message functions.
+Steve Holme (15 Nov 2015)
+- RELEASE-NOTES: Adjusted for the recent OAuth 2.0 activity
-- sasl_sspi: Fixed compilation warning from commit 2d2a62e3d9
+- tests: Disabled 889 and 890 until we support POP3 continuation responses
- Added void reference to unused 'data' parameter back to fix compilation
- warning.
+ As POP3 final and continuation responses both begin with a + character,
+ and both the finalcode and contcode variables in SASLprotoc are set as
+ such, we cannot tell the difference between them when we are expecting
+ an optional continuation from the server such as the following:
+
+ + something else from the server
+ +OK final response
+
+ Disabled these tests until such a time we can tell the responses apart.
-- sspi: Align definition values to even columns as we use 2 char spacing
+- tests: Corrected typos from commit ba4d8f7eba
-- sspi: Fixed missing definition of ISC_REQ_USE_HTTP_STYLE
-
- Some versions of Microsoft's sspi.h don't define this.
+- tests: Added OAUTHBEARER failure response tests
-- sasl: Removed non-SSPI Digest functions and defines from SSPI based builds
+- oauth2: Support OAUTHBEARER failures sent as continuation responses
+
+ According to RFC7628 a failure message may be sent by the server in a
+ base64 encoded JSON string as a continuation response.
- Introduced in commit 7e6d51a73c these functions and definitions are only
- required by the internal challenge-response functions now.
+ Currently only implemented for OAUTHBEARER and not XAUTH2.
-- sasl_sspi: Added HTTP digest response generation code
+Daniel Stenberg (15 Nov 2015)
+- RELEASE-NOTES: synced with 808a17ee675
-- http_digest: Added SSPI based challenge decoding code
+Steve Holme (14 Nov 2015)
+- tests: Renamed existing OAuth 2.0 (XOAUTH) tests
-- http_digest: Added SSPI based clean-up code
+- tests: Added OAuth 2.0 (OAUTHBEARER) tests
-- http_digest: Added SSPI based authentication functions
+- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
- This temporarily breaks HTTP digest authentication in SSPI based builds,
- causing CURLE_NOT_BUILT_IN to be returned. A follow up commit will
- resume normal operation.
+ OAUTHBEARER is now the official "registered" SASL mechanism name for
+ OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some
+ servers won't support the new mechanism yet.
-- http_digest: Added required SSPI based variables to digest structure
+Daniel Stenberg (13 Nov 2015)
+- RELEASE-NOTES: recounted curl_easy_setopt() options
-Daniel Stenberg (6 Nov 2014)
-- [Frank Gevaerts brought this change]
+- typecheck-gcc.h: add missing slist-using options
+
+ CURLOPT_RESOLVE and CURLOPT_PROXYHEADER were missing
+
+ Also sorted the list.
- contributors.sh: --releasenotes reads in names from RELEASE-NOTES
+- typecheck-gcc.h: added CURLOPT_CLOSESOCKETDATA
- This is very handy when updating the RELEASE-NOTES as then we sometimes
- have names added manually in the existing list and we use this script to
- update the set.
+ ... and sorted curl_is_cb_data_option alphabetically
-- RELEASE-NOTES: synced with 68542e72a9
+Jay Satiro (13 Nov 2015)
+- [Sebastian Pohlschmidt brought this change]
-- curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY
+ openssl: Free modules on cleanup
- Reported-by: Christian Hägele
- Bug: http://curl.haxx.se/mail/lib-2014-11/0078.html
-
-Steve Holme (5 Nov 2014)
-- build: Fixed Visual Studio project file generation of strdup.[c|h]
+ Curl_ossl_init calls OPENSSL_load_builtin_modules() but
+ Curl_ossl_cleanup doesn't make a call to free these modules.
- As the curl command-line tool now includes it's own version of strdup(),
- for platforms that don't have it, fixed up the git respository Visual
- Studio project file generator to not include the version from lib in the
- tool project files, rather than having both lib\strdup.[c|h] and
- src\tool_strdup.[c|h] present.
+ Bug: https://github.com/bagder/curl/issues/526
-Daniel Stenberg (5 Nov 2014)
-- tool_strdup.c: include the tool strdup.h
+Steve Holme (13 Nov 2015)
+- symbols-in-versions: Added new CURLOPTTYPE_STRINGPOINT alias
- ... not the lib/ one that the tool no longer uses!
+ ...following commit aba281e762 to fix test 1119.
-- THANKS-filter: added another Michał Górny version we've used
+Daniel Stenberg (13 Nov 2015)
+- curl: mark two more options strings for --libcurl output
-- contributors.sh: split lists using " and "
+- typecheck-gcc.h: add some missing string types
- ... and require the space after the filtering to make the filter able to
- remove names.
-
-Steve Holme (5 Nov 2014)
-- http_digest: Fixed memory leaks from commit 6f8d8131b1
+ Also sorted that list alphabetically
-- sasl: Fixed compilation warning from commit 25264131e2
+- curl.h: introducing the STRINGPOINT alias
- Added forward declaration of digestdata to overcome the following
- compilation warning:
-
- warning: 'struct digestdata' declared inside parameter list
+ As an alias for OBJECTPOINT. Provided to allow us to grep for all string
+ options easier.
+
+- cleanup: general removal of TODO (and similar) comments
- Additionally made the ntlmdata forward declaration dependent on
- USE_NTLM similar to how digestdata and kerberosdata are.
+ They tend to never get updated anyway so they're frequently inaccurate
+ and we never go back to revisit them anyway. We document issues to work
+ on properly in KNOWN_BUGS and TODO instead.
+
+- ftplistparser: remove empty function
+
+- openssl: remove #if check for 0.9.7 for ENGINE_load_private_key
-- sasl: Fixed HTTP digest challenges with spaces between auth parameters
+- openssl: all supported versions have X509_STORE_set_flags
- Broken as part of the rework, in commit 7e6d51a73c, to assist with the
- addition of HTTP digest via Windows SSPI.
+ Simplify by removing #ifdefs and macros
-- http_digest: Fixed compilation errors from commit 6f8d8131b1
+- openssl: remove 0.9.3 check
+
+- openssl: remove #ifdefs for < 0.9.5 support
- error: invalid operands to binary
- warning: pointer targets in assignment differ in signedness
+ We only support >= 0.9.7
-- http_digest: Moved response generation into SASL module
+- lib/vtls/openssl: remove unused traces of yassl ifdefs
-- http_digest: Moved challenge decoding into SASL module
+Dan Fandrich (12 Nov 2015)
+- [dfandrich brought this change]
-- http_digest: Moved clean-up function into SASL module
+ unit1603: Demote hash mismatch failure to a warning
+
+ The hashes can vary between architectures (e.g. Sparc differs from x86_64).
+ This is not a fatal problem but just reduces the coverage of these white-box
+ tests, as the assumptions about into which hash bucket each key falls are no
+ longer valid.
-- http_digest: Moved algorithm definitions to SASL module
+- [dfandrich brought this change]
-- [Gisle Vanem brought this change]
+ unit1603: Added unit tests for hash functions
- ssh: Fixed build on platforms where R_OK is not defined
-
- Bug: http://curl.haxx.se/mail/lib-2014-11/0035.html
- Reported-by: Jan Ehrhardt
+- [dfandrich brought this change]
-- strdup: Removed irrelevant comment
-
- ...as Curl_memdup() duplicates an area of fix size memory, that may be
- binary, and not a null terminated string.
+ unit1602: Fixed failure in torture test
-- url.c: Fixed compilation warning
+Steve Holme (12 Nov 2015)
+- sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism
- conversion from 'curl_off_t' to 'size_t', possible loss of data
-
-- http_digest: Use CURLcode instead of CURLdigest
+ Following the fix in commit d6d58dd558 it is necessary to re-introduce
+ XOAUTH2 in the default enabled authentication mechanism, which was
+ removed in commit 7b2012f262, otherwise users will have to specify
+ AUTH=XOAUTH2 in the URL.
- To provide consistent behaviour between the various HTTP authentication
- functions use CURLcode based error codes for Curl_input_digest()
- especially as the calling code doesn't use the specific error code just
- that it failed.
+ Note: OAuth 2.0 will only be used when the bearer is specified.
-Daniel Stenberg (5 Nov 2014)
-- contributors.sh: filter common alternative name spellings
-
- docs/THANKS-filter is a new filter file for converting contributor names
- we get or have recorded in alternative formats to the one we already use
- in THANKS. To help us show individual contributors using a single
- presentation of their names.
+- [Stefan Bühler brought this change]
-- THANKS: added missing contributor from 2012
+ sasl_sspi: fix identity memory leak in digest authentication
-- [Frank Gevaerts brought this change]
+- [Stefan Bühler brought this change]
- Remove duplicate names.
+ sasl_sspi: fixed unicode build for digest authentication
- The removed names also appear as:
- Andrés García, François Charlier, Gökhan Şengün, Michał Górny, Sébastien
- Willemijns, Christopher Conroy, John E. Malmberg, Luca Altea, Peter Su,
- S. Moonesamy, Samuel Listopad, Yasuharu Yamada, Karl Moerder
+ Closes #525
-Steve Holme (5 Nov 2014)
-- sspi: Define authentication package name constants
-
- These were previously hard coded, and whilst defined in security.h,
- they may or may not be present in old header files given that these
- defines were never used in the original code.
-
- Not only that, but there appears to be some ambiguity between the ANSI
- and UNICODE NTLM definition name in security.h.
+- oauth2: Re-factored OAuth 2.0 state variable
-Patrick Monnerat (5 Nov 2014)
-- Adjust OS400-specific support to last release
+- sasl: Don't choose OAuth 2.0 if mechanism not advertised
+
+ Regression from commit 9e8ced9890 which meant if --oauth2-bearer was
+ specified but the SASL mechanism wasn't supported by the server then
+ the mechanism would be chosen.
-Daniel Stenberg (5 Nov 2014)
-- THANKS: added two missing names and removed a duplicate
+Daniel Stenberg (12 Nov 2015)
+- runtests: more compact "System characteristics" output
- ./contributors.sh found these extra ones that somehow had fallen
- through the cracks and never gotten added here.
+ - no point in repeating curl features that is already listed as features
+ from the curl -V output
- Reported-by: Frank Gevaerts
+ - remove the port numbers/unix domain path from the output unless
+ verbose is used, as that is rarely interesting to users.
-- bump: towards next release
-
-- THANKS: added names from 7.39.0 release notes
+- runtests: rename conditional curl-features to $has_[name]
-Version 7.39.0 (5 Nov 2014)
+Steve Holme (11 Nov 2015)
+- oauth2: Introduced support for host and port details
+
+ Added support to the OAuth 2.0 message function for host and port, in
+ order to accommodate the official OAUTHBEARER SASL mechanism which is
+ to be added shortly.
-Daniel Stenberg (5 Nov 2014)
-- RELEASE-NOTES: 7.39.0 release (commit b3875606925)
+- curl_setup.h: Removed duplicate CURL_DISABLE_RTSP when HTTP_ONLY defined
-- curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
+- cmake: Add missing feature macros in config header (Part 2)
- When duplicating a handle, the data to post was duplicated using
- strdup() when it could be binary and contain zeroes and it was not even
- zero terminated! This caused read out of bounds crashes/segfaults.
+ In addition to commit a215381c94 added the RTSP, RTMP and SMB protocols.
+
+Daniel Stenberg (10 Nov 2015)
+- [Douglas Creager brought this change]
+
+ cmake: Add missing feature macros in config header
- Since the lib/strdup.c file no longer is easily shared with the curl
- tool with this change, it now uses its own version instead.
+ The curl_config.h file can be generated either from curl_config.h.cmake
+ or curl_config.h.in, depending on whether you're building using CMake or
+ the autotools. The CMake template header doesn't include entries for
+ all of the protocols that you can disable, which (I think) means that
+ you can't actually disable those protocols when building via CMake.
- Bug: http://curl.haxx.se/docs/adv_20141105.html
- CVE: CVE-2014-3707
- Reported-By: Symeon Paraschoudis
+ Closes #523
+
+- [Douglas Creager brought this change]
-- lib544.c: use duphandle for test 545
+ BoringSSL: Work with stricter BIO_get_mem_data()
- To verify that curl_easy_duphandle() works fine on a handle that has
- gotten data stored with *_COPYPOSTFIELDS.
+ BoringSSL implements `BIO_get_mem_data` as a function, instead of a
+ macro, and expects the output pointer to be a `char **`. We have to add
+ an explicit cast to grab the pointer as a `const char **`.
+
+ Closes #524
-- tests: add new feature 'SSLpinning'
+- http2: rectify the http2 version #if check
- ... and make test 2034 and 2035 require it, and have it set when built
- with OpenSSL or GnuTLS.
+ We need 1.0.0 or later. Also verified by configure.
-- buildconf: update copyright year
+Steve Holme (9 Nov 2015)
+- oauth2: Don't use XAUTH2 in OAuth 2.0 function name
-Steve Holme (4 Nov 2014)
-- INSTALL: Consistent spacing in section headings, paragraphs and examples
+- oauth2: Don't use XOAUTH2 in OAuth 2.0 variables
-Daniel Stenberg (4 Nov 2014)
-- buildconf: stop checking for libtool
+- oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
- As we only use libtoolize, only check for that!
-
-Steve Holme (4 Nov 2014)
-- INSTALL: Corrected MIT Kerberos and Heimdal package names
+ When referring to OAuth 2.0 we should use the official name rather the
+ SASL mechanism name.
-- README: Corrected inconsistent use of --help
-
-- INSTALL: Use GSS-API rather than GSSAPI
+Daniel Stenberg (9 Nov 2015)
+- imap: avoid freeing constant string
- As implementations are refereed to GSS-API libraries as per the RFC and
- GSSAPI typically refers to the SASL authentication mechanism.
+ The fix in 1a614c6c3 was wrong and would leed to free() of a fixed
+ string.
- ...and minor rewording on the same paragraph.
+ Pointed-out-by: Kamil Dudka
-- README: Added note about using Visual Studio projects out of git repository
+- ROADMAP: remove two items already done
-Daniel Stenberg (4 Nov 2014)
-- [K. R. Walker brought this change]
+- RELEASE-NOTES: synced with 2200bf62054
- cmake: fix ZLIB_INCLUDE_DIRS use
+Jay Satiro (9 Nov 2015)
+- acinclude: Remove check for 16-bit curl_off_t
- CMake 2.8's FindZLIB.cmake documents ZLIB_INCLUDE_DIRS, see
- http://www.cmake.org/cmake/help/v2.8.0/cmake.html#module:FindZLIB
+ Because it's illogical to check for a 16-bit curl_off_t.
- Bug: https://github.com/bagder/curl/pull/123
+ Ref: https://github.com/bagder/curl/issues/425#issuecomment-154964205
-- [Jay Satiro brought this change]
+Dan Fandrich (8 Nov 2015)
+- tool: Fixed a memory leak on OOM introduced in 19cb0c4a
- SSL: PolarSSL default min SSL version TLS 1.0
+Steve Holme (8 Nov 2015)
+- [Justin Ehlert brought this change]
+
+ imap: Don't check for continuation when executing a CUSTOMREQUEST
- - Prior to this change no SSL minimum version was set by default at
- runtime for PolarSSL. Therefore in most cases PolarSSL would probably
- have defaulted to a minimum version of SSLv3 which is no longer secure.
+ Bug: https://github.com/bagder/curl/issues/486
+ Closes https://github.com/bagder/curl/pull/487
-- opts-Makefile: put more man pages into dist and make hmtl+pdf
+Daniel Stenberg (7 Nov 2015)
+- imap: checksrc: remove space after while before paren
-- curl_multi_setopt.3: refer to stand-alone pages
+- checksrc.whitelist: "missing space after close paren"
- ... instead of duplicating info.
+ ... when it was within a string!
-- opts: more multi options as stand-alone man pages
+Steve Holme (7 Nov 2015)
+- opts: Corrected TLS protocols list to include POP3S rather than POP3
-- Makefile.am: two cmake files are gone
+- imap: Quote other 'atom-specials' and not just the space character
- 8cb010144 removed the CurlCheckCSourceCompiles.cmake and
- CurlCheckCSourceRuns.cmake files
+ Closes #517
+
+- imap: Fixed double quote in LIST command when mailbox contains spaces
-- opts: made stand-alone man-pages for several multi options
+Daniel Stenberg (6 Nov 2015)
+- imap: fix compiler warning
+
+ imap.c:657:13: error: assignment discards 'const' qualifier from pointer
+ target type [-Werror=discarded-qualifiers]
-- [Carlo Wood brought this change]
+Steve Holme (6 Nov 2015)
+- imap: Don't call imap_atom() when no mailbox specified in LIST command
- Curl_single_getsock: fix hold/pause sock handling
+Daniel Stenberg (6 Nov 2015)
+- curl.1: remove the overlap --range example
- The previous condition that checked if the socket was marked as readable
- when also adding a writable one, was incorrect and didn't take the pause
- bits properly into account.
+ ... it is just weird to include by default even if it still works.
-- [Peter Wu brought this change]
+- tftp tests: verify sent options too
+
+ The tftpd test server now logs all received options and thus all TFTP
+ test cases need to match them exactly.
+
+ Extended test 283 to use and verify --tftp-blksize.
- cmake: fix struct sockaddr_storage check
+Jay Satiro (6 Nov 2015)
+- getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
- CHECK_TYPE_SIZE_PREINCLUDE is an internal, undocumented variable which
- was removed in cmake 2.8.1. According to the MSDN docs[1], inclusion
- of winsock2.h is sufficient. WIN32_LEAN_AND_MEAN does not really seem
- to affect the tests, so remove it too[2].
+ - Set user info param to the socket returned by Curl_getconnectinfo,
+ regardless of if the socket is bad. Effectively this means the user info
+ param now will receive CURL_SOCKET_BAD instead of -1 on bad socket.
- For the non-windows case, remove inet headers as POSIX only requires
- sys/socket.h.
+ - Remove incorrect comments.
- [1]: http://msdn.microsoft.com/en-us/library/windows/desktop/ms740504%28v=vs.85%29.aspx
- [2]: http://stackoverflow.com/questions/11040133/what-does-defining-win32-lean-and-mean-exclude-exactly
+ CURLINFO_ACTIVESOCKET is documented to write CURL_SOCKET_BAD to user
+ info param but prior to this change it wrote -1.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Bug: https://github.com/bagder/curl/pull/518
+ Reported-by: Marcel Raad
-- [Peter Wu brought this change]
+Patrick Monnerat (5 Nov 2015)
+- curl_ntlm_core: fix 2 curl_off_t constant overflows.
- cmake: clean OtherTests, fixing -Werror
-
- There were several -Wunused warnings and one duplicate macro definition.
- The EXTRA_DEFINES variable of the CurlCheckCSources macro was being
- abused ("__unused1\n#undef inline\n#define __unused2", seriously?) to
- insert extra C code. Avoid this broken abstraction and use cmake's
- check_c_source_compiles directly (works fine with CMake 2.8, maybe
- even cmake 2.6).
-
- After cleaning up all related variables (EXTRA_DEFINES,
- HEADER_INCLUDES, auxiliary headers_hack), also remove a duplicate
- add_headers_include macro and remove duplicate header additions before
- the struct timeval check.
+- os400: adjust specific code to support new options.
+
+Daniel Stenberg (2 Nov 2015)
+- [Lauri Kasanen brought this change]
+
+ rawstr: Speed up Curl_raw_toupper by 40%
- Oh, and now the code is converted to use CheckCSourceRuns and
- CheckCSourceCompiles, the two curl-specific helpers can be removed.
- Unfortunately, the cmake output is now slightly more verbose. Before:
+ Rationale: when starting up a curl-using app, all cookies from the jar
+ are checked against each other. This was causing a startup delay in the
+ Fifth browser.
- Performing Test int send(int, const void *, size_t, int) (curl_cv_func_send_test)
- Performing Test int send(int, const void *, size_t, int) (curl_cv_func_send_test) - Failed
+ All tests pass.
- Since check_c_source_compiles prints the varname, now you see:
+ Signed-off-by: Lauri Kasanen <cand@gmx.com>
+
+- http redirects: %-encode bytes outside of ascii range
- Performing Test curl_cv_func_send_test
- Performing Test curl_cv_func_send_test - Failed
- Tested: int send(int, const void *, size_t, int)
+ Apparently there are sites out there that do redirects to URLs they
+ provide in plain UTF-8 or similar. Browsers and wget %-encode such
+ headers when doing a subsequent request. Now libcurl does too.
- Compared cmake output with each other using vimdiff, no functional
- differences were found. Tested with GCC 4.9.1 and Clang 3.5.0.
+ Added test 1138 to verify.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #473
-- [Peter Wu brought this change]
+- RELEASE-NOTES: synced with cba5bc585410
- cmake: fix gethostby{addr,name}_r in CurlTests
-
- This patch cleans up the automatically-generated (?) code and fixes one
- case that will always fail due to syntax error.
+- symbols-in-version: add all CURL_HTTPPOST_* symbols
+
+- formadd: support >2GB files on windows
- HAVE_GETHOSTBYADDR_R_5_REENTRANT always failed because of a trailing
- character ("int length;q"). Several parameter type and unused variable
- warnings popped up. This causes a detection failure with -Werror.
+ Closes #425
+
+- curl.h: s/HTTPPOST_/CURL_HTTPOST_
- Observe that the REENTRANT cases are exactly the same as their
- non-REENTRANT cases except for a `_REENTRANT` macro definition.
- Merge all these pieces and build one big main function with different
- cases, but reusing variables where logical.
+ Fixes a name space pollution at the cost of programs using one of these
+ defines will no longer compile. However, the vast majority of libcurl
+ programs that do multipart formposts use curl_formadd() to build this
+ list.
- For the cases where the parameters where NULL, I looked at
- lib/hostip4.c to get an idea of the parameters types.
+ Closes #506
+
+- mbedtls: fix "Structurally dead code"
- void-cast variables such as 'rc' to avoid -Wuninitialized errors.
+ CID 1332129
+
+- mbedtls: fix "Logically dead code"
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ CID 1332128
-- [Peter Wu brought this change]
+- Revert "openssl: engine: remove double-free"
+
+ This reverts commit 370ee919b37cc9a46c36428b2bb1527eae5db2bd.
+
+ Issue #509 has all the details but it was confirmed that the crash was
+ not due to this, so the previous commit was wrong.
- cmake: drop _BSD_SOURCE macro usage
+- curl.1: -E: s/private certificate/client certificate
- autotools does not use features.h nor _BSD_SOURCE. As this macro
- triggers warnings since glibc 2.20, remove it. It should not have
- functional differences.
+ ... as the certificate is strictly speaking not private.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reported-by: John Levon
-Steve Holme (2 Nov 2014)
-- RELEASE-NOTES: Synced with d71ea7c01e
+- openssl: engine: remove double-free
- Additionally, updated "GSSAPI" to "GSS-API" for a Cmake related change
- as GSSAPI can be confused with the authentication mechanism rather than
- a GSS-API implementation library such as MIT or Heimdal.
+ After a successful call to SSL_CTX_use_PrivateKey(), we must not call
+ EVP_PKEY_free() on the key.
+
+ Reported-by: nased0
+ Closes #509
+
+Jay Satiro (27 Oct 2015)
+- socks: Fix incorrect port numbers in failed connect messages
-- build: Added WinIDN build configuration options
+Daniel Stenberg (26 Oct 2015)
+- DISTRO-DILEMMA: removed
- Added support for WinIDN build configurations to the VC6 project files.
+ Out of date and not kept accurate. It was sort of a problem of the past
+ anyway.
-- build: Added WinIDN build configuration options
+- [xiangbin li brought this change]
+
+ MacOSX-Framework: sdk regex fix for sdk 10.10 and later
- Added support for WinIDN build configurations to the VC7 and VC7.1
- project files.
+ closes #507
-- build: Fixed the pre-processor separator in Visual Studio project files
+Jay Satiro (24 Oct 2015)
+- build: Fix support for PKG_CONFIG
- A left over from the VC6 project files, so mainly cosmetic in Visual
- Studio .NET as it can handle both comma and semi-colon characters for
- separating multiple pre-processor definitions.
+ - Allow the user to use PKG_CONFIG but not PKGCONFIG.
- However, the IDE uses semi-colons if the value is edited, and as such,
- this may cause problems in future for anyone updating the files or
- merging patches.
+ Background:
- Used the Visual Studio IDE to correct the separator character.
-
-- build: Added optional specific version generation of VC project files
+ Last week in 14d5a86 a change was made to allow the user to set the
+ PKGCONFIG variable. Today in 72d99f2 I supplemented that to allow the
+ more common PKG_CONFIG as an alternative if PKGCONFIG is not set.
- ..when working from the git repository. This is particularly useful
- for single development environments where the project files for all
- supported versions of Visual Studio may not be required.
+ Neither of those changes worked as expected because PKGCONFIG is
+ occasionally reset in configure and by the CURL_CHECK_PKGCONFIG macro.
+ Instead in this commit I take the approach that the user may set
+ PKG_CONFIG only.
-- [Jay Satiro brought this change]
-
- build-openssl.bat: Fix x64 release build
+- build: Fix mingw ssl gdi32 order
+
+ - If mingw ssl make sure -lgdi32 comes after ssl libs
+
+ - Allow PKG_CONFIG to set pkg-config location and options
- Prior to this change if x64 release was specified a failed attempt was
- made to build x86 release instead.
+ Bug: https://github.com/bagder/curl/pull/501
+ Reported-by: Kang Lin
-- CURLOPT_XOAUTH2_BEARER.3: Corrected the OAuth version number
+Daniel Stenberg (23 Oct 2015)
+- RELEASE-NOTES: synced with 03b6e078163f
-- CURLOPT_SASL_IR.3: Added supported mechanism information
+- polarssl/mbedtls: fix name space pollution
- ...and removed duplication of what protocols are supported from the
- description text.
+ Global private symbols MUST start with Curl_!
-- opts: Use common wording for MAIL related names
+- [Dmitry S. Baikov brought this change]
-- opts: Use common wording for TLS user/password option names
+ mbedTLS: THREADING_SUPPORT compilation fix
- ...and revised the proxy wording a little as well.
+ Closes #505
-- CURLOPT_MAXCONNECTS.3: Reworked the description to be less confusing
-
- ...and corrected a related typo in curl_easy_setopt.3.
+- test1137: verify --ignore-content-length for FTP
-Guenter Knauf (2 Nov 2014)
-- RELEASE-NOTES: removed obsolete entry; fixed entry.
+- curl.1: --ignore-content-length now works for FTP too
-Steve Holme (2 Nov 2014)
-- RELEASE-NOTES: Synced with e7da67f5d3
+- [Kurt Fankhauser brought this change]
-- docs: Added mention of Kerberos for CURL_VERSION_SSPI
+ ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
- As this has been present for SOCKSv5 proxy since v7.19.4 and for IMAP,
- POP3 and SMTP authentication since v7.38.0.
-
-- CURL_VERSION_KERBEROS4: Mark as deprecated
+ This allows FTP transfers with growing (or shrinking) files without
+ causing a transfer error.
- Support for Kerberos V4 was removed in v7.33.0.
+ Closes #480
-- sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
+- CURLOPT_STREAM_WEIGHT.3: call argument 'weight' too
- Typically the USE_WINDOWS_SSPI definition would not be used when the
- CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build
- configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication
- data structures and functions would incorrectly be used when they
- shouldn't be.
-
- Introduced a new USE_KRB5 definition that takes into account the use of
- CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do.
+ ... and add a little example of what the weight actually means. "Relative
+ proportion of bandwidth".
+
+- http2: add stream options to dist and curl_easy_setopt.3
-- openssl: Use 'CURLcode result'
+- http2: s/priority/weight
+
+- http2: on_frame_recv: trust the conn/data input
+
+ Removed wrong assert()s
- More CURLcode fixes.
+ The 'conn' passed in as userdata can be used and there can be other
+ sessionhandles ('data') than the single one this checked for.
-Daniel Stenberg (1 Nov 2014)
-- resume: consider a resume from [content-length] to be OK
+- http2: added three stream prio/deps options
- Basically since servers often then don't respond well to this and
- instead send the full contents and then libcurl would instead error out
- with the assumption that the server doesn't support resume. As the data
- is then already transfered, this is now considered fine.
+ CURLOPT_STREAM_DEPENDS
- Test case 1434 added to verify this. Test case 1042 slightly modified.
+ CURLOPT_STREAM_DEPENDS_E
- Reported-by: hugo
- Bug: http://curl.haxx.se/bug/view.cgi?id=1443
+ CURLOPT_STREAM_PRIORITY
-Steve Holme (1 Nov 2014)
-- openssl: Use 'CURLcode result'
-
- More standardisation of CURLcode usage and coding style.
+- RELEASE-NOTES: synced with ace68fdc0cfed83d
+
+- [m-gardet brought this change]
-- openssl: Use 'CURLcode result'
+ mbedtls:new profile with RSA min key len = 1024.
- ...and some minor code style changes.
+ Closes #502
-- ftplistparser: We prefer 'CURLcode result'
+- checksrc: add crude // detection
-- opts: Use common wording for user/password option names
+Jay Satiro (21 Oct 2015)
+- [Gisle Vanem brought this change]
-- CURLOPT_CONNECT_ONLY.3: Removed "This option is implemented for..." text
+ build: fix for MSDOS/djgpp
+
+ - Add a VPATH-statement for the vtls/*.c files.
- As this is covered by the PROTOCOLS section and saves having to update
- two parts of the document with the same information in future.
+ - Due to 'vtls/*.c', remove that subdir part from $(OBJECTS).
-- CURLOPT_GSSAPI_DELEGATION.3: Use GSS-API rather than GSSAPI
+Daniel Stenberg (20 Oct 2015)
+- copyrights: update Gisle Vanem's email
+
+- vtls: fix compiler warning for TLS backends without sha256
- As implementations are refereed to GSS-API libraries as per the RFC and
- GSSAPI typically refers to an authentication mechanism.
+ ... noticed with mbedTLS.
+
+- [Jonas Minnberg brought this change]
-- CURLOPT_CONNECT_ONLY.3: Fixed incomplete protocol list
+ vtls: added support for mbedTLS
- Added missing IMAP to the protocol list.
+ closes #496
-- code cleanup: Use 'CURLcode result'
+Jay Satiro (19 Oct 2015)
+- [Javier G. Sogo brought this change]
-- curl_easy_setopt.3: Fixed lots of typos
+ cmake: Fix for add_subdirectory(curl) use-case
+
+ - Use CURL_BINARY_DIR instead of CMAKE_BINARY_DIR.
+
+ When including CURL using add_subdirectory the variables
+ CMAKE_BINARY_DIR and CURL_BINARY_DIR hold different paths.
+
+ Closes https://github.com/bagder/curl/pull/488
+ Closes https://github.com/bagder/curl/pull/498
+
+Daniel Stenberg (18 Oct 2015)
+- RELEASE-NOTES: synced with 4c773bcb474e
-- curl_easy_setopt.3: Moved CURLOPT_DIRLISTONLY into PROTOCOL OPTIONS
+- tests/FILEFORMAT: mention PSL as a valid feture to check for
- ...as this option affects more that just FTP.
+ For example in test 1136
-Guenter Knauf (30 Oct 2014)
-- build: added Watcom support to build with WinSSL.
+- teste1136: only run when PSL is enabled
-Daniel Stenberg (30 Oct 2014)
-- CURLOPT_PINNEDPUBLICKEY.3: added details
+- curl: slist_wc: remove curl_memory.h inclusion
+
+ ... that's for the library only.
-Steve Holme (30 Oct 2014)
-- CURLOPT_CUSTOMREQUEST.3: Fixed incomplete protocol list
+- configure: add PSL to the list of features
- Whilst the description included information about SMTP, the protocol
- list only showed "TTP, FTP, IMAP, POP3".
+ ... to make test 1014 work again after e77b5b7453.
-- CURLOPT_DIRLISTONLY.3: Added information about the usage in POP3
+- [Daniel Hwang brought this change]
-Daniel Stenberg (29 Oct 2014)
-- openssl: enable NPN separately from ALPN
+ tool: Generate easysrc with last cache linked-list
+
+ Using a last cache linked-list improves the performance of easysrc
+ generation.
- ... and allow building with nghttp2 but completely without NPN and ALPN,
- as nghttp2 can still be used for plain-text HTTP.
+ Bug: https://github.com/bagder/curl/issues/444
+ Ref: https://github.com/bagder/curl/issues/429
- Reported-by: Lucas Pardue
+ Closes #452
-- configure.ac: remove checks for OpenSSL NPN/ALPN funcs again
+- [Tim Rühsen brought this change]
+
+ cookies: Add support for Mozilla's Publix Suffix List
+
+ Use libpsl to check the domain value of Set-Cookie headers (and cookie
+ jar entries) for not being a Publix Suffix.
- ... since the conditional in the code are now based on OpenSSL versions
- instead to better support non-configure builds.
+ The configure script checks for "libpsl" by default. Disable the check
+ with --without-libpsl.
+
+ Ref: https://publicsuffix.org/
+ Ref: https://github.com/publicsuffix/list
+ Ref: https://github.com/rockdaboot/libpsl
-- opts: added some "SEE ALSO" references
+- [Richard Hosking brought this change]
-Steve Holme (29 Oct 2014)
-- RELEASE-NOTES: Synced with 32913182dc
+ curlbuild.h: Fix non-configure compiling to mips and sh4 targets
-- vtls.c: Fixed compilation warning
-
- conversion from 'size_t' to 'unsigned int', possible loss of data
+- [Anders Bakken brought this change]
-- sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
+ http2: Don't pass unitialized name+len pairs to nghttp2_submit_request
- Return a more appropriate error, rather than CURLE_OUT_OF_MEMORY when
- acquiring the credentials handle fails. This is then consistent with
- the code prior to commit f7e24683c4 when log-in credentials were empty.
+ bug introduced by 18691642931e5c7ac8af83ac3a84fbcb36000f96.
+
+ Closes #493
+
+Dan Fandrich (16 Oct 2015)
+- test1601: fix compilation with --enable-debug and --disable-crypto-auth
-- sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
+Daniel Stenberg (16 Oct 2015)
+- multi: fix off-by-one finit[] array size
- Fixed the ability to use the current log-in credentials with DIGEST-MD5.
- I had previously disabled this functionality in commit 607883f13c as I
- couldn't get this to work under Windows 8, however, from testing HTTP
- Digest authentication through Windows SSPI and then further testing of
- this code I have found it works in Windows 7.
+ introduced in c6aedf680f6. It needs to be CURLM_STATE_LAST big since it
+ must hande the range 0 .. CURLM_STATE_MSGSENT (18) and CURLM_STATE_LAST
+ is 19 right now.
- Some further investigation is required to see what the differences are
- between Windows 7 and 8, but for now enable this functionality as the
- code will return an error when AcquireCredentialsHandle() fails.
+ Reported-by: Dan Fandrich
+ Bug: http://curl.haxx.se/mail/lib-2015-10/0069.html
-Kamil Dudka (29 Oct 2014)
-- transfer: drop the code handling the ssl_connect_retry flag
+- fread_func: move callback pointer from set to state struct
- Its last use has been removed by the previous commit.
-
-- nss: drop the code for libcurl-level downgrade to SSLv3
+ ... and assign it from the set.fread_func_set pointer in the
+ Curl_init_CONNECT function. This A) avoids that we have code that
+ assigns fields in the 'set' struct (which we always knew was bad) and
+ more importantly B) it makes it impossibly to accidentally leave the
+ wrong value for when the handle is re-used etc.
- This code was already deactivated by commit
- ec783dc142129d3860e542b443caaa78a6172d56.
-
-- openssl: fix a line length warning
-
-Guenter Knauf (29 Oct 2014)
-- Added NetWare support to build with nghttp2.
+ Introducing a state-init functionality in multi.c, so that we can set a
+ specific function to get called when we enter a state. The
+ Curl_init_CONNECT is thus called when switching to the CONNECT state.
+
+ Bug: https://github.com/bagder/curl/issues/346
+
+ Closes #346
-- Fixed error message since we require ALPN support.
+Dan Fandrich (14 Oct 2015)
+- test1531: case the size to fix the test on non-largefile builds
-- Check for ALPN via OpenSSL version number.
+Daniel Stenberg (13 Oct 2015)
+- acinclude: remove PKGCONFIG override
- This check works also with to non-configure platforms.
-
-Steve Holme (28 Oct 2014)
-- sasl_sspi: Fixed typo in comment
+ ... and allow it to get set by a caller easier.
+
+ Reported-by: Rainer Jung
+ Bug: http://curl.haxx.se/mail/lib-2015-10/0035.html
-- code cleanup: We prefer 'CURLcode result'
+Dan Fandrich (12 Oct 2015)
+- docs/INSTALL: Updated example minimal binary sizes
-Daniel Stenberg (28 Oct 2014)
-- TODO: consider supporting STAT
+Daniel Stenberg (11 Oct 2015)
+- [Erik Johansson brought this change]
-- mk-ca-bundle: spell fix "version"
+ openssl: Fix set up of pkcs12 certificate verification chain
+
+ sk_X509_pop will decrease the size of the stack which means that the loop would
+ end after having added only half of the certificates.
+
+ Also make sure that the X509 certificate is freed in case
+ SSL_CTX_add_extra_chain_cert fails.
-- HTTP: return larger than 3 digit response codes too
+- ntlm: error out without 64bit support as the code needs it
+
+ It makes it a clearer message for developers reaching that point without
+ the necessary support.
- HTTP 1.1 is clearly specified to only allow three digit response codes,
- and libcurl used sscanf("%3d") for that purpose. This made libcurl
- support smaller numbers but not larger. It does now, but we will not
- make any specific promises nor document this further since it is going
- outside of what HTTP is.
+ Thanks-by: Jay Satiro
- Bug: http://curl.haxx.se/bug/view.cgi?id=1441
- Reported-by: Balaji
+ Closes #78
-- src/: remove version.h.dist from gitignore
+- curl_global_init: set the memory function pointers correct
- It has not been used since commit f7bfdbab in 2011
+ follow-up from 6f8ecea0
-Steve Holme (26 Oct 2014)
-- ntlm: We prefer 'CURLcode result'
+- curl_global_init_mem: set function pointers before doing init
- Continuing commit 0eb3d15ccb more return code variable name changes.
+ ... as in the polarssl TLS backend for example it uses memory functions.
-Guenter Knauf (26 Oct 2014)
-- Cosmetics: lowercase non-special subroutine names.
+Jay Satiro (9 Oct 2015)
+- http2: Fix http2_recv to return -1 if recv returned -1
+
+ If the underlying recv called by http2_recv returns -1 then that is the
+ value http2_recv returns to the caller.
-Steve Holme (26 Oct 2014)
-- RELEASE-NOTES: Synced with 07ac29a058
+Daniel Stenberg (8 Oct 2015)
+- [Svyatoslav Mishyn brought this change]
-- http_negotiate: We prefer 'CURLcode result'
+ curl_easy_recv.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
- Continuing commit 0eb3d15ccb more return code variable name changes.
+ Closes #479
-- http_negotiate: Fixed missing check for USE_SPNEGO
+- [Svyatoslav Mishyn brought this change]
-- sspi: Synchronization of cleanup code between auth mechanisms
+ curl_easy_send.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
-- sspi: Renamed max token length variables
-
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
+- [Svyatoslav Mishyn brought this change]
-- sspi: Renamed expiry time stamp variables
-
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
+ CURLOPT_CONNECT_ONLY.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
+
+- CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
-- sspi: Only call CompleteAuthToken() when complete is needed
+- ntlm: get rid of unconditional use of long long
- Don't call CompleteAuthToken() after InitializeSecurityContext() has
- returned SEC_I_CONTINUE_NEEDED as this return code only indicates the
- function should be called again after receiving a response back from
- the server.
+ ... since some compilers don't have it and instead use other types, such
+ as __int64.
- This only affected the Digest and NTLM authentication code.
+ Reported by: gkinseyhpw
+ Closes #478
-Dan Fandrich (26 Oct 2014)
-- Added the "flaky" keyword to a number of tests
+Jay Satiro (8 Oct 2015)
+- [Anders Bakken brought this change]
+
+ des: Fix header conditional for Curl_des_set_odd_parity
- Each shows evidence of flakiness on at least one platform on
- the autobuilds. Users can use this keyword to skip these tests
- if desired.
+ Follow up to 613e502.
-Steve Holme (26 Oct 2014)
-- ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
+Daniel Stenberg (7 Oct 2015)
+- configure: build silently by default
- For consistency with other areas of the NTLM code propagate all errors
- from Curl_ntlm_core_mk_nt_hash() up the call stack rather than just
- CURLE_OUT_OF_MEMORY.
+ 'make V=1' will make the build verbose like before
-- ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
+- bump: start climbing toward 7.46.0
-- ntlm: Use 'CURLcode result'
-
- Continuing commit 0eb3d15ccb more return code variable name changes.
+- RELEASE-PROCEDURE: add the github HTTPS download step
-- ntlm: Only define ntlm data structure when USE_NTLM is defined
+Version 7.45.0 (7 Oct 2015)
-- ntlm: Changed handles to be dynamic like other SSPI handles
-
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
+Daniel Stenberg (7 Oct 2015)
+- THANKS: 19 new contributors from the 7.45.0 announcement
-- ntlm: Renamed handle variables to match other SSPI structures
-
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
+- RELEASE-NOTES: synced with 69ea57970080
-- ntlm: Renamed SSPI based input token variables
+Jay Satiro (4 Oct 2015)
+- getinfo: Fix return code for unknown CURLINFO options
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
-
-- ntlm: We prefer 'CURLcode result'
+ - If a CURLINFO option is unknown return CURLE_UNKNOWN_OPTION.
- Continuing commit 0eb3d15ccb more return code variable name changes.
+ Prior to this change CURLE_BAD_FUNCTION_ARGUMENT was returned on
+ unknown. That return value is contradicted by the CURLINFO option
+ documentation which specifies a return of CURLE_UNKNOWN_OPTION on
+ unknown.
-- build: Added WinIDN build configuration options
-
- Added support for WinIDN build configurations to the VC8 and VC9
- project files.
+- [rouzier brought this change]
-Nick Zitzmann (24 Oct 2014)
-- darwinssl: detect possible future removal of SSLv3 from the framework
+ hiperfifo: fix the pointer passed to WRITEDATA
- If Apple ever drops SSLv3 support from the Security framework, we'll fail with an error if the user insists on using SSLv3.
+ Closes https://github.com/bagder/curl/pull/471
-Patrick Monnerat (24 Oct 2014)
-- gskit.c: remove SSLv3 from SSL default.
+- [Maksim Stsepanenka brought this change]
-- gskit.c: use 'CURLcode result'
+ tool_setopt: fix c_escape truncated octal
+
+ Closes https://github.com/bagder/curl/pull/469
-Daniel Stenberg (24 Oct 2014)
-- [Jay Satiro brought this change]
+Daniel Stenberg (1 Oct 2015)
+- [Orange Tsai brought this change]
- SSL: Remove SSLv3 from SSL default due to POODLE attack
+ gopher: don't send NUL byte
- - Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss,
- openssl effectively making the default TLS 1.x. axTLS is not affected
- since it supports only TLS, and gnutls is not affected since it already
- defaults to TLS 1.x.
+ Closes #466
+
+Jay Satiro (29 Sep 2015)
+- runtests: Fix pid check in checkdied
- - Update CURLOPT_SSLVERSION doc
+ Because the 'not' operator has a very low precedence and as a result the
+ entire statement was erroneously negated and could never be true.
-- pipelining: only output "is not blacklisted" in debug builds
+Daniel Stenberg (30 Sep 2015)
+- [Thorsten Schöning brought this change]
-- *.3: add/extend "SEE ALSO" sections
+ win32: make recent Borland compilers use long long
-- curl_easy_pause.3: minor wording edit
+- RELEASE-NOTES: synced with 69b89050d4
-- curl_getdate.3: provide a "SEE ALSO" section
+Jay Satiro (28 Sep 2015)
+- [Michael Kalinin brought this change]
-- curl_global_init.3: minor formatting fix, add version info
+ openssl: Fix algorithm init
+
+ - Change algorithm init to happen after OpenSSL config load.
+
+ Additional algorithms may be available due to the user's config so we
+ initialize the algorithms after the user's config is loaded.
+
+ Bug: https://github.com/bagder/curl/issues/447
+ Reported-by: Denis Feklushkin
-- url.c: use 'CURLcode result'
+- [Svyatoslav Mishyn brought this change]
-- code cleanup: we prefer 'CURLcode result'
+ docs: fix unescaped '\n' in man pages
- ... for the local variable name in functions holding the return
- code. Using the same name universally makes code easier to read and
- follow.
+ Closes https://github.com/bagder/curl/pull/459
+
+Daniel Stenberg (27 Sep 2015)
+- http2: set TCP_NODELAY unconditionally
- Also, unify code for checking for CURLcode errors with:
+ For a single-stream download from localhost, we managed to increase
+ transfer speed from 1.6MB/sec to around 400MB/sec, mostly because of
+ this single fix.
+
+- http2: avoid superfluous Curl_expire() calls
- if(result) or if(!result)
+ ... only call it when there is data arriving for another handle than the
+ one that is currently driving it.
- instead of
+ Improves single-stream download performance quite a lot.
- if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
+ Thanks-to: Tatsuhiro Tsujikawa
+ Bug: http://curl.haxx.se/mail/lib-2015-09/0097.html
-- Curl_add_timecondition: skip superfluous varible assignment
+- readwrite_data: set a max number of loops
- Detected by cppcheck.
+ ... as otherwise a really fast pipe can "lock" one transfer for some
+ protocols, like with HTTP/2.
-- Curl_pp_flushsend: skip superfluous assignment
-
- Detected by cppcheck.
+- [Sergei Nikulov brought this change]
-- Curl_pp_readresp: remove superfluous assignment
-
- Variable already assigned a few lines up.
+ CI: Added AppVeyor-CI for curl
- Detected by cppcheck.
+ Closes #439
-- Curl_proxyCONNECT: remove superfluous statement
+- FTP: fix uploading ASCII with unknown size
- The variable is already assigned, skip the duplicate assignment.
+ ... don't try to increase the supposed file size on newlines if we don't
+ know what file size it is!
- Pointed out by cppcheck.
+ Patch-by: lzsiga
-Guenter Knauf (24 Oct 2014)
-- Added MinGW support to build with nghttp2.
+- [Tatsuhiro Tsujikawa brought this change]
-- Added VC ssh2 target to main Makefile.
+ build: fix failures with -Wcast-align and -Werror
+
+ Closes #457
-- Some cosmetics and simplifies.
+- [Tatsuhiro Tsujikawa brought this change]
-- Remove dependency on openssl and cut.
+ curl-confopts.m4: Add missing ')'
- Prefer usage of Perl modules for sha1 calculation since there
- might be systems where openssl is not installed or not in path.
- If openssl is used for sha1 calculation then dont rely on cut
- since it is usually not available on other systems than Linux.
-
-Daniel Stenberg (23 Oct 2014)
-- RELEASE-NOTES: synced with e116d0a62
+ ... for CURL_CHECK_OPTION_RT
+
+ Closes #456
-- CURLOPT_RESOLVE.3: add an example
+Jay Satiro (25 Sep 2015)
+- curl_easy_getinfo.3: Add brief description for each CURLINFO
-- gnutls: removed dead code
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1437
- Reported-by: Julien
+Daniel Stenberg (23 Sep 2015)
+- [Jakub Zakrzewski brought this change]
-- Curl_rand: Uninitialized variable: r
+ CMake: Ensure discovered include dirs are considered
- This is not actually used uninitialized but we silence warnings.
+ ...during header checks. Otherwise some following header tests
+ (incorrectly) fail.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1437
- Reported-by: Julien
+ Closes #436
-- opts: provide more and updated examples
+- [Jakub Zakrzewski brought this change]
-- CURLOPT_RANGE.3: works for SFTP as well
+ CMake: Put "winsock2.h" before "windows.h" during configure checks
- ... and added a small example
+ "windows.h" includes "winsock.h" what causes many redefinition errors
+ if "winsock2.h" is included afterwards and can cause build to fail.
-- curl.1: edited for clarity
+- tests: disable 1510 due to CI-problems on github
-- CURLOPT_SSLVERSION.3: provide an example
+- [Mike Crowe brought this change]
-- docs/libcurl/ABI: more markdown friendly
-
-- docs: edited lots of libcurl docs for clarity
+ gnutls: Report actual GnuTLS error message for certificate errors
+
+ If GnuTLS fails to read the certificate then include whatever reason it
+ provides in the failure message reported to the client.
+
+ Signed-off-by: Mike Crowe <mac@mcrowe.com>
-- opts: added examples
+- RELEASE-NOTES: synced with 6b56901b56e
-- HISTORY: two glimpses in 2014
+- [Mike Crowe brought this change]
-Kamil Dudka (20 Oct 2014)
-- nss: reset SSL handshake state machine
+ gnutls: Support CURLOPT_KEYPASSWD
- ... when the handshake succeeds
+ The gnutls vtls back-end was previously ignoring any password set via
+ CURLOPT_KEYPASSWD. Presumably this was because
+ gnutls_certificate_set_x509_key_file did not support encrypted keys.
- This fixes a connection failure when FTPS handle is reused.
-
-Daniel Stenberg (20 Oct 2014)
-- [Peter Wu brought this change]
+ gnutls now has a gnutls_certificate_set_x509_key_file2 function that
+ does support encrypted keys. Let's determine at compile time whether the
+ available gnutls supports this new function. If it does then use it to
+ pass the password. If it does not then emit a helpful diagnostic if a
+ password is set. This is preferable to the previous behaviour of just
+ failing to read the certificate without giving a reason in that case.
+
+ Signed-off-by: Mike Crowe <mac@mcrowe.com>
- cmake: generate pkg-config and curl-config
+- CURLINFO_TLS_SESSION: always return backend info
- Initial work to generate a pkg-config and curl-config script. Static
- linking (`curl-config --static-libs` and `pkg-config --shared --libs
- libcurl`) is broken and therefore disabled.
+ ... even for those that don't support providing anything in the
+ 'internals' struct member since it offers a convenient way for
+ applications to figure this out.
+
+- [Daniel Hwang brought this change]
+
+ tool: remove redundant libcurl check
- CONFIGURE_OPTIONS does not make sense for CMake, use an empty string
- for now.
+ The easysrc generation is run only when --libcurl is initialized.
- At least `curl-config --features` and `curl-config --protocols` work
- which is needed by runtests.pl.
+ Ref: https://github.com/bagder/curl/issues/429
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #448
-- [Peter Wu brought this change]
+- [Richard van den Berg brought this change]
- cmake: use LIBCURL_VERSION from curlver.h
-
- This matches the behavior from autotools. The auxiliary major, minor
- and patch components are not needed anymore and therefore removed.
+ CURLOPT_PROXY.3: A proxy given as env variable gets no special treatment
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #449
-- [Peter Wu brought this change]
+- TODO: 5.7 More compressions
+
+ Like for example brotli, as being implemented in Firefox now.
- cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
+Jay Satiro (21 Sep 2015)
+- tool_operate: Don't call easysrc cleanup unless --libcurl
- For compatibility with autoconf, it will be used later for curl-config
- and pkg-config. Not all features and or protocols can be enabled as
- these are missing additional checks (see new TODOs).
+ - Review of 4d95491.
- SUPPORT_PROTOCOLS is partially scripted (grep for SUPPORT_PROTOCOLS=)
- and manually verified/modified. SUPPORT_FEATURES is manually added.
+ The author changed it so easysrc only initializes when --libcurl but did
+ not do the same for the call to easysrc cleanup.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Ref: https://github.com/bagder/curl/issues/429
-- cmake: add CMake/Macros.cmake to the release tarball
+Daniel Stenberg (20 Sep 2015)
+- [Viktor Szakats brought this change]
-- test545: make it not use a trailing zero
+ CURLOPT_PINNEDPUBLICKEY.3: replace test.com with example.com
- CURLOPT_COPYPOSTFIELDS with a given CURLOPT_POSTFIELDSIZE does not
- require a trailing zero of the data and by making sure this test doesn't
- use one we know it works (combined with valgrind).
+ closes #443
-Steve Holme (16 Oct 2014)
-- ntlm: Fixed empty type-2 decoded message info text
+- KNOWN_BUGS: 91 "curl_easy_perform hangs with imap and PolarSSL"
- Updated the info text when the base-64 decode of the type-2 message
- returns a null buffer to be more specific.
-
-- ntlm: Fixed empty/bad base-64 decoded buffer return codes
+ Closes #334
-- ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
+- KNOWN_BUGS: add link to #85
-Daniel Stenberg (16 Oct 2014)
-- httpcustomheader.c: make use of more CURLOPT_HTTPHEADER features
+- tests: disable 1801 until fixed
- ... and only do a single request for clarity.
-
-Steve Holme (15 Oct 2014)
-- sasl_sspi: Fixed some typos
+ It is unreliable and causes CI problems on github
+
+ Closes #380
-- sasl_sspi: Fixed Kerberos response buffer not being allocated when using SSO
+- RELEASE-NOTES: synced with 4d95491636ee
-Daniel Stenberg (15 Oct 2014)
-- [Bruno Thomsen brought this change]
+- [Daniel Lee Hwang brought this change]
- mk-ca-bundle: added SHA-384 signature algorithm
+ tool: generate easysrc only on --libcurl
- Certificates based on SHA-1 are being phased out[1].
- So we should expect a rise in certificates based on SHA-2.
- Adding SHA-384 as a valid signature algorithm.
+ Code should only be generated when --libcurl is used.
- [1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
+ Bug: https://github.com/bagder/curl/issues/429
+ Reported-by: @greafhe, Jay Satiro
- Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
+ Closes #429
+ Closes #442
-Patrick Monnerat (14 Oct 2014)
-- OS400: fix bugs in curl_*escape_ccsid() and reduce variables scope
+Jay Satiro (19 Sep 2015)
+- vtls: Change designator name for server's pubkey hash
+
+ - Change the designator name we use to show the base64 encoded sha256
+ hash of the server's public key from 'pinnedpubkey' to
+ 'public key hash'.
+
+ Though the server's public key hash is only shown when comparing pinned
+ public key hashes, the server's hash may not match one of the pinned.
-- Implement pinned public key in GSKit backend
+Daniel Stenberg (19 Sep 2015)
+- [Isaac Boukris brought this change]
-Daniel Stenberg (14 Oct 2014)
-- CURLOPT_TLSAUTH_*.3: fix reference typos
-
-- cleanups: reduce variable scope
+ NTLM: Reset auth-done when using a fresh connection
- cppcheck pointed these out.
+ With NTLM a new connection will always require authentication.
+ Fixes #435
-- singleipconnect: remove dead assignment never used
-
- cppcheck pointed this out.
+- [Daniel Hwang brought this change]
-- pinning: minor code style policing
+ ssl: add server cert's "sha256//" hash to verbose
+
+ Add a "pinnedpubkey" section to the "Server Certificate" verbose
+
+ Bug: https://github.com/bagder/curl/issues/410
+ Reported-by: W. Mark Kubacki
+
+ Closes #430
+ Closes #410
-Patrick Monnerat (13 Oct 2014)
-- Factorize pinned public key code into generic file handling and backend specific
+- [Jakub Zakrzewski brought this change]
-- vtls: remove QsoSSL
+ openldap: only part of LDAP query results received
+
+ Introduced with commit 65d141e6da5c6003a1592bbc87ee550b0ad75c2f
+
+ Closes #440
-- gskit: supply dummy randomization function
+- [Alessandro Ghedini brought this change]
-- vtls/*: deprecate have_curlssl_md5sum and set-up default md5sum implementation
+ openssl: don't output certinfo data
-Daniel Stenberg (13 Oct 2014)
-- [Peter Wu brought this change]
+- [Alessandro Ghedini brought this change]
- tests: move TESTCASES to Makefile.inc, add show for cmake
+ openssl: refactor certificate parsing to use OpenSSL memory BIO
- This change allows runtests.pl to be run from the CMake builddir:
-
- export srcdir=/tmp/curl/tests;
- perl -I$srcdir $srcdir/runtests.pl -l
+ Fixes #427
+
+Kamil Dudka (18 Sep 2015)
+- nss: prevent NSS from incorrectly re-using a session
- In order to make this possible, all test cases have been moved from
- Makefile.am to Makefile.inc.
+ Without this workaround, NSS re-uses a session cache entry despite the
+ server name does not match. This causes SNI host name to differ from
+ the actual host name. Consequently, certain servers (e.g. github.com)
+ respond by 400 to such requests.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Bug: https://bugzilla.mozilla.org/1202264
-- [Peter Wu brought this change]
+- nss: check return values of NSS functions
- cmake: enable IPv6 by default if available
-
- ENABLE_IPV6 depends on HAVE_GETADDRINFO or you will get a
- Curl_getaddrinfo_ex error. Enable IPv6 by default, disabling it if
- struct sockaddr_in6 is not found in netinet/in.h.
-
- Note that HAVE_GETADDRINFO_THREADSAFE is still not set as it needs more
- platform checks even though POSIX requires a thread-safe getaddrinfo.
+Daniel Stenberg (17 Sep 2015)
+- CURLOPT_PINNEDPUBLICKEY.3: mention error code
+
+- openssl: build with < 0.9.8
- Verified on Arch Linux x86_64 with glibc 2.20-2 and Linux 3.16-rc7.
+ ... without sha256 support and no define saying so.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reported-by: Rajkumar Mandal
-- [Peter Wu brought this change]
+- libcurl-errors.3: add two missing error codes
+
+ CURLE_SSL_PINNEDPUBKEYNOTMATCH and CURLE_SSL_INVALIDCERTSTATUS
- cmake: build tool_hugehelp (ENABLE_MANUAL)
+Jay Satiro (14 Sep 2015)
+- CURLOPT_PINNEDPUBLICKEY.3: Improve pubkey extraction example
- Rather than always outputting an empty manual page for the '-M' option,
- generate a full manual page as done by autotools. For simplicity in
- CMake, always generate the gzipped page as it will not be used anyway
- when zlib is not available.
+ - Show how a certificate can be obtained using OpenSSL.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Bug: https://github.com/bagder/curl/pull/430
+ Reported-by: Daniel Hwang
-- [Peter Wu brought this change]
+Daniel Stenberg (13 Sep 2015)
+- http2: removed unused function
- tests/http_pipe.py: Python 3 support
-
- The 2to3 tool converted socketserver (which I manually fixed up with an
- import fallback) and the print(e) line. The xrange option was converted
- to range, but it seems better to use the '*' operator here for
- simplicity.
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+- CURLINFO_ACTIVESOCKET.3: mention it replaces *LASTSOCKET
+
+- opts: add CURLINFO_* man pages to dist
-- SECURITY: slightly nicer markdown format
+- opts: 19 more CURLINFO_* options made into stand-alone man pages
-- RELEASE-PROCEDURE: better markdown, more content
+- RELEASE-NOTES: synced with fad9604613
-- RELEASE-NOTES: synced with 6637b237e6eb
+- curl: customrequest_helper: deal with NULL custom method
+
+- [Svyatoslav Mishyn brought this change]
+
+ CURLOPT_FNMATCH_FUNCTION.3: fix typo
+
+ s => is
- ... and bumped the planned release version.
+ Closes #428
-- vtls: have vtls.h include the backend header files
+- curl: point out unnecessary uses of -X in verbose mode
- It turned out some features were not enabled in the build since for
- example url.c #ifdefs on features that are defined on a per-backend
- basis but vtls.h didn't include the backend headers.
+ It uses 'Note:' as a prefix as opposed to the common 'Warning:' to take
+ down the tone a bit.
- CURLOPT_CERTINFO was one such feature that was accidentally disabled.
+ It adds a warning for using -XHEAD on other methods becasue that may
+ lead to a hanging connection.
-- test2036: verify -O with no slash at all in the URL
+Jay Satiro (10 Sep 2015)
+- curl_sspi: fix possibly undefined CRYPT_E_REVOKED
- Similar to test 76 but that test's URL has a slash just no file name
- part.
+ Bug: https://github.com/bagder/curl/pull/411
+ Reported-by: Viktor Szakats
-- get_url_file_name: make no slash equal empty string
+- buildconf.bat: fix syntax error
-- get_url_file_name: never return a NULL string *and* OK
-
- Change 987a4a73 assumes that as it simplifies life in the calling
- function.
-
- Reported-by: Fabian Keil
+- [Benjamin Kircher brought this change]
-- [Jakub Zakrzewski brought this change]
+ winbuild: run buildconf.bat if necessary
- Cmake: Build with GSSAPI (MIT or Heimdal)
-
- It tries hard to recognise SDK's on different platforms. On windows MIT
- Kerberos installs SDK with other things and puts path into registry.
- Heimdal have separate zip archive. On linux pkg-config is tried, then
- krb5-config script and finally old-style libs and headers detection.
+- [Svyatoslav Mishyn brought this change]
+
+ docs: fix argument type for CURLINFO_SPEED_*, CURLINFO_SIZE_*
- Command line args:
- * CMAKE_USE_GSSAPI - enables GSSAPI detection
- * GSS_ROOT_DIR - if set, should point to the root of GSSAPI installation
- (the one with include and lib directories)
+ long => double
-- [Jakub Zakrzewski brought this change]
+Daniel Stenberg (8 Sep 2015)
+- [Sergei Nikulov brought this change]
- Cmake: Got rid of setup_curl_dependencies
+ cmake: IPv6 : disable Unix header check on Windows platform
- There is no need for such function. Include_directories propagate by
- themselves and having a function with one simple link statement makes
- little sense.
+ Closes #409
-- [Jakub Zakrzewski brought this change]
+- parse_proxy: reject illegal port numbers
+
+ If the port number in the proxy string ended weirdly or the number is
+ too large, skip it. Mostly as a means to bail out early if a "bare" IPv6
+ numerical address is used without enclosing brackets.
+
+ Also mention the bracket requirement for IPv6 numerical addresses to the
+ man page for CURLOPT_PROXY.
+
+ Closes #415
+
+ Reported-by: Marcel Raad
- Cmake: Avoid cycle directory dependencies.
+- FTP: do_more: add check for wait_data_conn in upload case
+
+ In some timing-dependnt cases when a 4xx response immediately followed
+ after a 150 when a STOR was issued, this function would wrongly return
+ 'complete == true' while 'wait_data_conn' was still set.
+
+ Closes #405
- Because we prepended libraries to list, CMake had troubles resolving
- link directory order as it detected some cycles. Appending to list ensures
- that dependencies will preceed dependees.
+ Reported-by: Patricia Muscalu
-- [Jakub Zakrzewski brought this change]
+- [Svyatoslav Mishyn brought this change]
- Cmake: Fix library list provided to cURL tests.
+ CURLOPT_TLSAUTH_TYPE.3: update description
- The list must be set after those nice CMake tests as we mess with
- CMAKE_REQUIRED_LIBRARIES there.
+ Closes #414
+ Closes #413
-- [Jakub Zakrzewski brought this change]
+- [Svyatoslav Mishyn brought this change]
- Cmake: Check for OpenSSL before OpenLDAP.
+ CURLOPT_PATH_AS_IS.3: fix typo
- OpenLDAP might have been build with OpenSSL. Checking for OpenLDAP first
- may result in undefined symbols. Of course, the found OpenSSL libraries
- must also be linked whenever OpenLDAP is.
+ leavit => leaveit
+
+ closes #412
-- curl_multi_fdset.3: improved the formatting slightly
+- [Svyatoslav Mishyn brought this change]
-- curl_multi_fdset: explain the fd_set arguments
+ CURLINFO_SSL_VERIFYRESULT.3: add short description
-Kamil Dudka (8 Oct 2014)
-- nss: do not fail if a CRL is already cached
-
- This fixes a copy-paste mistake from commit 2968f957.
+- [Svyatoslav Mishyn brought this change]
-Patrick Monnerat (8 Oct 2014)
-- OS400: upgrade interface for pinned public key (no implementation yet)
+ CURLINFO_SSL_ENGINES.3: add short description
-Daniel Stenberg (8 Oct 2014)
-- FormAdd: precaution against memdup() of NULL pointer
-
- Coverity CID 252518. This function is in general far too complicated for
- its own good and really should be broken down into several smaller
- funcitons instead - but I'm adding this protection here now since it
- seems there's a risk the code flow can end up here and dereference a
- NULL pointer.
+- [Svyatoslav Mishyn brought this change]
-- operate: avoid NULL dereference
-
- Coverity CID 1241948. dumpeasysrc() would get called with
- config->current set to NULL which could be dereferenced by a warnf()
- call.
+ CURLINFO_CONTENT_LENGTH_UPLOAD.3: replace "receive" with "get" for consistency
-- do_sec_send: remove dead code
-
- Coverity CID 1241951. The condition 'len >= 0' would always be true at
- that point and thus not necessary to check for.
+- [Svyatoslav Mishyn brought this change]
-- krb5_encode: remove unused argument
-
- Coverity CID 1241957. Removed the unused argument. As this struct and
- pointer now are used only for krb5, there's no need to keep unused
- function arguments around.
+ CURLINFO_REDIRECT_TIME.3: remove redundant '!'
-- operate_do: skip superfluous check for NULL pointer
+Kamil Dudka (4 Sep 2015)
+- Revert "has: generate the curl/has.h header"
- Coverity CID 1243583. get_url_file_name() cannot fail and return a NULL
- file name pointer so skip the check for that - it tricks coverity into
- believing it can happen and it then warns later on when we use 'outfile'
- without checking for NULL.
+ This reverts commit a60bde79f9adeb135d5c642a07f0d783fbfbbc25 I have
+ pushed by mistake. Apologies for my incompetent use of the git repo!
-- curl_easy_getinfo.3: spell-fix
+- nss: do not directly access SSL_ImplementedCiphers[]
+
+ It causes dynamic linking issues at run-time after an update of NSS.
- Reported-By: Luan Cestari
+ Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html
-- [moparisthebest brought this change]
+- [Daniel Stenberg brought this change]
- GnuTLS: Implement public key pinning
+ has: generate the curl/has.h header
+
+ changed macro name, moved and renamed script to become docs/libcurl/has.pl,
+ generate code that is checksrc compliant
-- [moparisthebest brought this change]
+Daniel Stenberg (3 Sep 2015)
+- gitignore: ignore more generated VC Makefiles
- SSL: implement public key pinning
-
- Option --pinnedpubkey takes a path to a public key in DER format and
- only connect if it matches (currently only implemented with OpenSSL).
+- projects/Windows/.gitignore: ignore generated files for release
+
+- http2: don't pass on Connection: headers
- Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().
+ RFC 7540 section 8.1.2.2 states: "An endpoint MUST NOT generate an
+ HTTP/2 message containing connection-specific header fields; any message
+ containing connection-specific header fields MUST be treated as
+ malformed"
- Extract a public RSA key from a website like so:
- openssl s_client -connect google.com:443 2>&1 < /dev/null | \
- sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
- | openssl rsa -pubin -outform DER > google.com.der
+ Closes #401
-- multi_runsingle: fix possible memory leak
-
- Coverity CID 1202837. 'newurl' can in fact be allocated even when
- Curl_retry_request() returns failure so free it if need be.
+- curl.1: update RFC references
-- ares::Curl_resolver_cancel: skip checking for NULL conn
-
- Coverity CID 1243581. 'conn' will never be NULL here, and if it would be
- the subsequent statement would dereference it!
+- CURLOPT_POSTREDIR.3: update RFC number and section
-- parseconfig: skip a NULL check
+- CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
- Coverity CID 1154198. This NULL check implies that the pointer _can_ be
- NULL at this point, which it can't. Thus it is dead code. It tricks
- static analyzers to warn about dereferencing the pointer since the code
- seems to imply it can be NULL.
+ and some general cleaning up
-- [Waldek Kozba brought this change]
+- [Marcel Raad brought this change]
- multi-uv.c: call curl_multi_info_read() better
+ inet_pton.c: Fix MSVC run-time check failure (2)
- Improves it for low-latency cases (like the communication with
- localhost)
-
-- tool_go_sleep: use (void) to spell out we ignore the return value
+ This fixes another run-time check failure because of a narrowing cast on
+ Visual C++.
- Coverity CID 1222080.
+ Closes #408
-- ssh_statemach_act: split out assignment from check
+Jay Satiro (3 Sep 2015)
+- docs: Warn about any-domain cookies and multiple transfers
- just a minor code style thing to make the code clearer
-
-Marc Hoersken (4 Oct 2014)
-- curl_schannel.c: Fixed possible memory or handle leak
+ - Warn that cookies without a domain are sent to any domain:
+ CURLOPT_COOKIELIST, CURLOPT_COOKIEFILE, --cookie
- First try to fix possible memory leaks, in this case:
- Only connssl->ctxt xor onnssl->cred being initialized.
+ - Note that imported Set-Cookie cookies without a domain are no longer
+ exported:
+ CURLINFO_COOKIELIST, CURLOPT_COOKIEJAR, --cookie-jar
-Daniel Stenberg (4 Oct 2014)
-- getparameter: remove dead code
+Steve Holme (2 Sep 2015)
+- tool_sdecls.h: Fixed compilation warning from commit 4a889441d3
- Coverity CID 1061126. 'parse' will always be non-NULL here.
+ tool_sdecls.h:139 warning: comma at end of enumerator list
+
+Daniel Stenberg (2 Sep 2015)
+- opts: 8 more CURLINFO* options as stand-alone man pages
+
+- RELEASE-NOTES: synced with c764cb4add1a8
-- getparameter: comment a switch FALLTHROUGH
+- man-pages: more SEE ALSO links
+
+- opts: more CURLINFO_* options as stand-alone man pages
+
+Steve Holme (31 Aug 2015)
+- sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
- Coverity CID 1061118. Point out that it is on purpose.
+ Introduced in commit 59f3f92ba6 this function is only implemented when
+ CURL_DISABLE_CRYPTO_AUTH is not defined. As such we shouldn't define
+ the function in the header file either.
-- choose_mech: fix return code
+- sasl: Updated SPN variables and comments for consistency
- Coverity CID 1241950. The pointer is never NULL but it might point to
- NULL.
+ In places the "host name" and "realm" variable was referred to as
+ "instance" whilst in others it was referred to as "host".
-- Curl_sec_read_msg: spell out that we ignore return code
+Daniel Stenberg (30 Aug 2015)
+- configure: check for HMAC_Update in openssl
- Coverity CID 1241947. Since if sscanf() fails, the previously set value
- remains set.
+ Turns out HMAC_Init is now deprecated in openssl master (and I spelled
+ HMAC_Init_ex wrong in previous commit)
-- nonblock: call with (void) to show we ignore the return code
+Steve Holme (30 Aug 2015)
+- win32: Use DES_set_odd_parity() from OpenSSL/BoringSSL by default
- Coverity pointed out several of these.
+ Set HAVE_DES_SET_ODD_PARITY when using OpenSSL/BoringSSL as native
+ Windows builds don't use the autoconf tools.
-- parse_proxy: remove dead code.
+- des: Fixed compilation warning from commit 613e5022fe
- Coverity CID 982331.
+ curl_ntlm_core.c:150: warning 'Curl_des_set_odd_parity' undefined;
+ assuming extern returning int
-- Curl_debug: document switch fallthroughs
+- buildconf.bat: Fixed double blank line in 'curl manual' warning output
-- curl_multi_remove_handle: remove dead code
+- makefiles: Added our standard copyright header
- Coverify CID 1157776. Removed a superfluous if() that always evaluated
- true (and an else clause that never ran), and then re-indented the
- function accordingly.
+ But kept the original author, when they were specified in a comment, as
+ the initial copyright holder.
-- Curl_pipeline_server_blacklisted: handle a NULL server name
-
- Coverity CID 1215284. The server name is extracted with
- Curl_copy_header_value() and passed in to this function, and
- copy_header_value can actually can fail and return NULL.
+Jay Satiro (29 Aug 2015)
+- CURLOPT_FILETIME.3: CURLINFO_FILETIME has its own manpage now
+
+Daniel Stenberg (29 Aug 2015)
+- CURLINFO_RESPONSE_CODE.3: added short description
-- ssh: comment "fallthrough" in switch statement
+- opts: 7 initial CURLINFO_* options as stand-alone man pages
-- [Jeremy Lin brought this change]
+- [Nikolai Kondrashov brought this change]
- ssh: improve key file search
+ libcurl.m4: Put braces around empty if body
- For private keys, use the first match from: user-specified key file
- (if provided), ~/.ssh/id_rsa, ~/.ssh/id_dsa, ./id_rsa, ./id_dsa
+ Put braces around empty "if" body in libcurl.m4 check to avoid warning:
- Note that the previous code only looked for id_dsa files. id_rsa is
- now generally preferred, as it supports larger key sizes.
+ suggest braces around empty body in an 'if' statement
- For public keys, use the user-specified key file, if provided.
- Otherwise, try to extract the public key from the private key file.
- This means that passing --pubkey is typically no longer required,
- and makes the key-handling behavior more like OpenSSH.
+ and make it work with -Werror builds.
+
+ Closes #402
-- CURLOPT_HTTPHEADER.3: libcurl doesn't copy the whole list
+- [Svyatoslav Mishyn brought this change]
-- detect_proxy: fix possible single-byte memory leak
+ curl_easy_escape.3: escape '\n'
- Coverity CID 1202836. If the proxy environment variable returned an empty
- string, it would be leaked. While an empty string is not really a proxy, other
- logic in this function already allows a blank string to be returned so allow
- that here to avoid the leak.
+ Closes #398
+
+- [Svyatoslav Mishyn brought this change]
-- multi_runsingle: fix memory leak
+ curl_easy_{escape,setopt}.3: fix example
- Coverity CID 1202837. There's a potential risk that 'newurl' gets
- overwritten when it was already pointing to allocated memory.
+ remove redundant '}'
-- pop3_perform_authentication: fix memory leak
+- [Sergei Nikulov brought this change]
+
+ cmake: added Windows SSL support
- Coverity CID 1215287. There's a potential risk for a memory leak in
- here, and moving the free call to be unconditional seems like a cheap
- price to remove the risk.
+ Closes #399
-- imap_perform_authentication: fix memory leak
+- curl: point out the conflicting HTTP methods if used
- Coverity CID 1215296. There's a potential risk for a memory leak in
- here, and moving the free call to be unconditional seems like a cheap
- price to remove the risk.
+ It isn't always clear to the user which options that cause the HTTP
+ methods to conflict so by spelling them out it should hopefully be
+ easier to understand why curl complains.
+
+- curl: clarify that users can only specify one _METHOD_
-- wait_or_timeout: return failure when Curl_poll() fails
+- [Svyatoslav Mishyn brought this change]
+
+ curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
- Coverity detected this. CID 1241954. When Curl_poll() returns a negative value
- 'mcode' was uninitialized. Pretty harmless since this is debug code only and
- would at worst cause an error to _not_ be returned...
+ Closes #395
+
+Patrick Monnerat (24 Aug 2015)
+- os400: include new options in wrappers and update ILE/RPG binding.
-- curl.1: mention quoting in the URL section
+Daniel Stenberg (24 Aug 2015)
+- KNOWN_BUGS: #2, not reading a HEAD response-body is not a bug
- and separate the example URLs with newlines
+ ... since HTTP is forbidden to return any such.
-Steve Holme (30 Sep 2014)
-- [Bill Nagel brought this change]
+- KNOWN_BUGS: #78 zero-length files is already fixed!
- smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
+- [Razvan Cojocaru brought this change]
+
+ getinfo: added CURLINFO_ACTIVESOCKET
- This patch fixes the "SSL3_WRITE_PENDING: bad write retry" error that
- sometimes occurs when sending an email over SMTPS with OpenSSL. OpenSSL
- appears to require the same pointer on a write that follows a retry
- (CURLE_AGAIN) as discussed here:
+ This patch addresses known bug #76, where on 64-bit Windows SOCKET is 64
+ bits wide, but long is only 32, making CURLINFO_LASTSOCKET unreliable.
- http://stackoverflow.com/questions/2997218/why-am-i-getting-error1409f07fssl-routinesssl3-write-pending-bad-write-retr
-
-Daniel Stenberg (30 Sep 2014)
-- RELEASE-NOTES: synced with 53cbea22310f15
+ Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
-- file: reject paths using embedded %00
+- http2: remove dead code
- Mostly because we use C strings and they end at a binary zero so we know
- we can't open a file name using an embedded binary zero.
+ Leftovers from when we removed the private socket hash.
- Reported-by: research@g0blin.co.uk
+ Coverity CID 1317365, "Logically dead code"
-Dan Fandrich (26 Sep 2014)
-- test506: Fixed a couple of memory leaks in test
+- ntlm: mark deliberate switch case fall-through
+
+ Coverity CID 1317367, "Missing break in switch"
-Daniel Stenberg (25 Sep 2014)
-- [Yousuke Kimoto brought this change]
+- http2: on_frame_recv: get a proper 'conn' for the debug logging
+
+ "Explicit null dereferenced (FORWARD_NULL)"
+
+ Coverity CID 1317366
- CURLOPT_COOKIELIST: Added "RELOAD" command
+- RELEASE-NOTES: synced with 2acaf3c804
-- [Michael Wallner brought this change]
+Dan Fandrich (23 Aug 2015)
+- tool: fix memory leak with --proto-default option
- CURLOPT_POSTREDIR.3: Added availability for CURL_REDIR_POST_303
+Jay Satiro (22 Aug 2015)
+- [Nathaniel Waisbrot brought this change]
-- threaded-resolver: revert Curl_expire_latest() switch
+ CURLOPT_DEFAULT_PROTOCOL: added
- The switch to using Curl_expire_latest() in commit cacdc27f52b was a
- mistake and was against the advice even mentioned in that commit. The
- comparison in asyn-thread.c:Curl_resolver_is_resolved() makes
- Curl_expire() the suitable function to use.
+ - Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default
+ protocol for schemeless URLs.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1426
- Reported-By: graysky
+ - Add new tool option --proto-default to expose
+ CURLOPT_DEFAULT_PROTOCOL.
+
+ In the case of schemeless URLs libcurl will behave in this way:
+
+ When the option is used libcurl will use the supplied default.
+
+ When the option is not used, libcurl will follow its usual plan of
+ guessing from the hostname and falling back to 'http'.
-- libcurl docs: improvements all over
+- runtests: Allow for spaces in server-verify curl custom path
-Steve Holme (19 Sep 2014)
-- build: Added WinIDN build configuration options
+Daniel Stenberg (22 Aug 2015)
+- NTLM: recent boringssl brought DES_set_odd_parity back
- Added initial support for WinIDN build configurations to the VC10+
- project files.
-
-Daniel Stenberg (19 Sep 2014)
-- tutorial: signals aren't used for the threaded resolver
+ ... so improve the #ifdefs for using our local implementation.
-- FAQ: update the pronunciation section
+- configure: detect latest boringssl
- As we weren't using the correct phonetic description and doing it correctly
- involves funny letters that I'm sure will cause problems for people in a text
- document so I instead rephrased it and link to a WAV file with a person
- actually saying 'curl'.
+ Since boringssl brought back DES_set_odd_parity again, it cannot be used
+ to differentiate from boringssl. Using the OPENSSL_IS_BORINGSSL define
+ seems better anyway.
- Reported-By: Dimitar Boevski
-
-- CURLOPT_COOKIE*: added more cross-references
-
-- BINDINGS: add node-libcurl
+ URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/
+ Original-patch-by: Bertrand Simonnet
- Reported-By: Jonathan Cardoso Machado
- URL: http://curl.haxx.se/mail/lib-2014-09/0102.html
+ Closes #393
-- README.http2: updated to reflect current status
+- configure: change functions to detect openssl (clones)
+
+ ... since boringssl moved the former ones and the check started to fail.
+
+ URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/
+ Original-patch-by: Bertrand Simonnet
-- formdata: removed unnecessary USE_SSLEAY use
+- [Alessandro Ghedini brought this change]
-- curlssl: make tls backend symbols use curlssl in the name
+ openssl: handle lack of server cert when strict checking disabled
+
+ If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER
+ and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server
+ doesn't present a certificate at all.
+
+ Closes #392
-- url: let the backend decide CURLOPT_SSL_CTX_ support
+- ftp: clear the do_more bit when the server has connected
- ... to further remove specific TLS backend knowledge from url.c
+ The multi state machine would otherwise go into the DO_MORE state after
+ DO, even for the case when the FTP state machine had already performed
+ those duties, which caused libcurl to get stuck in that state and fail
+ miserably. This occured for for active ftp uploads.
+
+ Reported-by: Patricia Muscalu
+
+- [Jactry Zeng brought this change]
-- vtls: have the backend tell if it supports CERTINFO
+ travis.yml: Add OS X testbot.
-- [Catalin Patulea brought this change]
+- [Rémy Léone brought this change]
- configure: allow --with-ca-path with PolarSSL too
+ travis: Upgrading to container based build
- Missed this in af45542c.
+ http://docs.travis-ci.com/user/migrating-from-legacy
- Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
+ Closes #388
-- CURLOPT_CAPATH: return failure if set without backend support
+- RELEASE-NOTES: synced with 14ff86256b13e
-- [Tatsuhiro Tsujikawa brought this change]
+- [Erik Janssen brought this change]
- http2: Fix busy loop when EOF is encountered
+ rtsp: stop reading empty DESCRIBE responses
- Previously we did not handle EOF from underlying transport socket and
- wrongly just returned error code CURL_AGAIN from http2_recv, which
- caused busy loop since socket has been closed. This patch adds the
- code to handle EOF situation and tells the upper layer that we got
- EOF.
+ Based-on-patch-by: Jim Hollinger
-Steve Holme (13 Sep 2014)
-- build: Added batch wrapper to checksrc.pl
+- [Erik Janssen brought this change]
-- RELEASE-NOTES: Synced with bd3df5ec6d
+ rtsp: support basic/digest authentication
-- [Marcel Raad brought this change]
+- [Sam Roth brought this change]
- sasl_sspi: Fixed Unicode build
+ CURLMOPT_PUSHFUNCTION.3: fix argument types
- Bug: http://curl.haxx.se/bug/view.cgi?id=1422
- Verified-by: Steve Holme
+ Closes #389
+ Closes #386
-Daniel Stenberg (12 Sep 2014)
-- libcurl-tutorial.3: fix GnuTLS link to thread-safety guidelines
-
- The former link was turned into a 404 at some point.
-
- Reported-By: Askar Safin
+- [Marcel Raad brought this change]
-- contributors.sh: split list of names at comma
+ inet_pton.c: Fix MSVC run-time check failure
- ... to support a list of names provided in a commit message.
-
-Steve Holme (12 Sep 2014)
-- [Ulrich Telle brought this change]
-
- ntlm: Fixed HTTP proxy authentication when using Windows SSPI
+ Visual Studio complains with a message box:
- Removed ISC_REQ_* flags from calls to InitializeSecurityContext to fix
- bug in NTLM handshake for HTTP proxy authentication.
+ "Run-Time Check Failure #1 - A cast to a smaller data type has caused a
+ loss of data. If this was intentional, you should mask the source of
+ the cast with the appropriate bitmask.
- NTLM handshake for HTTP proxy authentication failed with error
- SEC_E_INVALID_TOKEN from InitializeSecurityContext for certain proxy
- servers on generating the NTLM Type-3 message.
+ For example:
+ char c = (i & 0xFF);
- The flag ISC_REQ_CONFIDENTIALITY seems to cause the problem according
- to the observations and suggestions made in a bug report for the
- QT project (https://bugreports.qt-project.org/browse/QTBUG-17322).
+ Changing the code in this way will not affect the quality of the
+ resulting optimized code."
- Removing all the flags solved the problem.
+ This is because only 'val' is cast to unsigned char, so the "& 0xff" has
+ no effect.
- Bug: http://curl.haxx.se/mail/lib-2014-08/0273.html
- Reported-by: Ulrich Telle
- Assisted-by: Steve Holme, Daniel Stenberg
+ Closes #387
-Daniel Stenberg (12 Sep 2014)
-- [Ray Satiro brought this change]
+Jay Satiro (18 Aug 2015)
+- docs: Update the redirect protocols disabled by default
+
+ - Clarify that FILE and SCP are disabled by default since 7.19.4
+ - Add that SMB and SMBS are disabled by default since 7.40.0
+ - Add CURLPROTO_SMBS to the list of protocols
- newlines: fix mixed newlines to LF-only
+- gitignore: Sort for readability
- I use the curl repo mainly on Windows with the typical Windows git
- checkout which converts the LF line endings in the curl repo to CRLF
- automatically on checkout. The automatic conversion is not done on files
- in the repo with mixed line endings. I recently noticed some weird
- output with projects/build-openssl.bat that I traced back to mixed line
- endings, so I scanned the repo and there are files (excluding the
- test data) that have mixed line endings.
+ find . -name .gitignore -print0 | xargs -i -0 sort -o '{}' '{}'
+
+Daniel Stenberg (15 Aug 2015)
+- curl_easy_getinfo.3: fix superfluous space
- I used this command below to do the scan. Unfortunately it's not as easy
- as git grep, at least not on Windows. This gets the names of all the
- files in the repo's HEAD, gets each of those files raw from HEAD, checks
- for mixed line endings of both LF and CRLF, and prints the name if
- mixed. I excluded path tests/data/test* because those can have mixed
- line endings if I understand correctly.
+ ... and changed "oriented" to "related"
- for f in `git ls-tree --name-only --full-tree -r HEAD`;
- do if [ -n "${f##tests/data/test*}" ];
- then git show "HEAD:$f" | \
- perl -0777 -ne 'exit 1 if /([^\r]\n.*\r\n)|(\r\n.*[^\r]\n)/';
- if [ $? -ne 0 ];
- then echo "$f";
- fi;
- fi;
- done
+ Closes #378
-- [Viktor Szakáts brought this change]
+- CURLOPT_HTTP_VERSION.3: connection re-use goes before version
- mk-ca-bundle.pl: converted tabs to spaces, deleted trailing spaces
+- [Daniel Kahn Gillmor brought this change]
-- ROADMAP: markdown eats underscores
+ curl.1: Document weaknesses in SSLv2 and SSLv3
- It interprets them as italic indictors unless we backtick the word.
+ Acknowledge that SSLv3 is also widely considered to be insecure.
+
+ Also, provide references for people who want to know more about why it's
+ insecure.
-- ROADMAP: tiny formatting edit for nicer web output
+Steve Holme (14 Aug 2015)
+- generate.bat: Added support for generating only the prerequisite files
-Steve Holme (10 Sep 2014)
-- ROADMAP.md: Updated GSSAPI authentication following 7.38.0 additions
+- generate.bat: Only call buildconf.bat if it exists
-- INTERNALS: Added email and updated Kerberos details
+- generate.bat: Fixed issues when ran in directories with special chars
-- FEATURES: Updated Kerberos details
-
- Added support for Kerberos 5 to the email protocols following the recent
- additions in 7.38.0.
-
- Removed Kerberos 4 as this has been gone for a while now.
-
-Daniel Stenberg (10 Sep 2014)
-- [Paul Howarth brought this change]
+Daniel Stenberg (14 Aug 2015)
+- [Brad King brought this change]
- openssl: build fix for versions < 0.9.8e
+ cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
- Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html
+ Fix the check code to pass 5 arguments instead of 6. This typo was
+ introduced by commit aebfd4cfbf (cmake: fix gethostby{addr,name}_r in
+ CurlTests, 2014-10-31).
-- mk-ca-bundle.pl: first, try downloading HTTPS with curl
-
- As a sort of step forward, this script will now first try to get the
- data from the HTTPS URL using curl, and only if that fails it will
- switch back to the HTTP transfer using perl's native LWP functionality.
- To reduce the risk of this script being tricked.
+Steve Holme (14 Aug 2015)
+- * buildconf.bat: Fixed issues when ran in directories with special chars
- Using HTTPS to get a cert bundle introduces a chicken-and-egg problem so
- we can't really ever completely disable HTTP, but chances are that most
- users already have a ca cert bundle that trusts the mozilla.org site
- that this script downloads from.
-
- A future version of this script will probably switch to require a
- dedicated "insecure" command line option to allow downloading over HTTP
- (or unverified HTTPS).
+ Bug: https://github.com/bagder/curl/pull/379
+ Reported-by: Daniel Seither
-- LICENSE-MIXING: removed krb4 info
+Jay Satiro (13 Aug 2015)
+- curl_global_init_mem.3: Stronger thread safety warning
- krb4 has been dropped since a while now
+ Bug: http://curl.haxx.se/mail/lib-2015-08/0016.html
+ Reported-by: Eric Ridge
-- bump: on the 7.38.1-DEV train now!
+Daniel Stenberg (12 Aug 2015)
+- [Svyatoslav Mishyn brought this change]
-- SSLCERTS: minor updates
+ curl_multi_add_handle.3: fix a typo
+
+ "can not" => "cannot"
- Edited format to look better on the web, added a "it is about trust"
- section.
+ closes #377
-Version 7.38.0 (10 Sep 2014)
+- [Alessandro Ghedini brought this change]
-Daniel Stenberg (10 Sep 2014)
-- dist: two cmake files are no more
+ docs: fix typos
- CMake/FindOpenSSL.cmake and FindZLIB.cmake are gone since 14aa8f0c117b
+ closes #376
-- RELEASE-NOTES: final update for 7.38.0
+- bump: start working toward 7.45.0
-- cookies: reject incoming cookies set for TLDs
-
- Test 61 was modified to verify this.
-
- CVE-2014-3620
-
- Reported-by: Tim Ruehsen
- URL: http://curl.haxx.se/docs/adv_20140910B.html
+- THANKS: remove duplicate name
-- [Tim Ruehsen brought this change]
+- THANKS-filter: merge Todd's names
- cookies: only use full host matches for hosts used as IP address
-
- By not detecting and rejecting domain names for partial literal IP
- addresses properly when parsing received HTTP cookies, libcurl can be
- fooled to both send cookies to wrong sites and to allow arbitrary sites
- to set cookies for others.
-
- CVE-2014-3613
-
- Bug: http://curl.haxx.se/docs/adv_20140910A.html
+- THANKS: 13 new contributors from the 7.44.0 RELEASE-NOTES
-- HISTORY: fix the 1998 title position
+Version 7.44.0 (11 Aug 2015)
-- HISTORY: extended and now markdown
+Daniel Stenberg (11 Aug 2015)
+- RELEASE-NOTES: synced with c75a1e775061
-- SSLCERTS: converted to markdown
-
- Only minor edits to make it generate nice HTML output using markdown, as
- this document serves both in source release tarballs as on the web site.
-
- URL: http://curl.haxx.se/docs/sslcerts.html
+- [Svyatoslav Mishyn brought this change]
-- ftp-wildcard.c: spell fix
+ curl_formget.3: correct return code
- Reported-By: Frank Gevaerts
-
-- RELEASE-NOTES: synced with 921a0c22a6f
+ Closes #375
-- THANKS: synced with RELEASE-NOTES for 921a0c22a6f
+- [Svyatoslav Mishyn brought this change]
-- polarassl: avoid memset() when clearing the first byte is enough
+ libcurl-tutorial.3: fix formatting
+
+ Closes #374
-- [Catalin Patulea brought this change]
+- [Svyatoslav Mishyn brought this change]
- polarssl: support CURLOPT_CAPATH / --capath
-
- Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
+ curl_easy_recv.3: fix formatting
-- SECURITY: eh, make more sense!
+- [Anders Bakken brought this change]
-- SECURITY: how to join the curl-security list
+ http2: discard frames with no SessionHandle
+
+ Return 0 instead of NGHTTP2_ERR_CALLBACK_FAILURE if we can't locate the
+ SessionHandle. Apparently mod_h2 will sometimes send a frame for a
+ stream_id we're finished with.
+
+ Use nghttp2_session_get_stream_user_data and
+ nghttp2_session_set_stream_user_data to identify SessionHandles instead
+ of a hash.
+
+ Closes #372
-- RELEASE-NOTES: fix the required nghttp2 version typo
+- RELEASE-NOTES: synced with 9ee40ce2aba
-- [Brandon Casey brought this change]
+- [Viktor Szakats brought this change]
- Ensure progress.size_dl/progress.size_ul are always >= 0
-
- Historically the default "unknown" value for progress.size_dl and
- progress.size_ul has been zero, since these values are initialized
- implicitly by the calloc that allocates the curl handle that these
- variables are a part of. Users of curl that install progress
- callbacks may expect these values to always be >= 0.
+ build: refer to fixed libidn versions
- Currently it is possible for progress.size_dl and progress.size_ul
- to by set to a value of -1, if Curl_pgrsSetDownloadSize() or
- Curl_pgrsSetUploadSize() are passed a "size" of -1 (which a few
- places currently do, and a following patch will add more). So
- lets update Curl_pgrsSetDownloadSize() and Curl_pgrsSetUploadSize()
- so they make sure that these variables always contain a value that
- is >= 0.
+ closes #371
+
+- Revert "configure: disable libidn by default"
- Updates test579 and test599.
+ This reverts commit e6749055d65398315fd77f5b5b8234c5552ac2d3.
- Signed-off-by: Brandon Casey <drafnel@gmail.com>
+ ... since libidn has since been fixed.
-Steve Holme (7 Sep 2014)
-- tests: Added test1420 to the makefile
+- [Jakub Zakrzewski brought this change]
-- test1420: Removed unnecessary CURLOPT setting
+ CMake: s/HAVE_GSS_API/HAVE_GSSAPI/ to match header define
+
+ Otherwise the build only pretended to use GSS-API
+
+ Closes #370
-- tests: Added more "Clear Text" authentication keywords
+- SFTP: fix range request off-by-one in size check
+
+ Reported-by: Tim Stack
+
+ Closes #359
-- tests: Updated "based on" text due to email test renumbering
+- test46: update cookie expire time
+
+ ... since it went old and thus was expired and caused the test to fail!
-- tests: For consistency added --libcurl to test name
+Steve Holme (9 Aug 2015)
+- generate.bat: Use buildconf.bat for prerequisite file generation
-- tests: Added --libcurl for IMAP test case
+- buildconf.bat: Tidy up of comments after recent commits
-- multi.c: Avoid invalid memory read after free() from commit 3c8c873252
+- buildconf.bat: Added full generation of src\tool_hugehelp.c
- As the current element in the list is free()d by Curl_llist_remove(),
- when the associated connection is pending, reworked the loop to avoid
- accessing the next element through e->next afterward.
+ Added support for generating the full man page based on code from
+ generate.bat.
-- multi.c: Fixed compilation warning from commit 3c8c873252
+- buildconf.bat: Added detection of groff, nroff, perl and gzip
- warning: implicit conversion from enumeration type 'CURLMcode' to
- different enumeration type 'CURLcode'
+ To allow for the full generation of tool_hugehelp.c added detection of
+ the required programs - based on code from generate.bat.
-- url.c: Use CURLAUTH_NONE constant rather than 0
+- buildconf.bat: Move DOS variable clean-up code to separate function
- Small follow up to commit 898808fa8c to use auth constants rather than
- hard code value when clearing picked authentication mechanism.
+ Rather than duplicate future variables, during clean-up of both success
+ and error conditions, use a common function that can be called by both.
+
+- RELEASE-NOTES: Synced with 39dcf352d2
-- RELEASE-NOTES: Synced with fd1ce3856a
+- buildconf.bat: Added error messages on failure
-Nick Zitzmann (4 Sep 2014)
-- [Vilmos Nebehaj brought this change]
+- buildconf.bat: Generate and clean files in the same order
- darwinssl: Use CopyCertSubject() to check CA cert.
+- buildconf.bat: Maintain compatibility with DOS based systems
- SecCertificateCopyPublicKey() is not available on iPhone. Use
- CopyCertSubject() instead to see if the certificate returned by
- SecCertificateCreateWithData() is valid.
+ Commit f08e30d7bc broke compatibility with DOS and non Windows NT based
+ versions of Windows due to the use of the setlocal command.
+
+Jay Satiro (9 Aug 2015)
+- CURLOPT_RESOLVE.3: Note removal support was added in 7.42
- Reported-by: Toby Peterson
+ Bug: http://curl.haxx.se/mail/lib-2015-08/0019.html
+ Reported-by: Inca R
-Steve Holme (4 Sep 2014)
-- RELEASE-NOTES: Clarify email Kerberos support is currently via Windows SSPI
+Steve Holme (8 Aug 2015)
+- checksrc.bat: Fixed error when missing *.c and *.h files
+
+ File Not Found
-Daniel Stenberg (4 Sep 2014)
-- MAIL-ETIQUETTE: "1.8 I posted, now what?"
+- checksrc.bat: Fixed incorrect 'lib\vtls' path check in commit 333c36b276
-- CURLOPT_CA*: better refering between *CAINFO and *CAPATH
+- checksrc.bat: Fixed error when [directory] isn't a curl source directory
- ... and a minor wording edit
+ The system cannot find the file specified.
+
+- checksrc.bat: Added check for unknown arguments
-- THANKS: added Dennis Clarke
+- scripts: Added missing comments
+
+- scripts: Always perform setlocal and endlocal calls in pairs
- Dennis Clarke from Blastwave.org for ensuring that nightly builds run
- smooth on Solaris!
+ Ensure that there isn't a mismatch between setlocal and endlocal calls,
+ which could have happened due to setlocal being called after certain
+ error conditions were checked for.
-- curl_multi_cleanup: remove superfluous NULL assigns
+- scripts: Allow -help to be specified in any argument
- ... as the struct is free()d in the end anyway. It was first pointed out
- to me that one of the ->msglist assignments were supposed to have been
- ->pending but was a copy and paste mistake when I realized none of the
- clearing of pointers had to be there.
+ Allow the -help command line argument to be specified in any argument
+ and not just as the first.
+
+Daniel Stenberg (6 Aug 2015)
+- [juef brought this change]
-- multi: convert CURLM_STATE_CONNECT_PEND handling to a list
+ curl_multi_remove_handle.3: fix formatting
- ... instead of scanning through all handles, stash only the actual
- handles that are in that state in the new ->pending list and scan that
- list only. It should be mostly empty or very short. And only used for
- pipelining.
+ closes #366
+
+Steve Holme (6 Aug 2015)
+- README: Added notes about 'Running DLL based configurations'
- This avoids a rather hefty slow-down especially notable if you add many
- handles to the same multi handle. Regression introduced in commit
- 0f147887 (version 7.30.0).
+ ...as well as a TODO for a future enhancement to the project files.
- Bug: http://curl.haxx.se/mail/lib-2014-07/0206.html
- Reported-by: David Meyer
+ Thanks-to: Jay Satiro
-- RELEASE-NOTES: synced with e608324f9f9
+- RELEASE-NOTES: Synced with cf8975387f
-- [Andre Heinecke brought this change]
+- buildconf.bat: Synchronise no repository error with generate.bat
- polarssl: implement CURLOPT_SSLVERSION
-
- Forwards the setting as minimum ssl version (if set) to polarssl. If
- the server does not support the requested version the SSL Handshake will
- fail.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1419
+- generate.bat: Added a check for the presence of a git repository
-nickzman (1 Sep 2014)
-- Merge pull request #115 from ldx/darwinsslfixpr
-
- darwinssl: now accepts cacert bundles in PEM format in addition to single certs
+- [Jay Satiro brought this change]
-Vilmos Nebehaj (1 Sep 2014)
-- Check CA certificate in curl_darwinssl.c.
+ build: Added wolfSSL configurations to VC10+ project files
- SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even
- if the buffer holds an invalid or corrupt certificate. Call
- SecCertificateCopyPublicKey() to make sure cacert is a valid
- certificate.
+ URL: https://github.com/bagder/curl/pull/174
+
+- [Jay Satiro brought this change]
-Daniel Stenberg (31 Aug 2014)
-- low-speed-limit: avoid timeout flood
+ build: Added wolfSSL build script for Visual Studio projects
- Introducing Curl_expire_latest(). To be used when we the code flow only
- wants to get called at a later time that is "no later than X" so that
- something can be checked (and another timeout be added).
+ Added the wolfSSL build script, based on build-openssl.bat, as well as
+ the property sheet and header file required for the upcoming additions
+ to the Visual Studio project files.
+
+Daniel Stenberg (6 Aug 2015)
+- CHANGES: refer to the online changelog
- The low-speed logic for example could easily be made to set very many
- expire timeouts if it would be called faster or sooner than what it had
- set its own timer and this goes for a few other timers too that aren't
- explictiy checked for timer expiration in the code.
+ Suggested-by: mc0e
+
+- [Isaac Boukris brought this change]
+
+ NTLM: handle auth for only a single request
- If there's no condition the code that says if(time-passed >= TIME), then
- Curl_expire_latest() is preferred to Curl_expire().
+ Currently when the server responds with 401 on NTLM authenticated
+ connection (re-used) we consider it to have failed. However this is
+ legitimate and may happen when for example IIS is set configured to
+ 'authPersistSingleRequest' or when the request goes thru a proxy (with
+ 'via' header).
- If there exists such a condition, it is on the other hand important that
- Curl_expire() is used and not the other.
+ Implemented by imploying an additional state once a connection is
+ re-used to indicate that if we receive 401 we need to restart
+ authentication.
- Bug: http://curl.haxx.se/mail/lib-2014-06/0235.html
- Reported-by: Florian Weimer
+ Closes #363
-- [Michael Wallner brought this change]
+Steve Holme (5 Aug 2015)
+- RELEASE-NOTES: Synced with 473807b95f
- resolve: cache lookup for async resolvers
-
- While waiting for a host resolve, check if the host cache may have
- gotten the name already (by someone else), for when the same name is
- resolved by several simultanoues requests.
-
- The resolver thread occasionally gets stuck in getaddrinfo() when the
- DNS or anything else is crappy or slow, so when a host is found in the
- DNS cache, leave the thread alone and let itself cleanup the mess.
+- generate.bat: Use buildconf.bat for prerequisite file clean-up
-Vilmos Nebehaj (30 Aug 2014)
-- Fix CA certificate bundle handling in darwinssl.
-
- If the --cacert option is used with a CA certificate bundle that
- contains multiple CA certificates, iterate through it, adding each
- certificate as a trusted root CA.
+- buildconf.bat: Added support for file clean-up via -clean
-Daniel Stenberg (29 Aug 2014)
-- [Askar Safin brought this change]
+- buildconf.bat: Added progress output
- getinfo-times: Typo fixed
+- buildconf.bat: Avoid using goto for file not in repository
-- [Askar Safin brought this change]
+Daniel Stenberg (5 Aug 2015)
+- curl_slist_append.3: add error checking to the example
- libcurl.3: Typo fixed
+Steve Holme (5 Aug 2015)
+- buildconf.bat: Added display of usage text with -help
-- curl_formadd.3: setting CURLFORM_CONTENTSLENGTH 0 zero means strlen
+- buildconf.bat: Added exit codes for error handling
-- curl.1: add an example for -H
+- buildconf.bat: Added our standard copyright header
-- FAQ: mention -w in the 4.20 answer as well
+- buildconf.bat: Use lower-case for commands and reserved keywords
-- FAQ: 4.20 curl doesn't return error for HTTP non-200 responses
+- generate.bat: Only clean prerequisite files when in ALL mode
-- CURLOPT_NOBODY.3: clarify this option is for downloads
-
- When enabling CURLOPT_NOBODY, libcurl effectively switches off upload
- mode and will do a download (without a body). This is now better
- explained in this man page.
-
- Bug: http://curl.haxx.se/mail/lib-2014-08/0236.html
- Reported-by: John Coffey
+- generate.bat: Moved error messages out of sub-routines
-- INTERNALS: nghttp2 must be 0.6.0 or later
+- generate.bat: More use of lower-case for commands and reserved keywords
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (3 Aug 2015)
+- libcurl.3: fix a single typo
+
+ Closes #361
- Compile with latest nghttp2
+- RELEASE-NOTES: synced with c4eb10e2f06f
-Dan Fandrich (26 Aug 2014)
-- THANKS: removed a few more duplicates
+- SSH: three state machine fixups
+
+ The SSH state machine didn't clear the 'rc' variable appropriately in a
+ two places which prevented it from looping the way it should. And it
+ lacked an 'else' statement that made it possible to erroneously get
+ stuck in the SSH_AUTH_AGENT state.
+
+ Reported-by: Tim Stack
+
+ Closes #357
-Daniel Stenberg (26 Aug 2014)
-- RELEASE-NOTES: synced with 007242257683a
+- curl_gssapi: remove 'const' to fix compiler warnings
- ... and bumped the contributor amount after recount
+ initialization discards 'const' qualifier from pointer target type
-- THANKS: added 52 missing contributors
+- docs: formpost needs the full size at start of upload
- I re-ran contributors.sh on all changes since 7.10 and I found these
- contributors who are mentioned in the commits but never were added to
- THANKS before!
+ Closes #360
+
+Steve Holme (1 Aug 2015)
+- sspi: Fix typo from left over from old code which referenced NTLM
- I also removed a couple of duplicates (mostly due to different
- spellings).
+ References to NTLM in the identity generation should have been removed
+ in commit c469941293 but not all were.
-- contributors: grep and sort case insensitively
+- win32: Fix compilation warnings from commit 40c921f8b8
+
+ connect.c:953:5: warning: initializer element is not computable at load
+ time
+ connect.c:953:5: warning: missing initializer for field 'dwMinorVersion'
+ of 'OSVERSIONINFOEX'
+ curl_sspi.c:97:5: warning: initializer element is not computable at load
+ time
+ curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion'
+ of 'OSVERSIONINFOEX'
-- [Michael Osipov brought this change]
+- schannel: Fix compilation warning from commit 7a8e861a56
+
+ schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion'
+ of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
- configure.ac: Add support for recent GSS-API implementations for HP-UX
+Daniel Stenberg (31 Jul 2015)
+- libcurl-thread.3: minor reformatting
+
+Jay Satiro (31 Jul 2015)
+- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
- By default, configure script assumes that libcurl will use the
- HP-supplied GSS-API implementation which does not have krb5-config.
- If a dev needs a more recent version which has that config script,
- the change will allow to pass an appropriate GSSAPI_ROOT.
+ Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
+ Reported-by: Eric Ridge
-- CONNECT: close proxy connections that fail to CONNECT
+- libcurl-thread.3: Warn memory functions must be thread safe
- This is usually due to failed auth. There's no point in us keeping such
- a connection alive since it shouldn't be re-used anyway.
+ Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
+ Reported-by: Eric Ridge
+
+Steve Holme (31 Jul 2015)
+- RELEASE-NOTES: Synced with 8b1d00ac1a
+
+- INSTALL: Minor formatting correction in 'Legacy Windows and SSL' section
- Bug: http://curl.haxx.se/bug/view.cgi?id=1381
- Reported-by: Marcel Raad
+ ...as well as some rewording.
-- RELEASE-NOTES: added two missing HTTP/2 bug fixes
+Kamil Dudka (30 Jul 2015)
+- http: move HTTP/2 cleanup code off http_disconnect()
+
+ Otherwise it would never be called for an HTTP/2 connection, which has
+ its own disconnect handler.
+
+ I spotted this while debugging <https://bugzilla.redhat.com/1248389>
+ where the http_disconnect() handler was called on an FTP session handle
+ causing 'dnf' to crash. conn->data->req.protop of type (struct FTP *)
+ was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in
+ Curl_add_buffer_free() after printing the "Connection cache is full,
+ closing the oldest one." message.
+
+ A previously working version of libcurl started to crash after it was
+ recompiled with the HTTP/2 support despite the HTTP/2 protocol was not
+ actually used. This commit makes it work again although I suspect the
+ root cause (reinterpreting session handle data of incompatible protocol)
+ still has to be fixed. Otherwise the same will happen when mixing FTP
+ and HTTP/2 connections and exceeding the connection cache limit.
- And renamed all http2 references to HTTP/2 in this file
+ Reported-by: Tomas Tomecek
+ Bug: https://bugzilla.redhat.com/1248389
-- RELEASE-NOTES: synced with f646e9075f47
+Daniel Stenberg (30 Jul 2015)
+- [Viktor Szakats brought this change]
-- [Jakub Zakrzewski brought this change]
+ ABI doc: use secure URL
- Cmake: Possibility to use OpenLDAP, OpenSSL, LibSSH2 on windows
+- ABI: remove the ascii logo
- At this point I can build libcurl on windows. It provides at least the same
- list of protocols as for linux build and works with our software.
+ and made the indent level to 1
-- [Jakub Zakrzewski brought this change]
+- libcurl-multi.3: mention curl_multi_wait
+
+ ... and some general rewordings to improve this docs.
+
+ Reported-by: Tim Stack
+
+ Closes #356
- Cmake: Removed repeated content from ending blocks
+Steve Holme (30 Jul 2015)
+- maketgz: Fixed some VC makefiles missing from the release tarball
- They are unnecesary in modern CMake and removing them improves readability.
+ VC7, VC11, VC12 and VC14 makefiles were missing from the release
+ tarball.
-- [Jakub Zakrzewski brought this change]
+- RELEASE-NOTES: Synced with 2d7e165761
+
+- build: Added VC14 project files to Makefile.am
- Cmake: Removed some useless empty SET statements.
+- build: Added VC14 project files
- Undefined variables resolve to empty strings and we do not ever test if
- the variable is defined thus those SETs are superfluous.
+ Updates to Makefile.am for the generation of the project files in
+ the tarball to follow.
-- [Jakub Zakrzewski brought this change]
+Jay Satiro (29 Jul 2015)
+- libcurl-thread.3: Clarify CURLOPT_NOSIGNAL takes long value 1L
- Cmake: Removed useless comments from CMakeLists.txt
+Steve Holme (28 Jul 2015)
+- generate.bat: Use lower-case for commands and reserved keywords
- They look like some relics after changes.
+ Whilst there are no coding standards for the batch files used in curl,
+ most tend to use lower-case for keywords and upper-case for variables.
-- [Jakub Zakrzewski brought this change]
+- build: Added initial VC14 support to generate.bat
+
+ Visual Studio project files and updates to makefile.am to follow.
- Cmake: Don't check for all headers each time
-
- One header at a time is the right way. Apart from that the output on
- windows goes from:
- ...
- -- Looking for include files I:/src/libssh2-1.4.3/include/libssh2.h, ws2tcpip.h
- -- Looking for include files I:/src/libssh2-1.4.3/include/libssh2.h, ws2tcpip.h
- - found
- -- Looking for 3 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock2.h
- -- Looking for 3 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock2.h - found
- -- Looking for 4 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., stdi
- o.h
- -- Looking for 4 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., stdi
- o.h - found
- -- Looking for 5 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wind
- ows.h
- -- Looking for 5 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wind
- ows.h - found
- -- Looking for 6 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock.h
- -- Looking for 6 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock.h - found
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- filio.h
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- filio.h - not found
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- ioctl.h
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- ioctl.h - not found
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- resource.h
- ...
-
- To much nicer:
- ...
- -- Looking for ws2tcpip.h
- -- Looking for ws2tcpip.h - found
- -- Looking for winsock2.h
- -- Looking for winsock2.h - found
- -- Looking for stdio.h
- -- Looking for stdio.h - found
- -- Looking for windows.h
- -- Looking for windows.h - found
- -- Looking for winsock.h
- -- Looking for winsock.h - found
- -- Looking for sys/filio.h
- -- Looking for sys/filio.h - not found
- -- Looking for sys/ioctl.h
- -- Looking for sys/ioctl.h - not found
- -- Looking for sys/resource.h
+- build: Fixed missing .opensdf files from VC10+ .gitignore files
-- [Jakub Zakrzewski brought this change]
+- build: Use $(ProjectName) macro for curl.exe and curld.exe filenames
+
+ This wasn't possible with the old curlsrc project filenames, but like
+ commit 2a615a2b64 and 11397eb6dd for libcurl use the built in Visual
+ Studio macros for the output filenames.
- Cmake: Append OpenSSL include directory to search path
+- build: Renamed curl src Visual Studio project files
- At this point I can build libcurl with OpenSSL, OpenLDAP and LibSSH2.
- Supported protocols are at least:
- HTTP, HTTPS, FTP, SFTP, TFTP, LDAP, LDAPS, POP3, SMTP
- (those are the ones we have regression tests for
- in our product's testsuite)
+ Following commit 957fcd9049 and in preparation for adding the VC14
+ project files renamed the curl source project files.
-- [Jakub Zakrzewski brought this change]
+Daniel Stenberg (28 Jul 2015)
+- [Jay Satiro brought this change]
- Cmake: Search for liblber, LDAP SSL headers, swith for using OpenLDAP code.
+ libcurl-thread.3: Revert to stricter handle wording
+
+ .. also update formatting and add WinSSL and wolfSSL to the SSL/TLS
+ handlers list.
-- [Jakub Zakrzewski brought this change]
+- [Jay Satiro brought this change]
- Cmake: LibSSH2 detection and use.
+ libcurl-thread.3: Consolidate thread safety info
+
+ This is a new document to consolidate our thread safety information from
+ several documents (curl-www:features, libcurl.3, libcurl-tutorial.3).
+ Each document's section on multi-threading will now point to this one.
-- [Jakub Zakrzewski brought this change]
+Steve Holme (27 Jul 2015)
+- README: Corrected formatting for 'Legacy Windows and SSL' section
+
+ ...as well as some wording.
- Cmake: Moved macros out of the main CMakeLists.txt
+- build-openssl.bat: Added support for VC14
-- [Jakub Zakrzewski brought this change]
+Daniel Stenberg (26 Jul 2015)
+- RELEASE-NOTES: synced with 0f645adc95390e8
- Cmake: Added missing protocol-disable switches
+- test1902: attempt to make the test more reliable
- They already have their defines in config.h. This makes it possible to
- disable the protocols from command line during configure step.
+ Closes #355
-- [Jakub Zakrzewski brought this change]
+- comment: fix comment about adding new option support
- Cmake: Made boolean defines be defined to "1" instead of "ON"
-
- It's by convention, for compatibility and because the comments say so.
- Just mabe someone have written a test like "#if HAVE_XX==1"
+Jay Satiro (25 Jul 2015)
+- build-openssl.bat: Show syntax if required args are missing
-- [Jakub Zakrzewski brought this change]
+Daniel Stenberg (26 Jul 2015)
+- TODO: improve how curl works in a windows console window
+
+ Closes #322 for now
- Cmake: Require at least CMake 2.8.
+- 1.11 minimize dependencies with dynamicly loaded modules
- CMake 2.6 is already a bit old. Many bugs have been fixed since
- its release. We use 2.8 in our company and we have no intention
- of polluting our environment with old software, so 2.6 would
- not be tested. This shouldn't be a problem since all one need
- to build CMake from source is C and C++ compiler.
+ Closes #349 for now
-- disconnect: don't touch easy-related state on disconnects
+Jay Satiro (25 Jul 2015)
+- tool_operate: Fix CURLOPT_SSL_OPTIONS for builds without HTTPS
- This was done to make sure NTLM state that is bound to a connection
- doesn't survive and gets used for the subsequent request - but
- disconnects can also be done to for example make room in the connection
- cache and thus that connection is not strictly related to the easy
- handle's current operation.
+ - Set CURLOPT_SSL_OPTIONS only if the tool enabled an SSL option.
- The http authentication state is still kept in the easy handle since all
- http auth _except_ NTLM is connection independent and thus survive over
- multiple connections.
+ Broken by me several days ago in 172b2be.
+ https://github.com/bagder/curl/commit/172b2be#diff-70b44ee478e58d4e1ddcf9c9a73d257b
- Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html
- Reported-by: Paras S
+ Bug: http://curl.haxx.se/mail/lib-2015-07/0119.html
+ Reported-by: Dan Fandrich
-- curl.1: clarify --limit-rate's effect on both directions
+Daniel Stenberg (25 Jul 2015)
+- configure: check if OpenSSL linking wants -ldl
+
+ To make it easier to link with static versions of OpenSSL, the configure
+ script now checks if -ldl is needed for linking.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1414
- Reported-by: teo8976
+ Help-by: TJ Saunders
-- curl.1: mention the --post30x options within the --location desc
+- [Michael Kaufmann brought this change]
-Dan Fandrich (22 Aug 2014)
-- sasl: Fixed a memory leak on OOM
+ HTTP: ignore "Content-Encoding: compress"
+
+ Currently, libcurl rejects responses with "Content-Encoding: compress"
+ when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should
+ treat the Content-Encoding "compress" the same as other
+ Content-Encodings that it does not support, e.g. "bzip2". That means
+ just ignoring it.
-Daniel Stenberg (22 Aug 2014)
-- [Frank Meier brought this change]
+- [Marcel Raad brought this change]
- NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
-
- Problem: if CURLOPT_FORBID_REUSE is set, requests using NTLM failed
- since NTLM requires multiple requests that re-use the same connection
- for the authentication to work
+ openssl: work around MSVC warning
- Solution: Ignore the forbid reuse flag in case the NTLM authentication
- handshake is in progress, according to the NTLM state flag.
+ MSVC 12 complains:
- Fixed known bug #77.
+ lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local
+ variable 'verstr' used It's a false positive, but as it's normally not,
+ I have enabled warning-as-error for that warning.
-Steve Holme (22 Aug 2014)
-- openssl.c: Fixed longer than 79 columns
+- [Michał Fita brought this change]
-- openssl.c: Fixed compilation warning
+ configure: add --disable-rt option
- warning: declaration of 'minor' shadows a global declaration
-
-Daniel Stenberg (21 Aug 2014)
-- [Haris Okanovic brought this change]
+ This option disables any attempts in configure to create dependency on
+ stuff requiring linking to librt.so and libpthread.so, in this case this
+ means clock_gettime(CLOCK_MONOTONIC, &mt).
+
+ We were in need to build curl which doesn't link libpthread.so to avoid
+ the following bug:
+ https://sourceware.org/bugzilla/show_bug.cgi?id=16628.
- win32: Fixed WinSock 2 #if
+Kamil Dudka (23 Jul 2015)
+- http2: verify success of strchr() in http2_send()
- A conditionally compiled block in connect.c references WinSock 2
- symbols, but used `#ifdef HAVE_WINSOCK_H` instead of `#ifdef
- HAVE_WINSOCK2_H`.
+ Detected by Coverity.
- Bug: http://curl.haxx.se/mail/lib-2014-08/0155.html
+ Error: NULL_RETURNS:
+ lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times).
+ lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr".
+ lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf".
+ 1300|
+ 1301| hdbuf = strchr(hdbuf, 0x0a);
+ 1302|-> ++hdbuf;
+ 1303|
+ 1304| authority_idx = 0;
-- Curl_disconnect: don't free the URL
+Jay Satiro (22 Jul 2015)
+- Windows: Fix VerifyVersionInfo calls
- The URL is not a property of the connection so it should not be freed in
- the connection disconnect but in the Curl_close() that frees the easy
- handle.
+ - Fix the VerifyVersionInfo calls, which we use to test for the OS major
+ version, to also test for the minor version as well as the service pack
+ major and minor versions.
- Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html
- Reported-by: Paras S
-
-- help output: minor whitespace edits
+ MSDN: "If you are testing the major version, you must also test the
+ minor version and the service pack major and minor versions."
+
+ https://msdn.microsoft.com/en-us/library/windows/desktop/ms725492.aspx
- Should've been amended in the previous commit but wasn't due to a
- mistake.
+ Bug: https://github.com/bagder/curl/pull/353#issuecomment-123493098
+ Reported-by: Marcel Raad <MarcelRaad@users.noreply.github.com>
-- [Zearin brought this change]
+- [Marcel Raad brought this change]
- help output: use ≥2 spaces between option and description
-
- ... and some other cleanups
+ schannel: Replace deprecated GetVersion with VerifyVersionInfo
+
+Steve Holme (21 Jul 2015)
+- makefile: Added support for VC14
-- FAQ: some actually sometimes get paid...
+Patrick Monnerat (21 Jul 2015)
+- os400: ebcdic wrappers for new functions. Upgrade ILE/RPG bindings.
-Steve Holme (17 Aug 2014)
-- sasl_sspi: Fixed a memory leak with the GSSAPI base-64 decoded challenge
+- libcurl: VERSIONINFO update
+ Addition of new procedures curl_pushheader_bynum and curl_pushheader_byname
+ requires VERSIONINFO updating.
-- sasl_sspi: Renamed GSSAPI mutual authentication parameter
+- http2: satisfy external references even if http2 is not compiled in.
+
+Daniel Stenberg (20 Jul 2015)
+- http2: add stream != NULL checks for reliability
- ...From "mutual" to "mutual_auth" which better describes what it is.
+ They should not trigger, but in case of internal problems we at least
+ avoid crashes this way.
+
+Jay Satiro (18 Jul 2015)
+- symbols-in-versions: Add new CURLSSLOPT_NO_REVOKE symbol
-- sasl_sspi: Corrected some of the GSSAPI security message error codes
+- SSL: Add an option to disable certificate revocation checks
- Corrected a number of the error codes that can be returned from the
- Curl_sasl_create_gssapi_security_message() function when things go
- wrong.
+ New tool option --ssl-no-revoke.
+ New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.
- It makes more sense to return CURLE_BAD_CONTENT_ENCODING when the
- inbound security challenge can't be decoded correctly or doesn't
- contain the KERB_WRAP_NO_ENCRYPT flag and CURLE_OUT_OF_MEMORY when
- EncryptMessage() fails. Unfortunately the previous error code of
- CURLE_RECV_ERROR was a copy and paste mistakes on my part and should
- have been correct in commit 4b491c675f :(
+ Currently this option applies only to WinSSL where we have automatic
+ certificate revocation checking by default. According to the
+ ssl-compared chart there are other backends that have automatic checking
+ (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
+ some later point.
+
+ Bug: https://github.com/bagder/curl/issues/264
+ Reported-by: zenden2k <zenden2k@gmail.com>
-- docs: Escaped single backslash
+- runtests: Allow for spaces in curl custom path
+
+ .. also fix some typos in test's FILEFORMAT spec.
-- TODO: Updated following GSSAPI (Kerberos V5) additions
+- [David Woodhouse brought this change]
+
+ ntlm_wb: Fix theoretical memory leak
- Updated "FTP 4.6 GSSAPI via Windows SSPI" and "SASL 14.1 Other
- authentication mechanisms" following recent additions.
+ Static analysis indicated that my commit 9008f3d564 ("ntlm_wb: Fix
+ hard-coded limit on NTLM auth packet size") introduced a potential
+ memory leak on an error path, because we forget to free the buffer
+ before returning an error.
- Added SASL 14.2 GSSAPI via GSS-API libraries.
-
-- CURLOPT_USERNAME.3: Added Kerberos V5 and NTLM domain information
+ Fix this.
- This repeats what has already been documented in both the curl manpage
- and CURLOPT_USERPWD documentation but is provided here for completeness
- as someone may not especially read the latter when using libcurl.
+ Although actually, it never happens in practice because we never *get*
+ here with state == NTLMSTATE_TYPE1. The state is always zero. That
+ might want cleaning up in a separate patch.
+
+ Reported-by: Terri Oda
+
+- strerror: Add CRYPT_E_REVOKED to SSPI error strings
-- CURLOPT_USERPWD.3: Updated following Kerberos V5 SSPI changes
+Kamil Dudka (14 Jul 2015)
+- libtest: call PR_Cleanup() on exit if NSPR is used
- Added information about Kerberos V5 requiring the domain part in the
- user name.
+ This prevents valgrind from reporting possibly lost memory that NSPR
+ uses for file descriptor cache and other globally allocated internal
+ data structures.
- Mentioned that the user name can be specified in UPN format, and not
- just in Down-Level Logon Name format, following the information
- added in commit 7679cb3fa8 reworking the exisitng information in the
- process.
+ Reported-by: Štefan Kremeň
-- docs: Added Kerberos V5 and NTLM domain information to --user
+Jay Satiro (14 Jul 2015)
+- [John Malmberg brought this change]
-- docs: Added Kerberos V5 to the --user SSPI current credentials usage
+ openssl: VMS support for SHA256
+
+ setup-vms.h: More symbols for SHA256, hacks for older VAX
+
+ openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX.
+
+ openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to
+ allow building on VAX and 64 bit VMS.
-- sasl_sspi: Tell the server we don't support a GSSAPI receive buffer
+- examples: Fix typo in multi-single.c
-- smtp: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI
+Daniel Stenberg (7 Jul 2015)
+- [Tatsuhiro Tsujikawa brought this change]
-- pop3: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI
+ http2: Fix memory leak in push header array
-- imap: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI
+Dan Fandrich (2 Jul 2015)
+- test2041: fixed line endings in protocol part
-- email: Added mutual authentication flag
+- cyassl: fixed mismatched sha256sum function prototype
-Daniel Stenberg (15 Aug 2014)
-- RELEASE-NOTES: synced with 0187c9e11d079
+Daniel Stenberg (1 Jul 2015)
+- [moparisthebest brought this change]
-- http: fix the Content-Range: parser
-
- ... to handle "*/[total]". Also, removed the strange hack that made
- CURLOPT_FAILONERROR on a 416 response after a *RESUME_FROM return
- CURLE_OK.
-
- Reported-by: Dimitrios Siganos
- Bug: http://curl.haxx.se/mail/lib-2014-06/0221.html
+ SSL: Pinned public key hash support
-Steve Holme (14 Aug 2014)
-- email: Introduced the GSSAPI states
+- examples: provide <DESC> sections
-- curl_sasl_sspi.c: Fixed more compilation warnings from commit 4b491c675f
-
- warning: unused variable 'resp'
-
- warning: no previous prototype for 'Curl_sasl_gssapi_cleanup'
+- [John Malmberg brought this change]
-- SHA-1: 61c93383b7f6cf79d12ff99e9dced1d1cc2a7064
+ OpenVMS: VMS Software, Inc now the supplier.
- * curl_sasl_sspi.c: Fixed compilation warning from commit 4b491c675f
+ setup-vms.h: Symbol case fixups submitted by Michael Steve
- warning: declaration of 'result' shadows a previous local
+ build_gnv_curl_pcsi_desc.com: VSI aka as VMS Software, is now the
+ supplier of new versions of VMS. The install kit needs to accept
+ VSI as a producer.
-- curl_sasl.h: Fixed compilation error from commit 4b491c675f
+Jay Satiro (30 Jun 2015)
+- multi: Move http2 push function declarations to header end
- warning: 'struct kerberos5data' declared inside parameter list
+ This change necessary for binary compatibility.
- Due to missing forward declaration.
+ Prior to this change test 1135 failed due to the order of functions.
-- urldata.h: Fixed compilation warnings from commit 3ec253532e
+- symbols-in-versions: Add new http2 push symbols
- warning: extra tokens at end of #endif directive
+ Prior to this change test 1119 failed due to the missing symbols.
-- sasl_sspi: Added GSSAPI message functions
+Daniel Stenberg (30 Jun 2015)
+- RELEASE-NOTES: synced with e6749055d653
-- urldata: Introduced a GSSAPI (Kerberos V5) data structure
+- configure: disable libidn by default
- Added a kerberos5data structure which is similar in nature to the
- ntlmdata and negotiatedata structures.
-
-- sspi: Moved KERB_WRAP_NO_ENCRYPT from socks_sspi module
+ For security reasons, until there is a fix.
- In preparation for the upcoming SSPI implementation of GSSAPI
- authentication, moved the definition of KERB_WRAP_NO_ENCRYPT from
- socks_sspi.c to curl_sspi.h allowing it to be shared amongst other
- SSPI based code.
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0143.html
+ Reported-by: Gustavo Grieco, Feist Josselin
-Daniel Stenberg (13 Aug 2014)
-- mk-ca-bundle.pl: add missing $
+- SSL-PROBLEMS: mention WinSSL problems in WinXP
-- mk-ca-bundle.pl: switched to using hg.mozilla.org
-
- ... as mxr.mozilla.org is due to be retired.
+- CODE_OF_CONDUCT.md: added
- The new host doesn't support If-Modified-Since nor ETags, meaning that
- the script will now defer to download and do a post-transfer checksum
- check to see if a new output is to be generated. The new output format
- will hold the SHA1 checksum of the source file for that purpose.
+ Just to underscore how we treat each other in this project. Nothing new
+ really, but could be useful for newcomers and outsiders to see our
+ values.
+
+- tool_header_cb: fflush the header stream
- We call this version 1.22
+ Flush the header stream when -D is used so that they are sent off
+ earlier.
- Reported-by: Ed Morley
- Bug: http://curl.haxx.se/bug/view.cgi?id=1409
+ Bug: https://github.com/bagder/curl/issues/324
+ Reported-by: Cédric Connes
+
+- [Roger Leigh brought this change]
-- [Jose Alf brought this change]
+ tests: Distribute CMakeLists.txt files in subdirectories
- openssl: fix version report for the 0.9.8 branch
+- CURLOPT_FAILONERROR.3: mention that it closes the connection
- Fixed libcurl to correctly output the newer versions of OpenSSL 0.9.8,
- starting from openssl-0.9.8za.
+ Reported-by: bemoody
+ Bug: https://github.com/bagder/curl/issues/325
-- [Frank Meier brought this change]
+- curl_multi_setopt.3: alpha sort the options
- create_conn: prune dead connections
-
- Bringing back the old functionality that was mistakenly removed when the
- connection cache was remade. When creating a new connection, all the
- existing ones are checked and those that are known to be dead get
- disconnected for real and removed from the connection cache. It helps
- the cache from holding on to very many stale connections and aids in
- keeping down the number of system sockets in wait states.
-
- Help-by: Jonatan Vela <jonatan.vela@ergon.ch>
-
- Bug: http://curl.haxx.se/mail/lib-2014-06/0189.html
+- curl_multi_setopt.3: add the new push options
-Kamil Dudka (11 Aug 2014)
-- docs/SSLCERTS: update the section about NSS database
-
- Bug: http://curl.haxx.se/mail/lib-2014-07/0335.html
- Reported-by: David Shaw
+- [Tatsuhiro Tsujikawa brought this change]
-Daniel Stenberg (11 Aug 2014)
-- [Peter Wang brought this change]
+ http2: Use nghttp2 library error code for error return value
- Curl_poll + Curl_wait_ms: fix timeout return value
-
- Curl_poll and Curl_wait_ms require the fix applied to Curl_socket_check
- in commits b61e8b8 and c771968:
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Harden header validation for curl_pushheader_byname
- When poll or select are interrupted and coincides with the timeout
- elapsing, the functions return -1 indicating an error instead of 0 for
- the timeout.
+ Since we do prefix match using given header by application code
+ against header name pair in format "NAME:VALUE", and VALUE part can
+ contain ":", we have to careful about existence of ":" in header
+ parameter. ":" should be allowed to match HTTP/2 pseudo-header field,
+ and other use of ":" in header must be treated as error, and
+ curl_pushheader_byname should return NULL. This commit implements
+ this behaviour.
-Steve Holme (10 Aug 2014)
-- config-tpf.h: Fixed up line lengths > 79 characters
+- [Tatsuhiro Tsujikawa brought this change]
-- config-symbian.h: Fixed up line lengths > 79 characters
+ CURLMOPT_PUSHFUNCTION.3: Remove unused variable
-- tool_hugehelp.c.cvs: Added copyright
-
- Added copyright due to warning from checksrc.pl.
+- CURLMOPT_PUSHFUNCTION.3: added example
-- RELEASE-NOTES: Synced with cd6ecf6a89
+- http2: curl_pushheader_byname now takes a const char *
-- sasl_sspi: Fixed hard coded buffer for response generation
-
- Given the SSPI package info query indicates a token size of 4096 bytes,
- updated to use a dynamic buffer for the response message generation
- rather than a fixed buffer of 1024 bytes.
+- http2-serverpush.c: example code
-- sasl_sspi: Fixed missing free of challenge buffer on SPN failure
+- http2: free all header memory after the push callback
-- http_negotiate_sspi: Tidy up to remove the get_gss_name() function
-
- Due to the reduction of code in commit 3b924b29 of get_gss_name() the
- function isn't necessary anymore.
+- http2: init the pushed transfer properly
-- http_negotiate_sspi: Use a dynamic buffer for SPN generation
-
- Updated to use a dynamic buffer for the SPN generation via the recently
- introduced Curl_sasl_build_spn() function rather than a fixed buffer of
- 1024 characters, which should have been more than enough, but by using
- the new function removes the need for another variable sname to do the
- wide character conversion in Unicode builds.
+- http2: fixed the header accessor functions for the push callback
+
+- http2: setup the new pushed stream properly
+
+- http2: initial implementation of the push callback
-- sasl: Tidy up to rename SPN variable from URI
+- http2: initial HTTP/2 server push types/docs
-- sasl: Use a dynamic buffer for SPN generation
+- test1531: verify POSTFIELDSIZE set after add_handle
- Updated Curl_sasl_create_digest_md5_message() to use a dynamic buffer
- for the SPN generation via the recently introduced Curl_sasl_build_spn()
- function rather than a fixed buffer of 128 characters.
+ Following the fix made in 903b6e05565bf.
-- sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
+- pretransfer: init state.infilesize here, not in add_handle
- Curl_sasl_create_digest_md5_message() would simply cast the SPN variable
- to a TCHAR when calling InitializeSecurityContext(). This meant that,
- under Unicode builds, it would not be valid wide character string.
+ ... to properly support that options are set to the handle after it is
+ added to the multi handle.
- Updated to use the recently introduced Curl_sasl_build_spn() function
- which performs the correct conversion for us.
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0122.html
+ Reported-by: Stefan Bühler
-- sasl: Introduced Curl_sasl_build_spn() for building a SPN
+Jay Satiro (21 Jun 2015)
+- [Lior Kaplan brought this change]
+
+ tool_help: fix --tlsv1 help text to use >= for TLSv1
+
+- INSTALL: Advise use of non-native SSL for Windows <= XP
- Various parts of the libcurl source code build a SPN for inclusion in
- authentication data. This information is either used by our own native
- generation routines or passed to authentication functions in third-party
- libraries such as SSPI. However, some of these instances use fixed
- buffers rather than dynamically allocated ones and not all of those that
- should, convert to wide character strings in Unicode builds.
+ Advise that WinSSL in versions <= XP will not be able to connect to
+ servers that no longer support the legacy handshakes and algorithms used
+ by those versions, and to use an alternate backend like OpenSSL instead.
- Implemented a common function that generates a SPN and performs the
- wide character conversion where necessary.
+ Bug: https://github.com/bagder/curl/issues/253
+ Reported-by: zenden2k <zenden2k@gmail.com>
-- sasl_sspi: Fixed memory leak with not releasing Package Info struct
+Kamil Dudka (19 Jun 2015)
+- curl_easy_setopt.3: restore contents removed by mistake
- Curl_sasl_create_digest_md5_message() wouldn't free the Package Info
- structure after QuerySecurityPackageInfo() had allocated it.
+ ... in commit curl-7_43_0-18-g570076e
-- [Michael Osipov brought this change]
+Daniel Stenberg (19 Jun 2015)
+- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
- docs: Update SPNEGO and GSS-API related doc sections
+Jay Satiro (18 Jun 2015)
+- cookie: Fix bug in export if any-domain cookie is present
- Reflect recent changes in SPNEGO and GSS-API code in the docs.
- Update them with appropriate namings and remove visible spots for
- GSS-Negotiate.
+ In 3013bb6 I had changed cookie export to ignore any-domain cookies,
+ however the logic I used to do so was incorrect, and would lead to a
+ busy loop in the case of exporting a cookie list that contained
+ any-domain cookies. The result of that is worse though, because in that
+ case the other cookies would not be written resulting in an empty file
+ once the application is terminated to stop the busy loop.
-- sspi: Minor code tidy up to standardise coding style
-
- Following the recent changes and in attempt to align the SSPI based
- authentication code performed the following:
-
- * Use NULL and SECBUFFVERSION rather than hard coded constants.
- * Avoid comparison of zero in if statements.
- * Standardised the buf and desc setup code.
+Dan Fandrich (18 Jun 2015)
+- FTP: fixed compiling with --disable-proxy, broken in b88f980a
-- schannel: Fixed compilation warning in vtls.c
+Daniel Stenberg (18 Jun 2015)
+- tool: always provide negotiate/kerberos options
- vtls.c:688:43: warning: unused parameter 'data'
+ libcurl can still be built with it, even if the tool is not. Maintain
+ independence!
-- tool_getparam.c: Fixed compilation warning
-
- warning: `orig_opt' might be used uninitialized in this function
+- TODO: Support IDNA2008
-- RELEASE-NOTES: Synced with 159c3aafd8
+- [Viktor Szakats brought this change]
-Daniel Stenberg (8 Aug 2014)
-- curl_ntlm_msgs: make < 80 columns wide
+ Makefile.m32: add support for CURL_LDFLAG_EXTRAS
+
+ It is similar to existing CURL_CFLAG_EXTRAS, but for
+ extra linker option.
-Steve Holme (8 Aug 2014)
-- ntlm: Fixed hard coded buffer for SSPI based auth packet generation
+- RTSP: removed another piece of dead code
- Given the SSPI package info query indicates a token size of 2888 bytes,
- and as with the Winbind code and commit 9008f3d56, use a dynamic buffer
- for the Type-1 and Type-3 message generation rather than a fixed buffer
- of 1024 bytes.
+ Coverity CID 1306668
-- ntlm: Added support for SSPI package info query
+- openssl: fix use of uninitialized buffer
- Just as with the SSPI implementations of Digest and Negotiate added a
- package info query so that libcurl can a) return a more appropriate
- error code when the NTLM package is not supported and b) it can be of
- use later to allocate a dynamic buffer for the Type-1 and Type-3
- output tokens rather than use a fixed buffer of 1024 bytes.
+ Make sure that the error buffer is always initialized and simplify the
+ use of it to make the logic easier.
+
+ Bug: https://github.com/bagder/curl/issues/318
+ Reported-by: sneis
-Daniel Stenberg (7 Aug 2014)
-- http2: added some more logging for debugging stream problems
+- examples: more descriptions
-- [Tatsuhiro Tsujikawa brought this change]
+- examples: add descriptions with <DESC>
+
+ Using this fixed format for example descriptions, we can generate a
+ better list on the web site.
- HTTP/2: Reset promised stream, not its associated stream.
+- libcurl-errors.3: fix typo
-- [Tatsuhiro Tsujikawa brought this change]
+- curl_easy_setopt.3: option order doesn't matter
- HTTP/2: Move :authority before non-pseudo header fields
+- openssl: fix build with BoringSSL
+
+ OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression
+ from cae43a1
-- http2: show the received header for better debugging
+- [Paul Howarth brought this change]
-- openssl: replace call to OPENSSL_config
+ openssl: Fix build with openssl < ~ 0.9.8f
- OPENSSL_config() is "strongly recommended" to use but unfortunately that
- function makes an exit() call on wrongly formatted config files which
- makes it hard to use in some situations. OPENSSL_config() itself calls
- CONF_modules_load_file() and we use that instead and we ignore its
- return code!
+ The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at
+ around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks
+ builds with older openssls (certainly with 0.9.8b, which is the latest
+ older version I have to try with).
+
+- FTP: do the HTTP CONNECT for data connection blocking
- Reported-by: Jan Ehrhardt
- Bug: http://curl.haxx.se/bug/view.cgi?id=1401
+ ** WORK-AROUND **
+
+ The introduced non-blocking general behaviour for Curl_proxyCONNECT()
+ didn't work for the data connection establishment unless it was very
+ fast. The newly introduced function argument makes it operate in a more
+ blocking manner, more like it used to work in the past. This blocking
+ approach is only used when the FTP data connecting through HTTP proxy.
+
+ Blocking like this is bad. A better fix would make it work more
+ asynchronously.
+
+ Bug: https://github.com/bagder/curl/issues/278
-Dan Fandrich (7 Aug 2014)
-- [Fabian Keil brought this change]
+- bump: start the journey toward 7.44.0
- runtests.pl: Pad test case numbers with up to three zeroes
-
- Test case numbers with four digits have been available for a
- while now.
+Jay Satiro (17 Jun 2015)
+- CURLOPT_ERRORBUFFER.3: Fix example, escape backslashes
-Steve Holme (7 Aug 2014)
-- docs: Added Negotiate to the SSPI current credentials usage description
+- CURLOPT_ERRORBUFFER.3: Improve example
-- TODO: HTTP Digest via Windows SSPI
+Version 7.43.0 (17 Jun 2015)
-- TODO: FTP GSSAPI via Windows SSPI
+Daniel Stenberg (17 Jun 2015)
+- RELEASE-NOTES: 7.43.0 release
-- http_negotiate_sspi: Fixed specific username and password not working
-
- Bug: http://curl.haxx.se/mail/lib-2014-06/0224.html
- Reported-by: Leonardo Rosati
+- THANKS: updated with 7.43.0 names
+
+- [Kamil Dudka brought this change]
-- http_negotiate_sspi: Fixed endless unauthorized loop in commit 6bc76194e8
+ http: do not leak basic auth credentials on re-used connections
- If the server rejects our authentication attempt and curl hasn't
- called CompleteAuthToken() then the status variable will be
- SEC_I_CONTINUE_NEEDED and not SEC_E_OK.
+ CVE-2015-3236
- As such the existing detection mechanism for determining whether or not
- the authentication process has finished is not sufficient.
+ This partially reverts commit curl-7_39_0-237-g87c4abb
- However, the WWW-Authenticate: Negotiate header line will not contain
- any data when the server has exhausted the negotiation, so we can use
- that coupled with the already allocated context pointer.
-
-Daniel Stenberg (5 Aug 2014)
-- RELEASE-NOTES: synced with 5b37db44a3eb
+ Reported-by: Tomas Tomecek, Kamil Dudka
+ Bug: http://curl.haxx.se/docs/adv_20150617A.html
-Dan Fandrich (5 Aug 2014)
-- parsedate.c: fix the return code for an overflow edge condition
+- [Kamil Dudka brought this change]
-Daniel Stenberg (5 Aug 2014)
-- [Toby Peterson brought this change]
+ test2040: verify basic auth on re-used connections
- darwinssl: don't use strtok()
+- SMB: rangecheck values read off incoming packet
- The GetDarwinVersionNumber() function uses strtok, which is not
- thread-safe.
-
-- Curl_ossl_version: adapted to detect BoringSSL
+ CVE-2015-3237
+
+ Detected by Coverity. CID 1299430.
- This seems to be the way it should work. Right now we can't build with
- BoringSSL and try this out properly due to a minor API breakage.
+ Bug: http://curl.haxx.se/docs/adv_20150617B.html
-- Curl_ossl_version: detect and show libressl
+Jay Satiro (17 Jun 2015)
+- schannel: schannel_recv overhaul
+
+ This commit is several drafts squashed together. The changes from each
+ draft are noted below. If any changes are similar and possibly
+ contradictory the change in the latest draft takes precedence.
+
+ Bug: https://github.com/bagder/curl/issues/244
+ Reported-by: Chris Araman
+
+ %%
+ %% Draft 1
+ %%
+ - return 0 if len == 0. that will have to be documented.
+ - continue on and process the caches regardless of raw recv
+ - if decrypted data will be returned then set the error code to CURLE_OK
+ and return its count
+ - if decrypted data will not be returned and the connection has closed
+ (eg nread == 0) then return 0 and CURLE_OK
+ - if decrypted data will not be returned and the connection *hasn't*
+ closed then set the error code to CURLE_AGAIN --only if an error code
+ isn't already set-- and return -1
+ - narrow the Win2k workaround to only Win2k
+
+ %%
+ %% Draft 2
+ %%
+ - Trying out a change in flow to handle corner cases.
+
+ %%
+ %% Draft 3
+ %%
+ - Back out the lazier decryption change made in draft2.
- LibreSSL is otherwise OpenSSL API compliant (so far)
+ %%
+ %% Draft 4
+ %%
+ - Some formatting and branching changes
+ - Decrypt all encrypted cached data when len == 0
+ - Save connection closed state
+ - Change special Win2k check to use connection closed state
+
+ %%
+ %% Draft 5
+ %%
+ - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
+ connection isn't closed.
+
+ %%
+ %% Draft 6
+ %%
+ - Save the last error only if it is an unrecoverable error.
+
+ Prior to this I saved the last error state in all cases; unfortunately
+ the logic to cover that in all cases would lead to some muddle and I'm
+ concerned that could then lead to a bug in the future so I've replaced
+ it by only recording an unrecoverable error and that state will persist.
+
+ - Do not recurse on renegotiation.
+
+ Instead we'll continue on to process any trailing encrypted data
+ received during the renegotiation only.
+
+ - Move the err checks in cleanup after the check for decrypted data.
+
+ In either case decrypted data is always returned but I think it's easier
+ to understand when those err checks come after the decrypted data check.
+
+ %%
+ %% Draft 7
+ %%
+ - Regardless of len value go directly to cleanup if there is an
+ unrecoverable error or a close_notify was already received. Prior to
+ this change we only acknowledged those two states if len != 0.
+
+ - Fix a bug in connection closed behavior: Set the error state in the
+ cleanup, because we don't know for sure it's an error until that time.
+
+ - (Related to above) In the case the connection is closed go "greedy"
+ with the decryption to make sure all remaining encrypted data has been
+ decrypted even if it is not needed at that time by the caller. This is
+ necessary because we can only tell if the connection closed gracefully
+ (close_notify) once all encrypted data has been decrypted.
+
+ - Do not renegotiate when an unrecoverable error is pending.
+
+ %%
+ %% Draft 8
+ %%
+ - Don't show 'server closed the connection' info message twice.
+
+ - Show an info message if server closed abruptly (missing close_notify).
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (16 Jun 2015)
+- [Paul Oliver brought this change]
- HTTP/2: Fix infinite loop in readwrite_data()
+ Fix typo in docs
- To prevent infinite loop in readwrite_data() function when stream is
- reset before any response body comes, reset closed flag to false once
- it is evaluated to true.
+ s/curret/current/
-Dan Fandrich (3 Aug 2014)
-- gtls: only define Curl_gtls_seed if Nettle is not being used
+- [Viktor Szakats brought this change]
-- ssl: provide Curl_ssl_backend even if no SSL library is available
+ docs: update URLs
-Daniel Stenberg (2 Aug 2014)
-- [Tatsuhiro Tsujikawa brought this change]
+- RELEASE-NOTES: synced with f29f2cbd00dbe5f
- HTTP2: Support expect: 100-continue
-
- "Expect: 100-continue", which was once deprecated in HTTP/2, is now
- resurrected in HTTP/2 draft 14. This change adds its support to
- HTTP/2 code. This change also includes stricter header field
- checking.
+- [Viktor Szakats brought this change]
-- CURLOPT_SSL_VERIFYPEER.3. add a warning about disabling it
+ README: use secure protocol for Git repository
-- FEATURES: minor update
+- [Viktor Szakats brought this change]
-- openssl: make ossl_send return CURLE_OK better
-
- Previously it only returned a CURLcode for errors, which is when it
- returns a different size than what was passed in to it.
-
- The http2 code only checked the curlcode and thus failed.
+ HTTP2.md: use SSL/TLS IETF URLs
-- RELEASE-NOTES: synced with 7bb4c8cadb5d0
+- [Viktor Szakats brought this change]
-- [Michael Wallner brought this change]
+ LICENSE-MIXING: update URLs
+
+ * use SSL/TLS where available
+ * follow permanent redirects
- CURLOPT_HEADEROPT.3: typo: do -> to
+- LICENSE-MIXING: refreshed
-- [Marcel Raad brought this change]
+- curl_easy_duphandle: see also *reset
- schannel: use CryptGenRandom for random numbers
+- rtsp_do: fix DEAD CODE
- This function is available for every Windows version since Windows 95/NT.
+ "At condition p_request, the value of p_request cannot be NULL."
- reference:
- http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942.aspx
+ Coverity CID 1306668.
-- curl_version_info.3: 'ssl_version_num' is always 0
+- security:choose_mech fix DEAD CODE warning
- ... and has been so since 2005
-
-- ssl: generalize how the ssl backend identifier is set
+ ... by removing the "do {} while (0)" block.
- Each backend now defines CURL_SSL_BACKEND accordingly. Added the *AXTLS
- one which was missing previously.
+ Coverity CID 1306669
-Dan Fandrich (31 Jul 2014)
-- axtls: define curlssl_random using axTLS's PRNG
+- curl.1: netrc is in man section 5
-- cyassl: fix the test for ASN_NO_SIGNER_E
+- curl.1: small format fix
- It's an enum so a macro test won't work. The CyaSSL changelog doesn't
- say exactly when this error code was introduced, but it's likely
- to be 2.7.0.
+ use \fI-style instead of .BR for references
-- cyassl: use RNG_GenerateBlock to generate a good random number
+- urldata: store POST size in state.infilesize too
+
+ ... to simplify checking when PUT _or_ POST have completed.
+
+ Reported-by: Frank Meier
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html
-- opts: fixed some typos
+Dan Fandrich (14 Jun 2015)
+- test1530: added http to required features
-- smtp: fixed a segfault during test 1320 torture test
-
- Under these circumstances, the connection hasn't been fully established
- and smtp_connect hasn't been called, yet smtp_done still calls the state
- machine which dereferences the NULL conn pointer in struct pingpong.
+Jay Satiro (14 Jun 2015)
+- [Drake Arconis brought this change]
-Daniel Stenberg (30 Jul 2014)
-- vtls: repair build without TLS support
-
- ... by defining Curl_ssl_random() properly
+ build: Fix typo from OpenSSL 1.0.2 version detection fix
-- polarssl: provide a (weak) random function
-
- This now provides a weak random function since PolarSSL doesn't have a
- quick and easy way to provide a good one. It does however provide the
- framework to make one so it _can_ and _should_ be done...
+- [Drake Arconis brought this change]
-- [Michael Wallner brought this change]
+ build: Properly detect OpenSSL 1.0.2 when using configure
- curl_tlsinfo -> curl_tlssessioninfo
+- curl_multi_info_read.3: fix example formatting
-- cyassl: use the default (weeker) random
-
- I couldn't find any dedicated function in its API to get a "good" random
- with.
+Daniel Stenberg (13 Jun 2015)
+- BINDINGS: there's a new R binding in town!
+
+- BINDINGS: added the Xojo binding
+
+Jay Satiro (11 Jun 2015)
+- [Joel Depooter brought this change]
-- cyassl: made it compile with version 2.0.6 again
+ schannel: Add support for optional client certificates
- ASN_NO_SIGNER_E didn't exist back then!
+ Some servers will request a client certificate, but not require one.
+ This change allows libcurl to connect to such servers when using
+ schannel as its ssl/tls backend. When a server requests a client
+ certificate, libcurl will now continue the handshake without one,
+ rather than terminating the handshake. The server can then decide
+ if that is acceptable or not. Prior to this change, libcurl would
+ terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS
+ error.
-- vtls: make the random function mandatory in the TLS backend
+Daniel Stenberg (11 Jun 2015)
+- curl_easy_cleanup.3: provide more SEE ALSO
+
+- debug: remove http2 debug leftovers
+
+- VERSIONS: now using markdown
+
+- RELEASE-PROCEDURE: remove ascii logo at the top of file
+
+- INTERNALS: absorbed docs/LIBCURL-STRUCTS
+
+- INTERNALS: cat lib/README* >> INTERNALS
- To force each backend implementation to really attempt to provide proper
- random. If a proper random function is missing, then we can explicitly
- make use of the default one we use when TLS support is missing.
+ and a conversion to markdown. Removed the lib/README.* files. The idea
+ being to move toward having INTERNALS as the one and only "book" of
+ internals documentation.
- This commit makes sure it works for darwinssl, gnutls, nss and openssl.
+ Added a TOC to top of the document.
-- libcurl.m4: include the standard source header
+Jay Satiro (8 Jun 2015)
+- openssl: LibreSSL and BoringSSL do not use TLS_client_method
- ... with permission from David Shaw
-
-Kamil Dudka (28 Jul 2014)
-- nss: do not check the version of NSS at run time
+ Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of
+ TLS_client_method LibreSSL and BoringSSL didn't and still use
+ SSLv23_client_method.
- The minimal required version of NSS is 3.14.x so it does not make sense
- to check for NSS 3.12.0+ at run time.
+ Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009
+ Reported-by: asavah@users.noreply.github.com
-Daniel Stenberg (28 Jul 2014)
-- [Anthon Pang brought this change]
+Daniel Stenberg (9 Jun 2015)
+- RELEASE-NOTES: synced with 20ac3458068
- curl.h: bring back CURLE_OBSOLETE16
+- CURLOPT_OPENSOCKETFUNCTION: return error at once
- Removing defines, even obsolete ones that haven't been used for a very
- long time, still break a lot of applications.
+ When CURL_SOCKET_BAD is returned in the callback, it should be treated
+ as an error (CURLE_COULDNT_CONNECT) if no other socket is subsequently
+ created when trying to connect to a server.
- Bug: https://github.com/bagder/curl/pull/106
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0047.html
+
+- fopen.c: fix a few compiler warnings
-Dan Fandrich (26 Jul 2014)
-- [Fabian Keil brought this change]
+- [Ville Skyttä brought this change]
- tests: Fix a couple of incomplete response lines
+ docs: Spelling fixes
-- [Fabian Keil brought this change]
+- [Ville Skyttä brought this change]
- runtests.pl: Remove filteroff() which hasn't been used since 2001
+ docs: man page indentation and syntax fixes
-- [Fabian Keil brought this change]
+Linus Nielsen (8 Jun 2015)
+- help: Add --proxy-service-name and --service-name to the --help output
- runtests.pl: Don't expect $TESTDIR/DISABLED to exist
+Jay Satiro (7 Jun 2015)
+- openssl: Fix verification of server-sent legacy intermediates
- If a non-standard $TESTDIR is used the file may not be necessary.
+ - Try building a chain using issuers in the trusted store first to avoid
+ problems with server-sent legacy intermediates.
- Previously a "missing" file resulted in the warning:
- readline() on closed filehandle D at ./runtests.pl line 4940.
+ Prior to this change server-sent legacy intermediates with missing
+ legacy issuers would cause verification to fail even if the client's CA
+ bundle contained a valid replacement for the intermediate and an
+ alternate chain could be constructed that would verify successfully.
+
+ https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
-- [Fabian Keil brought this change]
+Daniel Stenberg (5 Jun 2015)
+- BINDINGS: update several URLs
+
+ Stop linking to the curl.haxx.se anchor pages, they are usually only
+ themselves pointers to the real page so better point there directly
+ instead.
- getpart.pm: Fix a comment typo
+- BINDINGS: the curl-rust binding
-Daniel Stenberg (25 Jul 2014)
-- c-ares: fix build without IPv6 support
+- curl.h: add CURL_HTTP_VERSION_2
- Bug: http://curl.haxx.se/mail/lib-2014-07/0337.html
- Reported-by: Spork Schivago
+ The protocol is named "HTTP/2" after all. It is an alias for the
+ existing CURL_HTTP_VERSION_2_0 enum.
-- Curl_base64url_encode: unit-tested in 1302
-
-- base64: added Curl_base64url_encode()
+- openssl: removed error string #ifdef
- This is now used by the http2 code. It has two different symbols at the
- end of the base64 table to make the output "url safe".
+ ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
+
+- openssl: removed USERDATA_IN_PWD_CALLBACK kludge
- Bug: https://github.com/tatsuhiro-t/nghttp2/issues/62
+ Code for OpenSSL 0.9.4 serves no purpose anymore!
-- [Marcel Raad brought this change]
+- openssl: remove SSL_get_session()-using code
+
+ It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or
+ later.
- SSPI Negotiate: Fix 3 memory leaks
+- openssl: remove dummy callback use from SSL_CTX_set_verify()
- Curl_base64_decode allocates the output string by itself and two other
- strings were not freed either.
+ The existing callback served no purpose.
-- symbols: CURL_VERSION_GSSNEGOTIATE is deprecated
+- LIBCURL-STRUCTS: clarify for multiplexing
-- test1013.pl: GSS-Negotiate doesn't exist as a feature anymore
+Jay Satiro (3 Jun 2015)
+- cookie: Stop exporting any-domain cookies
+
+ Prior to this change any-domain cookies (cookies without a domain that
+ are sent to any domain) were exported with domain name "unknown".
+
+ Bug: https://github.com/bagder/curl/issues/292
-- [Sergey Nikulov brought this change]
+Daniel Stenberg (3 Jun 2015)
+- RELEASE-PROCEDURE: refreshed 'coming dates'
- libtest: fixed duplicated line in Makefile
+Jay Satiro (2 Jun 2015)
+- curl_setup: Change fopen text macros to use 't' for MSDOS
- Bug: https://github.com/bagder/curl/pull/105
+ Bug: https://github.com/bagder/curl/pull/258#issuecomment-107915198
+ Reported-by: Gisle Vanem
-Patrick Monnerat (23 Jul 2014)
-- GSSAPI: remove useless *_MECHANISM defines.
+Daniel Stenberg (2 Jun 2015)
+- curl_multi_timeout.3: added example
-Daniel Stenberg (23 Jul 2014)
-- findprotocol: show unsupported protocol within quotes
-
- ... to aid when for example prefixed with a space or other weird
- character.
+- curl_multi_perform.3: added example
-Patrick Monnerat (23 Jul 2014)
-- GSSAPI: private export mechanisms OIDs. OS400: Make RPG binding up to date.
+- curl_multi_info_read.3: added example
-Daniel Stenberg (23 Jul 2014)
-- [Marcel Raad brought this change]
+- checksrc: detect fopen() for text without the FOPEN_* macros
+
+ Follow-up to e8423f9ce150 with discussionis in
+ https://github.com/bagder/curl/pull/258
+
+ This check scans for fopen() with a mode string without 'b' present, as
+ it may indicate that an FOPEN_* define should rather be used.
+
+- curl_getdate.3: update RFC reference
- conncache: fix compiler warning
+Jay Satiro (1 Jun 2015)
+- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
- warning C4267: '=' : conversion from 'size_t' to 'long', possible loss
- of data
+ - Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
+ - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"
- The member connection_id of struct connectdata is a long (always a
- 32-bit signed integer on Visual C++) and the member next_connection_id
- of struct conncache is a size_t, so one of them should be changed to
- match the other.
+ This change is to explicitly specify when we need to read/write text.
+ Unfortunately 't' is not part of POSIX fopen so we can't specify it
+ directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT.
- This patch the size_t in struct conncache to long (the less invasive
- change as that variable is only ever used in a single code line).
+ Prior to this change we had an issue on Windows if an application that
+ uses libcurl overrides the default file mode to binary. The default file
+ mode in Windows is normally text mode (translation mode) and that's what
+ libcurl expects.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1399
+ Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
+ Reported-by: Orgad Shaneh
-- RELEASE-NOTES: synced with 81cd24adb8b
+Daniel Stenberg (1 Jun 2015)
+- http2-upload.c: use PIPEWAIT for playing HTTP/2 better
-- http2: more and better error checking
+- http2-download: check for CURLPIPE_MULTIPLEX properly
- 1 - fixes the warnings when built without http2 support
-
- 2 - adds CURLE_HTTP2, a new error code for errors detected by nghttp2
- basically when they are about http2 specific things.
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0001.html
+ Reported-by: Rafayel Mkrtchyan
+
+- [Isaac Boukris brought this change]
-Dan Fandrich (23 Jul 2014)
-- cyassl.c: return the correct error code on no CA cert
+ HTTP-NTLM: fail auth on connection close instead of looping
- CyaSSL 3.0.0 returns a unique error code if no CA cert is available,
- so translate that into CURLE_SSL_CACERT_BADFILE when peer verification
- is requested.
+ Bug: https://github.com/bagder/curl/issues/256
-Daniel Stenberg (23 Jul 2014)
-- symbols-in-versions: new SPNEGO/GSS-API symbols in 7.38.0
+- 5.6 Refuse "downgrade" redirects
-- test1013.pl: remove SPNEGO/GSS-API tweaks
-
- No longer necessary after Michael Osipov's rework
+- README.pingpong: removed
-- http_negotiate: remove unused variable
+- ROADMAP: remove HTTP/2 multiplexing - its here now
-- [Michael Osipov brought this change]
+- HTTP2.md: formatted properly
- docs: Improve inline GSS-API naming in code documentation
+- HTTP2: moved docs into docs/ and make it markdown
-- [Michael Osipov brought this change]
+- README.http2: refreshed and added multiplexing info
- curl.h/features: Deprecate GSS-Negotiate macros due to bad naming
-
- - Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE
- - CURL_VERSION_GSSNEGOTIATE is deprecated which
- is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and
- CURUL_VERSION_SPNEGO now.
- - Remove display of feature 'GSS-Negotiate'
+- dist: add the http2 examples
-- [Michael Osipov brought this change]
+- http2 examples: clean up some comments
- configure/features: Add feature and version info for GSS-API and SPNEGO
+- examples: added two programs doing multiplexed HTTP/2
-- [Michael Osipov brought this change]
+- scripts: moved contributors.sh and contrithanks.sh into subdir
+
+- RELEASE-NOTES: synced with c005790ff1c0a
+
+- [Daniel Melani brought this change]
+
+ openssl: typo in comment
- HTTP: Remove checkprefix("GSS-Negotiate")
+Jay Satiro (27 May 2015)
+- openssl: Use TLS_client_method for OpenSSL 1.1.0+
- That auth mech has never existed neither on MS nor on Unix side.
- There is only Negotiate over SPNEGO.
+ SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The
+ equivalent is TLS_client_method.
+
+ https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557
-- [Michael Osipov brought this change]
+Daniel Stenberg (26 May 2015)
+- FAQ: How do I port libcurl to my OS?
- curl_gssapi: Add macros for common mechs and pass them appropriately
+Jay Satiro (25 May 2015)
+- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
+
+ Document that if Set-Cookie is used without a domain then the cookie is
+ sent for any domain and will not be modified.
- Macros defined: KRB5_MECHANISM and SPNEGO_MECHANISM called from
- HTTP, FTP and SOCKS on Unix
+ Bug: http://curl.haxx.se/mail/lib-2015-05/0137.html
+ Reported-by: Alexander Dyagilev
-- CONNECT: Revert Curl_proxyCONNECT back to 7.29.0 design
+Daniel Stenberg (25 May 2015)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Copy data passed in Curl_http2_switched into HTTP/2 connection buffer
- This reverts commit cb3e6dfa3511 and instead fixes the problem
- differently.
+ Previously, after seeing upgrade to HTTP/2, we feed data followed by
+ upgrade response headers directly to nghttp2_session_mem_recv() in
+ Curl_http2_switched(). But it turns out that passed buffer, mem, is
+ part of stream->mem, and callbacks called by
+ nghttp2_session_mem_recv() will write stream specific data into
+ stream->mem, overwriting input data. This will corrupt input, and
+ most likely frame length error is detected by nghttp2 library. The
+ fix is first copy the passed data to HTTP/2 connection buffer,
+ httpc->inbuf, and call nghttp2_session_mem_recv().
+
+Jay Satiro (24 May 2015)
+- CURLOPT_COOKIE.3: Explain that the cookies won't be modified
- The reverted commit addressed a test failure in test 1021 by simplifying
- and generalizing the code flow in a way that damaged the
- performance. Now we modify the flow so that Curl_proxyCONNECT() again
- does as much as possible in one go, yet still do test 1021 with and
- without valgrind. It failed due to mistakes in the multi state machine.
+ The CURLOPT_COOKIE doc says it "sets the cookie header explicitly in the
+ outgoing request(s)." However there seems to be some user confusion
+ about cookie modification. Document that the cookies set by this option
+ are not modified by the cookie engine.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1397
- Reported-by: Paul Saab
+ Bug: http://curl.haxx.se/mail/lib-2015-05/0115.html
+ Reported-by: Alexander Dyagilev
-- [Marcel Raad brought this change]
+- CURLOPT_COOKIELIST.3: Add example
- url.c: use the preferred symbol name: *READDATA
+Dan Fandrich (24 May 2015)
+- testcurl.pl: use rel2abs to make the source directory absolute
- with CURL_NO_OLDIES defined, it doesn't compile because this deprecated
- symbol (*INFILE) is used
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=1398
+ This function makes a platform-specific absolute path which uses
+ backslashes on Windows. This form works when passing it on the
+ command-line, as well as if the source is on another drive.
-Dan Fandrich (19 Jul 2014)
-- [Alessandro Ghedini brought this change]
+- conncache: fixed memory leak on OOM (torture tests)
+
+Daniel Stenberg (24 May 2015)
+- perl: remove subdir, not touched in 9 years
- CURLOPT_CHUNK_BGN_FUNCTION: fix typo
+- log2changes.pl: moved to scripts/
-Kamil Dudka (18 Jul 2014)
- [Alessandro Ghedini brought this change]
- build: link curl to NSS libraries when NSS support is enabled
+ scripts: add zsh.pl for generating zsh completion
+
+Dan Fandrich (23 May 2015)
+- test1510: another flaky test
+
+Daniel Stenberg (22 May 2015)
+- security: fix "Unchecked return value" from sscanf()
- This fixes a build failure on Debian caused by commit
- 24c3cdce88f39731506c287cb276e8bf4a1ce393.
+ By (void) prefixing it and adding a comment. Did some minor related
+ cleanups.
- Bug: http://curl.haxx.se/mail/lib-2014-07/0209.html
+ Coverity CID 1299423.
-Steve Holme (17 Jul 2014)
-- build: Removed unnecessary XML Documentation file directive from VC8 to VC12
+- security: simplify choose_mech
- The curl tool project files for VC8 to VC12 would set this setting to
- $(IntDir) which is the Visual Studio default value. To avoid confusion
- when viewing settings from within Visual Studio and for consistency
- with the libcurl project files removed this setting.
+ Coverity CID 1299424 identified dead code because of checks that could
+ never equal true (if the mechanism's name was NULL).
- Conflicts:
- projects/Windows/VC10/src/curlsrc.tmpl
- projects/Windows/VC11/src/curlsrc.tmpl
- projects/Windows/VC12/src/curlsrc.tmpl
- projects/Windows/VC8/src/curlsrc.tmpl
- projects/Windows/VC9/src/curlsrc.tmpl
+ Simplified the function by removing a level of pointers and removing the
+ loop and array that weren't used.
-- build: Removed unnecessary Precompiled Header file directive in VC7 to VC12
+- RTSP: catch attempted unsupported requests better
- The curl tool project files for VC7 to VC12 would set this settings to
- $(IntDir)$(TargetName).pch which is the Visual Studio default value. To
- avoid confusion when viewing settings from within Visual Studio and for
- consistency with the libcurl project files removed this setting.
+ Replace use of assert with code that properly catches bad input at
+ run-time even in non-debug builds.
- Conflicts:
- projects/Windows/VC10/src/curlsrc.tmpl
- projects/Windows/VC11/src/curlsrc.tmpl
- projects/Windows/VC12/src/curlsrc.tmpl
- projects/Windows/VC8/src/curlsrc.tmpl
- projects/Windows/VC9/src/curlsrc.tmpl
+ This flaw was sort of detected by Coverity CID 1299425 which claimed the
+ "case RTSPREQ_NONE" was dead code.
-- build: Removed unnecessary ASM and Object file directives in VC7 to VC12
+- share_init: fix OOM crash
- The curl tool project files for VC7 to VC12 would set these settings to
- $(IntDir) which is the Visual Studio default value. To avoid confusion
- when viewing settings from within Visual Studio and for consistency
- with the libcurl project files removed these two settings.
+ A failed calloc() would lead to NULL pointer use.
+
+ Coverity CID 1299427.
-Daniel Stenberg (17 Jul 2014)
-- [Dave Reisner brought this change]
+- parse_proxy: switch off tunneling if non-HTTP proxy
+
+ non-HTTP proxy implies not using CURLOPT_HTTPPROXYTUNNEL
+
+ Bug: http://curl.haxx.se/mail/lib-2015-05/0056.html
+ Reported-by: Sean Boudreau
- src/Makefile.am: add .DELETE_ON_ERROR
+- curl: fix potential NULL dereference
- This prevents targets like tool_hugehelp.c from leaving around
- half-constructed files if the rule fails with GNU make.
+ Coverity CID 1299428: Dereference after null check (FORWARD_NULL)
+
+- http2: on_frame_recv: return early on stream 0
- Reported-by: Rafaël Carré <funman@videolan.org>
+ Coverity CID 1299426 warned about possible NULL dereference otherwise,
+ but that would only ever happen if we get invalid HTTP/2 data with
+ frames for stream 0. Avoid this risk by returning early when stream 0 is
+ used.
-- THANKS: added new contributors from 7.37.1 announcement
+- http: removed self assignment
+
+ Follow-up fix from b0143a2a33f0
+
+ Detected by coverity. CID 1299429
-Dan Fandrich (17 Jul 2014)
-- testcurl.pl: log the value of --runtestopts in the test header
+- [Tatsuhiro Tsujikawa brought this change]
-Daniel Stenberg (16 Jul 2014)
-- RELEASE-NOTES: cleared, working towards next release
+ http2: Make HTTP Upgrade work
+
+ This commit just add implicitly opened stream 1 to streams hash.
-- curl_gssapi.c: make line shorter than 80 columns
+Jay Satiro (22 May 2015)
+- strerror: Change SEC_E_ILLEGAL_MESSAGE description
+
+ Prior to this change the description for SEC_E_ILLEGAL_MESSAGE was OS
+ and language specific, and invariably translated to something not very
+ helpful like: "The message received was unexpected or badly formatted."
+
+ Bug: https://github.com/bagder/curl/issues/267
+ Reported-by: Michael Osipov
-- [David Woodhouse brought this change]
+- telnet: Fix read-callback change for Windows builds
+
+ Refer to b0143a2 for more information on the read-callback change.
- Fix negotiate auth to proxies to track correct state
+Daniel Stenberg (21 May 2015)
+- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy!
-- [David Woodhouse brought this change]
+Dan Fandrich (21 May 2015)
+- testcurl.pl: allow source to be in an arbitrary directory
+
+ This way, the build directory can be located on an entirely different
+ filesystem from the source code (e.g. a tmpfs).
- Don't abort Negotiate auth when the server has a response for us
+Daniel Stenberg (20 May 2015)
+- read_callback: move to SessionHandle from connectdata
- It's wrong to assume that we can send a single SPNEGO packet which will
- complete the authentication. It's a *negotiation* — the clue is in the
- name. So make sure we handle responses from the server.
+ With many easy handles using the same connection for multiplexing, it is
+ important we store and keep the transfer-oriented stuff in the
+ SessionHandle so that callbacks and callback data work fine even when
+ many easy handles share the same physical connection.
+
+- http2: show stream IDs in decimal
- Curl_input_negotiate() will already handle bailing out if it thinks the
- state is GSS_S_COMPLETE (or SEC_E_OK on Windows) and the server keeps
- talking to us, so we should avoid endless loops that way.
+ It makes them easier to match output from the nghttpd test server.
-- [David Woodhouse brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
- Don't clear GSSAPI state between each exchange in the negotiation
-
- GSSAPI doesn't work very well if we forget everything ever time.
+ http2: Faster http2 upload
- XX: Is Curl_http_done() the right place to do the final cleanup?
+ Previously, when we send all given buffer in data_source_callback, we
+ return NGHTTP2_ERR_DEFERRED, and nghttp2 library removes this stream
+ temporarily for writing. This itself is good. If this is the sole
+ stream in the session, nghttp2_session_want_write() returns zero,
+ which means that libcurl does not check writeability of the underlying
+ socket. This leads to very slow upload, because it seems curl only
+ upload 16k something per 1 second. To fix this, if we still have data
+ to send, call nghttp2_session_resume_data after nghttp2_session_send.
+ This makes nghttp2_session_want_write() returns nonzero (if connection
+ window still opens), and as a result, socket writeability is checked,
+ and upload speed becomes normal.
-- [David Woodhouse brought this change]
+- [Dmitry Eremin-Solenikov brought this change]
- Use SPNEGO for HTTP Negotiate
+ gtls: don't fail on non-fatal alerts during handshake
- This is the correct way to do SPNEGO. Just ask for it
-
- Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket
- isn't available. Of course, we bail out when the server responds with the
- challenge packet, since we don't expect that. But I'll fix that bug next...
+ Stop curl from failing when non-fatal alert is received during
+ handshake. This e.g. fixes lots of problems when working with https
+ sites through proxies.
-- [David Woodhouse brought this change]
+- curl_easy_unescape.3: update RFC reference
+
+ Reported-by: bsammon
+ Bug: https://github.com/bagder/curl/issues/282
- Remove all traces of FBOpenSSL SPNEGO support
+Jay Satiro (20 May 2015)
+- CURLOPT_POSTFIELDS.3: Mention curl_easy_escape
- This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
- allows client and server to negotiate the underlying mechanism which will
- actually be used to authenticate. This is *often* Kerberos, and can also
- be NTLM and other things. And to complicate matters, there are various
- different OIDs which can be used to specify the Kerberos mechanism too.
+ .. also correct some variable naming in curl_easy_escape.3
- A SPNEGO exchange will identify *which* GSSAPI mechanism is being used,
- and will exchange GSSAPI tokens which are appropriate for that mechanism.
+ Bug: https://github.com/bagder/curl/issues/281
+ Reported-by: bsammon@users.noreply.github.com
+
+Daniel Stenberg (19 May 2015)
+- [Brian Prodoehl brought this change]
+
+ openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_arg
- But this SPNEGO implementation just strips the incoming SPNEGO packet
- and extracts the token, if any. And completely discards the information
- about *which* mechanism is being used. Then we *assume* it was Kerberos,
- and feed the token into gss_init_sec_context() with the default
- mechanism (GSS_S_NO_OID for the mech_type argument).
+ BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl
+ and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and
+ OpenSSL.
- Furthermore... broken as this code is, it was never even *used* for input
- tokens anyway, because higher layers of curl would just bail out if the
- server actually said anything *back* to us in the negotiation. We assume
- that we send a single token to the server, and it accepts it. If the server
- wants to continue the exchange (as is required for NTLM and for SPNEGO
- to do anything useful), then curl was broken anyway.
+ re #275
+
+Jay Satiro (19 May 2015)
+- curl.1: fix missing space in section --data
+
+Daniel Stenberg (19 May 2015)
+- transfer: remove erroneous and misleading comment
+
+Kamil Dudka (19 May 2015)
+- http: silence compile-time warnings without USE_NGHTTP2
- So the only bit which actually did anything was the bit in
- Curl_output_negotiate(), which always generates an *initial* SPNEGO
- token saying "Hey, I support only the Kerberos mechanism and this is its
- token".
+ Error: CLANG_WARNING:
+ lib/http.c:173:16: warning: Value stored to 'http' during its initialization is never read
- You could have done that by manually just prefixing the Kerberos token
- with the appropriate bytes, if you weren't going to do any proper SPNEGO
- handling. There's no need for the FBOpenSSL library at all.
+ Error: COMPILER_WARNING:
+ lib/http.c: scope_hint: In function ‘http_disconnect’
+ lib/http.c:173:16: warning: unused variable ‘http’ [-Wunused-variable]
+
+Jay Satiro (19 May 2015)
+- transfer: Replace __func__ instances with function name
- The sane way to do SPNEGO is just to *ask* the GSSAPI library to do
- SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context()
- is for. And then it should all Just Work™.
+ .. also make __func__ replacement in multi.
- That 'sane way' will be added in a subsequent patch, as will bug fixes
- for our failure to handle any exchange other than a single outbound
- token to the server which results in immediate success.
+ Prior to this change debug builds would fail to build if the compiler
+ was building pre-c99 and didn't support __func__.
-- [David Woodhouse brought this change]
+Daniel Stenberg (19 May 2015)
+- [Viktor Szakats brought this change]
- ntlm_wb: Avoid invoking ntlm_auth helper with empty username
+ build: bump version in default nghttp2 paths
-- [David Woodhouse brought this change]
+- INTERNALS: we require nghttp2 1.0.0+ now
- ntlm_wb: Fix hard-coded limit on NTLM auth packet size
+Jay Satiro (18 May 2015)
+- http: Add some include guards for the new HTTP/2 stuff
+
+Daniel Stenberg (18 May 2015)
+- http2: store upload state per stream
- Bumping it to 1KiB in commit aaaf9e50ec is all very well, but having hit
- a hard limit once let's just make it cope by reallocating as necessary.
+ Use a curl_off_t for upload left
-Version 7.37.1 (16 Jul 2014)
+- http2: fix build when NOT h2-enabled
-Daniel Stenberg (16 Jul 2014)
-- RELEASE-NOTES: synced with 4cb2521595
+- http2: switch to use Curl_hash_destroy()
+
+ as after 4883f7019d3, the *_clean() function only flushes the hash.
-- test506: verify aa6884845168
+- curlver: restore LIBCURL_VERSION_NUM defined as a full number
- After the fixed cookie lock deadlock, this test now passes and it
- detects double-locking and double-unlocking of mutexes.
+ As it breaks configure, curl-config and test 1023 if not.
-- [Yousuke Kimoto brought this change]
+- [Anthony Avina brought this change]
- cookie: avoid mutex deadlock
-
- ... by removing the extra mutex locks around th call to
- Curl_flush_cookies() which takes care of the locking itself already.
+ hostip: fix unintended destruction of hash table
- Bug: http://curl.haxx.se/mail/lib-2014-02/0184.html
+ .. and added unit1602 for hash.c
-- gnutls: fix compiler warning
-
- conversion to 'int' from 'long int' may alter its value
+- curlver: introducing new version number (checking) macros
+
+- runtests.pl: use 'h2c' now, no -14 anymore
+
+- [Tatsuhiro Tsujikawa brought this change]
-Dan Fandrich (15 Jul 2014)
-- test320: strip off the actual negotiated cipher width
+ http2: Ignore if we have stream ID not in hash in on_stream_close
- It's irrelevant to the test, and will change depending on which SSL
- library is being used by libcurl.
+ We could get stream ID not in the hash in on_stream_close. For
+ example, if we decided to reject stream (e.g., PUSH_PROMISE), then we
+ don't create stream and store it in hash with its stream ID.
-- gnutls: detect lack of SRP support in GnuTLS at run-time and try without
+- [Tatsuhiro Tsujikawa brought this change]
+
+ Require nghttp2 v1.0.0
+
+ This commit requires nghttp2 v1.0.0 to compile, and migrate to v1.0.0,
+ and utilize recent version of nghttp2 to simplify the code,
- Reported-by: David Woodhouse
+ First we use nghttp2_option_set_no_recv_client_magic function to
+ detect nghttp2 v1.0.0. That function only exists since v1.0.0.
+
+ Since nghttp2 v0.7.5, nghttp2 ensures header field ordering, and
+ validates received header field. If it found error, RST_STREAM with
+ PROTOCOL_ERROR is issued. Since we require v1.0.0, we can utilize
+ this feature to simplify libcurl code. This commit does this.
+
+ Migration from 0.7 series are done based on nghttp2 migration
+ document. For libcurl, we removed the code sending first 24 bytes
+ client magic. It is now done by nghttp2 library.
+ on_invalid_frame_recv callback signature changed, and is updated
+ accordingly.
-Daniel Stenberg (14 Jul 2014)
-- [Michał Górny brought this change]
+- http2: infof length in on_frame_send()
- configure: respect host tool prefix for krb5-config
+- pipeline: switch some code over to functions
- Use ${host_alias}-krb5-config if available. This improves cross-
- compilation support and fixes multilib on Gentoo (at least).
+ ... to "compartmentalize" a bit and make it easier to change behavior
+ when multiplexing is used instead of good old pipelining.
-- [David Woodhouse brought this change]
+- symbols-in-versions: add CURLOPT_PIPEWAIT
- gnutls: handle IP address in cert name check
+- CURLOPT_PIPEWAIT: added
- Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
- didn't actually check IP addresses in SubjectAltName, even though it was
- explicitly documented as doing so. So do it ourselves...
+ By setting this option to 1 libcurl will wait for a connection to reveal
+ if it is possible to pipeline/multiplex on before it continues.
-Dan Fandrich (14 Jul 2014)
-- build: set _POSIX_PTHREAD_SEMANTICS on Solaris to get proper getpwuid_r
+- Curl_http_readwrite_headers: minor code simplification
-Daniel Stenberg (14 Jul 2014)
-- RELEASE-NOTES: next one is called 7.37.1
+- IsPipeliningPossible: fixed for http2
-Dan Fandrich (13 Jul 2014)
-- gnutls: improved error message if setting cipher list fails
-
- Reported-by: David Woodhouse
+- http2: bump the h2 buffer size to 32K for speed
-- netrc: fixed thread safety problem by using getpwuid_r if available
+- http2: remove the stream from the hash in stream_close callback
- The old way using getpwuid could cause problems in programs that enable
- reading from netrc files simultaneously in multiple threads.
-
- Reported-by: David Woodhouse
+ ... and suddenly things work much better!
-- RELEASE-NOTES: add the reporter of the previous bug fix
+- http2: if there is paused data, do not clear the drain field
-- netrc: treat failure to find home dir same as missing netrc file
-
- This previously caused a fatal error (with a confusing error code, at
- that).
-
- Reported by: Glen A Johnson Jr.
+- http2: rename s/data/pausedata
-Steve Holme (12 Jul 2014)
-- RELEASE-NOTES: Synced with aaaf9e50ec
+- http2: "stream %x" in all outputs to make it easier to search for
-- ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
+- http2: Curl_expire() all handles with incoming traffic
- Bug: http://curl.haxx.se/mail/lib-2014-07/0103.html
- Reported-by: David Woodhouse
+ ... so that they'll get handled next in the multi loop.
-- build: Fixed overridden compiler PDB settings in VC7 to VC12
+- http2: don't signal settings change for same values
+
+- http2: set default concurrency, fix ConnectionExists for multiplex
+
+- bundles: store no/default/pipeline/multiplex
- The curl tool project files for VC7 to VC12 would override the default
- setting with the output filename being the same as the linker PDB file.
- As such the compiler file would be overwritten with the linker file
- for all debug builds.
+ to allow code to act differently on the situation.
- To avoid this overwrite and for consistency with the libcurl project
- files, removed the setting to force the default filename to be used.
+ Also added some more info message for the connection re-use function to
+ make it clearer when connections are not re-used.
-Dan Fandrich (12 Jul 2014)
-- tests: added globbing keyword to URL globbing tests
+- http2: lazy init header_recvbuf
+
+ It makes us use less memory when not doing HTTP/2 and subsequently also
+ makes us not have to cleanup HTTP/2 related data when not using HTTP/2!
-- Fixed some "statement not reached" warnings
+- http2: separate multiplex/pipelining + cleanup memory leaks
-- gnutls: fixed a couple of uninitialized variable references
+- CURLMOPT_PIPELINE: bit 1 is for multiplexing
-- gnutls: fixed compilation against versions < 2.12.0
-
- The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but
- the code path in which they're referenced here is only ever used for
- somewhat older GnuTLS versions. This caused undeclared identifier errors
- when compiling against those.
+- [Tatsuhiro Tsujikawa brought this change]
-- gnutls: explicitly added SRP to the priority string
-
- This seems to have become necessary for SRP support to work starting
- with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS
- before the function that takes this priority string, there should be no
- issue with backward compatibility.
+ http2: Fix bug that data to be drained are overwritten by pending "paused" data
-- tests: adjust for capitalization differences in newer gnutls-serv
+- [Tatsuhiro Tsujikawa brought this change]
-- test320/1/2/4: fix the port number substitution variables
-
- These tests have been broken since commit 1958fe57 in Oct. 2011
+ http2: Don't call nghttp2_session_mem_recv while it is paused by a stream
-- tests: document more test identifiers and variables
+- [Tatsuhiro Tsujikawa brought this change]
-- gnutls: ignore invalid certificate dates with VERIFYPEER disabled
+ http2: Read data left in connection buffer after pause
- This makes the behaviour consistent with what happens if a date can
- be extracted from the certificate but is expired.
+ Previously when we do pause because of out of buffer, we just throw
+ away unread data in connection buffer. This just broke protocol
+ framing, and I saw occasional FRAME_SIZE_ERROR. This commit fix this
+ issue by remembering how much data read, and in the next iteration, we
+ process remaining data.
-Steve Holme (10 Jul 2014)
-- CURLOPT_UPLOAD: Corrected argument type
+- [Tatsuhiro Tsujikawa brought this change]
-Daniel Stenberg (9 Jul 2014)
-- FAQ: expand the thread-safe section
+ http2: Fix streams get stuck
- ... with a mention of *NOSIGNAL, based on talk in bug #1386
+ This commit fixes the bug that streams get stuck if stream gets some
+ DATA, and stream->closed becomes true at the same time. Previously,
+ in this condition, after we processed DATA, we are going to try to
+ read data from underlying transport, but there is no data, and gets
+ EAGAIN. There was no code path to evaludate stream->closed.
+
+- http2: store incoming h2 SETTINGS
-Dan Fandrich (9 Jul 2014)
-- url.c: Fixed memory leak on OOM
+- pipeline: move function to pipeline.c and make static
- This showed itself on some systems with torture failures
- in tests 1060 and 1061
+ ... as it was only used from there.
-- Update instances of some obsolete CURLOPTs to their new names
+- IsPipeliningPossible: http2 can always "pipeline" (multiplex)
-Daniel Stenberg (5 Jul 2014)
-- [Marcel Raad brought this change]
+- http2: remove debug logging from on_frame_recv
- compiler warnings: potentially uninitialized variables
-
- ... pointed out by MSVC2013
+- http2: remove the closed check in http2_recv
- Bug: http://curl.haxx.se/bug/view.cgi?id=1391
+ With the "drained" functionality we can get here slightly asynchronously
+ so the stream have have been closed but there is pending data left to
+ read.
+
+- http2: bump the h2 buffer to 8K
-Kamil Dudka (4 Jul 2014)
-- nss: make the list of CRL items global
+- http2: Curl_read should not use the single buffer
- Otherwise NSS could use an already freed item for another connection.
+ ... as it does for pipelining when we're multiplexing, as we need the
+ different buffers to store incoming data correctly for all streams.
-- nss: fix a memory leak when CURLOPT_CRLFILE is used
+- http2: more debug outputs
-- nss: make crl_der allocated on heap
+- http2: leave WAITPERFORM when conn is multiplexed
- ... and spell it as crl_der instead of crlDER
+ No need to wait for our "spot" like for pipelining
-- nss: let nss_{cache,load}_crl return CURLcode
-
-- tool: oops, forgot to include <plarenas.h>
+- http2: force "drainage" of streams
- ... that contains the declaration of PL_ArenaFinish()
+ ... which is necessary since the socket won't be readable but there is
+ data waiting in the buffer.
+
+- http2: move the mem+len pair to the stream struct
-- tool: call PL_ArenaFinish() on exit if NSPR is used
+- http2: more stream-oriented data, stream ID 0 is for connections
+
+- http2: move lots of state data to the 'stream' struct
- This prevents valgrind from reporting still reachable memory allocated
- by NSPR arenas (mainly the freelist).
+ ... from the connection struct. The stream one being the 'struct HTTP'
+ which is kept in the SessionHandle struct (easy handle).
- Reported-by: Hubert Kario
+ lookup streams for incoming frames in the stream hash, hashing is based
+ on the stream id and we get the SessionHandle for the incoming stream
+ that way.
-Daniel Stenberg (3 Jul 2014)
-- [Dimitrios Siganos brought this change]
+- HTTP: partial start at fixing up hash-lookups on http2 frame receival
- example: use correct type (long) for CURLOPT_FOLLOWLOCATION
+- http: a stream hash for h2 multiplexing
-- [Dimitrios Siganos brought this change]
+- http: a stream hash for h2 multiplexing
- Document type of argument for CURLOPT_FOLLOWLOCATION.
+- http2: debug log when receiving unexpected stream_id
-- [Dimitrios Siganos brought this change]
+- http2: move stream_id to the HTTP struct (per-stream)
- Document type of argument for CURLOPT_ERRORBUFFER.
+- Curl_http2_setup: only do it once and enable multiplex on the server
+
+ Once we know we are HTTP/2 enabled we know the server can multiplex.
-- [Dimitrios Siganos brought this change]
+- http: switch on "pipelining" (multiplexing) for HTTP/2 servers
+
+ ... and do not blacklist any.
+
+- README.pipelining: removed
+
+ All the details mentioned here are better documented in man pages
- Document type of argument for CURLOPT_COPYPOSTFIELDS.
+Dan Fandrich (14 May 2015)
+- build: removed bundles.c from make files
+
+ This file was removed in commit fd137786
-- [Dimitrios Siganos brought this change]
+Daniel Stenberg (14 May 2015)
+- Curl_conncache_add_conn: fix memory leak on OOM
- Document type of argument for CURLOPT_ADDRESS_SCOPE.
+- CURLMOPT_MAX_HOST_CONNECTIONS: host = host name + port number
-- curl.1: minor language fix
+- conncache: keep bundles on host+port bases, not only host names
- Bug: http://curl.haxx.se/mail/archive-2014-07/0006.html
+ Previously we counted all connections to a specific host name and that
+ would be used for the CURLMOPT_MAX_HOST_CONNECTIONS check for example,
+ while servers on different port numbers are normally considered
+ different "origins" on the web and should thus be considered different
+ hosts.
-- [Ray Satiro brought this change]
+- bundles: merged into conncache.c
+
+ All the existing Curl_bundle* functions were only ever used from within
+ the conncache.c file, so I moved them over and made them static (and
+ removed the Curl_ prefix).
- progress callback: skip last callback update on errors
+- hostcache: made all host caches use structs, not pointers
- When an error has been detected, skip the final forced call to the
- progress callback by making sure to pass the current return code
- variable in the Curl_done() call in the CURLM_STATE_DONE state.
+ This avoids unnecessary dynamic allocs and as this also removed the last
+ users of *hash_alloc() and *hash_destroy(), those two functions are now
+ removed.
+
+- multi: converted socket hash into non-allocated struct
- This avoids the "extra" callback that could occur even if you returned
- error from the progress callback.
+ avoids extra dynamic allocation
+
+- connection cache: avoid Curl_hash_alloc()
- Bug: http://curl.haxx.se/mail/lib-2014-06/0062.html
- Reported by: Jonathan Cardoso Machado
+ ... by using plain structs instead of pointers for the connection cache,
+ we can avoid several dynamic allocations that weren't necessary.
-Dan Fandrich (2 Jul 2014)
-- opts: fixed some CURLOPT references so they get turned into links
+- proxy: add newline to info message
-Kamil Dudka (2 Jul 2014)
-- tool: call PR_Cleanup() on exit if NSPR is used
-
- This prevents valgrind from reporting possibly lost memory that NSPR
- uses for file descriptor cache and other globally allocated internal
- data structures.
+Patrick Monnerat (8 May 2015)
+- FTP: fix dangling conn->ip_addr dereference on verbose EPSV.
-- nss: make the fallback to SSLv3 work again
-
- This feature was unintentionally disabled by commit ff92fcfb.
+- FTP: Make EPSV use the control IP address rather than the original host.
+ This ensures an alternate address is not used.
+ Does not apply to proxy tunnel.
-- nss: do not abort on connection failure
-
- ... due to calling SSL_VersionRangeGet() with NULL file descriptor
-
- reported-by: upstream tests 305 and 404
+Daniel Stenberg (8 May 2015)
+- [Alessandro Ghedini brought this change]
+
+ tool_help: fix formatting for --next option
-Dan Fandrich (1 Jul 2014)
-- opts: Document the socket callback function parameters
+- [Egon Eckert brought this change]
-Steve Holme (28 Jun 2014)
-- opts: Fixed some typos
+ opts: improved the TCP keepalive examples
-Dan Fandrich (25 Jun 2014)
-- curl_easy_setopt.3: fixed the error code for an unsupported option
+Jay Satiro (8 May 2015)
+- winbuild: Document the option used to statically link the CRT
+
+ - Document option RTLIBCFG (runtime library configuration).
+
+ Bug: https://github.com/bagder/curl/issues/254
+ Reported-by: Bert Huijben
-- opts: added some DEFAULT and RETURN VALUE sections
+- [Orgad Shaneh brought this change]
-Daniel Stenberg (21 Jun 2014)
-- libcurl docs: man page edits
+ netrc: Read in text mode when cygwin
- mainly to improve how the web versions render
+ Use text mode when cygwin to eliminate trailing carriage returns.
+
+ Bug: https://github.com/bagder/curl/pull/258
-Dan Fandrich (21 Jun 2014)
-- curl_easy_setopt.3: fixed some typos
+Patrick Monnerat (5 May 2015)
+- OS400: Add SPNEGO service name options to ILE/RPG binding.
-Daniel Stenberg (21 Jun 2014)
-- lib man pages: update easy setopt option references
+Daniel Stenberg (4 May 2015)
+- curl_multi_info_read.3: fix typo
- ... by using the "\fIopt(3)\fP" syntax they will be linked properly when
- the web version of the page is generated.
+ Reported-by: Liviu Chircu
-- opts: the CURLOPT_SSL_ENABLE_*PN options are enabled by default
+- MANUAL: language fix
+
+ Reported-by: Fred Stluka
+ Bug: https://github.com/bagder/curl/issues/255
-- [Colin Hogben brought this change]
+- [Alessandro Ghedini brought this change]
- lib: documentation updates in README.hostip
+ gtls: properly retrieve certificate status
- c-ares now does support IPv6;
- avoid implying threaded resolver is Windows-only;
- two referenced source files were renamed in 7de2f92
+ Also print the revocation reason if appropriate.
-- curl_easy_setopt.3: CURLOPT_POSTFIELDS is the exception
+- OpenSSL: conditional check for SSL3_RT_HEADER
- ... to the always-copy-char *-argument.
+ The symbol is fairly new.
- And fix some minor mistakes.
+ Reported-by: Kamil Dudka
-- curl_easy_setopt.3: refer to the individual man pages
+- openssl: skip trace outputs for ssl_ver == 0
+
+ The OpenSSL trace callback is wonderfully undocumented but given a
+ journey in the source code, it seems the cases were ssl_ver is zero
+ doesn't follow the same pattern and thus turned out confusing and
+ misleading. For now, we skip doing any CURLINFO_TEXT logging on those
+ but keep sending them as CURLINFO_SSL_DATA_OUT/IN.
+
+ Also, I added direction to the text info and I edited some functions
+ slightly.
- With all the new individual option man pages created, this now refers to
- each separate one instead of duplicaing the info. Also makes this page
- easier to overview.
+ Bug: https://github.com/bagder/curl/issues/219
+ Reported-by: Jay Satiro, Ashish Shukla
-Dan Fandrich (21 Jun 2014)
-- opts: fixed mancheck for out-of-tree builds
+Marc Hoersken (2 May 2015)
+- schannel.c: Small changes
-Daniel Stenberg (21 Jun 2014)
-- curl_easy_setopt.3: shorten
+- schannel.c: Improve code path and readability
+
+- schannel.c: Improve error and return code handling upon aa99a63f03
+
+- [Chris Araman brought this change]
+
+ schannel: fix regression in schannel_recv
+
+ https://github.com/bagder/curl/issues/244
- shorten descriptions, mostly refer to the separate descriptions
+ Commit 145c263 changed the behavior when Curl_read_plain returns
+ CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED
+ correctly.
-- CURLOPT_DNS_LOCAL_IP4.3: better short desc
+- Bug born in changes made several days ago 9a91e80.
+
+ Commit: https://github.com/bagder/curl/commit/926cb9f
+ Reported-by: Ray Satiro
-Dan Fandrich (20 Jun 2014)
-- opts: document CURLE_OUT_OF_MEMORY among other return values
+Daniel Stenberg (30 Apr 2015)
+- [Michael Osipov brought this change]
-- opts: fixed some typos
+ configure: remove missing and make it autogenerate
+
+ The missing file has not been autogenerated because a temporary fix was
+ employed in acinclude.m4 which blocked update. Removed that fix and a recent
+ version of missing is copied to build root.
-Daniel Stenberg (20 Jun 2014)
-- opts: various corrections
+- [Michael Osipov brought this change]
-- opts: add the rest of the options
+ acinclude.m4: fix test for default CA cert bundle/path
- ... and fixed mancheck to ignore obsolete options
+ test(1) on HP-UX requires a single equals sign and fails with two.
+ Let's use one and make every OS happy.
-- opts: the final bunch of options as man pages
+- CONTRIBUTING.md: remove the sourceforge mention
- Now all current options have their own man pages.
+ Reported-By: Michael Osipov
-- opts: 37 additional man pages
+Dan Fandrich (30 Apr 2015)
+- http_negotiate_sspi: added missing data variable
-- CURLOPT_URL: move up the text from "Notes"
+Daniel Stenberg (30 Apr 2015)
+- [Michael Osipov brought this change]
-- ROADMAP: removed, now ROADMAP.md
+ configure: remove --automake from libtoolize call
+
+ That option is not mentioned in the man page of libtoolize 2.4.4.19-fda4.
+ Moveover, a comment in line 2623 says "--automake is for 1.5 compatibility".
+
+ This option is redundant now.
-- ROADMAP.md: make it markdown formatted
+- [Viktor Szakats brought this change]
-- ROADMAP: initial commit of "curl the next few years"
+ build: update depedency versions, urls, example makefiles
- To be further discussed, debated and edited
+ - update default versions of dependencies (except for rare/old platforms)
+ - update urls
+ - sync examples makefiles with main ones
+ - remove line ending space
-- opts: more man pages
+- [Michael Osipov brought this change]
-- CURLOPT_UNRESTRICTED_AUTH.3: added missing 'T'
+ configure: remove autogenerated files by autoconf
+
+ * install-sh is always regenerated
+ * mkinstalldirs was already redudant years ago. Automake uses install for
+ that. See: http://lists.gnu.org/archive/html/automake/2007-03/msg00015.html
-- opts: makefile now includes all current man pages
+- [Anders Bakken brought this change]
-- opts: 11 more man pages
+ curl_multi_add_handle: next is already NULL
-Dan Fandrich (18 Jun 2014)
-- opts: document CURLE_OUT_OF_MEMORY as RETURN VALUE
+Jay Satiro (30 Apr 2015)
+- schannel: Fix out of bounds array
+
+ Bug born in changes made several days ago 9a91e80.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
+ Reported-by: Brian Chrisman
-- opts: fixed a couple of typos
+- docs/libcurl: gitignore libcurl-symbols.3
+
+ Bug: http://curl.haxx.se/mail/lib-2015-04/0191.html
+ Reported-by: Michael Osipov
-Patrick Monnerat (18 Jun 2014)
-- OS400: make it compilable again. Make RPG binding up to date.
+- [Viktor Szakats brought this change]
-- buildconf: do not search tools in current directory.
+ lib/makefile.m32: add arch -m32/-m64 to LDFLAGS
+
+ This fixes using a multi-target mingw distro to build curl .dll for the
+ non-default target.
+ (mirroring the same patch present in src/makefile.m32)
-Dan Fandrich (18 Jun 2014)
-- curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
+Daniel Stenberg (29 Apr 2015)
+- RELEASE-NOTES: synced with cd39b944afc
- This is consistent with the existing obsolete error code naming
- convention.
+ I've not mentioned the bug fixes that were shipped in 7.42.1 from the
+ 7_42 branch.
-Daniel Stenberg (18 Jun 2014)
-- opts: 16 more man pages
+- THANKS: merged from the 7.42.1 release
+
+- CURLOPT_HEADEROPT: default to separate
+
+ Make the HTTP headers separated by default for improved security and
+ reduced risk for information leakage.
+
+ Bug: http://curl.haxx.se/docs/adv_20150429.html
+ Reported-by: Yehezkel Horowitz, Oren Souroujon
projects / platform / upstream / curl.git / blobdiff