Changelog
-Kamil Dudka (22 Mar 2010)
-- Douglas Steinwand contributed a patch fixing insufficient initialization in
- Curl_clone_ssl_config()
-
-Daniel Stenberg (21 Mar 2010)
-- Ben Greear improved TFTP: the error code returning and the treatment
- of TSIZE == 0 when uploading.
-
-- We've switched from CVS to git. See http://curl.haxx.se/source.html
-
-Kamil Dudka (19 Mar 2010)
-- Improved Curl_read() to not ignore the error returned from Curl_ssl_recv().
-
-Daniel Stenberg (15 Mar 2010)
-- Constantine Sapuntzakis brought a patch:
-
- The problem mentioned on Dec 10 2009
- (http://curl.haxx.se/bug/view.cgi?id=2905220) was only partially fixed.
- Partially because an easy handle can be associated with many connections in
- the cache (e.g. if there is a redirect during the lifetime of the easy
- handle). The previous patch only cleaned up the first one. The new fix now
- removes the easy handle from all connections, not just the first one.
-
-Daniel Stenberg (6 Mar 2010)
-- Ben Greear brought a patch that fixed the rate limiting logic for TFTP when
- the easy interface was used.
-
-Daniel Stenberg (5 Mar 2010)
-- Daniel Johnson provided fixes for building curl with the clang compiler.
-
-Yang Tse (5 Mar 2010)
-- Constantine Sapuntzakis detected and fixed a double free in builds done
- with threaded resolver enabled (Windows default configuration) that would
- get triggered when a curl handle is closed while doing DNS resolution.
+Version 7.48.0 (23 Mar 2016)
+
+Daniel Stenberg (23 Mar 2016)
+- RELEASE-NOTES: curl 7.48.0
+
+- THANKS: 15 new contributors from 7.48.0 release
+
+Jay Satiro (23 Mar 2016)
+- CURLINFO_TLS_SSL_PTR.3: Warn about limitations
+
+ Bug: https://github.com/curl/curl/issues/685
+
+Daniel Stenberg (22 Mar 2016)
+- Revert "sshserver: remove use of AuthorizedKeysFile2"
+
+ It seems we may have some autobuild problems after this commit went
+ in. Trying to see if a revert helps to get them back.
+
+ This reverts commit 2716350d1f3edc8e929f6ceeee05051090f6d642.
+
+- maketgz: add -j to make dist
+
+ ... makes it a lot faster
+
+- libcurl-thread.3: minor nroff format fix
+
+- CURLINFO_TLS_SSL_PTR.3: minor nroff format fix
+
+- CODE_STYLE: indend example code
+
+ ... to make it look nicer in markdown outputa
+
+Jay Satiro (22 Mar 2016)
+- build-wolfssl: Update VS properties for wolfSSL v3.9.0
+
+ - Do not use wolfSSL's sample user-setting files.
+
+ wolfSSL starting in v3.9.0 has added their own sample user settings that
+ are applied by default, but we don't use them because we have our own
+ settings.
+
+ - Do not use wolfSSL's Visual Studio Unicode character setting.
+
+ wolfSSL Visual Studio projects use the Unicode character set however our
+ settings and options imitate mingw build which does not use the Unicode
+ character set. This does not appear to have any effect at the moment but
+ better safe than sorry.
+
+
+ These changes are backwards compatible with earlier versions.
+
+Steve Holme (22 Mar 2016)
+- hostip6: Fixed compilation warnings when verbose strings disabled
+
+ warning C4189: 'data': local variable is initialized but not referenced
+
+ ...and some minor formatting/spacing changes.
+
+Daniel Stenberg (21 Mar 2016)
+- sshserver: remove use of AuthorizedKeysFile2
+
+ Support for the (undocumented) AuthorizedKeysFile2 was removed in
+ OpenSSH 5.9, released in September 2011
+
+ Closes #715
+
+Steve Holme (20 Mar 2016)
+- connect/ntlm/http: Fixed compilation warnings when verbose strings disabled
+
+ warning C4189: 'data': local variable is initialized but not referenced
+
+- openssl: Fixed compilation warning when /Wall enabled
+
+ warning C4706: assignment within conditional expression
+
+- CODE_STYLE: Use boolean conditions
+
+ Rather than use TRUE, FALSE, NULL, 0 or != 0 in if/while conditions.
+
+ Additionally, corrected some example code to adhere to the recommended
+ coding style.
+
+- inet_pton.c: Fixed compilation warnings
+
+ warning: conversion to 'unsigned char' from 'int' may alter its value
+
+Daniel Stenberg (19 Mar 2016)
+- RELEASE-NOTES: synced with 80851028efc2fa9
+
+- mbedtls: fix compiler warning
+
+ vtls/mbedtls.h:67:36: warning: implicit declaration of function
+ ‘mbedtls_sha256’ [-Wimplicit-function-declaration]
+
+Steve Holme (19 Mar 2016)
+- easy: Minor coding standard and style updates
+
+ Following commit c5744340db. Additionally removes the need for a second
+ 'result code' variable as well.
+
+Jay Satiro (19 Mar 2016)
+- easy: Remove poll failure check in easy_transfer
+
+ .. because curl_multi_wait can no longer signal poll failure.
+
+ follow-up to 77e1726
+
+ Bug: https://github.com/curl/curl/issues/707
+
+Steve Holme (19 Mar 2016)
+- build: Added missing Visual Studio filter files for VC10 onwards
+
+ As these files don't need to contain references to the source files,
+ although typically do, added basic files which only include three
+ filters and don't require the project file generator to be modified.
+
+ These files allow the source code to be viewed in the Solution Explorer
+ in versions of Visual Studio from 2010 onwards in the same manner as
+ previous versions did rather than one large view of files.
+
+- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
+
+ warning C4706: assignment within conditional expression
+
+- config-w32.h: Fixed compilation warning when /Wall enabled
+
+ warning C4668: 'USE_IPV6' is not defined as a preprocessor macro,
+ replacing with '0' for '#if/#elif'
+
+- imap.c: Fixed compilation warning with /Wall enabled
+
+ warning C4701: potentially uninitialized local variable 'size' used
+
+ Technically this can't happen, as the usage of 'size' is protected by
+ 'if(parsed)' and 'parsed' is only set after 'size' has been parsed.
+
+ Anyway, lets keep the compiler happy.
+
+- KNOWN_BUGS: #93 Issue with CURLFORM_CONTENTLEN in arrays on 32-bit platforms
+
+Daniel Stenberg (18 Mar 2016)
+- bump: the coming release is 7.48.0
+
+- configure: use cpp -P when needed
+
+ Since gcc 5, the processor output can get split up on multiple lines
+ that made the configure script fail to figure out values from
+ definitions. The fix is to use cpp -P, and this fix now first checks if
+ cpp -P is necessary and then if cpp -P works before it uses that to
+ extract defined values.
+
+ Fixes #719
+
+Steve Holme (18 Mar 2016)
+- formdata.c: Fixed compilation warning
+
+ formdata.c:390: warning: cast from pointer to integer of different size
+
+ Introduced in commit ca5f9341ef this happens because a char*, which is
+ 32-bits wide in 32-bit land, is being cast to a curl_off_t which is
+ 64-bits wide where 64-bit integers are supported by the compiler.
+
+ This doesn't happen in 64-bit land as a pointer is the same size as a
+ curl_off_t.
+
+ This fix doesn't address the fact that a 64-bit value cannot be used
+ for CURLFORM_CONTENTLEN when set in a form array and compiled on a
+ 32-bit platforms, it does at least suppress the compilation warning.
+
+Daniel Stenberg (18 Mar 2016)
+- FAQ: 2.5 Install libcurl for both 32bit and 64bit?
+
+- [Gisle Vanem brought this change]
+
+ openssl: adapt to API breakage in ERR_remove_thread_state()
+
+ The OpenSSL API change that broke this is "Convert ERR_STATE to new
+ multi-threading API": openssl commit 8509dcc.
+
+ Closes #713
+
+- version: init moved to private name space, added protos
+
+ follow-up to 80015cdd52145
+
+- openssl: verbose: show matching SAN pattern
+
+ ... to allow users to see which specfic wildcard that matched when such
+ is used.
+
+ Also minor logic cleanup to simplify the code, and I removed all tabs
+ from verbose strings.
+
+Jay Satiro (16 Mar 2016)
+- version: thread safety
+
+Steve Holme (16 Mar 2016)
+- transfer: Removed redundant HTTP authentication include files
+
+ It would also seem that share.h is not required here either as there
+ are no references to the Curl_share structure or functions.
+
+- easy: Removed redundant HTTP authentication include files
+
+Jay Satiro (15 Mar 2016)
+- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
+
+ Bug: https://curl.haxx.se/mail/lib-2016-03/0150.html
+ Reported-by: Oliver Graute
+
+Steve Holme (15 Mar 2016)
+- curl_sasl: Minor code indent fixes
+
+Daniel Stenberg (14 Mar 2016)
+- runtests: mention when run event-based
+
+- easy: add check to malloc() when running event-based
+
+ ... to allow torture tests then too.
-Daniel Stenberg (2 Mar 2010)
-- [Daniel Johnson] I've been trying to build libcurl with clang on Darwin and
- ran into some issues with the GSSAPI tests in configure.ac. The tests first
- try to determine the include dirs and libs and set CPPFLAGS and LIBS
- accordingly. It then checks for the headers and finally sets LIBS a second
- time, causing the libs to be included twice. The first setting of LIBS seems
- redundant and should be left out, since the first part is otherwise just
- about finding headers.
-
- My second issue is that 'krb5-config --libs gssapi' on Darwin is less than
- useless and returns junk that, while it happens to work with gcc, causes
- clang to choke. For example, --libs returns $CFLAGS along with the libs,
- which is really retarded. Simply setting 'LIBS="$LIBS -lgssapi_krb5
- -lresolv"' on Darwin is sufficient.
+- memdebug: skip logging the limit countdown, fflush when reached
+
+- CODE_STYLE: Space around operators
+
+ As just discussed on the mailing list, also document how we prefer
+ spacing in expressions.
+
+- curl: glob_range: no need to check unsigned variable for negative
+
+ cppcheck warned:
+
+ [src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n'
+ is less than zero.
+
+- CODE_STYLE: add example for indent style as well
+
+- CODE_STYLE: mention braces for functions too
+
+- docs/Makefile.am: include CODE_STYLE in tarball too
+
+- CONTRIBUTE: moved out code style to a separate document
+
+- CODE_STYLE: initial version
+
+ Ripped out from CONTRIBUTE into its own document, but also extended from
+ there.
+
+- curl_sasl.c: minor code indent fixes
+
+- multi: simplified singlesocket
+
+ Since sh_getentry() now checks for invalid sockets itself and by
+ narrowing the scope of the remove_sock_from_hash variable.
+
+- multi: introduce sh_getentry() for looking up sockets in the sockhash
+
+ Simplify the code by using a single entry that looks for a socket in the
+ socket hash. As indicated in #712, the code looked for CURL_SOCKET_BAD
+ at some point and that is ineffective/wrong and this makes it easier to
+ avoid that.
-- Based on patch provided by Jacob Moshenko, the transfer logic now properly
- makes sure that when using sub-second timeouts, there's no final bad 1000ms
- wait. Previously, a sub-second timeout would often make the elapsed time end
- up the time rounded up to the nearest second (e.g. 1s for 200ms timeout)
+- [Jaime Fullaondo brought this change]
-- Andrei Benea filed bug report #2956698 and pointed out that the
- CURLOPT_CERTINFO feature leaked memory due to a missing OpenSSL function
- call. He provided the patch to fix it too.
+ multi hash: ensure modulo performed on curl_socket_t
+
+ Closes #712
- http://curl.haxx.se/bug/view.cgi?id=2956698
+Steve Holme (13 Mar 2016)
+- base64: Minor coding standard and style updates
-- Markus Duft pointed out in bug #2961796 that even though Interix has a
- poll() function it doesn't quite work the way we want it so we must disable
- it, and he also provided a patch for it.
+- base64: Use 'CURLcode result' for curl result codes
- http://curl.haxx.se/bug/view.cgi?id=2961796
+- negotiate: Use 'CURLcode result' for curl result codes
+
+Daniel Stenberg (13 Mar 2016)
+- [Maksim Kuzevanov brought this change]
+
+ multi_runsingle: avoid loop in CURLM_STATE_WAITPROXYCONNECT
+
+ Closes #703
-- Made the pingpong timeout code properly deal with the response timeout AND
- the global timeout if set. Also, as was reported in the bug report #2956437
- by Ryan Chan, the time stamp to use as basis for the per command timeout was
- not set properly in the DONE phase for FTP (and not for SMTP) so I fixed
- that just now. This was a regression compared to 7.19.7 due to the
- conversion of FTP code over to the generic pingpong concepts.
-
- http://curl.haxx.se/bug/view.cgi?id=2956437
-
-Daniel Stenberg (1 Mar 2010)
-- Ben Greear provided an update for TFTP that fixes upload.
+- TODO: Use the RFC6265 test suite
+
+Steve Holme (13 Mar 2016)
+- checksrc.bat: Added the ability to scan src and lib source independently
+
+- digest: Use boolean based success code for Curl_sasl_digest_get_pair()
+
+ Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
+ based success code.
+
+- digest: Corrected some typos in comments
-- Wesley Miaw reported bug #2958179 which identified a case of looping during
- OpenSSL based SSL handshaking even though the multi interface was used and
- there was no good reason for it.
+- krb5: Corrected some typos in function descriptions
- http://curl.haxx.se/bug/view.cgi?id=2958179
-
-Daniel Stenberg (26 Feb 2010)
-- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
- chunked-encoding trailer.
+- ntlm: Corrected some typos in function descriptions
- http://curl.haxx.se/bug/view.cgi?id=2958474
+- url: Corrected indentation when calling idna_to_ascii_lz()
-Daniel Fandrich (25 Feb 2010)
-- Fixed a couple of out of memory leaks and a segfault in the SMTP & IMAP code.
-
-Yang Tse (25 Feb 2010)
-- I fixed bug report #2958074 indicating
- (http://curl.haxx.se/bug/view.cgi?id=2958074) that curl on Windows with
- option --trace-time did not use local time when timestamping trace lines.
- This could also happen on other systems depending on time souurce.
-
-Patrick Monnerat (22 Feb 2010)
-- Proper handling of STARTTLS on SMTP, taking CURLUSESSL_TRY into account.
-- SMTP falls back to RFC821 HELO when EHLO fails (and SSL is not required).
-- Use of true local host name (i.e.: via gethostname()) when available, as
- default argument to SMTP HELO/EHLO.
-- Test case 804 for HELO fallback.
-
-Daniel Stenberg (20 Feb 2010)
-- Fixed the SMTP compliance by making sure RCPT TO addresses are specified
- properly in angle brackets. Recipients provided with CURLOPT_MAIL_RCPT now
- get angle bracket wrapping automatically by libcurl unless the recipient
- starts with an angle bracket as then the app is assumed to deal with that
- properly on its own.
-
-- I made the SMTP code expect a 250 response back from the server after the
- full DATA has been sent, and I modified the test SMTP server to also send
- that response. As usual, the DONE operation that is made after a completed
- transfer is still not doable in a non-blocking way so this waiting for 250
- is unfortunately made blockingly.
-
-Yang Tse (14 Feb 2010)
-- Overhauled test suite getpart() function. Fixing potential out of bounds
- stack and memory overwrites triggered with huge test case definitions.
-
-Daniel Stenberg (13 Feb 2010)
-- Martin Hager reported and fixed a problem with a missing quote in libcurl.m4
-
- (http://curl.haxx.se/bug/view.cgi?id=2951319)
-
-- Tom Donovan fixed the CURL_FORMAT_* defines when building with cmake.
-
- (http://curl.haxx.se/bug/view.cgi?id=2951269)
-
-Daniel Stenberg (12 Feb 2010)
-- Jack Zhang reported a problem with SMTP: we wrongly used multiple addresses
- in the same RCPT TO line, when they should be sent in separate single
- commands. I updated test case 802 to verify this.
-
-- I also fixed a bad use of my_setopt_str() of CURLOPT_MAIL_RCPT in the curl
- tool which made it try to output it as string for the --libcurl feature
- which could lead to crashes.
-
-Yang Tse (11 Feb 2010)
-- Steven M. Schweda fixed VMS builder bad behavior when used in a batch job,
- removed obsolete batch_compile.com and defines.com and updated VMS readme.
-
-Version 7.20.0 (9 February 2010)
-
-Daniel Stenberg (9 Feb 2010)
-- When downloading compressed content over HTTP and the app asked libcurl to
- automatically uncompress it with the CURLOPT_ENCODING option, libcurl could
- wrongly provide the callback with more data than the maximum documented
- amount. An application could thus get tricked into badness if the maximum
- limit was trusted to be enforced by libcurl itself (as it is documented).
-
- This is further detailed and explained in the libcurl security advisory
- 20100209 at
-
- http://curl.haxx.se/docs/adv_20100209.html
-
-Daniel Fandrich (3 Feb 2010)
-- Changed the Watcom makefiles to make them easier to keep in sync with
- Makefile.inc since that can't be included directly.
-
-Yang Tse (2 Feb 2010)
-- Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release,
- symbol will not be available when building with CURL_NO_OLDIES defined. Use
- of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0
-
-Daniel Stenberg (1 Feb 2010)
-- Using the multi_socket API, it turns out at times it seemed to "forget"
- connections (which caused a hang). It turned out to be an existing (7.19.7)
- bug in libcurl (that's been around for a long time) and it happened like
- this:
-
- The app calls curl_multi_add_handle() to add a new easy handle, libcurl will
- then set it to timeout in 1 millisecond so libcurl will tell the app about
- it.
-
- The app's timeout fires off that there's a timeout, the app calls libcurl as
- we so often document it:
-
- do {
- res = curl_multi_socket_action(... TIMEOUT ...);
- } while(CURLM_CALL_MULTI_PERFORM == res);
-
- And this is the problem number one:
-
- When curl_multi_socket_action() is called with no specific handle, but only
- a timeout-action, it will *only* perform actions within libcurl that are
- marked to run at this time. In this case, the request would go from INIT to
- CONNECT and return CURLM_CALL_MULTI_PERFORM. When the app then calls libcurl
- again, there's no timer set for this handle so it remains in the CONNECT
- state. The CONNECT state is a transitional state in libcurl so it reports no
- sockets there, and thus libcurl never tells the app anything more about that
- easy handle/connection.
-
- libcurl _does_ set a 1ms timeout for the handle at the end of
- multi_runsingle() if it returns CURLM_CALL_MULTI_PERFORM, but since the loop
- is instant the new job is not ready to run at that point (and there's no
- code that makes libcurl call the app to update the timout for this new
- timeout). It will simply rely on that some other timeout will trigger later
- on or that something else will update the timeout callback. This makes the
- bug fairly hard to repeat.
-
- The fix made to adress this issue:
-
- We introduce a loop in lib/multi.c around all calls to multi_runsingle() and
- simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added
- benefit that this goes in line with my long-term wishes to get rid of the
- CURLM_CALL_MULTI_PERFORM all together from the public API.
-
- The downside of this fix, is that the counter we return in 'running_handles'
- in several of our public functions then gets a slightly new and possibly
- confusing behavior during times:
-
- If an app adds a handle that fails to connect (very quickly) it may just
- as well never appear as a 'running_handle' with this fix. Previously it
- would first bump the counter only to get it decreased again at next call.
- Even I have used that change in handle counter to signal "end of a
- transfer". The only *good* way to find the end of a individual transfer
- is calling curl_multi_info_read() to see if it returns one.
-
- Of course, if the app previously did the looping before it checked the
- counter, it really shouldn't be any new effect.
-
-Yang Tse (26 Jan 2010)
-- Constantine Sapuntzakis' and Joshua Kwan's work done in the last four months
- relative to the asynchronous DNS lookups, along with with some integration
- adjustments I have done are finally committed to CVS.
-
- Currently these enhancements will benefit builds done using c-ares on any
- platform as well as Windows builds using the default threaded resolver.
-
- This release does not make generally available POSIX threaded DNS lookups
- yet. There is no configure option to enable this feature yet. It is possible
- to experimantally try this feature running configure with compiler flags that
- make simultaneous definition of preprocessor symbols USE_THREADS_POSIX and
- HAVE_PTHREAD_H, as well as whatever reentrancy compiler flags and linker ones
- are required to link and properly use pthread_* functions on each platform.
-
-Daniel Stenberg (26 Jan 2010)
-- Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the
- proxy that cannot be resolved when using c-ares. This matches the behaviour
- when not using c-ares.
-
-Björn Stenberg (23 Jan 2010)
-- Added a new flag: -J/--remote-header-name. This option tells the
- -O/--remote-name option to use the server-specified Content-Disposition
- filename instead of extracting a filename from the URL.
-
-Daniel Stenberg (21 Jan 2010)
-- Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new
- libcurl options for controlling what to get and how to receive posssibly
- interleaved RTP data.
-
-Daniel Stenberg (20 Jan 2010)
-- As was pointed out on the http-state mailing list, the order of cookies in a
- HTTP Cookie: header _needs_ to be sorted on the path length in the cases
- where two cookies using the same name are set more than once using
- (overlapping) paths. Realizing this, identically named cookies must be
- sorted correctly. But detecting only identically named cookies and take care
- of them individually is harder than just to blindly and unconditionally sort
- all cookies based on their path lengths. All major browsers also already do
- this, so this makes our behavior one step closer to them in the cookie area.
-
- Test case 8 was the only one that broke due to this change and I updated it
+- idn_win32: Use boolean based success codes
+
+ Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
+ based success code.
+
+Daniel Stenberg (10 Mar 2016)
+- idn_win32.c: warning: Trailing whitespace
+
+Steve Holme (10 Mar 2016)
+- idn_win32.c: Fixed compilation warning from commit 9e7fcd4291
+
+ warning C4267: 'function': conversion from 'size_t' to 'int',
+ possible loss of data
+
+Daniel Stenberg (10 Mar 2016)
+- THANKS-filter: unify Michael König
+
+- RELEASE-NOTES: synced with 863c5766dd
+
+- ftp: remove a check for NULL(!)
+
+ ... as it implies we need to check for that on all the other variable
+ references as well (as Coverity otherwise warns us for missing NULL
+ checks), and we're alredy making sure that the pointer is never NULL.
+
+- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
+
+ RFC 6265 section 4.1.1 spells out that the first name/value pair in the
+ header is the actual cookie name and content, while the following are
+ the parameters.
+
+ libcurl previously had a more liberal approach which causes significant
+ problems when introducing new cookie parameters, like the suggested new
+ cookie priority draft.
+
+ The previous logic read all n/v pairs from left-to-right and the first
+ name used that wassn't a known parameter name would be used as the
+ cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
+ a cookie named 'person' while an RFC 6265 compliant parser should
+ consider that to be a cookie named 'Max-Age' with an (unknown) parameter
+ 'person'.
+
+ Fixes #709
+
+- krb5: improved type handling to avoid clang compiler warnings
+
+- url.c: fix clang warning: no newline at end of file
+
+- curl_multi_wait: never return -1 in 'numfds'
+
+ Such a return value isn't documented but could still happen, and the
+ curl tool code checks for it. It would happen when the underlying
+ Curl_poll() function returns an error. Starting now we mask that error
+ as a user of curl_multi_wait() would have no way to handle it anyway.
+
+ Reported-by: Jay Satiro
+ Closes #707
+
+- HTTP2.md: add CURL_HTTP_VERSION_2TLS and updated alt-svc link
+
+- curl_multi_wait.3: add example
+
+Steve Holme (8 Mar 2016)
+- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
+
+ Regression since commit 710f14edba.
+
+ Bug: https://github.com/curl/curl/issues/422
+ Reported-by: Justin Ehlert
+
+Jay Satiro (8 Mar 2016)
+- opt-docs: fix heading macros
+
+ ..SH should be .SH
+
+ Bug: https://github.com/curl/curl/issues/705
+ Reported-by: Eric S. Raymond
+
+Kamil Dudka (8 Mar 2016)
+- [Tim Rühsen brought this change]
+
+ cookie: do not refuse cookies for localhost
+
+ Closes #658
+
+Daniel Stenberg (8 Mar 2016)
+- ftp_done: clear tunnel_state when secondary socket closes
+
+ Introducing a function for closing the secondary connection to make this
+ bug less likely to happen again.
+
+ Reported-by: daboul
+ Closes #701
+
+- [Gisle Vanem brought this change]
+
+ openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
+
+- HTTP2.md: HTTP/2 by default for curl's HTTPS connections
+
+- [Anders Bakken brought this change]
+
+ pipeline: Sanity check pipeline pointer before accessing it.
+
+ I got a crash with this stack:
+
+ curl/lib/url.c:2873 (Curl_removeHandleFromPipeline)
+ curl/lib/url.c:2919 (Curl_getoff_all_pipelines)
+ curl/lib/multi.c:561 (curl_multi_remove_handle)
+ curl/lib/url.c:415 (Curl_close)
+ curl/lib/easy.c:859 (curl_easy_cleanup)
+
+ Closes #704
+
+- HTTP2.md: mention the disable ALPN and NPN options
+
+- TODO: 17.12 keep running, read instructions from pipe/socket
+
+ And delete trailing whitespace
+ And rename section 17 to "command line tool" from "client"
+
+ Closes #702
+
+- README.md: linkified
+
+ It also makes it less readable as plain text, so let's keep this
+ primarily for github use.
+
+ Removed the top ascii art logo, as it looks weird when markdownified.
+
+- README.md: markdown version of README
+
+ Attempt to make it look more appealing on github
+
+Jay Satiro (6 Mar 2016)
+- mprintf: update trio project link
+
+Daniel Stenberg (6 Mar 2016)
+- CURLOPT_ACCEPTTIMEOUT_MS.3: added example
+
+- CURLOPT_ACCEPT_ENCODING.3: added example
+
+- CURLOPT_APPEND.3: added example
+
+- CURLOPT_NOPROGRESS.3: added example, conform to stardard style
+
+Steve Holme (6 Mar 2016)
+- build-openssl/checksrc.bat: Fixed prepend vs append of Perl path
+
+ Fixed inconsistency from commit 1eae114065 and 0ad6c72227 of the order
+ in which Perl was added to the PATH.
+
+Daniel Stenberg (6 Mar 2016)
+- opts: added two examples
+
+- CURLOPT_SSL_CTX_FUNCTION.3: use .NF for example
+
+- CURLOPT_SSL_CTX_FUNCTION.3: added example
+
+ and removed erroneous reference to test case lib509
+
+- curlx.c: use more curl style code
+
+- test46: change cookie expiry date
+
+ Since two of the cookies would now otherwise expire and cause the test
+ to fail after commit 20de9b4f09
+
+ Discussed in #697
+
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
+
+ makefile.m32: add missing libs for static -winssl-ssh2 builds
+
+ Bug: https://github.com/curl/curl/pull/693
+
+- mbedtls: fix user-specified SSL protocol version
+
+ Prior to this change when a single protocol CURL_SSLVERSION_ was
+ specified by the user that version was set only as the minimum version
+ but not as the maximum version as well.
+
+Steve Holme (5 Mar 2016)
+- .gitignore: Added *.VC.opendb and *.vcxproj.user files for VC14
+
+- build-openssl.bat: Fixed cannot find perl if installed but not in path
+
+- checksrc.bat: Fixed cannot find perl if installed but not in path
+
+Jay Satiro (5 Mar 2016)
+- [Viktor Szakats brought this change]
+
+ makefile.m32: fix to allow -ssh2-winssl combination
+
+ In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl
+ (OpenSSL) option, with no way to override it with -winssl. Since both
+ libssh2 and curl support using Windows's built-in SSL backend, modify
+ the logic to allow that combination.
+
+- cookie: Don't expire session cookies in remove_expired
+
+ Prior to this change cookies with an expiry date that failed parsing
+ and were converted to session cookies could be purged in remove_expired.
+
+ Bug: https://github.com/curl/curl/issues/697
+ Reported-by: Seth Mos
+
+Daniel Stenberg (3 Mar 2016)
+- cookie: remove redundant check
+
+ ... as it was already checked previously within the function.
+
+ Reported-by: Dmitry-Me
+ Closes #695
+
+Jay Satiro (1 Mar 2016)
+- [Anders Bakken brought this change]
+
+ url: if Curl_done is premature then pipeline not in use
+
+ Prevent a crash if 2 (or more) requests are made to the same host and
+ pipelining is enabled and the connection does not complete.
+
+ Bug: https://github.com/curl/curl/pull/690
+
+- [Viktor Szakats brought this change]
+
+ makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
+
+ using envvars `CURL_LDFLAG_EXTRAS_DLL` and
+ `CURL_LDFLAG_EXTRAS_EXE` respectively. This
+ is useful f.e. to pass ASLR-related extra
+ options, that are required to make this
+ feature work when using the mingw toolchain.
+
+ Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985
+
+ Closes https://github.com/curl/curl/pull/689
+
+Daniel Stenberg (29 Feb 2016)
+- formpost: fix memory leaks in AddFormData error branches
+
+ Reported-by: Dmitry-Me
+ Fixes #688
+
+Jay Satiro (28 Feb 2016)
+- getinfo: Fix syntax error when mbedTLS
+
+ The assignment of the mbedTLS TLS session info in the parent commit was
+ incorrect. Change the assignment to a pointer to the session structure.
+
+- getinfo: Add support for mbedTLS TLS session info
+
+ .. and preprocessor check TLS session info is defined for all backends.
+
+Daniel Stenberg (26 Feb 2016)
+- ROADMAP: clarify on the TLS proxy, mention HTTP cookies to work on
+
+- file: try reading from files with no size
+
+ Some systems have special files that report as 0 bytes big, but still
+ contain data that can be read (for example /proc/cpuinfo on
+ Linux). Starting now, a zero byte size is considered "unknown" size and
+ will be read as far as possible anyway.
+
+ Reported-by: Jesse Tan
+
+ Closes #681
+
+Jay Satiro (25 Feb 2016)
+- configure: warn on invalid ca bundle or path
+
+ - Warn if --with-ca-bundle file does not exist.
+
+ - Warn if --with-ca-path directory does not contain certificates.
+
+ - Improve help messages for both.
+
+ Example configure output:
+
+ ca cert bundle: /some/file (warning: certs not found)
+ ca cert path: /some/dir (warning: certs not found)
+
+ Bug: https://github.com/curl/curl/issues/404
+ Reported-by: Jeffrey Walton
+
+Daniel Stenberg (24 Feb 2016)
+- Curl_read: check for activated HTTP/1 pipelining, not only requested
+
+ ... as when pipelining is used, we read things into a unified buffer and
+ we don't do that with HTTP/2. This could then easily make programs that
+ set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX to get data
+ intermixed or plain broken between HTTP/2 streams.
+
+ Reported-by: Anders Bakken
+
+Patrick Monnerat (24 Feb 2016)
+- os400: Fix ILE/RPG definition of CURLOPT_TFTP_NO_OPTIONS
+
+Jay Satiro (23 Feb 2016)
+- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
+
+ The two options are almost the same, except in the case of OpenSSL:
+
+ CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.
+
+ CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.
+
+ For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to
+ return an SSL pointer for OpenSSL.
+
+ Also, add support for the 'internals' member to point to SSL object for
+ the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and
+ wolfSSL.
+
+ Bug: https://github.com/curl/curl/issues/234
+ Reported-by: dkjjr89@users.noreply.github.com
+
+ Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html
+ Reported-by: Michael König
+
+Daniel Stenberg (23 Feb 2016)
+- multi_remove_handle: keep the timeout list until after disconnect
+
+ The internal Curl_done() function uses Curl_expire() at times and that
+ uses the timeout list. Better clean up the list once we're done using
+ it. This caused a segfault.
+
+ Reported-by: 蔡文凱
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html
+
+Kamil Dudka (23 Feb 2016)
+- tests/sshserver.pl: use RSA instead of DSA for host auth
+
+ DSA is no longer supported by OpenSSH 7.0, which causes all SCP/SFTP
+ test cases to be skipped. Using RSA for host authentication works with
+ both old and new versions of OpenSSH.
+
+ Reported-by: Karlson2k
+
+ Closes #676
+
+Jay Satiro (23 Feb 2016)
+- TFTP: add option to suppress TFTP option requests (Part 2)
+
+ - Add tests.
+
+ - Add an example to CURLOPT_TFTP_NO_OPTIONS.3.
+
+ - Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.
+
+ Bug: https://github.com/curl/curl/issues/481
+
+- [Michael Koenig brought this change]
+
+ TFTP: add option to suppress TFTP option requests (Part 1)
+
+ Some TFTP server implementations ignore the "TFTP Option extension"
+ (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
+ problems with libcurl. Another switch for curl_easy_setopt
+ "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
+ sending TFTP option requests to a server, avoiding many problems caused
+ by faulty implementations.
+
+ Bug: https://github.com/curl/curl/issues/481
+
+Daniel Stenberg (22 Feb 2016)
+- [Karlson2k brought this change]
+
+ runtests: Fixed usage of %PWD on MinGW64
+
+ Closes #672
+
+Jay Satiro (20 Feb 2016)
+- CURLOPT_DEBUGFUNCTION.3: Fix example
+
+- [Viktor Szakats brought this change]
+
+ src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
+
+ Sync with lib/Makefile.m32 which already uses those variables.
+
+ Bug: https://github.com/curl/curl/pull/670
+
+Dan Fandrich (20 Feb 2016)
+- Enabled test 1437 after the bug fix in commit 3fa220a6
+
+Jay Satiro (19 Feb 2016)
+- [Emil Lerner brought this change]
+
+ curl_sasl: Fix memory leak in digest parser
+
+ If any parameter in a HTTP DIGEST challenge message is present multiple
+ times, memory allocated for all but the last entry should be freed.
+
+ Bug: https://github.com/curl/curl/pull/667
+
+Dan Fandrich (19 Feb 2016)
+- Added test 1437 to verify a memory leak
+
+ Reported-by: neex@users.noreply.github.com
+
+Jay Satiro (18 Feb 2016)
+- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
+
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
+
+- curl.1: HTTP headers for --cookie must be Set-Cookie style
+
+ Bug: https://github.com/curl/curl/issues/666
+ Reported-by: baumanj@users.noreply.github.com
+
+Daniel Stenberg (18 Feb 2016)
+- curl.1: add a missing dash
+
+- CONTRIBUTING.md: fix links
+
+- ISSUE_TEMPLATE: github issue template
+
+ First version, try this out!
+
+- CONTRIBUTING.md: move into .github
+
+ To hide github specific files somewhat from the rest.
+
+- opts: add references
+
+- examples/make: add 'checksrc' target
+
+- 10-at-a-time: typecast the argument passed to sleep()
+
+- externalsocket.c: fix compiler warning for fwrite return type
+
+- anyauthput.c: fix compiler warnings
+
+- simplessl.c: warning: while with space
+
+- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
+
+ Reported-By: Gisle Vanem
+
+- http2: don't decompress gzip decoding automatically
+
+ At one point during the development of HTTP/2, the commit 133cdd29ea0
+ introduced automatic decompression of Content-Encoding as that was what
+ the spec said then. Now however, HTTP/2 should work the same way as
+ HTTP/1 in this regard.
+
+ Reported-by: Kazuho Oku
+
+ Closes #661
+
+Jay Satiro (16 Feb 2016)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http: Don't break the header into chunks if HTTP/2
+
+ nghttp2 callback deals with TLS layer and therefore the header does not
+ need to be broken into chunks.
+
+ Bug: https://github.com/curl/curl/issues/659
+ Reported-by: Kazuho Oku
+
+Daniel Stenberg (16 Feb 2016)
+- [Viktor Szakats brought this change]
+
+ openssl: use macro to guard the opaque EVP_PKEY branch
+
+- [Viktor Szakats brought this change]
+
+ openssl: avoid direct PKEY access with OpenSSL 1.1.0
+
+ by using API instead of accessing an internal structure.
+ This is required starting OpenSSL 1.1.0-pre3.
+
+ Closes #650
+
+- RELEASE-NOTES: synced with ede0bfc079da
+
+- [Clint Clayton brought this change]
+
+ CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
+
+ Change the example in the docs for CURLOPT_CONNECTTIMEOUT_MS to use
+ CURLOPT_CONNECTTIMEOUT_MS instead of CURLOPT_CONNECTTIMEOUT.
+
+ Closes #653
+
+- opt-docs: add more references
+
+- [David Byron brought this change]
+
+ SCP: use libssh2_scp_recv2 to support > 2GB files on windows
+
+ libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any
+ day now.
+
+ Closes #451
+
+Jay Satiro (13 Feb 2016)
+- [Shine Fan brought this change]
+
+ gtls: fix for builds lacking encrypted key file support
+
+ Bug: https://github.com/curl/curl/pull/651
+
+Dan Fandrich (13 Feb 2016)
+- test1604: Add to Makefile.inc so it gets run
+
+Jay Satiro (12 Feb 2016)
+- generate.bat: Fix comment bug by removing old comments
+
+ Remove NOTES section, it's no longer needed since we aren't setting the
+ errorlevel and more importantly the recently updated URL in the comments
+ is causing some unusual behavior that breaks the script.
+
+ Closes https://github.com/curl/curl/issues/649
+
+Kamil Dudka (12 Feb 2016)
+- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
+
+ The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man
+ pages since curl-7_12_3~131. This patch makes it clear in the curl.1
+ man page, too.
+
+ Bug: https://bugzilla.redhat.com/1305970
+
+Daniel Stenberg (12 Feb 2016)
+- dist: ship buildconf.bat too
+
+ As the winbuild/* stuff uses it!
+
+- curlx_tvdiff: handle 32bit time_t overflows
+
+ On 32bit systems, make sure we don't overflow and return funky values
+ for very large time differences.
+
+ Reported-by: Anders Bakken
+
+ Closes #646
+
+- examples: fix some compiler warnings
+
+- simplessl.c: fix my breakage
+
+- examples: adhere to curl code style
+
+ All plain C examples now (mostly) adhere to the curl code style. While
+ they are only examples, they had diverted so much and contained all
+ sorts of different mixed code styles by now. Having them use a unified
+ style helps users and readability. Also, as they get copy-and-pasted
+ widely by users, making sure they're clean and nice is a good idea.
+
+ 573 checksrc warnings were addressed.
+
+- examples/cookie_interface.c: add cleanup call
+
+ cleaning up handles is a good idea as we leak memory otherwise
+
+ Also, line wrapped before 80 columns.
+
+Kamil Dudka (10 Feb 2016)
+- nss: search slash in forward direction in dup_nickname()
+
+ It is wasteful to search it backwards if we look for _any_ slash.
+
+- nss: do not count enabled cipher-suites
+
+ We only care if at least one cipher-suite is enabled, so it does
+ not make any sense to iterate till the end and count all enabled
+ cipher-suites.
+
+Daniel Stenberg (10 Feb 2016)
+- contributors.sh: make 79 the max column width (from 80)
+
+- RELEASE-NOTES: synced with c276aefee3995
+
+- mbedtls.c: re-indent to better match curl standards
+
+- [Rafael Antonio brought this change]
+
+ mbedtls: fix memory leak when destroying SSL connection data
+
+ Closes #626
+
+- mbedtls: fix ALPN usage segfault
+
+ Since we didn't keep the input argument around after having called
+ mbedtls, it could end up accessing the wrong memory when figuring out
+ the ALPN protocols.
+
+ Closes #642
+
+Jay Satiro (9 Feb 2016)
+- [Timotej Lazar brought this change]
+
+ opts: update references to renamed options
+
+- KNOWN_BUGS: Update #92 - Windows device prefix
+
+- tool_doswin: Support for literal path prefix \\?\
+
+ For example something like --output \\?\C:\foo
+
+Daniel Stenberg (9 Feb 2016)
+- configure: state "BoringSSL" in summary when that was detected
+
+- [David Benjamin brought this change]
+
+ openssl: remove most BoringSSL #ifdefs.
+
+ As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
+ BoringSSL #ifdefs in cURL should be unnecessary:
+
+ - BoringSSL provides no-op stubs for compatibility which replaces most
+ #ifdefs.
+
+ - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
+ the compatibility codepath.
+
+ - With a small tweak to an extend_key_56_to_64 call, the NTLM code
+ builds fine.
+
+ - Switch OCSP-related #ifdefs to the more generally useful
+ OPENSSL_NO_OCSP.
+
+ The only #ifdefs which remain are Curl_ossl_version and the #undefs to
+ work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
+ that to the consumer. The in-header workaround makes things sensitive to
+ include order.)
+
+ This change errs on the side of removing conditionals despite many of
+ the restored codepaths being no-ops. (BoringSSL generally adds no-op
+ compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
+ bad enough!)
+
+ Closes #640
+
+Jay Satiro (8 Feb 2016)
+- KNOWN_BUGS: Windows device prefix is required for devices
+
+- tool_urlglob: Allow reserved dos device names (Windows)
+
+ Allow --output to reserved dos device names without the device prefix
+ for backwards compatibility.
+
+ Example: --output NUL can be used instead of --output \\.\NUL
+
+ Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
+ Reported-by: Gisle Vanem
+
+Daniel Stenberg (8 Feb 2016)
+- cookies: allow spaces in cookie names, cut of trailing spaces
+
+ It turns out Firefox and Chrome both allow spaces in cookie names and
+ there are sites out there using that.
+
+ Turned out the code meant to strip off trailing space from cookie names
+ didn't work. Fixed now.
+
+ Test case 8 modified to verify both these changes.
+
+ Closes #639
+
+Patrick Monnerat (8 Feb 2016)
+- Merge branch 'master' of github.com:curl/curl
+
+- os400: sync ILE/RPG definitions with latest public header files.
+
+Daniel Stenberg (8 Feb 2016)
+- [Ludwig Nussel brought this change]
+
+ SSLCERTS: update wrt SSL CA certificate store
+
+- [Ludwig Nussel brought this change]
+
+ configure: --with-ca-fallback: use built-in TLS CA fallback
+
+ When trying to verify a peer without having any root CA certificates
+ set, this makes libcurl use the TLS library's built in default as
+ fallback.
+
+ Closes #569
+
+- Proxy-Connection: stop sending this header by default
+
+ RFC 7230 says we should stop. Firefox already stopped.
+
+ Bug: https://github.com/curl/curl/issues/633
+ Reported-By: Brad Fitzpatrick
+
+ Closes #633
+
+- bump: work toward the next release
+
+- THANKS: 2 contributors from the 7.47.1 release
+
+- RELEASE-PROCEDURE: remove the github upload part
+
+ ... as we're HTTPS on the main site now, there's no point in that
+ extra step
+
+Version 7.47.1 (8 Feb 2016)
+
+Daniel Stenberg (8 Feb 2016)
+- RELEASE-NOTES: curl 7.47.1 time!
+
+Jay Satiro (8 Feb 2016)
+- tool_operhlp: Check for backslashes in get_url_file_name
+
+ Extract the filename from the last slash or backslash. Prior to this
+ change backslashes could be part of the filename.
+
+ This change needed for the curl tool built for Cygwin. Refer to the
+ CYGWIN addendum in advisory 20160127B.
+
+ Bug: https://curl.haxx.se/docs/adv_20160127B.html
+
+Daniel Stenberg (7 Feb 2016)
+- RELEASE-NOTES: synced with d6a8869ea34
+
+Jay Satiro (6 Feb 2016)
+- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
+
+ sk_X509_EXTENSION_num may return an unsigned integer, however the value
+ will fit in an int.
+
+ Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
+ Reported-by: Gisle Vanem
+
+Daniel Stenberg (7 Feb 2016)
+- TODO: 17.11 -w output to stderr
+
+Jay Satiro (6 Feb 2016)
+- [Michael Kaufmann brought this change]
+
+ idn_win32: Better error checking
+
+ .. also fix a conversion bug in the unused function
+ curl_win32_ascii_to_idn().
+
+ And remove wprintfs on error (Jay).
+
+ Bug: https://github.com/curl/curl/pull/637
+
+- [Gisle Vanem brought this change]
+
+ examples/asiohiper: Avoid function name collision on Windows
+
+ closesocket => close_socket
+ Winsock already has the former.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
+
+- [Gisle Vanem brought this change]
+
+ examples/htmltitle: Use _stricmp on Windows
+
+ Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
+
+Daniel Stenberg (6 Feb 2016)
+- COPYING: clarify that Daniel is not the sole author
+
+ ... done on request and as it is a fair point.
+
+Jay Satiro (5 Feb 2016)
+- unit1604: Fix unit setup return code
+
+- tool_doswin: Use type SANITIZEcode in sanitize_file_name
+
+- tool_doswin: Improve sanitization processing
+
+ - Add unit test 1604 to test the sanitize_file_name function.
+
+ - Use -DCURL_STATICLIB when building libcurltool for unit testing.
+
+ - Better detection of reserved DOS device names.
+
+ - New flags to modify sanitize behavior:
+
+ SANITIZE_ALLOW_COLONS: Allow colons
+ SANITIZE_ALLOW_PATH: Allow path separators and colons
+ SANITIZE_ALLOW_RESERVED: Allow reserved device names
+ SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
+
+ - Restore sanitization of banned characters from user-specified outfile.
+
+ Prior to this commit sanitization of a user-specified outfile was
+ temporarily disabled in 2b6dadc because there was no way to allow path
+ separators and colons through while replacing other banned characters.
+ Now in such a case we call the sanitize function with
+ SANITIZE_ALLOW_PATH which allows path separators and colons to pass
+ through.
+
+
+ Closes https://github.com/curl/curl/issues/624
+ Reported-by: Octavio Schroeder
+
+- [Viktor Szakats brought this change]
+
+ URLs: change more http to https
+
+- sasl_sspi: Fix memory leak in domain populate
+
+ Free an existing domain before replacing it.
+
+ Bug: https://github.com/curl/curl/issues/635
+ Reported-by: silveja1@users.noreply.github.com
+
+Daniel Stenberg (4 Feb 2016)
+- [Viktor Szakats brought this change]
+
+ URLs: follow GitHub project rename (also Travis CI)
+
+ Closes #632
+
+- CHANGES.o: fix references to curl.haxx.nu
+
+ I removed the scheme prefix from the URLs references this host name, as
+ we don't own/run that anymore but the name is kept for historic reasons.
+
+- HISTORY: add some info about when we used which host names
+
+Jay Satiro (2 Feb 2016)
+- [Viktor Szakats brought this change]
+
+ URLs: change more http to https
+
+Dan Fandrich (3 Feb 2016)
+- URLs: Change more haxx.se URLs from http: to https:
+
+Daniel Stenberg (3 Feb 2016)
+- RELEASE-NOTES: synced with 4af40b364
+
+- URLs: change all http:// URLs to https://
+
+- configure: update the copyright year range in output
+
+- dotdot: allow an empty input string too
+
+ It isn't used by the code in current conditions but for safety it seems
+ sensible to at least not crash on such input.
+
+ Extended unit test 1395 to verify this too as well as a plain "/" input.
+
+- HTTPS: update a bunch of URLs from HTTP to HTTPS
+
+- [Sergei Nikulov brought this change]
+
+ AppVeyor: updated to handle OpenSSL/WinSSL builds
+
+ Closes #621
+
+Jay Satiro (1 Feb 2016)
+- tool_operate: Don't sanitize --output path (Windows)
+
+ Due to path separators being incorrectly sanitized in --output
+ pathnames, eg -o c:\foo => c__foo
+
+ This is a partial revert of 3017d8a until I write a proper fix. The
+ remote-name will continue to be sanitized, but if the user specified an
+ --output with string replacement (#1, #2, etc) that data is unsanitized
+ until I finish a fix.
+
+ Bug: https://github.com/bagder/curl/issues/624
+ Reported-by: Octavio Schroeder
+
+- curl.1: Explain remote-name behavior if file already exists
+
+ .. also warn about letting the server pick the filename.
+
+- [Gisle Vanem brought this change]
+
+ urldata: Error on missing SSL backend-specific connect info
+
+Daniel Stenberg (28 Jan 2016)
+- bump: towards the next (7.47.1 ?)
+
+- [Sergei Nikulov brought this change]
+
+ cmake: fixed when OpenSSL enabled on Windows and schannel detected
+
+ Closes #617
+
+Jay Satiro (28 Jan 2016)
+- [Sergei Nikulov brought this change]
+
+ urldata: moved common variable out of ifdef
+
+ Closes https://github.com/bagder/curl/pull/618
+
+- [Viktor Szakats brought this change]
+
+ tool_doswin: silence unused function warning
+
+ tool_doswin.c:185:14: warning: 'msdosify' defined but not used
+ [-Wunused-function]
+
+ Closes https://github.com/bagder/curl/pull/616
+
+Daniel Stenberg (27 Jan 2016)
+- getredirect.c: fix variable name
+
+ Reported-by: Bernard Spil
+
+Version 7.47.0 (27 Jan 2016)
+
+Daniel Stenberg (27 Jan 2016)
+- examples/Makefile.inc: specify programs without .c!
+
+- THANKS: 6 new contributors from 7.47.0 release notes
+
+- [Isaac Boukris brought this change]
+
+ NTLM: Fix ConnectionExists to compare Proxy credentials
+
+ Proxy NTLM authentication should compare credentials when
+ re-using a connection similar to host authentication, as it
+ authenticate the connection.
+
+ Example:
+ curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
+ --proxy-ntlm --next -x http://proxy:port http://host/
+ [-U fake_user:fake_pwd --proxy-ntlm]
+
+ CVE-2016-0755
+
+ Bug: http://curl.haxx.se/docs/adv_20160127A.html
+
+- [Ray Satiro brought this change]
+
+ curl: avoid local drive traversal when saving file (Windows)
+
+ curl does not sanitize colons in a remote file name that is used as the
+ local file name. This may lead to a vulnerability on systems where the
+ colon is a special path character. Currently Windows/DOS is the only OS
+ where this vulnerability applies.
+
+ CVE-2016-0754
+
+ Bug: http://curl.haxx.se/docs/adv_20160127B.html
+
+- RELEASE-NOTES: 7.47.0
+
+- FAQ: language fix in 4.19
+
+- [paulehoffman brought this change]
+
+ FAQ: Update to point to GitHub
+
+ Current FAQ didn't make it clear where the main repo is.
+
+ Closes #612
+
+- maketgz: generate date stamp with LC_TIME=C
+
+ bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
+
+- curl_multi_socket_action.3: line wrap
+
+- RELEASE-NOTES: synced with d58ba66eeceb
+
+Steve Holme (21 Jan 2016)
+- TODO: "Create remote directories" for SMB
+
+Jay Satiro (18 Jan 2016)
+- mbedtls: Fix pinned key return value on fail
+
+ - Switch from verifying a pinned public key in a callback during the
+ certificate verification to inline after the certificate verification.
+
+ The callback method had three problems:
+
+ 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
+ was not returned.
+
+ 2. If peer certificate verification was disabled the pinned key
+ verification did not take place as it should.
+
+ 3. (related to #2) If there was no certificate of depth 0 the callback
+ would not have checked the pinned public key.
+
+ Though all those problems could have been fixed it would have made the
+ code more complex. Instead we now verify inline after the certificate
+ verification in mbedtls_connect_step2.
+
+ Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
+ Ref: https://github.com/bagder/curl/pull/601
+
+- tests: Add a test for pinnedpubkey fail even when insecure
+
+ Because disabling the peer verification (--insecure) must not disable
+ the public key pinning check (--pinnedpubkey).
+
+- [Daniel Schauenberg brought this change]
+
+ CURLINFO_RESPONSE_CODE.3: add example
+
+Kamil Dudka (15 Jan 2016)
+- ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
+
+ The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
+ empty strings specially since curl-7_25_0-31-g05a443a but the behavior
+ was unintentionally removed in curl-7_38_0-47-gfa7d04f.
+
+ This commit restores the original behavior and clarifies it in the
+ documentation that NULL and "" have both the same meaning when passed
+ to CURLOPT_SSH_PUBLIC_KEYFILE.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
+
+Daniel Stenberg (14 Jan 2016)
+- RELEASE-NOTES: synced with 35083ca60ed035a
+
+- openssl: improved error detection/reporting
+
+ ... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
+ 1.1.0+ returned a new func number of another cerfificate fail so this
+ required a fix and this is the better way to catch this error anyway.
+
+- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
+
+- CURLOPT_RESOLVE.3: minor language polish
+
+- configure: assume IPv6 works when cross-compiled
+
+ The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
+ works, and testing like that doesn't work for cross-compiles. These days
+ IPv6 support is widespread so a blind guess is probably more likely to
+ be 'yes' than 'no' now.
+
+ Further: anyone who cross-compiles can use configure's --disable-ipv6 to
+ explicitly disable IPv6 and that also works for cross-compiles.
+
+ Made happen after discussions in issue #594
+
+- TODO: "Try to URL encode given URL"
+
+ Closes #514
+
+- ConnectionExists: only do pipelining/multiplexing when asked
+
+ When an HTTP/2 upgrade request fails (no protocol switch), it would
+ previously detect that as still possible to pipeline on (which is
+ acorrect) and do that when PIPEWAIT was enabled even if pipelining was
+ not explictily enabled.
+
+ It should only pipelined if explicitly asked to.
+
+ Closes #584
+
+- [Mohammad AlSaleh brought this change]
+
+ lib: Prefix URLs with lower-case protocol names/schemes
+
+ Before this patch, if a URL does not start with the protocol
+ name/scheme, effective URLs would be prefixed with upper-case protocol
+ names/schemes. This behavior might not be expected by library users or
+ end users.
+
+ For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
+ URL is "hostname/path". The effective URL would be
+ "HTTPS://hostname/path" instead of "https://hostname/path".
+
+ After this patch, effective URLs would be prefixed with a lower-case
+ protocol name/scheme.
+
+ Closes #597
+
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
+
+- [Alessandro Ghedini brought this change]
+
+ scripts: don't generate and install zsh completion when cross-compiling
+
+- [Alessandro Ghedini brought this change]
+
+ scripts: fix zsh completion generation
+
+ The script should use the just-built curl, not the system one. This fixes
+ zsh completion generation when no system curl is installed.
+
+- [Alessandro Ghedini brought this change]
+
+ zsh.pl: fail if no curl is found
+
+ Instead of generation a broken completion file.
+
+- [Michael Kaufmann brought this change]
+
+ IDN host names: Remove the port number before converting to ACE
+
+ Closes #596
+
+Jay Satiro (10 Jan 2016)
+- runtests: Add mbedTLS to the SSL backends
+
+ .. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
+
+Daniel Stenberg (10 Jan 2016)
+- [Thomas Glanzmann brought this change]
+
+ mbedtls: implement CURLOPT_PINNEDPUBLICKEY
+
+Jay Satiro (9 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ url: Fix compile error with --enable-werror
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Ensure that http2_handle_stream_close is called
+
+ Previously, when HTTP/2 is enabled and used, and stream has content
+ length known, Curl_read was not called when there was no bytes left to
+ read. Because of this, we could not make sure that
+ http2_handle_stream_close was called for every stream. Since we use
+ http2_handle_stream_close to emit trailer fields, they were
+ effectively ignored. This commit changes the code so that Curl_read is
+ called even if no bytes left to read, to ensure that
+ http2_handle_stream_close is called for every stream.
+
+ Discussed in https://github.com/bagder/curl/pull/564
+
+Daniel Stenberg (8 Jan 2016)
+- http2: handle the received SETTINGS frame
+
+ This regression landed in 5778e6f5 and made libcurl not act on received
+ settings and instead stayed with its internal defaults.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
+ Reported-by: Bankde
+
+- Revert "multiplex: allow only once HTTP/2 is actually used"
+
+ This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36.
+
+ Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
+
+Jay Satiro (8 Jan 2016)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Fix PUSH_PROMISE headers being treated as trailers
+
+ Discussed in https://github.com/bagder/curl/pull/564
+
+Daniel Stenberg (8 Jan 2016)
+- [Michael Kaufmann brought this change]
+
+ connection reuse: IDN host names fixed
+
+ Use the ACE form of IDN hostnames as key in the connection cache. Add
+ new tests.
+
+ Closes #592
+
+- tests: mark IPv6 FTP and FTPS tests with the FTP keyword
+
+Jay Satiro (7 Jan 2016)
+- mbedtls: Fix ALPN support
+
+ - Fix ALPN reply detection.
+
+ - Wrap nghttp2 code in ifdef USE_NGHTTP2.
+
+
+ Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
+
+- http2: Fix client write for trailers on stream close
+
+ Check that the trailer buffer exists before attempting a client write
+ for trailers on stream close.
+
+ Refer to comments in https://github.com/bagder/curl/pull/564
+
+Daniel Stenberg (7 Jan 2016)
+- COPYING: update general copyright year range
+
+- ConnectionExists: add missing newline in infof() call
+
+ Mistake from commit a464f33843ee1
+
+- multiplex: allow only once HTTP/2 is actually used
+
+ To make sure curl doesn't allow multiplexing before a connection is
+ upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the
+ connection uses HTTP/2 as well and not only check what's wanted.
+
+ Closes #584
+
+ Patch-by: c0ff
+
+Jay Satiro (4 Jan 2016)
+- curl_global_init.3: Add Windows-specific info for init via DLL
+
+ - Add to both curl_global_init.3 and libcurl.3 the caveat for Windows
+ that initializing libcurl via a DLL's DllMain or static initializer
+ could cause a deadlock.
+
+ Bug: https://github.com/bagder/curl/issues/586
+ Reported-by: marc-groundctl@users.noreply.github.com
+
+Daniel Stenberg (4 Jan 2016)
+- FAQ: clarify who to mail about ECCN clarifications
+
+- progressfunc.c: spellfix description
+
+- docs/examples/multi-app.c: fix bad desc formatting
+
+- examples: added descriptions
+
+- example/simple.c: add description
+
+- getredirect.c: a new example
+
+Marc Hoersken (27 Dec 2015)
+- RELEASE-NOTES: add 5e0e81a9c4e35f04ca
+
+Daniel Stenberg (26 Dec 2015)
+- RELEASE-NOTES: synced with 2aec4359db1088b10d
+
+Marc Hoersken (26 Dec 2015)
+- test 1515: add data check
+
+- test 1515: add MSYS support by passing a relative path
+
+ MSYS would otherwise turn a /-style path into a C:\-style path.
+
+- test 539: use datacheck mode text for ASCII-mode LISTings
+
+ While still using datacheck mode binary for the inline reply data.
+
+- runtests.pl: check up to 5 data parts with different text modes
+
+ Move the text-mode conversion for reply/replycheck from the verify
+ section into the load section and add support for 4 more check parts.
+
+Daniel Stenberg (24 Dec 2015)
+- CURLOPT_RANGE: for HTTP servers, range support is optional
+
+Marc Hoersken (24 Dec 2015)
+- tests 1048 and 1050: use datacheck mode text for ASCII-mode LISTings
+
+- tests 706 and 707: use datacheck mode text for ASCII-mode LISTings
+
+- tests 400,403,406: use datacheck mode text for ASCII-mode LISTings
+
+- sockfilt.c: fix calculation of sleep timeout on Windows
+
+ Not converting to double caused small timeouts to be skipped.
+
+- tests first.c: fix calculation of sleep timeout on Windows
+
+ Not converting to double caused small timeouts to be skipped.
+
+- test 573: add more debug output
+
+- ftplistparser.c: fix handling of file LISTings using Windows EOL
+
+ Previously file.txt[CR][LF] would have been returned as file.tx
+ (without the last t) if filetype is symlink. Now the t is
+ included and the internal item_length includes the zero byte.
+
+ Spotted using test 576 on Windows.
+
+- test 16: fix on Linux (and Windows) by using plain ASCII characters
+
+ Follow up on b064ff0c351bb287557228575ef4c1d079b866fb, thanks Daniel.
+
+- tftpd server: add Windows support by writing files in binary mode
+
+- tests 252-255: use datacheck mode text for ASCII-mode LISTings
+
+- test 16: fix on Windows by converting data file from ANSI to UTF-8
+
+Daniel Stenberg (23 Dec 2015)
+- Makefile.inc: s/curl_SOURCES/CURL_FILES
+
+ This allows the root Makefile.am to include the Makefile.inc without
+ causing automake to warn on it (variables named *_SOURCES are
+ magic). curl_SOURCES is then instead assigned properly in
+ src/Makefile.am only.
+
+ Closes #577
+
+- [Anders Bakken brought this change]
+
+ ConnectionExists: with *PIPEWAIT, wait for connections
+
+ Try harder to prevent libcurl from opening up an additional socket when
+ CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
+ handshakes complete first before the decision is made.
+
+ Closes #575
+
+- [Anders Bakken brought this change]
+
+ Add .dir-locals and set c-basic-offset to 2.
+
+ This makes it easier for emacs users to automatically get the right
+ 2-space indentation when they edit curl source files.
+
+ c++-mode is in there as well because Emacs can't easily know if
+ something is a C or C++ header.
+
+ Closes #574
+
+- [Johannes Schindelin brought this change]
+
+ configure: detect IPv6 support on Windows
+
+ This patch was "nicked" from the MINGW-packages project by Daniel.
+
+ https://github.com/Alexpux/MINGW-packages/commit/9253d0bf58a1486e91f7efb5316e7fdb48fa4007
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- configure: allow static builds on mingw
+
+ This patch is adopted from the MINGW-packages project. It makes it
+ possible to build curl both shared and static again.
+
+ URL: https://github.com/Alexpux/MINGW-packages/tree/master/mingw-w64-curl
+
+Marc Hoersken (17 Dec 2015)
+- test 1326: fix file check since curl is outputting binary data
+
+- test 1326: fix getting stuck on Windows due to incomplete request
+
+ The request needs to be read and send in binary mode in order to use
+ CRLF instead of LF. Adding --upload-file - causes curl to read stdin
+ in binary mode.
+
+Daniel Stenberg (17 Dec 2015)
+- RELEASE-NOTES: command line option recount
+
+Dan Fandrich (16 Dec 2015)
+- scripts/Makefile: build zsh script even in an out-of-tree build
+
+Marc Hoersken (16 Dec 2015)
+- sockfilt.c: added some debug output to select_ws
+
+- sockfilt.c: keep lines shorter than 80 chars
+
+- sockfilt.c: do not wait on unreliable file or pipe handle
+
+ The previous implementation caused issues on modern MSYS2 runtimes.
+
+Daniel Stenberg (16 Dec 2015)
+- cyassl: deal with lack of *get_peer_certificate
+
+ The function is only present in wolfssl/cyassl if it was built with
+ --enable-opensslextra. With these checks added, pinning support is disabled
+ unless the TLS lib has that function available.
+
+ Also fix the mistake in configure that checks for the wrong lib name.
+
+ Closes #566
+
+- wolfssl: handle builds without SSLv3 support
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Support trailer fields
+
+ This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked
+ encoding must be used to send trialer fields. HTTP/2 deprecated any
+ trandfer-encoding, including chunked. But trailer fields are now
+ always available.
+
+ Since trailer fields are relatively rare these days (gRPC uses them
+ extensively though), allocating buffer for trailer fields is done when
+ we detect that HEADERS frame containing trailer fields is started. We
+ use Curl_add_buffer_* functions to buffer all trailers, just like we
+ do for regular header fields. And then deliver them when stream is
+ closed. We have to be careful here so that all data are delivered to
+ upper layer before sending trailers to the application.
+
+ We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE
+ mechanism, but current method is far more simple.
+
+ Another possibility is use chunked encoding internally for HTTP/2
+ traffic. I have not tested it, but it could add another overhead.
+
+ Closes #564
+
+- RELEASE-NOTES: synced with 6c2c019654e658a
+
+Jay Satiro (15 Dec 2015)
+- x509asn1: Fix host altname verification
+
+ - In Curl_verifyhost check all altnames in the certificate.
+
+ Prior to this change only the first altname was checked. Only the GSKit
+ SSL backend was affected by this bug.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
+ Reported-by: John Kohl
+
+Daniel Stenberg (15 Dec 2015)
+- curl --expect100-timeout: added
+
+ This is the new command line option to set the value for the existing
+ libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
+
+- cyassl: fix compiler warning on type conversion
+
+- curlver: the pending release will become 7.47.0
+
+- [Anders Bakken brought this change]
+
+ setstropt: const-correctness
+
+ Closes #565
+
+- ROADMAP: implemented HTTP2 for HTTPS-only
+
+- HTTP2.md: spell fix and remove TODO now implemented
+
+- libressl: the latest openssl x509 funcs are not in libressl
+
+- curl: use 2TLS by default
+
+ Make this the default for the curl tool (if built with HTTP/2 powers
+ enabled) unless a specific HTTP version is requested on the command
+ line.
+
+ This should allow more users to get HTTP/2 powers without having to
+ change anything.
+
+- http: add libcurl option to allow HTTP/2 for HTTPS only
+
+ ... and stick to 1.1 for HTTP. This is in line with what browsers do and
+ should have very little risk.
+
+- openssl: adapt to openssl >= 1.1.0 X509 opaque structs
+
+ Closes #491
+
+- openssl: avoid BIO_reset() warnings since it returns a value
+
+- openssl: adapt to 1.1.0+ name changes
+
+- scripts/makefile: add standard header
+
+- scripts/Makefile: fix GNUism and survive no perl
+
+ Closes #555
+
+ Reported-by: Thomas Klausner
+
+- fix b6d5cb40d7038fe
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Fix hanging paused stream
+
+ When NGHTTP2_ERR_PAUSE is returned from data_source_read_callback, we
+ might not process DATA frame fully. Calling nghttp2_session_mem_recv()
+ again will continue to process DATA frame, but if there is no incoming
+ frames, then we have to call it again with 0-length data. Without this,
+ on_stream_close callback will not be called, and stream could be hanged.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0103.html
+ Reported-by: Francisco Moraes
+
+- [Christian Stewart brought this change]
+
+ build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
+
+ With curl disable verbose strings in http.c the compilation fails due to
+ the data variable being undefined later on in the function.
+
+ Closes #558
+
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
+
+ config-win32: Fix warning HAVE_WINSOCK2_H undefined
+
+- [Gisle Vanem brought this change]
+
+ openssl: BoringSSL doesn't have CONF_modules_free
+
+- [Gisle Vanem brought this change]
+
+ lwip: Fix compatibility issues with later versions
+
+ The name of the header guard in lwIP's <lwip/opt.h> has changed from
+ '__LWIP_OPT_H__' to 'LWIP_HDR_OPT_H' (bug #35874 in May 2015).
+
+ Other fixes:
+
+ - In curl_setup.h, the problem with an old PSDK doesn't apply if lwIP is
+ used.
+
+ - In memdebug.h, the 'socket' should be undefined first due to lwIP's
+ lwip_socket() macro.
+
+ - In curl_addrinfo.c lwIP's getaddrinfo() + freeaddrinfo() macros need
+ special handling because they were undef'ed in memdebug.h.
+
+ - In select.c we can't use preprocessor conditionals inside select if
+ MSVC and select is a macro, as it is with lwIP.
+
+ http://curl.haxx.se/mail/lib-2015-12/0023.html
+ http://curl.haxx.se/mail/lib-2015-12/0024.html
+
+Patrick Monnerat (7 Dec 2015)
+- os400: define CURL_VERSION_PSL in ILE/RPG binding
+
+Jay Satiro (7 Dec 2015)
+- [Gisle Vanem brought this change]
+
+ version: Add flag CURL_VERSION_PSL for libpsl
+
+- formdata: Check if length is too large for memory
+
+ - If the size of the length type (curl_off_t) is greater than the size
+ of the size_t type then check before allocating memory to make sure the
+ value of length will fit in a size_t without overflow. If it doesn't
+ then return CURLE_BAD_FUNCTION_ARGUMENT.
+
+ Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
+ Reported-by: Steve Holme
+
+Steve Holme (3 Dec 2015)
+- tests: Corrected copy and pasted comments from commit e643c5c908
+
+Daniel Stenberg (3 Dec 2015)
+- curl: remove keepalive #ifdef checks done on libcurl's behalf
+
+ They didn't match the ifdef logic used within libcurl anyway so they
+ could indeed warn for the wrong case - plus the tool cannot know how the
+ lib actually performs at that level.
+
+Steve Holme (2 Dec 2015)
+- test947: Corrected typo in test name
+
+- tests: Disable the OAUTHBEARER tests when using a non-default port number
+
+ Tests 842, 843, 844, 845, 887, 888, 889, 890, 946, 947, 948 and 949 fail
+ if a custom port number is specified via the -b option of runtests.pl.
+
+ Suggested by: Kamil Dudka
+ Bug: http://curl.haxx.se/mail/lib-2015-12/0003.html
+
+Daniel Stenberg (2 Dec 2015)
+- bump: towards next release
+
+ for all we know now, it might be called 7.46.1
+
+Version 7.46.0 (1 Dec 2015)
+
+Daniel Stenberg (1 Dec 2015)
+- RELEASE-NOTES: updated contributor count for 7.46.0
+
+- THANKS: new contributors from the 7.46.0 release
+
+- THANKS-filter: single Tim Rühsen spelling
+
+- docs/examples: gitignore some more built examples
+
+- RELEASE-NOTES; this bug was never released
+
+- RELEASE-NOTES: synced with e55f15454efacb0
+
+- [Flavio Medeiros brought this change]
+
+ Curl_read_plain: clean up ifdefs that break statements
+
+ Closes #546
+
+- http2: convert some verbose output into debug-only output
+
+- http2 push: add missing inits of new stream
+
+ - set the correct stream_id for pushed streams
+ - init maxdownload and size properly
+
+- http2 push: set weight for new stream
+
+ give the new stream the old one's stream_weight internally to avoid
+ sending a PRIORITY frame unless asked for it
+
+- curl_setup.h: undef freeaddrinfo in c-ares block to fix build
+
+ Fixes warnings 78c25c854a added.
+
+- nonblock: fix setting non-blocking mode for Amiga
+
+ IoctlSocket() apparently wants a pointer to a long, passed as a char *
+ in its third parameter. This bug was introduced already back in commit
+ c5fdeef41d from October 1 2001!
+
+ Bug: http://curl.haxx.se/mail/lib-2015-11/0088.html
+ Reported-by: Norbert Kett
+
+- zsh install: fix DESTDIR support
+
+ Reported-by: Mohammad AlSaleh
+
+Dan Fandrich (27 Nov 2015)
+- lib: Only define curl_dofreeaddrinfo if struct addrinfo is available
+
+Steve Holme (27 Nov 2015)
+- tool_paramhlp: Fixed display of URL index in password prompt for --next
+
+ Commit f3bae6ed73 added the URL index to the password prompt when using
+ --next. Unfortunately, because the size_t specifier (%zu) is not
+ supported by all sprintf() implementations we use the curl_off_t format
+ specifier instead. The display of an incorrect value arises on platforms
+ where size_t and curl_off_t are of a different size.
+
+Daniel Stenberg (25 Nov 2015)
+- timecond: do not add if-modified-since without timecondition
+
+ The RTSP code path didn't skip adding the if-modified-since for certain
+ RTSP code paths, even if CURLOPT_TIMECONDITION was set to
+ CURL_TIMECOND_NONE.
+
+ Also, an unknown non-zero CURLOPT_TIMECONDITION value no longer equals
+ CURL_TIMECOND_IFMODSINCE.
+
+ Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header
+
+- RELEASE-NOTES: synced with 99d17a5e2ba77e58
+
+- examples/README: cut out the incomplete list
+
+ ... and add a generic explanation for them instead. Each example file
+ should contain its own description these days.
+
+- test1513: make sure the callback is only called once
+
+- [Daniel Shahaf brought this change]
+
+ build: Install zsh completion
+
+ Fixes #534
+ Closes #537
+
+- done: make sure the final progress update is made
+
+ It would previously be skipped if an existing error was returned, but
+ would lead to a previous value being left there and later used.
+ CURLINFO_TOTAL_TIME for example.
+
+ Still it avoids that final progress update if we reached DONE as the
+ result of a callback abort to avoid another callback to be called after
+ an abort-by-callback.
+
+ Reported-by: Lukas Ruzicka
+
+ Closes #538
+
+- curl: expanded the -XHEAD warning text
+
+ ... to also mention the specific options used.
+
+- Revert "cleanup: general removal of TODO (and similar) comments"
+
+ This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a.
+
+ Feedback-by: Dan Fandrich
+ URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
+
+- CURLOPT_HEADERFUNCTION.3: fix typo
+
+ Refer to _HEADERDATA not _WRITEDATA.
+
+ Reported-by: Michał Piechowski
+
+- TODO: TCP Fast Open
+
+Steve Holme (22 Nov 2015)
+- examples: Added website parse-able descriptions to the e-mail examples
+
+- TODO: Added another 'multi-interface' idea
+
+- smb.c: Fixed compilation warnings
+
+ smb.c:134:3: warning: conversion to 'short unsigned int' from 'int' may
+ alter its value
+ smb.c:146:42: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
+ smb.c:146:65: warning: conversion to 'unsigned int' from 'long long
+ unsigned int' may alter its value
+
+- schannel: Corrected copy/paste error in commit 8d17117683
+
+- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
+
+ Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
+
+- examples: Fixed compilation warnings
+
+ pop3-multi.c:96:5: warning: implicit declaration of function 'memset'
+ imap-multi.c:96:5: warning: implicit declaration of function 'memset'
+ http2-download.c:226:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
+ http2-upload.c:290:5: warning: implicit declaration of function 'memset'
+
+- Makefile.inc: Fixed test run error
+
+ test845 not present in tests/data/Makefile.inc
+
+Daniel Stenberg (20 Nov 2015)
+- TODO: remove duplicated title
+
+- TODO: added two more libcurl ideas
+
+ Moved some ideas from "next major" to just ordinary ideas since we can
+ always add new things while keeping the old without doing a "next
+ major".
+
+Steve Holme (20 Nov 2015)
+- tests: Re-enabled tests 889 and 890 following POP3 fix
+
+- pop3: Differentiate between success and continuation responses
+
+- pop3: Added clarity on some server response codes
+
+Daniel Stenberg (20 Nov 2015)
+- [Daniel Shahaf brought this change]
+
+ build: Fix theoretical infinite loops
+
+ Add error-checking to 'cd' in a few cases where omitting the checks
+ might result in an infinite loop.
+
+ Closes #535
+
+Patrick Monnerat (19 Nov 2015)
+- curl.h: s/#defien/#define/
+
+- os400: synchronize ILE/RPG header file
+
+- os400: Provide options for libssh2 use in compile scripts. Adjust README.
+
+Daniel Stenberg (19 Nov 2015)
+- [danielsh@apache.org brought this change]
+
+ zsh completion: Preserve single quotes in output
+
+ When an option's help string contains literal single quotes, those
+ single quotes would be stripped from the option's description in the
+ completion output (unless the zsh RC_QUOTES option were set while the
+ completion function was being sourced, which is not the default). This
+ patch makes the completion output contain single quotes where the --help
+ output does.
+
+ Closes #532
+
+Jay Satiro (18 Nov 2015)
+- [MaxGiting brought this change]
+
+ FAQ: Grammar changes
+
+ Closes https://github.com/bagder/curl/pull/533
+
+Daniel Stenberg (17 Nov 2015)
+- http2: http_done: don't free already-freed push headers
+
+ The push headers are freed after the push callback has been invoked,
+ meaning this code should only free the headers if the callback was never
+ invoked and thus the headers weren't freed at that time.
+
+ Reported-by: Davey Shafik
+
+- [Anders Bakken brought this change]
+
+ getconnectinfo: Don't call recv(2) if socket == -1
+
+ Closes #528
+
+- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
+
+ ... if there are more than one using the same name
+
+- http2: minor comment typo
+
+- sasl; fix checksrc warnings
+
+Steve Holme (15 Nov 2015)
+- RELEASE-NOTES: Adjusted for the recent OAuth 2.0 activity
+
+- tests: Disabled 889 and 890 until we support POP3 continuation responses
+
+ As POP3 final and continuation responses both begin with a + character,
+ and both the finalcode and contcode variables in SASLprotoc are set as
+ such, we cannot tell the difference between them when we are expecting
+ an optional continuation from the server such as the following:
+
+ + something else from the server
+ +OK final response
+
+ Disabled these tests until such a time we can tell the responses apart.
+
+- tests: Corrected typos from commit ba4d8f7eba
+
+- tests: Added OAUTHBEARER failure response tests
+
+- oauth2: Support OAUTHBEARER failures sent as continuation responses
+
+ According to RFC7628 a failure message may be sent by the server in a
+ base64 encoded JSON string as a continuation response.
+
+ Currently only implemented for OAUTHBEARER and not XAUTH2.
+
+Daniel Stenberg (15 Nov 2015)
+- RELEASE-NOTES: synced with 808a17ee675
+
+Steve Holme (14 Nov 2015)
+- tests: Renamed existing OAuth 2.0 (XOAUTH) tests
+
+- tests: Added OAuth 2.0 (OAUTHBEARER) tests
+
+- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
+
+ OAUTHBEARER is now the official "registered" SASL mechanism name for
+ OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some
+ servers won't support the new mechanism yet.
+
+Daniel Stenberg (13 Nov 2015)
+- RELEASE-NOTES: recounted curl_easy_setopt() options
+
+- typecheck-gcc.h: add missing slist-using options
+
+ CURLOPT_RESOLVE and CURLOPT_PROXYHEADER were missing
+
+ Also sorted the list.
+
+- typecheck-gcc.h: added CURLOPT_CLOSESOCKETDATA
+
+ ... and sorted curl_is_cb_data_option alphabetically
+
+Jay Satiro (13 Nov 2015)
+- [Sebastian Pohlschmidt brought this change]
+
+ openssl: Free modules on cleanup
+
+ Curl_ossl_init calls OPENSSL_load_builtin_modules() but
+ Curl_ossl_cleanup doesn't make a call to free these modules.
+
+ Bug: https://github.com/bagder/curl/issues/526
+
+Steve Holme (13 Nov 2015)
+- symbols-in-versions: Added new CURLOPTTYPE_STRINGPOINT alias
+
+ ...following commit aba281e762 to fix test 1119.
+
+Daniel Stenberg (13 Nov 2015)
+- curl: mark two more options strings for --libcurl output
+
+- typecheck-gcc.h: add some missing string types
+
+ Also sorted that list alphabetically
+
+- curl.h: introducing the STRINGPOINT alias
+
+ As an alias for OBJECTPOINT. Provided to allow us to grep for all string
+ options easier.
+
+- cleanup: general removal of TODO (and similar) comments
+
+ They tend to never get updated anyway so they're frequently inaccurate
+ and we never go back to revisit them anyway. We document issues to work
+ on properly in KNOWN_BUGS and TODO instead.
+
+- ftplistparser: remove empty function
+
+- openssl: remove #if check for 0.9.7 for ENGINE_load_private_key
+
+- openssl: all supported versions have X509_STORE_set_flags
+
+ Simplify by removing #ifdefs and macros
+
+- openssl: remove 0.9.3 check
+
+- openssl: remove #ifdefs for < 0.9.5 support
+
+ We only support >= 0.9.7
+
+- lib/vtls/openssl: remove unused traces of yassl ifdefs
+
+Dan Fandrich (12 Nov 2015)
+- [dfandrich brought this change]
+
+ unit1603: Demote hash mismatch failure to a warning
+
+ The hashes can vary between architectures (e.g. Sparc differs from x86_64).
+ This is not a fatal problem but just reduces the coverage of these white-box
+ tests, as the assumptions about into which hash bucket each key falls are no
+ longer valid.
+
+- [dfandrich brought this change]
+
+ unit1603: Added unit tests for hash functions
+
+- [dfandrich brought this change]
+
+ unit1602: Fixed failure in torture test
+
+Steve Holme (12 Nov 2015)
+- sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism
+
+ Following the fix in commit d6d58dd558 it is necessary to re-introduce
+ XOAUTH2 in the default enabled authentication mechanism, which was
+ removed in commit 7b2012f262, otherwise users will have to specify
+ AUTH=XOAUTH2 in the URL.
+
+ Note: OAuth 2.0 will only be used when the bearer is specified.
+
+- [Stefan Bühler brought this change]
+
+ sasl_sspi: fix identity memory leak in digest authentication
+
+- [Stefan Bühler brought this change]
+
+ sasl_sspi: fixed unicode build for digest authentication
+
+ Closes #525
+
+- oauth2: Re-factored OAuth 2.0 state variable
+
+- sasl: Don't choose OAuth 2.0 if mechanism not advertised
+
+ Regression from commit 9e8ced9890 which meant if --oauth2-bearer was
+ specified but the SASL mechanism wasn't supported by the server then
+ the mechanism would be chosen.
+
+Daniel Stenberg (12 Nov 2015)
+- runtests: more compact "System characteristics" output
+
+ - no point in repeating curl features that is already listed as features
+ from the curl -V output
+
+ - remove the port numbers/unix domain path from the output unless
+ verbose is used, as that is rarely interesting to users.
+
+- runtests: rename conditional curl-features to $has_[name]
+
+Steve Holme (11 Nov 2015)
+- oauth2: Introduced support for host and port details
+
+ Added support to the OAuth 2.0 message function for host and port, in
+ order to accommodate the official OAUTHBEARER SASL mechanism which is
+ to be added shortly.
+
+- curl_setup.h: Removed duplicate CURL_DISABLE_RTSP when HTTP_ONLY defined
+
+- cmake: Add missing feature macros in config header (Part 2)
+
+ In addition to commit a215381c94 added the RTSP, RTMP and SMB protocols.
+
+Daniel Stenberg (10 Nov 2015)
+- [Douglas Creager brought this change]
+
+ cmake: Add missing feature macros in config header
+
+ The curl_config.h file can be generated either from curl_config.h.cmake
+ or curl_config.h.in, depending on whether you're building using CMake or
+ the autotools. The CMake template header doesn't include entries for
+ all of the protocols that you can disable, which (I think) means that
+ you can't actually disable those protocols when building via CMake.
+
+ Closes #523
+
+- [Douglas Creager brought this change]
+
+ BoringSSL: Work with stricter BIO_get_mem_data()
+
+ BoringSSL implements `BIO_get_mem_data` as a function, instead of a
+ macro, and expects the output pointer to be a `char **`. We have to add
+ an explicit cast to grab the pointer as a `const char **`.
+
+ Closes #524
+
+- http2: rectify the http2 version #if check
+
+ We need 1.0.0 or later. Also verified by configure.
+
+Steve Holme (9 Nov 2015)
+- oauth2: Don't use XAUTH2 in OAuth 2.0 function name
+
+- oauth2: Don't use XOAUTH2 in OAuth 2.0 variables
+
+- oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
+
+ When referring to OAuth 2.0 we should use the official name rather the
+ SASL mechanism name.
+
+Daniel Stenberg (9 Nov 2015)
+- imap: avoid freeing constant string
+
+ The fix in 1a614c6c3 was wrong and would leed to free() of a fixed
+ string.
+
+ Pointed-out-by: Kamil Dudka
+
+- ROADMAP: remove two items already done
+
+- RELEASE-NOTES: synced with 2200bf62054
+
+Jay Satiro (9 Nov 2015)
+- acinclude: Remove check for 16-bit curl_off_t
+
+ Because it's illogical to check for a 16-bit curl_off_t.
+
+ Ref: https://github.com/bagder/curl/issues/425#issuecomment-154964205
+
+Dan Fandrich (8 Nov 2015)
+- tool: Fixed a memory leak on OOM introduced in 19cb0c4a
+
+Steve Holme (8 Nov 2015)
+- [Justin Ehlert brought this change]
+
+ imap: Don't check for continuation when executing a CUSTOMREQUEST
+
+ Bug: https://github.com/bagder/curl/issues/486
+ Closes https://github.com/bagder/curl/pull/487
+
+Daniel Stenberg (7 Nov 2015)
+- imap: checksrc: remove space after while before paren
+
+- checksrc.whitelist: "missing space after close paren"
+
+ ... when it was within a string!
+
+Steve Holme (7 Nov 2015)
+- opts: Corrected TLS protocols list to include POP3S rather than POP3
+
+- imap: Quote other 'atom-specials' and not just the space character
+
+ Closes #517
+
+- imap: Fixed double quote in LIST command when mailbox contains spaces
+
+Daniel Stenberg (6 Nov 2015)
+- imap: fix compiler warning
+
+ imap.c:657:13: error: assignment discards 'const' qualifier from pointer
+ target type [-Werror=discarded-qualifiers]
+
+Steve Holme (6 Nov 2015)
+- imap: Don't call imap_atom() when no mailbox specified in LIST command
+
+Daniel Stenberg (6 Nov 2015)
+- curl.1: remove the overlap --range example
+
+ ... it is just weird to include by default even if it still works.
+
+- tftp tests: verify sent options too
+
+ The tftpd test server now logs all received options and thus all TFTP
+ test cases need to match them exactly.
+
+ Extended test 283 to use and verify --tftp-blksize.
+
+Jay Satiro (6 Nov 2015)
+- getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
+
+ - Set user info param to the socket returned by Curl_getconnectinfo,
+ regardless of if the socket is bad. Effectively this means the user info
+ param now will receive CURL_SOCKET_BAD instead of -1 on bad socket.
+
+ - Remove incorrect comments.
+
+ CURLINFO_ACTIVESOCKET is documented to write CURL_SOCKET_BAD to user
+ info param but prior to this change it wrote -1.
+
+ Bug: https://github.com/bagder/curl/pull/518
+ Reported-by: Marcel Raad
+
+Patrick Monnerat (5 Nov 2015)
+- curl_ntlm_core: fix 2 curl_off_t constant overflows.
+
+- os400: adjust specific code to support new options.
+
+Daniel Stenberg (2 Nov 2015)
+- [Lauri Kasanen brought this change]
+
+ rawstr: Speed up Curl_raw_toupper by 40%
+
+ Rationale: when starting up a curl-using app, all cookies from the jar
+ are checked against each other. This was causing a startup delay in the
+ Fifth browser.
+
+ All tests pass.
+
+ Signed-off-by: Lauri Kasanen <cand@gmx.com>
+
+- http redirects: %-encode bytes outside of ascii range
+
+ Apparently there are sites out there that do redirects to URLs they
+ provide in plain UTF-8 or similar. Browsers and wget %-encode such
+ headers when doing a subsequent request. Now libcurl does too.
+
+ Added test 1138 to verify.
+
+ Closes #473
+
+- RELEASE-NOTES: synced with cba5bc585410
+
+- symbols-in-version: add all CURL_HTTPPOST_* symbols
+
+- formadd: support >2GB files on windows
+
+ Closes #425
+
+- curl.h: s/HTTPPOST_/CURL_HTTPOST_
+
+ Fixes a name space pollution at the cost of programs using one of these
+ defines will no longer compile. However, the vast majority of libcurl
+ programs that do multipart formposts use curl_formadd() to build this
+ list.
+
+ Closes #506
+
+- mbedtls: fix "Structurally dead code"
+
+ CID 1332129
+
+- mbedtls: fix "Logically dead code"
+
+ CID 1332128
+
+- Revert "openssl: engine: remove double-free"
+
+ This reverts commit 370ee919b37cc9a46c36428b2bb1527eae5db2bd.
+
+ Issue #509 has all the details but it was confirmed that the crash was
+ not due to this, so the previous commit was wrong.
+
+- curl.1: -E: s/private certificate/client certificate
+
+ ... as the certificate is strictly speaking not private.
+
+ Reported-by: John Levon
+
+- openssl: engine: remove double-free
+
+ After a successful call to SSL_CTX_use_PrivateKey(), we must not call
+ EVP_PKEY_free() on the key.
+
+ Reported-by: nased0
+ Closes #509
+
+Jay Satiro (27 Oct 2015)
+- socks: Fix incorrect port numbers in failed connect messages
+
+Daniel Stenberg (26 Oct 2015)
+- DISTRO-DILEMMA: removed
+
+ Out of date and not kept accurate. It was sort of a problem of the past
+ anyway.
+
+- [xiangbin li brought this change]
+
+ MacOSX-Framework: sdk regex fix for sdk 10.10 and later
+
+ closes #507
+
+Jay Satiro (24 Oct 2015)
+- build: Fix support for PKG_CONFIG
+
+ - Allow the user to use PKG_CONFIG but not PKGCONFIG.
+
+ Background:
+
+ Last week in 14d5a86 a change was made to allow the user to set the
+ PKGCONFIG variable. Today in 72d99f2 I supplemented that to allow the
+ more common PKG_CONFIG as an alternative if PKGCONFIG is not set.
+
+ Neither of those changes worked as expected because PKGCONFIG is
+ occasionally reset in configure and by the CURL_CHECK_PKGCONFIG macro.
+ Instead in this commit I take the approach that the user may set
+ PKG_CONFIG only.
+
+- build: Fix mingw ssl gdi32 order
+
+ - If mingw ssl make sure -lgdi32 comes after ssl libs
+
+ - Allow PKG_CONFIG to set pkg-config location and options
+
+ Bug: https://github.com/bagder/curl/pull/501
+ Reported-by: Kang Lin
+
+Daniel Stenberg (23 Oct 2015)
+- RELEASE-NOTES: synced with 03b6e078163f
+
+- polarssl/mbedtls: fix name space pollution
+
+ Global private symbols MUST start with Curl_!
+
+- [Dmitry S. Baikov brought this change]
+
+ mbedTLS: THREADING_SUPPORT compilation fix
+
+ Closes #505
+
+- test1137: verify --ignore-content-length for FTP
+
+- curl.1: --ignore-content-length now works for FTP too
+
+- [Kurt Fankhauser brought this change]
+
+ ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
+
+ This allows FTP transfers with growing (or shrinking) files without
+ causing a transfer error.
+
+ Closes #480
+
+- CURLOPT_STREAM_WEIGHT.3: call argument 'weight' too
+
+ ... and add a little example of what the weight actually means. "Relative
+ proportion of bandwidth".
+
+- http2: add stream options to dist and curl_easy_setopt.3
+
+- http2: s/priority/weight
+
+- http2: on_frame_recv: trust the conn/data input
+
+ Removed wrong assert()s
+
+ The 'conn' passed in as userdata can be used and there can be other
+ sessionhandles ('data') than the single one this checked for.
+
+- http2: added three stream prio/deps options
+
+ CURLOPT_STREAM_DEPENDS
+
+ CURLOPT_STREAM_DEPENDS_E
+
+ CURLOPT_STREAM_PRIORITY
+
+- RELEASE-NOTES: synced with ace68fdc0cfed83d
+
+- [m-gardet brought this change]
+
+ mbedtls:new profile with RSA min key len = 1024.
+
+ Closes #502
+
+- checksrc: add crude // detection
+
+Jay Satiro (21 Oct 2015)
+- [Gisle Vanem brought this change]
+
+ build: fix for MSDOS/djgpp
+
+ - Add a VPATH-statement for the vtls/*.c files.
+
+ - Due to 'vtls/*.c', remove that subdir part from $(OBJECTS).
+
+Daniel Stenberg (20 Oct 2015)
+- copyrights: update Gisle Vanem's email
+
+- vtls: fix compiler warning for TLS backends without sha256
+
+ ... noticed with mbedTLS.
+
+- [Jonas Minnberg brought this change]
+
+ vtls: added support for mbedTLS
+
+ closes #496
+
+Jay Satiro (19 Oct 2015)
+- [Javier G. Sogo brought this change]
+
+ cmake: Fix for add_subdirectory(curl) use-case
+
+ - Use CURL_BINARY_DIR instead of CMAKE_BINARY_DIR.
+
+ When including CURL using add_subdirectory the variables
+ CMAKE_BINARY_DIR and CURL_BINARY_DIR hold different paths.
+
+ Closes https://github.com/bagder/curl/pull/488
+ Closes https://github.com/bagder/curl/pull/498
+
+Daniel Stenberg (18 Oct 2015)
+- RELEASE-NOTES: synced with 4c773bcb474e
+
+- tests/FILEFORMAT: mention PSL as a valid feture to check for
+
+ For example in test 1136
+
+- teste1136: only run when PSL is enabled
+
+- curl: slist_wc: remove curl_memory.h inclusion
+
+ ... that's for the library only.
+
+- configure: add PSL to the list of features
+
+ ... to make test 1014 work again after e77b5b7453.
+
+- [Daniel Hwang brought this change]
+
+ tool: Generate easysrc with last cache linked-list
+
+ Using a last cache linked-list improves the performance of easysrc
+ generation.
+
+ Bug: https://github.com/bagder/curl/issues/444
+ Ref: https://github.com/bagder/curl/issues/429
+
+ Closes #452
+
+- [Tim Rühsen brought this change]
+
+ cookies: Add support for Mozilla's Publix Suffix List
+
+ Use libpsl to check the domain value of Set-Cookie headers (and cookie
+ jar entries) for not being a Publix Suffix.
+
+ The configure script checks for "libpsl" by default. Disable the check
+ with --without-libpsl.
+
+ Ref: https://publicsuffix.org/
+ Ref: https://github.com/publicsuffix/list
+ Ref: https://github.com/rockdaboot/libpsl
+
+- [Richard Hosking brought this change]
+
+ curlbuild.h: Fix non-configure compiling to mips and sh4 targets
+
+- [Anders Bakken brought this change]
+
+ http2: Don't pass unitialized name+len pairs to nghttp2_submit_request
+
+ bug introduced by 18691642931e5c7ac8af83ac3a84fbcb36000f96.
+
+ Closes #493
+
+Dan Fandrich (16 Oct 2015)
+- test1601: fix compilation with --enable-debug and --disable-crypto-auth
+
+Daniel Stenberg (16 Oct 2015)
+- multi: fix off-by-one finit[] array size
+
+ introduced in c6aedf680f6. It needs to be CURLM_STATE_LAST big since it
+ must hande the range 0 .. CURLM_STATE_MSGSENT (18) and CURLM_STATE_LAST
+ is 19 right now.
+
+ Reported-by: Dan Fandrich
+ Bug: http://curl.haxx.se/mail/lib-2015-10/0069.html
+
+- fread_func: move callback pointer from set to state struct
+
+ ... and assign it from the set.fread_func_set pointer in the
+ Curl_init_CONNECT function. This A) avoids that we have code that
+ assigns fields in the 'set' struct (which we always knew was bad) and
+ more importantly B) it makes it impossibly to accidentally leave the
+ wrong value for when the handle is re-used etc.
+
+ Introducing a state-init functionality in multi.c, so that we can set a
+ specific function to get called when we enter a state. The
+ Curl_init_CONNECT is thus called when switching to the CONNECT state.
+
+ Bug: https://github.com/bagder/curl/issues/346
+
+ Closes #346
+
+Dan Fandrich (14 Oct 2015)
+- test1531: case the size to fix the test on non-largefile builds
+
+Daniel Stenberg (13 Oct 2015)
+- acinclude: remove PKGCONFIG override
+
+ ... and allow it to get set by a caller easier.
+
+ Reported-by: Rainer Jung
+ Bug: http://curl.haxx.se/mail/lib-2015-10/0035.html
+
+Dan Fandrich (12 Oct 2015)
+- docs/INSTALL: Updated example minimal binary sizes
+
+Daniel Stenberg (11 Oct 2015)
+- [Erik Johansson brought this change]
+
+ openssl: Fix set up of pkcs12 certificate verification chain
+
+ sk_X509_pop will decrease the size of the stack which means that the loop would
+ end after having added only half of the certificates.
+
+ Also make sure that the X509 certificate is freed in case
+ SSL_CTX_add_extra_chain_cert fails.
+
+- ntlm: error out without 64bit support as the code needs it
+
+ It makes it a clearer message for developers reaching that point without
+ the necessary support.
+
+ Thanks-by: Jay Satiro
+
+ Closes #78
+
+- curl_global_init: set the memory function pointers correct
+
+ follow-up from 6f8ecea0
+
+- curl_global_init_mem: set function pointers before doing init
+
+ ... as in the polarssl TLS backend for example it uses memory functions.
+
+Jay Satiro (9 Oct 2015)
+- http2: Fix http2_recv to return -1 if recv returned -1
+
+ If the underlying recv called by http2_recv returns -1 then that is the
+ value http2_recv returns to the caller.
+
+Daniel Stenberg (8 Oct 2015)
+- [Svyatoslav Mishyn brought this change]
+
+ curl_easy_recv.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
+
+ Closes #479
+
+- [Svyatoslav Mishyn brought this change]
+
+ curl_easy_send.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
+
+- [Svyatoslav Mishyn brought this change]
+
+ CURLOPT_CONNECT_ONLY.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
+
+- CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
+
+- ntlm: get rid of unconditional use of long long
+
+ ... since some compilers don't have it and instead use other types, such
+ as __int64.
+
+ Reported by: gkinseyhpw
+ Closes #478
+
+Jay Satiro (8 Oct 2015)
+- [Anders Bakken brought this change]
+
+ des: Fix header conditional for Curl_des_set_odd_parity
+
+ Follow up to 613e502.
+
+Daniel Stenberg (7 Oct 2015)
+- configure: build silently by default
+
+ 'make V=1' will make the build verbose like before
+
+- bump: start climbing toward 7.46.0
+
+- RELEASE-PROCEDURE: add the github HTTPS download step
+
+Version 7.45.0 (7 Oct 2015)
+
+Daniel Stenberg (7 Oct 2015)
+- THANKS: 19 new contributors from the 7.45.0 announcement
+
+- RELEASE-NOTES: synced with 69ea57970080
+
+Jay Satiro (4 Oct 2015)
+- getinfo: Fix return code for unknown CURLINFO options
+
+ - If a CURLINFO option is unknown return CURLE_UNKNOWN_OPTION.
+
+ Prior to this change CURLE_BAD_FUNCTION_ARGUMENT was returned on
+ unknown. That return value is contradicted by the CURLINFO option
+ documentation which specifies a return of CURLE_UNKNOWN_OPTION on
+ unknown.
+
+- [rouzier brought this change]
+
+ hiperfifo: fix the pointer passed to WRITEDATA
+
+ Closes https://github.com/bagder/curl/pull/471
+
+- [Maksim Stsepanenka brought this change]
+
+ tool_setopt: fix c_escape truncated octal
+
+ Closes https://github.com/bagder/curl/pull/469
+
+Daniel Stenberg (1 Oct 2015)
+- [Orange Tsai brought this change]
+
+ gopher: don't send NUL byte
+
+ Closes #466
+
+Jay Satiro (29 Sep 2015)
+- runtests: Fix pid check in checkdied
+
+ Because the 'not' operator has a very low precedence and as a result the
+ entire statement was erroneously negated and could never be true.
+
+Daniel Stenberg (30 Sep 2015)
+- [Thorsten Schöning brought this change]
+
+ win32: make recent Borland compilers use long long
+
+- RELEASE-NOTES: synced with 69b89050d4
+
+Jay Satiro (28 Sep 2015)
+- [Michael Kalinin brought this change]
+
+ openssl: Fix algorithm init
+
+ - Change algorithm init to happen after OpenSSL config load.
+
+ Additional algorithms may be available due to the user's config so we
+ initialize the algorithms after the user's config is loaded.
+
+ Bug: https://github.com/bagder/curl/issues/447
+ Reported-by: Denis Feklushkin
+
+- [Svyatoslav Mishyn brought this change]
+
+ docs: fix unescaped '\n' in man pages
+
+ Closes https://github.com/bagder/curl/pull/459
+
+Daniel Stenberg (27 Sep 2015)
+- http2: set TCP_NODELAY unconditionally
+
+ For a single-stream download from localhost, we managed to increase
+ transfer speed from 1.6MB/sec to around 400MB/sec, mostly because of
+ this single fix.
+
+- http2: avoid superfluous Curl_expire() calls
+
+ ... only call it when there is data arriving for another handle than the
+ one that is currently driving it.
+
+ Improves single-stream download performance quite a lot.
+
+ Thanks-to: Tatsuhiro Tsujikawa
+ Bug: http://curl.haxx.se/mail/lib-2015-09/0097.html
+
+- readwrite_data: set a max number of loops
+
+ ... as otherwise a really fast pipe can "lock" one transfer for some
+ protocols, like with HTTP/2.
+
+- [Sergei Nikulov brought this change]
+
+ CI: Added AppVeyor-CI for curl
+
+ Closes #439
+
+- FTP: fix uploading ASCII with unknown size
+
+ ... don't try to increase the supposed file size on newlines if we don't
+ know what file size it is!
+
+ Patch-by: lzsiga
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ build: fix failures with -Wcast-align and -Werror
+
+ Closes #457
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ curl-confopts.m4: Add missing ')'
+
+ ... for CURL_CHECK_OPTION_RT
+
+ Closes #456
+
+Jay Satiro (25 Sep 2015)
+- curl_easy_getinfo.3: Add brief description for each CURLINFO
+
+Daniel Stenberg (23 Sep 2015)
+- [Jakub Zakrzewski brought this change]
+
+ CMake: Ensure discovered include dirs are considered
+
+ ...during header checks. Otherwise some following header tests
+ (incorrectly) fail.
+
+ Closes #436
+
+- [Jakub Zakrzewski brought this change]
+
+ CMake: Put "winsock2.h" before "windows.h" during configure checks
+
+ "windows.h" includes "winsock.h" what causes many redefinition errors
+ if "winsock2.h" is included afterwards and can cause build to fail.
+
+- tests: disable 1510 due to CI-problems on github
+
+- [Mike Crowe brought this change]
+
+ gnutls: Report actual GnuTLS error message for certificate errors
+
+ If GnuTLS fails to read the certificate then include whatever reason it
+ provides in the failure message reported to the client.
+
+ Signed-off-by: Mike Crowe <mac@mcrowe.com>
+
+- RELEASE-NOTES: synced with 6b56901b56e
+
+- [Mike Crowe brought this change]
+
+ gnutls: Support CURLOPT_KEYPASSWD
+
+ The gnutls vtls back-end was previously ignoring any password set via
+ CURLOPT_KEYPASSWD. Presumably this was because
+ gnutls_certificate_set_x509_key_file did not support encrypted keys.
+
+ gnutls now has a gnutls_certificate_set_x509_key_file2 function that
+ does support encrypted keys. Let's determine at compile time whether the
+ available gnutls supports this new function. If it does then use it to
+ pass the password. If it does not then emit a helpful diagnostic if a
+ password is set. This is preferable to the previous behaviour of just
+ failing to read the certificate without giving a reason in that case.
+
+ Signed-off-by: Mike Crowe <mac@mcrowe.com>
+
+- CURLINFO_TLS_SESSION: always return backend info
+
+ ... even for those that don't support providing anything in the
+ 'internals' struct member since it offers a convenient way for
+ applications to figure this out.
+
+- [Daniel Hwang brought this change]
+
+ tool: remove redundant libcurl check
+
+ The easysrc generation is run only when --libcurl is initialized.
+
+ Ref: https://github.com/bagder/curl/issues/429
+
+ Closes #448
+
+- [Richard van den Berg brought this change]
+
+ CURLOPT_PROXY.3: A proxy given as env variable gets no special treatment
+
+ Closes #449
+
+- TODO: 5.7 More compressions
+
+ Like for example brotli, as being implemented in Firefox now.
+
+Jay Satiro (21 Sep 2015)
+- tool_operate: Don't call easysrc cleanup unless --libcurl
+
+ - Review of 4d95491.
+
+ The author changed it so easysrc only initializes when --libcurl but did
+ not do the same for the call to easysrc cleanup.
+
+ Ref: https://github.com/bagder/curl/issues/429
+
+Daniel Stenberg (20 Sep 2015)
+- [Viktor Szakats brought this change]
+
+ CURLOPT_PINNEDPUBLICKEY.3: replace test.com with example.com
+
+ closes #443
+
+- KNOWN_BUGS: 91 "curl_easy_perform hangs with imap and PolarSSL"
+
+ Closes #334
+
+- KNOWN_BUGS: add link to #85
+
+- tests: disable 1801 until fixed
+
+ It is unreliable and causes CI problems on github
+
+ Closes #380
+
+- RELEASE-NOTES: synced with 4d95491636ee
+
+- [Daniel Lee Hwang brought this change]
+
+ tool: generate easysrc only on --libcurl
+
+ Code should only be generated when --libcurl is used.
+
+ Bug: https://github.com/bagder/curl/issues/429
+ Reported-by: @greafhe, Jay Satiro
+
+ Closes #429
+ Closes #442
+
+Jay Satiro (19 Sep 2015)
+- vtls: Change designator name for server's pubkey hash
+
+ - Change the designator name we use to show the base64 encoded sha256
+ hash of the server's public key from 'pinnedpubkey' to
+ 'public key hash'.
+
+ Though the server's public key hash is only shown when comparing pinned
+ public key hashes, the server's hash may not match one of the pinned.
+
+Daniel Stenberg (19 Sep 2015)
+- [Isaac Boukris brought this change]
+
+ NTLM: Reset auth-done when using a fresh connection
+
+ With NTLM a new connection will always require authentication.
+ Fixes #435
+
+- [Daniel Hwang brought this change]
+
+ ssl: add server cert's "sha256//" hash to verbose
+
+ Add a "pinnedpubkey" section to the "Server Certificate" verbose
+
+ Bug: https://github.com/bagder/curl/issues/410
+ Reported-by: W. Mark Kubacki
+
+ Closes #430
+ Closes #410
+
+- [Jakub Zakrzewski brought this change]
+
+ openldap: only part of LDAP query results received
+
+ Introduced with commit 65d141e6da5c6003a1592bbc87ee550b0ad75c2f
+
+ Closes #440
+
+- [Alessandro Ghedini brought this change]
+
+ openssl: don't output certinfo data
+
+- [Alessandro Ghedini brought this change]
+
+ openssl: refactor certificate parsing to use OpenSSL memory BIO
+
+ Fixes #427
+
+Kamil Dudka (18 Sep 2015)
+- nss: prevent NSS from incorrectly re-using a session
+
+ Without this workaround, NSS re-uses a session cache entry despite the
+ server name does not match. This causes SNI host name to differ from
+ the actual host name. Consequently, certain servers (e.g. github.com)
+ respond by 400 to such requests.
+
+ Bug: https://bugzilla.mozilla.org/1202264
+
+- nss: check return values of NSS functions
+
+Daniel Stenberg (17 Sep 2015)
+- CURLOPT_PINNEDPUBLICKEY.3: mention error code
+
+- openssl: build with < 0.9.8
+
+ ... without sha256 support and no define saying so.
+
+ Reported-by: Rajkumar Mandal
+
+- libcurl-errors.3: add two missing error codes
+
+ CURLE_SSL_PINNEDPUBKEYNOTMATCH and CURLE_SSL_INVALIDCERTSTATUS
+
+Jay Satiro (14 Sep 2015)
+- CURLOPT_PINNEDPUBLICKEY.3: Improve pubkey extraction example
+
+ - Show how a certificate can be obtained using OpenSSL.
+
+ Bug: https://github.com/bagder/curl/pull/430
+ Reported-by: Daniel Hwang
+
+Daniel Stenberg (13 Sep 2015)
+- http2: removed unused function
+
+- CURLINFO_ACTIVESOCKET.3: mention it replaces *LASTSOCKET
+
+- opts: add CURLINFO_* man pages to dist
+
+- opts: 19 more CURLINFO_* options made into stand-alone man pages
+
+- RELEASE-NOTES: synced with fad9604613
+
+- curl: customrequest_helper: deal with NULL custom method
+
+- [Svyatoslav Mishyn brought this change]
+
+ CURLOPT_FNMATCH_FUNCTION.3: fix typo
+
+ s => is
+
+ Closes #428
+
+- curl: point out unnecessary uses of -X in verbose mode
+
+ It uses 'Note:' as a prefix as opposed to the common 'Warning:' to take
+ down the tone a bit.
+
+ It adds a warning for using -XHEAD on other methods becasue that may
+ lead to a hanging connection.
+
+Jay Satiro (10 Sep 2015)
+- curl_sspi: fix possibly undefined CRYPT_E_REVOKED
+
+ Bug: https://github.com/bagder/curl/pull/411
+ Reported-by: Viktor Szakats
+
+- buildconf.bat: fix syntax error
+
+- [Benjamin Kircher brought this change]
+
+ winbuild: run buildconf.bat if necessary
+
+- [Svyatoslav Mishyn brought this change]
+
+ docs: fix argument type for CURLINFO_SPEED_*, CURLINFO_SIZE_*
+
+ long => double
+
+Daniel Stenberg (8 Sep 2015)
+- [Sergei Nikulov brought this change]
+
+ cmake: IPv6 : disable Unix header check on Windows platform
+
+ Closes #409
+
+- parse_proxy: reject illegal port numbers
+
+ If the port number in the proxy string ended weirdly or the number is
+ too large, skip it. Mostly as a means to bail out early if a "bare" IPv6
+ numerical address is used without enclosing brackets.
+
+ Also mention the bracket requirement for IPv6 numerical addresses to the
+ man page for CURLOPT_PROXY.
+
+ Closes #415
+
+ Reported-by: Marcel Raad
+
+- FTP: do_more: add check for wait_data_conn in upload case
+
+ In some timing-dependnt cases when a 4xx response immediately followed
+ after a 150 when a STOR was issued, this function would wrongly return
+ 'complete == true' while 'wait_data_conn' was still set.
+
+ Closes #405
+
+ Reported-by: Patricia Muscalu
+
+- [Svyatoslav Mishyn brought this change]
+
+ CURLOPT_TLSAUTH_TYPE.3: update description
+
+ Closes #414
+ Closes #413
+
+- [Svyatoslav Mishyn brought this change]
+
+ CURLOPT_PATH_AS_IS.3: fix typo
+
+ leavit => leaveit
+
+ closes #412
+
+- [Svyatoslav Mishyn brought this change]
+
+ CURLINFO_SSL_VERIFYRESULT.3: add short description
+
+- [Svyatoslav Mishyn brought this change]
+
+ CURLINFO_SSL_ENGINES.3: add short description
+
+- [Svyatoslav Mishyn brought this change]
+
+ CURLINFO_CONTENT_LENGTH_UPLOAD.3: replace "receive" with "get" for consistency
+
+- [Svyatoslav Mishyn brought this change]
+
+ CURLINFO_REDIRECT_TIME.3: remove redundant '!'
+
+Kamil Dudka (4 Sep 2015)
+- Revert "has: generate the curl/has.h header"
+
+ This reverts commit a60bde79f9adeb135d5c642a07f0d783fbfbbc25 I have
+ pushed by mistake. Apologies for my incompetent use of the git repo!
+
+- nss: do not directly access SSL_ImplementedCiphers[]
+
+ It causes dynamic linking issues at run-time after an update of NSS.
+
+ Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html
+
+- [Daniel Stenberg brought this change]
+
+ has: generate the curl/has.h header
+
+ changed macro name, moved and renamed script to become docs/libcurl/has.pl,
+ generate code that is checksrc compliant
+
+Daniel Stenberg (3 Sep 2015)
+- gitignore: ignore more generated VC Makefiles
+
+- projects/Windows/.gitignore: ignore generated files for release
+
+- http2: don't pass on Connection: headers
+
+ RFC 7540 section 8.1.2.2 states: "An endpoint MUST NOT generate an
+ HTTP/2 message containing connection-specific header fields; any message
+ containing connection-specific header fields MUST be treated as
+ malformed"
+
+ Closes #401
+
+- curl.1: update RFC references
+
+- CURLOPT_POSTREDIR.3: update RFC number and section
+
+- CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
+
+ and some general cleaning up
+
+- [Marcel Raad brought this change]
+
+ inet_pton.c: Fix MSVC run-time check failure (2)
+
+ This fixes another run-time check failure because of a narrowing cast on
+ Visual C++.
+
+ Closes #408
+
+Jay Satiro (3 Sep 2015)
+- docs: Warn about any-domain cookies and multiple transfers
+
+ - Warn that cookies without a domain are sent to any domain:
+ CURLOPT_COOKIELIST, CURLOPT_COOKIEFILE, --cookie
+
+ - Note that imported Set-Cookie cookies without a domain are no longer
+ exported:
+ CURLINFO_COOKIELIST, CURLOPT_COOKIEJAR, --cookie-jar
+
+Steve Holme (2 Sep 2015)
+- tool_sdecls.h: Fixed compilation warning from commit 4a889441d3
+
+ tool_sdecls.h:139 warning: comma at end of enumerator list
+
+Daniel Stenberg (2 Sep 2015)
+- opts: 8 more CURLINFO* options as stand-alone man pages
+
+- RELEASE-NOTES: synced with c764cb4add1a8
+
+- man-pages: more SEE ALSO links
+
+- opts: more CURLINFO_* options as stand-alone man pages
+
+Steve Holme (31 Aug 2015)
+- sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
+
+ Introduced in commit 59f3f92ba6 this function is only implemented when
+ CURL_DISABLE_CRYPTO_AUTH is not defined. As such we shouldn't define
+ the function in the header file either.
+
+- sasl: Updated SPN variables and comments for consistency
+
+ In places the "host name" and "realm" variable was referred to as
+ "instance" whilst in others it was referred to as "host".
+
+Daniel Stenberg (30 Aug 2015)
+- configure: check for HMAC_Update in openssl
+
+ Turns out HMAC_Init is now deprecated in openssl master (and I spelled
+ HMAC_Init_ex wrong in previous commit)
+
+Steve Holme (30 Aug 2015)
+- win32: Use DES_set_odd_parity() from OpenSSL/BoringSSL by default
+
+ Set HAVE_DES_SET_ODD_PARITY when using OpenSSL/BoringSSL as native
+ Windows builds don't use the autoconf tools.
+
+- des: Fixed compilation warning from commit 613e5022fe
+
+ curl_ntlm_core.c:150: warning 'Curl_des_set_odd_parity' undefined;
+ assuming extern returning int
+
+- buildconf.bat: Fixed double blank line in 'curl manual' warning output
+
+- makefiles: Added our standard copyright header
+
+ But kept the original author, when they were specified in a comment, as
+ the initial copyright holder.
+
+Jay Satiro (29 Aug 2015)
+- CURLOPT_FILETIME.3: CURLINFO_FILETIME has its own manpage now
+
+Daniel Stenberg (29 Aug 2015)
+- CURLINFO_RESPONSE_CODE.3: added short description
+
+- opts: 7 initial CURLINFO_* options as stand-alone man pages
+
+- [Nikolai Kondrashov brought this change]
+
+ libcurl.m4: Put braces around empty if body
+
+ Put braces around empty "if" body in libcurl.m4 check to avoid warning:
+
+ suggest braces around empty body in an 'if' statement
+
+ and make it work with -Werror builds.
+
+ Closes #402
+
+- [Svyatoslav Mishyn brought this change]
+
+ curl_easy_escape.3: escape '\n'
+
+ Closes #398
+
+- [Svyatoslav Mishyn brought this change]
+
+ curl_easy_{escape,setopt}.3: fix example
+
+ remove redundant '}'
+
+- [Sergei Nikulov brought this change]
+
+ cmake: added Windows SSL support
+
+ Closes #399
+
+- curl: point out the conflicting HTTP methods if used
+
+ It isn't always clear to the user which options that cause the HTTP
+ methods to conflict so by spelling them out it should hopefully be
+ easier to understand why curl complains.
+
+- curl: clarify that users can only specify one _METHOD_
+
+- [Svyatoslav Mishyn brought this change]
+
+ curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
+
+ Closes #395
+
+Patrick Monnerat (24 Aug 2015)
+- os400: include new options in wrappers and update ILE/RPG binding.
+
+Daniel Stenberg (24 Aug 2015)
+- KNOWN_BUGS: #2, not reading a HEAD response-body is not a bug
+
+ ... since HTTP is forbidden to return any such.
+
+- KNOWN_BUGS: #78 zero-length files is already fixed!
+
+- [Razvan Cojocaru brought this change]
+
+ getinfo: added CURLINFO_ACTIVESOCKET
+
+ This patch addresses known bug #76, where on 64-bit Windows SOCKET is 64
+ bits wide, but long is only 32, making CURLINFO_LASTSOCKET unreliable.
+
+ Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
+
+- http2: remove dead code
+
+ Leftovers from when we removed the private socket hash.
+
+ Coverity CID 1317365, "Logically dead code"
+
+- ntlm: mark deliberate switch case fall-through
+
+ Coverity CID 1317367, "Missing break in switch"
+
+- http2: on_frame_recv: get a proper 'conn' for the debug logging
+
+ "Explicit null dereferenced (FORWARD_NULL)"
+
+ Coverity CID 1317366
+
+- RELEASE-NOTES: synced with 2acaf3c804
+
+Dan Fandrich (23 Aug 2015)
+- tool: fix memory leak with --proto-default option
+
+Jay Satiro (22 Aug 2015)
+- [Nathaniel Waisbrot brought this change]
+
+ CURLOPT_DEFAULT_PROTOCOL: added
+
+ - Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default
+ protocol for schemeless URLs.
+
+ - Add new tool option --proto-default to expose
+ CURLOPT_DEFAULT_PROTOCOL.
+
+ In the case of schemeless URLs libcurl will behave in this way:
+
+ When the option is used libcurl will use the supplied default.
+
+ When the option is not used, libcurl will follow its usual plan of
+ guessing from the hostname and falling back to 'http'.
+
+- runtests: Allow for spaces in server-verify curl custom path
+
+Daniel Stenberg (22 Aug 2015)
+- NTLM: recent boringssl brought DES_set_odd_parity back
+
+ ... so improve the #ifdefs for using our local implementation.
+
+- configure: detect latest boringssl
+
+ Since boringssl brought back DES_set_odd_parity again, it cannot be used
+ to differentiate from boringssl. Using the OPENSSL_IS_BORINGSSL define
+ seems better anyway.
+
+ URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/
+ Original-patch-by: Bertrand Simonnet
+
+ Closes #393
+
+- configure: change functions to detect openssl (clones)
+
+ ... since boringssl moved the former ones and the check started to fail.
+
+ URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/
+ Original-patch-by: Bertrand Simonnet
+
+- [Alessandro Ghedini brought this change]
+
+ openssl: handle lack of server cert when strict checking disabled
+
+ If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER
+ and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server
+ doesn't present a certificate at all.
+
+ Closes #392
+
+- ftp: clear the do_more bit when the server has connected
+
+ The multi state machine would otherwise go into the DO_MORE state after
+ DO, even for the case when the FTP state machine had already performed
+ those duties, which caused libcurl to get stuck in that state and fail
+ miserably. This occured for for active ftp uploads.
+
+ Reported-by: Patricia Muscalu
+
+- [Jactry Zeng brought this change]
+
+ travis.yml: Add OS X testbot.
+
+- [Rémy Léone brought this change]
+
+ travis: Upgrading to container based build
+
+ http://docs.travis-ci.com/user/migrating-from-legacy
+
+ Closes #388
+
+- RELEASE-NOTES: synced with 14ff86256b13e
+
+- [Erik Janssen brought this change]
+
+ rtsp: stop reading empty DESCRIBE responses
+
+ Based-on-patch-by: Jim Hollinger
+
+- [Erik Janssen brought this change]
+
+ rtsp: support basic/digest authentication
+
+- [Sam Roth brought this change]
+
+ CURLMOPT_PUSHFUNCTION.3: fix argument types
+
+ Closes #389
+ Closes #386
+
+- [Marcel Raad brought this change]
+
+ inet_pton.c: Fix MSVC run-time check failure
+
+ Visual Studio complains with a message box:
+
+ "Run-Time Check Failure #1 - A cast to a smaller data type has caused a
+ loss of data. If this was intentional, you should mask the source of
+ the cast with the appropriate bitmask.
+
+ For example:
+ char c = (i & 0xFF);
+
+ Changing the code in this way will not affect the quality of the
+ resulting optimized code."
+
+ This is because only 'val' is cast to unsigned char, so the "& 0xff" has
+ no effect.
+
+ Closes #387
+
+Jay Satiro (18 Aug 2015)
+- docs: Update the redirect protocols disabled by default
+
+ - Clarify that FILE and SCP are disabled by default since 7.19.4
+ - Add that SMB and SMBS are disabled by default since 7.40.0
+ - Add CURLPROTO_SMBS to the list of protocols
+
+- gitignore: Sort for readability
+
+ find . -name .gitignore -print0 | xargs -i -0 sort -o '{}' '{}'
+
+Daniel Stenberg (15 Aug 2015)
+- curl_easy_getinfo.3: fix superfluous space
+
+ ... and changed "oriented" to "related"
+
+ Closes #378
+
+- CURLOPT_HTTP_VERSION.3: connection re-use goes before version
+
+- [Daniel Kahn Gillmor brought this change]
+
+ curl.1: Document weaknesses in SSLv2 and SSLv3
+
+ Acknowledge that SSLv3 is also widely considered to be insecure.
+
+ Also, provide references for people who want to know more about why it's
+ insecure.
+
+Steve Holme (14 Aug 2015)
+- generate.bat: Added support for generating only the prerequisite files
+
+- generate.bat: Only call buildconf.bat if it exists
+
+- generate.bat: Fixed issues when ran in directories with special chars
+
+Daniel Stenberg (14 Aug 2015)
+- [Brad King brought this change]
+
+ cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
+
+ Fix the check code to pass 5 arguments instead of 6. This typo was
+ introduced by commit aebfd4cfbf (cmake: fix gethostby{addr,name}_r in
+ CurlTests, 2014-10-31).
+
+Steve Holme (14 Aug 2015)
+- * buildconf.bat: Fixed issues when ran in directories with special chars
+
+ Bug: https://github.com/bagder/curl/pull/379
+ Reported-by: Daniel Seither
+
+Jay Satiro (13 Aug 2015)
+- curl_global_init_mem.3: Stronger thread safety warning
+
+ Bug: http://curl.haxx.se/mail/lib-2015-08/0016.html
+ Reported-by: Eric Ridge
+
+Daniel Stenberg (12 Aug 2015)
+- [Svyatoslav Mishyn brought this change]
+
+ curl_multi_add_handle.3: fix a typo
+
+ "can not" => "cannot"
+
+ closes #377
+
+- [Alessandro Ghedini brought this change]
+
+ docs: fix typos
+
+ closes #376
+
+- bump: start working toward 7.45.0
+
+- THANKS: remove duplicate name
+
+- THANKS-filter: merge Todd's names
+
+- THANKS: 13 new contributors from the 7.44.0 RELEASE-NOTES
+
+Version 7.44.0 (11 Aug 2015)
+
+Daniel Stenberg (11 Aug 2015)
+- RELEASE-NOTES: synced with c75a1e775061
+
+- [Svyatoslav Mishyn brought this change]
+
+ curl_formget.3: correct return code
+
+ Closes #375
+
+- [Svyatoslav Mishyn brought this change]
+
+ libcurl-tutorial.3: fix formatting
+
+ Closes #374
+
+- [Svyatoslav Mishyn brought this change]
+
+ curl_easy_recv.3: fix formatting
+
+- [Anders Bakken brought this change]
+
+ http2: discard frames with no SessionHandle
+
+ Return 0 instead of NGHTTP2_ERR_CALLBACK_FAILURE if we can't locate the
+ SessionHandle. Apparently mod_h2 will sometimes send a frame for a
+ stream_id we're finished with.
+
+ Use nghttp2_session_get_stream_user_data and
+ nghttp2_session_set_stream_user_data to identify SessionHandles instead
+ of a hash.
+
+ Closes #372
+
+- RELEASE-NOTES: synced with 9ee40ce2aba
+
+- [Viktor Szakats brought this change]
+
+ build: refer to fixed libidn versions
+
+ closes #371
+
+- Revert "configure: disable libidn by default"
+
+ This reverts commit e6749055d65398315fd77f5b5b8234c5552ac2d3.
+
+ ... since libidn has since been fixed.
+
+- [Jakub Zakrzewski brought this change]
+
+ CMake: s/HAVE_GSS_API/HAVE_GSSAPI/ to match header define
+
+ Otherwise the build only pretended to use GSS-API
+
+ Closes #370
+
+- SFTP: fix range request off-by-one in size check
+
+ Reported-by: Tim Stack
+
+ Closes #359
+
+- test46: update cookie expire time
+
+ ... since it went old and thus was expired and caused the test to fail!
+
+Steve Holme (9 Aug 2015)
+- generate.bat: Use buildconf.bat for prerequisite file generation
+
+- buildconf.bat: Tidy up of comments after recent commits
+
+- buildconf.bat: Added full generation of src\tool_hugehelp.c
+
+ Added support for generating the full man page based on code from
+ generate.bat.
+
+- buildconf.bat: Added detection of groff, nroff, perl and gzip
+
+ To allow for the full generation of tool_hugehelp.c added detection of
+ the required programs - based on code from generate.bat.
+
+- buildconf.bat: Move DOS variable clean-up code to separate function
+
+ Rather than duplicate future variables, during clean-up of both success
+ and error conditions, use a common function that can be called by both.
+
+- RELEASE-NOTES: Synced with 39dcf352d2
+
+- buildconf.bat: Added error messages on failure
+
+- buildconf.bat: Generate and clean files in the same order
+
+- buildconf.bat: Maintain compatibility with DOS based systems
+
+ Commit f08e30d7bc broke compatibility with DOS and non Windows NT based
+ versions of Windows due to the use of the setlocal command.
+
+Jay Satiro (9 Aug 2015)
+- CURLOPT_RESOLVE.3: Note removal support was added in 7.42
+
+ Bug: http://curl.haxx.se/mail/lib-2015-08/0019.html
+ Reported-by: Inca R
+
+Steve Holme (8 Aug 2015)
+- checksrc.bat: Fixed error when missing *.c and *.h files
+
+ File Not Found
+
+- checksrc.bat: Fixed incorrect 'lib\vtls' path check in commit 333c36b276
+
+- checksrc.bat: Fixed error when [directory] isn't a curl source directory
+
+ The system cannot find the file specified.
+
+- checksrc.bat: Added check for unknown arguments
+
+- scripts: Added missing comments
+
+- scripts: Always perform setlocal and endlocal calls in pairs
+
+ Ensure that there isn't a mismatch between setlocal and endlocal calls,
+ which could have happened due to setlocal being called after certain
+ error conditions were checked for.
+
+- scripts: Allow -help to be specified in any argument
+
+ Allow the -help command line argument to be specified in any argument
+ and not just as the first.
+
+Daniel Stenberg (6 Aug 2015)
+- [juef brought this change]
+
+ curl_multi_remove_handle.3: fix formatting
+
+ closes #366
+
+Steve Holme (6 Aug 2015)
+- README: Added notes about 'Running DLL based configurations'
+
+ ...as well as a TODO for a future enhancement to the project files.
+
+ Thanks-to: Jay Satiro
+
+- RELEASE-NOTES: Synced with cf8975387f
+
+- buildconf.bat: Synchronise no repository error with generate.bat
+
+- generate.bat: Added a check for the presence of a git repository
+
+- [Jay Satiro brought this change]
+
+ build: Added wolfSSL configurations to VC10+ project files
+
+ URL: https://github.com/bagder/curl/pull/174
+
+- [Jay Satiro brought this change]
+
+ build: Added wolfSSL build script for Visual Studio projects
+
+ Added the wolfSSL build script, based on build-openssl.bat, as well as
+ the property sheet and header file required for the upcoming additions
+ to the Visual Studio project files.
+
+Daniel Stenberg (6 Aug 2015)
+- CHANGES: refer to the online changelog
+
+ Suggested-by: mc0e
+
+- [Isaac Boukris brought this change]
+
+ NTLM: handle auth for only a single request
+
+ Currently when the server responds with 401 on NTLM authenticated
+ connection (re-used) we consider it to have failed. However this is
+ legitimate and may happen when for example IIS is set configured to
+ 'authPersistSingleRequest' or when the request goes thru a proxy (with
+ 'via' header).
+
+ Implemented by imploying an additional state once a connection is
+ re-used to indicate that if we receive 401 we need to restart
+ authentication.
+
+ Closes #363
+
+Steve Holme (5 Aug 2015)
+- RELEASE-NOTES: Synced with 473807b95f
+
+- generate.bat: Use buildconf.bat for prerequisite file clean-up
+
+- buildconf.bat: Added support for file clean-up via -clean
+
+- buildconf.bat: Added progress output
+
+- buildconf.bat: Avoid using goto for file not in repository
+
+Daniel Stenberg (5 Aug 2015)
+- curl_slist_append.3: add error checking to the example
+
+Steve Holme (5 Aug 2015)
+- buildconf.bat: Added display of usage text with -help
+
+- buildconf.bat: Added exit codes for error handling
+
+- buildconf.bat: Added our standard copyright header
+
+- buildconf.bat: Use lower-case for commands and reserved keywords
+
+- generate.bat: Only clean prerequisite files when in ALL mode
+
+- generate.bat: Moved error messages out of sub-routines
+
+- generate.bat: More use of lower-case for commands and reserved keywords
+
+Daniel Stenberg (3 Aug 2015)
+- libcurl.3: fix a single typo
+
+ Closes #361
+
+- RELEASE-NOTES: synced with c4eb10e2f06f
+
+- SSH: three state machine fixups
+
+ The SSH state machine didn't clear the 'rc' variable appropriately in a
+ two places which prevented it from looping the way it should. And it
+ lacked an 'else' statement that made it possible to erroneously get
+ stuck in the SSH_AUTH_AGENT state.
+
+ Reported-by: Tim Stack
+
+ Closes #357
+
+- curl_gssapi: remove 'const' to fix compiler warnings
+
+ initialization discards 'const' qualifier from pointer target type
+
+- docs: formpost needs the full size at start of upload
+
+ Closes #360
+
+Steve Holme (1 Aug 2015)
+- sspi: Fix typo from left over from old code which referenced NTLM
+
+ References to NTLM in the identity generation should have been removed
+ in commit c469941293 but not all were.
+
+- win32: Fix compilation warnings from commit 40c921f8b8
+
+ connect.c:953:5: warning: initializer element is not computable at load
+ time
+ connect.c:953:5: warning: missing initializer for field 'dwMinorVersion'
+ of 'OSVERSIONINFOEX'
+ curl_sspi.c:97:5: warning: initializer element is not computable at load
+ time
+ curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion'
+ of 'OSVERSIONINFOEX'
+
+- schannel: Fix compilation warning from commit 7a8e861a56
+
+ schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion'
+ of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
+
+Daniel Stenberg (31 Jul 2015)
+- libcurl-thread.3: minor reformatting
+
+Jay Satiro (31 Jul 2015)
+- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
+
+ Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
+ Reported-by: Eric Ridge
+
+- libcurl-thread.3: Warn memory functions must be thread safe
+
+ Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
+ Reported-by: Eric Ridge
+
+Steve Holme (31 Jul 2015)
+- RELEASE-NOTES: Synced with 8b1d00ac1a
+
+- INSTALL: Minor formatting correction in 'Legacy Windows and SSL' section
+
+ ...as well as some rewording.
+
+Kamil Dudka (30 Jul 2015)
+- http: move HTTP/2 cleanup code off http_disconnect()
+
+ Otherwise it would never be called for an HTTP/2 connection, which has
+ its own disconnect handler.
+
+ I spotted this while debugging <https://bugzilla.redhat.com/1248389>
+ where the http_disconnect() handler was called on an FTP session handle
+ causing 'dnf' to crash. conn->data->req.protop of type (struct FTP *)
+ was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in
+ Curl_add_buffer_free() after printing the "Connection cache is full,
+ closing the oldest one." message.
+
+ A previously working version of libcurl started to crash after it was
+ recompiled with the HTTP/2 support despite the HTTP/2 protocol was not
+ actually used. This commit makes it work again although I suspect the
+ root cause (reinterpreting session handle data of incompatible protocol)
+ still has to be fixed. Otherwise the same will happen when mixing FTP
+ and HTTP/2 connections and exceeding the connection cache limit.
+
+ Reported-by: Tomas Tomecek
+ Bug: https://bugzilla.redhat.com/1248389
+
+Daniel Stenberg (30 Jul 2015)
+- [Viktor Szakats brought this change]
+
+ ABI doc: use secure URL
+
+- ABI: remove the ascii logo
+
+ and made the indent level to 1
+
+- libcurl-multi.3: mention curl_multi_wait
+
+ ... and some general rewordings to improve this docs.
+
+ Reported-by: Tim Stack
+
+ Closes #356
+
+Steve Holme (30 Jul 2015)
+- maketgz: Fixed some VC makefiles missing from the release tarball
+
+ VC7, VC11, VC12 and VC14 makefiles were missing from the release
+ tarball.
+
+- RELEASE-NOTES: Synced with 2d7e165761
+
+- build: Added VC14 project files to Makefile.am
+
+- build: Added VC14 project files
+
+ Updates to Makefile.am for the generation of the project files in
+ the tarball to follow.
+
+Jay Satiro (29 Jul 2015)
+- libcurl-thread.3: Clarify CURLOPT_NOSIGNAL takes long value 1L
+
+Steve Holme (28 Jul 2015)
+- generate.bat: Use lower-case for commands and reserved keywords
+
+ Whilst there are no coding standards for the batch files used in curl,
+ most tend to use lower-case for keywords and upper-case for variables.
+
+- build: Added initial VC14 support to generate.bat
+
+ Visual Studio project files and updates to makefile.am to follow.
+
+- build: Fixed missing .opensdf files from VC10+ .gitignore files
+
+- build: Use $(ProjectName) macro for curl.exe and curld.exe filenames
+
+ This wasn't possible with the old curlsrc project filenames, but like
+ commit 2a615a2b64 and 11397eb6dd for libcurl use the built in Visual
+ Studio macros for the output filenames.
+
+- build: Renamed curl src Visual Studio project files
+
+ Following commit 957fcd9049 and in preparation for adding the VC14
+ project files renamed the curl source project files.
+
+Daniel Stenberg (28 Jul 2015)
+- [Jay Satiro brought this change]
+
+ libcurl-thread.3: Revert to stricter handle wording
+
+ .. also update formatting and add WinSSL and wolfSSL to the SSL/TLS
+ handlers list.
+
+- [Jay Satiro brought this change]
+
+ libcurl-thread.3: Consolidate thread safety info
+
+ This is a new document to consolidate our thread safety information from
+ several documents (curl-www:features, libcurl.3, libcurl-tutorial.3).
+ Each document's section on multi-threading will now point to this one.
+
+Steve Holme (27 Jul 2015)
+- README: Corrected formatting for 'Legacy Windows and SSL' section
+
+ ...as well as some wording.
+
+- build-openssl.bat: Added support for VC14
+
+Daniel Stenberg (26 Jul 2015)
+- RELEASE-NOTES: synced with 0f645adc95390e8
+
+- test1902: attempt to make the test more reliable
+
+ Closes #355
+
+- comment: fix comment about adding new option support
+
+Jay Satiro (25 Jul 2015)
+- build-openssl.bat: Show syntax if required args are missing
+
+Daniel Stenberg (26 Jul 2015)
+- TODO: improve how curl works in a windows console window
+
+ Closes #322 for now
+
+- 1.11 minimize dependencies with dynamicly loaded modules
+
+ Closes #349 for now
+
+Jay Satiro (25 Jul 2015)
+- tool_operate: Fix CURLOPT_SSL_OPTIONS for builds without HTTPS
+
+ - Set CURLOPT_SSL_OPTIONS only if the tool enabled an SSL option.
+
+ Broken by me several days ago in 172b2be.
+ https://github.com/bagder/curl/commit/172b2be#diff-70b44ee478e58d4e1ddcf9c9a73d257b
+
+ Bug: http://curl.haxx.se/mail/lib-2015-07/0119.html
+ Reported-by: Dan Fandrich
+
+Daniel Stenberg (25 Jul 2015)
+- configure: check if OpenSSL linking wants -ldl
+
+ To make it easier to link with static versions of OpenSSL, the configure
+ script now checks if -ldl is needed for linking.
+
+ Help-by: TJ Saunders
+
+- [Michael Kaufmann brought this change]
+
+ HTTP: ignore "Content-Encoding: compress"
+
+ Currently, libcurl rejects responses with "Content-Encoding: compress"
+ when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should
+ treat the Content-Encoding "compress" the same as other
+ Content-Encodings that it does not support, e.g. "bzip2". That means
+ just ignoring it.
+
+- [Marcel Raad brought this change]
+
+ openssl: work around MSVC warning
+
+ MSVC 12 complains:
+
+ lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local
+ variable 'verstr' used It's a false positive, but as it's normally not,
+ I have enabled warning-as-error for that warning.
+
+- [Michał Fita brought this change]
+
+ configure: add --disable-rt option
+
+ This option disables any attempts in configure to create dependency on
+ stuff requiring linking to librt.so and libpthread.so, in this case this
+ means clock_gettime(CLOCK_MONOTONIC, &mt).
+
+ We were in need to build curl which doesn't link libpthread.so to avoid
+ the following bug:
+ https://sourceware.org/bugzilla/show_bug.cgi?id=16628.
+
+Kamil Dudka (23 Jul 2015)
+- http2: verify success of strchr() in http2_send()
+
+ Detected by Coverity.
+
+ Error: NULL_RETURNS:
+ lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times).
+ lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr".
+ lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf".
+ 1300|
+ 1301| hdbuf = strchr(hdbuf, 0x0a);
+ 1302|-> ++hdbuf;
+ 1303|
+ 1304| authority_idx = 0;
+
+Jay Satiro (22 Jul 2015)
+- Windows: Fix VerifyVersionInfo calls
+
+ - Fix the VerifyVersionInfo calls, which we use to test for the OS major
+ version, to also test for the minor version as well as the service pack
+ major and minor versions.
+
+ MSDN: "If you are testing the major version, you must also test the
+ minor version and the service pack major and minor versions."
+
+ https://msdn.microsoft.com/en-us/library/windows/desktop/ms725492.aspx
+
+ Bug: https://github.com/bagder/curl/pull/353#issuecomment-123493098
+ Reported-by: Marcel Raad <MarcelRaad@users.noreply.github.com>
+
+- [Marcel Raad brought this change]
+
+ schannel: Replace deprecated GetVersion with VerifyVersionInfo
+
+Steve Holme (21 Jul 2015)
+- makefile: Added support for VC14
+
+Patrick Monnerat (21 Jul 2015)
+- os400: ebcdic wrappers for new functions. Upgrade ILE/RPG bindings.
+
+- libcurl: VERSIONINFO update
+ Addition of new procedures curl_pushheader_bynum and curl_pushheader_byname
+ requires VERSIONINFO updating.
+
+- http2: satisfy external references even if http2 is not compiled in.
+
+Daniel Stenberg (20 Jul 2015)
+- http2: add stream != NULL checks for reliability
+
+ They should not trigger, but in case of internal problems we at least
+ avoid crashes this way.
+
+Jay Satiro (18 Jul 2015)
+- symbols-in-versions: Add new CURLSSLOPT_NO_REVOKE symbol
+
+- SSL: Add an option to disable certificate revocation checks
+
+ New tool option --ssl-no-revoke.
+ New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.
+
+ Currently this option applies only to WinSSL where we have automatic
+ certificate revocation checking by default. According to the
+ ssl-compared chart there are other backends that have automatic checking
+ (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
+ some later point.
+
+ Bug: https://github.com/bagder/curl/issues/264
+ Reported-by: zenden2k <zenden2k@gmail.com>
+
+- runtests: Allow for spaces in curl custom path
+
+ .. also fix some typos in test's FILEFORMAT spec.
+
+- [David Woodhouse brought this change]
+
+ ntlm_wb: Fix theoretical memory leak
+
+ Static analysis indicated that my commit 9008f3d564 ("ntlm_wb: Fix
+ hard-coded limit on NTLM auth packet size") introduced a potential
+ memory leak on an error path, because we forget to free the buffer
+ before returning an error.
+
+ Fix this.
+
+ Although actually, it never happens in practice because we never *get*
+ here with state == NTLMSTATE_TYPE1. The state is always zero. That
+ might want cleaning up in a separate patch.
+
+ Reported-by: Terri Oda
+
+- strerror: Add CRYPT_E_REVOKED to SSPI error strings
+
+Kamil Dudka (14 Jul 2015)
+- libtest: call PR_Cleanup() on exit if NSPR is used
+
+ This prevents valgrind from reporting possibly lost memory that NSPR
+ uses for file descriptor cache and other globally allocated internal
+ data structures.
+
+ Reported-by: Štefan Kremeň
+
+Jay Satiro (14 Jul 2015)
+- [John Malmberg brought this change]
+
+ openssl: VMS support for SHA256
+
+ setup-vms.h: More symbols for SHA256, hacks for older VAX
+
+ openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX.
+
+ openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to
+ allow building on VAX and 64 bit VMS.
+
+- examples: Fix typo in multi-single.c
+
+Daniel Stenberg (7 Jul 2015)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Fix memory leak in push header array
+
+Dan Fandrich (2 Jul 2015)
+- test2041: fixed line endings in protocol part
+
+- cyassl: fixed mismatched sha256sum function prototype
+
+Daniel Stenberg (1 Jul 2015)
+- [moparisthebest brought this change]
+
+ SSL: Pinned public key hash support
+
+- examples: provide <DESC> sections
+
+- [John Malmberg brought this change]
+
+ OpenVMS: VMS Software, Inc now the supplier.
+
+ setup-vms.h: Symbol case fixups submitted by Michael Steve
+
+ build_gnv_curl_pcsi_desc.com: VSI aka as VMS Software, is now the
+ supplier of new versions of VMS. The install kit needs to accept
+ VSI as a producer.
+
+Jay Satiro (30 Jun 2015)
+- multi: Move http2 push function declarations to header end
+
+ This change necessary for binary compatibility.
+
+ Prior to this change test 1135 failed due to the order of functions.
+
+- symbols-in-versions: Add new http2 push symbols
+
+ Prior to this change test 1119 failed due to the missing symbols.
+
+Daniel Stenberg (30 Jun 2015)
+- RELEASE-NOTES: synced with e6749055d653
+
+- configure: disable libidn by default
+
+ For security reasons, until there is a fix.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0143.html
+ Reported-by: Gustavo Grieco, Feist Josselin
+
+- SSL-PROBLEMS: mention WinSSL problems in WinXP
+
+- CODE_OF_CONDUCT.md: added
+
+ Just to underscore how we treat each other in this project. Nothing new
+ really, but could be useful for newcomers and outsiders to see our
+ values.
+
+- tool_header_cb: fflush the header stream
+
+ Flush the header stream when -D is used so that they are sent off
+ earlier.
+
+ Bug: https://github.com/bagder/curl/issues/324
+ Reported-by: Cédric Connes
+
+- [Roger Leigh brought this change]
+
+ tests: Distribute CMakeLists.txt files in subdirectories
+
+- CURLOPT_FAILONERROR.3: mention that it closes the connection
+
+ Reported-by: bemoody
+ Bug: https://github.com/bagder/curl/issues/325
+
+- curl_multi_setopt.3: alpha sort the options
+
+- curl_multi_setopt.3: add the new push options
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Use nghttp2 library error code for error return value
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Harden header validation for curl_pushheader_byname
+
+ Since we do prefix match using given header by application code
+ against header name pair in format "NAME:VALUE", and VALUE part can
+ contain ":", we have to careful about existence of ":" in header
+ parameter. ":" should be allowed to match HTTP/2 pseudo-header field,
+ and other use of ":" in header must be treated as error, and
+ curl_pushheader_byname should return NULL. This commit implements
+ this behaviour.
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ CURLMOPT_PUSHFUNCTION.3: Remove unused variable
+
+- CURLMOPT_PUSHFUNCTION.3: added example
+
+- http2: curl_pushheader_byname now takes a const char *
+
+- http2-serverpush.c: example code
+
+- http2: free all header memory after the push callback
+
+- http2: init the pushed transfer properly
+
+- http2: fixed the header accessor functions for the push callback
+
+- http2: setup the new pushed stream properly
+
+- http2: initial implementation of the push callback
+
+- http2: initial HTTP/2 server push types/docs
+
+- test1531: verify POSTFIELDSIZE set after add_handle
+
+ Following the fix made in 903b6e05565bf.
+
+- pretransfer: init state.infilesize here, not in add_handle
+
+ ... to properly support that options are set to the handle after it is
+ added to the multi handle.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0122.html
+ Reported-by: Stefan Bühler
+
+Jay Satiro (21 Jun 2015)
+- [Lior Kaplan brought this change]
+
+ tool_help: fix --tlsv1 help text to use >= for TLSv1
+
+- INSTALL: Advise use of non-native SSL for Windows <= XP
+
+ Advise that WinSSL in versions <= XP will not be able to connect to
+ servers that no longer support the legacy handshakes and algorithms used
+ by those versions, and to use an alternate backend like OpenSSL instead.
+
+ Bug: https://github.com/bagder/curl/issues/253
+ Reported-by: zenden2k <zenden2k@gmail.com>
+
+Kamil Dudka (19 Jun 2015)
+- curl_easy_setopt.3: restore contents removed by mistake
+
+ ... in commit curl-7_43_0-18-g570076e
+
+Daniel Stenberg (19 Jun 2015)
+- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
+
+Jay Satiro (18 Jun 2015)
+- cookie: Fix bug in export if any-domain cookie is present
+
+ In 3013bb6 I had changed cookie export to ignore any-domain cookies,
+ however the logic I used to do so was incorrect, and would lead to a
+ busy loop in the case of exporting a cookie list that contained
+ any-domain cookies. The result of that is worse though, because in that
+ case the other cookies would not be written resulting in an empty file
+ once the application is terminated to stop the busy loop.
+
+Dan Fandrich (18 Jun 2015)
+- FTP: fixed compiling with --disable-proxy, broken in b88f980a
+
+Daniel Stenberg (18 Jun 2015)
+- tool: always provide negotiate/kerberos options
+
+ libcurl can still be built with it, even if the tool is not. Maintain
+ independence!
+
+- TODO: Support IDNA2008
+
+- [Viktor Szakats brought this change]
+
+ Makefile.m32: add support for CURL_LDFLAG_EXTRAS
+
+ It is similar to existing CURL_CFLAG_EXTRAS, but for
+ extra linker option.
+
+- RTSP: removed another piece of dead code
+
+ Coverity CID 1306668
+
+- openssl: fix use of uninitialized buffer
+
+ Make sure that the error buffer is always initialized and simplify the
+ use of it to make the logic easier.
+
+ Bug: https://github.com/bagder/curl/issues/318
+ Reported-by: sneis
+
+- examples: more descriptions
+
+- examples: add descriptions with <DESC>
+
+ Using this fixed format for example descriptions, we can generate a
+ better list on the web site.
+
+- libcurl-errors.3: fix typo
+
+- curl_easy_setopt.3: option order doesn't matter
+
+- openssl: fix build with BoringSSL
+
+ OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression
+ from cae43a1
+
+- [Paul Howarth brought this change]
+
+ openssl: Fix build with openssl < ~ 0.9.8f
+
+ The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at
+ around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks
+ builds with older openssls (certainly with 0.9.8b, which is the latest
+ older version I have to try with).
+
+- FTP: do the HTTP CONNECT for data connection blocking
+
+ ** WORK-AROUND **
+
+ The introduced non-blocking general behaviour for Curl_proxyCONNECT()
+ didn't work for the data connection establishment unless it was very
+ fast. The newly introduced function argument makes it operate in a more
+ blocking manner, more like it used to work in the past. This blocking
+ approach is only used when the FTP data connecting through HTTP proxy.
+
+ Blocking like this is bad. A better fix would make it work more
+ asynchronously.
+
+ Bug: https://github.com/bagder/curl/issues/278
+
+- bump: start the journey toward 7.44.0
+
+Jay Satiro (17 Jun 2015)
+- CURLOPT_ERRORBUFFER.3: Fix example, escape backslashes
+
+- CURLOPT_ERRORBUFFER.3: Improve example
+
+Version 7.43.0 (17 Jun 2015)
+
+Daniel Stenberg (17 Jun 2015)
+- RELEASE-NOTES: 7.43.0 release
+
+- THANKS: updated with 7.43.0 names
+
+- [Kamil Dudka brought this change]
+
+ http: do not leak basic auth credentials on re-used connections
+
+ CVE-2015-3236
+
+ This partially reverts commit curl-7_39_0-237-g87c4abb
+
+ Reported-by: Tomas Tomecek, Kamil Dudka
+ Bug: http://curl.haxx.se/docs/adv_20150617A.html
+
+- [Kamil Dudka brought this change]
+
+ test2040: verify basic auth on re-used connections
+
+- SMB: rangecheck values read off incoming packet
+
+ CVE-2015-3237
+
+ Detected by Coverity. CID 1299430.
+
+ Bug: http://curl.haxx.se/docs/adv_20150617B.html
+
+Jay Satiro (17 Jun 2015)
+- schannel: schannel_recv overhaul
+
+ This commit is several drafts squashed together. The changes from each
+ draft are noted below. If any changes are similar and possibly
+ contradictory the change in the latest draft takes precedence.
+
+ Bug: https://github.com/bagder/curl/issues/244
+ Reported-by: Chris Araman
+
+ %%
+ %% Draft 1
+ %%
+ - return 0 if len == 0. that will have to be documented.
+ - continue on and process the caches regardless of raw recv
+ - if decrypted data will be returned then set the error code to CURLE_OK
+ and return its count
+ - if decrypted data will not be returned and the connection has closed
+ (eg nread == 0) then return 0 and CURLE_OK
+ - if decrypted data will not be returned and the connection *hasn't*
+ closed then set the error code to CURLE_AGAIN --only if an error code
+ isn't already set-- and return -1
+ - narrow the Win2k workaround to only Win2k
+
+ %%
+ %% Draft 2
+ %%
+ - Trying out a change in flow to handle corner cases.
+
+ %%
+ %% Draft 3
+ %%
+ - Back out the lazier decryption change made in draft2.
+
+ %%
+ %% Draft 4
+ %%
+ - Some formatting and branching changes
+ - Decrypt all encrypted cached data when len == 0
+ - Save connection closed state
+ - Change special Win2k check to use connection closed state
+
+ %%
+ %% Draft 5
+ %%
+ - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
+ connection isn't closed.
+
+ %%
+ %% Draft 6
+ %%
+ - Save the last error only if it is an unrecoverable error.
+
+ Prior to this I saved the last error state in all cases; unfortunately
+ the logic to cover that in all cases would lead to some muddle and I'm
+ concerned that could then lead to a bug in the future so I've replaced
+ it by only recording an unrecoverable error and that state will persist.
+
+ - Do not recurse on renegotiation.
+
+ Instead we'll continue on to process any trailing encrypted data
+ received during the renegotiation only.
+
+ - Move the err checks in cleanup after the check for decrypted data.
+
+ In either case decrypted data is always returned but I think it's easier
+ to understand when those err checks come after the decrypted data check.
+
+ %%
+ %% Draft 7
+ %%
+ - Regardless of len value go directly to cleanup if there is an
+ unrecoverable error or a close_notify was already received. Prior to
+ this change we only acknowledged those two states if len != 0.
+
+ - Fix a bug in connection closed behavior: Set the error state in the
+ cleanup, because we don't know for sure it's an error until that time.
+
+ - (Related to above) In the case the connection is closed go "greedy"
+ with the decryption to make sure all remaining encrypted data has been
+ decrypted even if it is not needed at that time by the caller. This is
+ necessary because we can only tell if the connection closed gracefully
+ (close_notify) once all encrypted data has been decrypted.
+
+ - Do not renegotiate when an unrecoverable error is pending.
+
+ %%
+ %% Draft 8
+ %%
+ - Don't show 'server closed the connection' info message twice.
+
+ - Show an info message if server closed abruptly (missing close_notify).
+
+Daniel Stenberg (16 Jun 2015)
+- [Paul Oliver brought this change]
+
+ Fix typo in docs
+
+ s/curret/current/
+
+- [Viktor Szakats brought this change]
+
+ docs: update URLs
+
+- RELEASE-NOTES: synced with f29f2cbd00dbe5f
+
+- [Viktor Szakats brought this change]
+
+ README: use secure protocol for Git repository
+
+- [Viktor Szakats brought this change]
+
+ HTTP2.md: use SSL/TLS IETF URLs
+
+- [Viktor Szakats brought this change]
+
+ LICENSE-MIXING: update URLs
+
+ * use SSL/TLS where available
+ * follow permanent redirects
+
+- LICENSE-MIXING: refreshed
+
+- curl_easy_duphandle: see also *reset
+
+- rtsp_do: fix DEAD CODE
+
+ "At condition p_request, the value of p_request cannot be NULL."
+
+ Coverity CID 1306668.
+
+- security:choose_mech fix DEAD CODE warning
+
+ ... by removing the "do {} while (0)" block.
+
+ Coverity CID 1306669
+
+- curl.1: netrc is in man section 5
+
+- curl.1: small format fix
+
+ use \fI-style instead of .BR for references
+
+- urldata: store POST size in state.infilesize too
+
+ ... to simplify checking when PUT _or_ POST have completed.
+
+ Reported-by: Frank Meier
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html
+
+Dan Fandrich (14 Jun 2015)
+- test1530: added http to required features
+
+Jay Satiro (14 Jun 2015)
+- [Drake Arconis brought this change]
+
+ build: Fix typo from OpenSSL 1.0.2 version detection fix
+
+- [Drake Arconis brought this change]
+
+ build: Properly detect OpenSSL 1.0.2 when using configure
+
+- curl_multi_info_read.3: fix example formatting
+
+Daniel Stenberg (13 Jun 2015)
+- BINDINGS: there's a new R binding in town!
+
+- BINDINGS: added the Xojo binding
+
+Jay Satiro (11 Jun 2015)
+- [Joel Depooter brought this change]
+
+ schannel: Add support for optional client certificates
+
+ Some servers will request a client certificate, but not require one.
+ This change allows libcurl to connect to such servers when using
+ schannel as its ssl/tls backend. When a server requests a client
+ certificate, libcurl will now continue the handshake without one,
+ rather than terminating the handshake. The server can then decide
+ if that is acceptable or not. Prior to this change, libcurl would
+ terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS
+ error.
+
+Daniel Stenberg (11 Jun 2015)
+- curl_easy_cleanup.3: provide more SEE ALSO
+
+- debug: remove http2 debug leftovers
+
+- VERSIONS: now using markdown
+
+- RELEASE-PROCEDURE: remove ascii logo at the top of file
+
+- INTERNALS: absorbed docs/LIBCURL-STRUCTS
+
+- INTERNALS: cat lib/README* >> INTERNALS
+
+ and a conversion to markdown. Removed the lib/README.* files. The idea
+ being to move toward having INTERNALS as the one and only "book" of
+ internals documentation.
+
+ Added a TOC to top of the document.
+
+Jay Satiro (8 Jun 2015)
+- openssl: LibreSSL and BoringSSL do not use TLS_client_method
+
+ Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of
+ TLS_client_method LibreSSL and BoringSSL didn't and still use
+ SSLv23_client_method.
+
+ Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009
+ Reported-by: asavah@users.noreply.github.com
+
+Daniel Stenberg (9 Jun 2015)
+- RELEASE-NOTES: synced with 20ac3458068
+
+- CURLOPT_OPENSOCKETFUNCTION: return error at once
+
+ When CURL_SOCKET_BAD is returned in the callback, it should be treated
+ as an error (CURLE_COULDNT_CONNECT) if no other socket is subsequently
+ created when trying to connect to a server.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0047.html
+
+- fopen.c: fix a few compiler warnings
+
+- [Ville Skyttä brought this change]
+
+ docs: Spelling fixes
+
+- [Ville Skyttä brought this change]
+
+ docs: man page indentation and syntax fixes
+
+Linus Nielsen (8 Jun 2015)
+- help: Add --proxy-service-name and --service-name to the --help output
+
+Jay Satiro (7 Jun 2015)
+- openssl: Fix verification of server-sent legacy intermediates
+
+ - Try building a chain using issuers in the trusted store first to avoid
+ problems with server-sent legacy intermediates.
+
+ Prior to this change server-sent legacy intermediates with missing
+ legacy issuers would cause verification to fail even if the client's CA
+ bundle contained a valid replacement for the intermediate and an
+ alternate chain could be constructed that would verify successfully.
+
+ https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+
+Daniel Stenberg (5 Jun 2015)
+- BINDINGS: update several URLs
+
+ Stop linking to the curl.haxx.se anchor pages, they are usually only
+ themselves pointers to the real page so better point there directly
+ instead.
+
+- BINDINGS: the curl-rust binding
+
+- curl.h: add CURL_HTTP_VERSION_2
+
+ The protocol is named "HTTP/2" after all. It is an alias for the
+ existing CURL_HTTP_VERSION_2_0 enum.
+
+- openssl: removed error string #ifdef
+
+ ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
+
+- openssl: removed USERDATA_IN_PWD_CALLBACK kludge
+
+ Code for OpenSSL 0.9.4 serves no purpose anymore!
+
+- openssl: remove SSL_get_session()-using code
+
+ It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or
+ later.
+
+- openssl: remove dummy callback use from SSL_CTX_set_verify()
+
+ The existing callback served no purpose.
+
+- LIBCURL-STRUCTS: clarify for multiplexing
+
+Jay Satiro (3 Jun 2015)
+- cookie: Stop exporting any-domain cookies
+
+ Prior to this change any-domain cookies (cookies without a domain that
+ are sent to any domain) were exported with domain name "unknown".
+
+ Bug: https://github.com/bagder/curl/issues/292
+
+Daniel Stenberg (3 Jun 2015)
+- RELEASE-PROCEDURE: refreshed 'coming dates'
+
+Jay Satiro (2 Jun 2015)
+- curl_setup: Change fopen text macros to use 't' for MSDOS
+
+ Bug: https://github.com/bagder/curl/pull/258#issuecomment-107915198
+ Reported-by: Gisle Vanem
+
+Daniel Stenberg (2 Jun 2015)
+- curl_multi_timeout.3: added example
+
+- curl_multi_perform.3: added example
+
+- curl_multi_info_read.3: added example
+
+- checksrc: detect fopen() for text without the FOPEN_* macros
+
+ Follow-up to e8423f9ce150 with discussionis in
+ https://github.com/bagder/curl/pull/258
+
+ This check scans for fopen() with a mode string without 'b' present, as
+ it may indicate that an FOPEN_* define should rather be used.
+
+- curl_getdate.3: update RFC reference
+
+Jay Satiro (1 Jun 2015)
+- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
+
+ - Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
+ - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"
+
+ This change is to explicitly specify when we need to read/write text.
+ Unfortunately 't' is not part of POSIX fopen so we can't specify it
+ directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT.
+
+ Prior to this change we had an issue on Windows if an application that
+ uses libcurl overrides the default file mode to binary. The default file
+ mode in Windows is normally text mode (translation mode) and that's what
+ libcurl expects.
+
+ Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
+ Reported-by: Orgad Shaneh
+
+Daniel Stenberg (1 Jun 2015)
+- http2-upload.c: use PIPEWAIT for playing HTTP/2 better
+
+- http2-download: check for CURLPIPE_MULTIPLEX properly
+
+ Bug: http://curl.haxx.se/mail/lib-2015-06/0001.html
+ Reported-by: Rafayel Mkrtchyan
+
+- [Isaac Boukris brought this change]
+
+ HTTP-NTLM: fail auth on connection close instead of looping
+
+ Bug: https://github.com/bagder/curl/issues/256
+
+- 5.6 Refuse "downgrade" redirects
+
+- README.pingpong: removed
+
+- ROADMAP: remove HTTP/2 multiplexing - its here now
+
+- HTTP2.md: formatted properly
+
+- HTTP2: moved docs into docs/ and make it markdown
+
+- README.http2: refreshed and added multiplexing info
+
+- dist: add the http2 examples
+
+- http2 examples: clean up some comments
+
+- examples: added two programs doing multiplexed HTTP/2
+
+- scripts: moved contributors.sh and contrithanks.sh into subdir
+
+- RELEASE-NOTES: synced with c005790ff1c0a
+
+- [Daniel Melani brought this change]
+
+ openssl: typo in comment
+
+Jay Satiro (27 May 2015)
+- openssl: Use TLS_client_method for OpenSSL 1.1.0+
+
+ SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The
+ equivalent is TLS_client_method.
+
+ https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557
+
+Daniel Stenberg (26 May 2015)
+- FAQ: How do I port libcurl to my OS?
+
+Jay Satiro (25 May 2015)
+- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
+
+ Document that if Set-Cookie is used without a domain then the cookie is
+ sent for any domain and will not be modified.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-05/0137.html
+ Reported-by: Alexander Dyagilev
+
+Daniel Stenberg (25 May 2015)
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Copy data passed in Curl_http2_switched into HTTP/2 connection buffer
+
+ Previously, after seeing upgrade to HTTP/2, we feed data followed by
+ upgrade response headers directly to nghttp2_session_mem_recv() in
+ Curl_http2_switched(). But it turns out that passed buffer, mem, is
+ part of stream->mem, and callbacks called by
+ nghttp2_session_mem_recv() will write stream specific data into
+ stream->mem, overwriting input data. This will corrupt input, and
+ most likely frame length error is detected by nghttp2 library. The
+ fix is first copy the passed data to HTTP/2 connection buffer,
+ httpc->inbuf, and call nghttp2_session_mem_recv().
+
+Jay Satiro (24 May 2015)
+- CURLOPT_COOKIE.3: Explain that the cookies won't be modified
+
+ The CURLOPT_COOKIE doc says it "sets the cookie header explicitly in the
+ outgoing request(s)." However there seems to be some user confusion
+ about cookie modification. Document that the cookies set by this option
+ are not modified by the cookie engine.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-05/0115.html
+ Reported-by: Alexander Dyagilev
+
+- CURLOPT_COOKIELIST.3: Add example
+
+Dan Fandrich (24 May 2015)
+- testcurl.pl: use rel2abs to make the source directory absolute
+
+ This function makes a platform-specific absolute path which uses
+ backslashes on Windows. This form works when passing it on the
+ command-line, as well as if the source is on another drive.
+
+- conncache: fixed memory leak on OOM (torture tests)
+
+Daniel Stenberg (24 May 2015)
+- perl: remove subdir, not touched in 9 years
+
+- log2changes.pl: moved to scripts/
+
+- [Alessandro Ghedini brought this change]
+
+ scripts: add zsh.pl for generating zsh completion
+
+Dan Fandrich (23 May 2015)
+- test1510: another flaky test
+
+Daniel Stenberg (22 May 2015)
+- security: fix "Unchecked return value" from sscanf()
+
+ By (void) prefixing it and adding a comment. Did some minor related
+ cleanups.
+
+ Coverity CID 1299423.
+
+- security: simplify choose_mech
+
+ Coverity CID 1299424 identified dead code because of checks that could
+ never equal true (if the mechanism's name was NULL).
+
+ Simplified the function by removing a level of pointers and removing the
+ loop and array that weren't used.
+
+- RTSP: catch attempted unsupported requests better
+
+ Replace use of assert with code that properly catches bad input at
+ run-time even in non-debug builds.
+
+ This flaw was sort of detected by Coverity CID 1299425 which claimed the
+ "case RTSPREQ_NONE" was dead code.
+
+- share_init: fix OOM crash
+
+ A failed calloc() would lead to NULL pointer use.
+
+ Coverity CID 1299427.
+
+- parse_proxy: switch off tunneling if non-HTTP proxy
+
+ non-HTTP proxy implies not using CURLOPT_HTTPPROXYTUNNEL
+
+ Bug: http://curl.haxx.se/mail/lib-2015-05/0056.html
+ Reported-by: Sean Boudreau
+
+- curl: fix potential NULL dereference
+
+ Coverity CID 1299428: Dereference after null check (FORWARD_NULL)
+
+- http2: on_frame_recv: return early on stream 0
+
+ Coverity CID 1299426 warned about possible NULL dereference otherwise,
+ but that would only ever happen if we get invalid HTTP/2 data with
+ frames for stream 0. Avoid this risk by returning early when stream 0 is
+ used.
+
+- http: removed self assignment
+
+ Follow-up fix from b0143a2a33f0
+
+ Detected by coverity. CID 1299429
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Make HTTP Upgrade work
+
+ This commit just add implicitly opened stream 1 to streams hash.
+
+Jay Satiro (22 May 2015)
+- strerror: Change SEC_E_ILLEGAL_MESSAGE description
+
+ Prior to this change the description for SEC_E_ILLEGAL_MESSAGE was OS
+ and language specific, and invariably translated to something not very
+ helpful like: "The message received was unexpected or badly formatted."
+
+ Bug: https://github.com/bagder/curl/issues/267
+ Reported-by: Michael Osipov
+
+- telnet: Fix read-callback change for Windows builds
+
+ Refer to b0143a2 for more information on the read-callback change.
+
+Daniel Stenberg (21 May 2015)
+- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy!
+
+Dan Fandrich (21 May 2015)
+- testcurl.pl: allow source to be in an arbitrary directory
+
+ This way, the build directory can be located on an entirely different
+ filesystem from the source code (e.g. a tmpfs).
+
+Daniel Stenberg (20 May 2015)
+- read_callback: move to SessionHandle from connectdata
+
+ With many easy handles using the same connection for multiplexing, it is
+ important we store and keep the transfer-oriented stuff in the
+ SessionHandle so that callbacks and callback data work fine even when
+ many easy handles share the same physical connection.
+
+- http2: show stream IDs in decimal
+
+ It makes them easier to match output from the nghttpd test server.
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Faster http2 upload
+
+ Previously, when we send all given buffer in data_source_callback, we
+ return NGHTTP2_ERR_DEFERRED, and nghttp2 library removes this stream
+ temporarily for writing. This itself is good. If this is the sole
+ stream in the session, nghttp2_session_want_write() returns zero,
+ which means that libcurl does not check writeability of the underlying
+ socket. This leads to very slow upload, because it seems curl only
+ upload 16k something per 1 second. To fix this, if we still have data
+ to send, call nghttp2_session_resume_data after nghttp2_session_send.
+ This makes nghttp2_session_want_write() returns nonzero (if connection
+ window still opens), and as a result, socket writeability is checked,
+ and upload speed becomes normal.
+
+- [Dmitry Eremin-Solenikov brought this change]
+
+ gtls: don't fail on non-fatal alerts during handshake
+
+ Stop curl from failing when non-fatal alert is received during
+ handshake. This e.g. fixes lots of problems when working with https
+ sites through proxies.
+
+- curl_easy_unescape.3: update RFC reference
+
+ Reported-by: bsammon
+ Bug: https://github.com/bagder/curl/issues/282
+
+Jay Satiro (20 May 2015)
+- CURLOPT_POSTFIELDS.3: Mention curl_easy_escape
+
+ .. also correct some variable naming in curl_easy_escape.3
+
+ Bug: https://github.com/bagder/curl/issues/281
+ Reported-by: bsammon@users.noreply.github.com
+
+Daniel Stenberg (19 May 2015)
+- [Brian Prodoehl brought this change]
+
+ openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_arg
+
+ BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl
+ and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and
+ OpenSSL.
+
+ re #275
+
+Jay Satiro (19 May 2015)
+- curl.1: fix missing space in section --data
+
+Daniel Stenberg (19 May 2015)
+- transfer: remove erroneous and misleading comment
+
+Kamil Dudka (19 May 2015)
+- http: silence compile-time warnings without USE_NGHTTP2
+
+ Error: CLANG_WARNING:
+ lib/http.c:173:16: warning: Value stored to 'http' during its initialization is never read
+
+ Error: COMPILER_WARNING:
+ lib/http.c: scope_hint: In function ‘http_disconnect’
+ lib/http.c:173:16: warning: unused variable ‘http’ [-Wunused-variable]
+
+Jay Satiro (19 May 2015)
+- transfer: Replace __func__ instances with function name
+
+ .. also make __func__ replacement in multi.
+
+ Prior to this change debug builds would fail to build if the compiler
+ was building pre-c99 and didn't support __func__.
+
+Daniel Stenberg (19 May 2015)
+- [Viktor Szakats brought this change]
+
+ build: bump version in default nghttp2 paths
+
+- INTERNALS: we require nghttp2 1.0.0+ now
+
+Jay Satiro (18 May 2015)
+- http: Add some include guards for the new HTTP/2 stuff
+
+Daniel Stenberg (18 May 2015)
+- http2: store upload state per stream
+
+ Use a curl_off_t for upload left
+
+- http2: fix build when NOT h2-enabled
+
+- http2: switch to use Curl_hash_destroy()
+
+ as after 4883f7019d3, the *_clean() function only flushes the hash.
+
+- curlver: restore LIBCURL_VERSION_NUM defined as a full number
+
+ As it breaks configure, curl-config and test 1023 if not.
+
+- [Anthony Avina brought this change]
+
+ hostip: fix unintended destruction of hash table
+
+ .. and added unit1602 for hash.c
+
+- curlver: introducing new version number (checking) macros
+
+- runtests.pl: use 'h2c' now, no -14 anymore
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Ignore if we have stream ID not in hash in on_stream_close
+
+ We could get stream ID not in the hash in on_stream_close. For
+ example, if we decided to reject stream (e.g., PUSH_PROMISE), then we
+ don't create stream and store it in hash with its stream ID.
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ Require nghttp2 v1.0.0
+
+ This commit requires nghttp2 v1.0.0 to compile, and migrate to v1.0.0,
+ and utilize recent version of nghttp2 to simplify the code,
+
+ First we use nghttp2_option_set_no_recv_client_magic function to
+ detect nghttp2 v1.0.0. That function only exists since v1.0.0.
+
+ Since nghttp2 v0.7.5, nghttp2 ensures header field ordering, and
+ validates received header field. If it found error, RST_STREAM with
+ PROTOCOL_ERROR is issued. Since we require v1.0.0, we can utilize
+ this feature to simplify libcurl code. This commit does this.
+
+ Migration from 0.7 series are done based on nghttp2 migration
+ document. For libcurl, we removed the code sending first 24 bytes
+ client magic. It is now done by nghttp2 library.
+ on_invalid_frame_recv callback signature changed, and is updated
accordingly.
-Daniel Stenberg (19 Jan 2010)
-- David McCreedy brought a fix and a new test case (129) to make libcurl work
- again when downloading files over FTP using ASCII and it turns out that the
- final size of the file is not the same as the initial size the server
- reported. This is very common since servers don't take the newline
- conversions into account.
-
-Kamil Dudka (14 Jan 2010)
-- Suppressed side effect of OpenSSL configure checks, which prevented NSS from
- being properly detected under certain circumstances. It had been caused by
- strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config
- distinguishes among empty and non-existent environment variable in that case.
-
-Daniel Stenberg (12 Jan 2010)
-- Gil Weber reported a peculiar flaw with the multi interface when doing SFTP
- transfers: curl_multi_fdset() would return -1 and not set and file
- descriptors several times during a transfer of a single file. It turned out
- to be due to two different flaws now fixed. Gil's excellent recipe helped me
- nail this.
-
-Daniel Stenberg (11 Jan 2010)
-- Made sure that the progress callback is repeatedly called at a regular
- interval even during very slow connects.
-
-- The tests/runtests.pl script now checks to see if the test case that runs is
- present in the tests/data/Makefile.am and outputs a notice message on the
- screen if not. Each test file has to be included in that Makefile.am to get
- included in release archives and forgetting to add files there is a common
- mistake. This is an attempt to make it harder to forget.
-
-Daniel Stenberg (9 Jan 2010)
-- Johan van Selst found and fixed a OpenSSL session ref count leak:
-
- ossl_connect_step3() increments an SSL session handle reference counter on
- each call. When sessions are re-used this reference counter may be
- incremented many times, but it will be decremented only once when done (by
- Curl_ossl_session_free()); and the internal OpenSSL data will not be freed
- if this reference count remains positive. When a session is re-used the
- reference counter should be corrected by explicitly calling
- SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid
- introducing a memory leak.
-
- (http://curl.haxx.se/bug/view.cgi?id=2926284)
-
-Daniel Stenberg (7 Jan 2010)
-- Make sure the progress callback is called repeatedly even during very slow
- name resolves when c-ares is used for resolving.
-
-Claes Jakobsson (6 Jan 2010)
-- Julien Chaffraix fixed so that the fragment part in an URL is not sent
- to the server anymore.
-
-Kamil Dudka (3 Jan 2010)
-- Julien Chaffraix eliminated a duplicated initialization in singlesocket().
-
-Daniel Stenberg (2 Jan 2010)
-- Make curl support --ssl and --ssl-reqd instead of the previous FTP-specific
- versions --ftp-ssl and --ftp-ssl-reqd as these options are now used to
- control SSL/TLS for IMAP, POP3 and SMTP as well in addition to FTP. The old
- option names are still working but the new ones are the ones listed and
- documented.
-
-Daniel Stenberg (1 Jan 2010)
-- Ingmar Runge enhanced libcurl's FTP engine to support the PRET command. This
- command is a special "hack" used by the drftpd server, but even though it is
- a custom extension I've deemed it fine to add to libcurl since this server
- seems to survive and people keep using it and want libcurl to support
- it. The new libcurl option is named CURLOPT_FTP_USE_PRET, and it is also
- usable from the curl tool with --ftp-pret. Using this option on a server
- that doesn't support this command will make libcurl fail.
-
- I added test cases 1107 and 1108 to verify the functionality.
-
- The PRET command is documented at
- http://www.drftpd.org/index.php/Distributed_PASV
-
-Yang Tse (30 Dec 2009)
-- Steven M. Schweda improved VMS build system, and Craig A. Berry helped
- with the patch and testing.
-
-Daniel Stenberg (26 Dec 2009)
-- Renato Botelho and Peter Pentchev brought a patch that makes the libcurl
- headers work correctly even on FreeBSD systems before v8.
-
- (http://curl.haxx.se/bug/view.cgi?id=2916915)
-
-Daniel Stenberg (17 Dec 2009)
-- David Byron fixed Curl_ossl_cleanup to actually call ENGINE_cleanup when
- available.
-
-- Follow-up fix for the proxy fix I did for Jon Nelson's bug. It turned out I
- was a bit too quick and broke test case 1101 with that change. The order of
- some of the setups is sensitive. I now changed it slightly again to make
- sure we do them in this order:
-
- 1 - parse URL and figure out what protocol is used in the URL
- 2 - prepend protocol:// to URL if missing
- 3 - parse name+password off URL, which needs to know what protocol is used
- (since only some allows for name+password in the URL)
- 4 - figure out if a proxy should be used set by an option
- 5 - if no proxy option, check proxy environment variables
- 6 - run the protocol-specific setup function, which needs to have the proxy
- already set
-
-Daniel Stenberg (15 Dec 2009)
-- Jon Nelson found a regression that turned out to be a flaw in how libcurl
- detects and uses proxies based on the environment variables. If the proxy
- was given as an explicit option it worked, but due to the setup order
- mistake proxies would not be used fine for a few protocols when picked up
- from '[protocol]_proxy'. Obviously this broke after 7.19.4. I now also added
- test case 1106 that verifies this functionality.
-
- (http://curl.haxx.se/bug/view.cgi?id=2913886)
-
-Daniel Stenberg (12 Dec 2009)
-- IMAP, POP3 and SMTP support and their TLS versions (including IMAPS, POP3S
- and SMTPS) are now supported. The current state may not yet be solid, but
- the foundation is in place and the test suite has some initial support for
- these protocols. Work will now persue to make them nice libcurl citizens
- until release.
-
- The work with supporting these new protocols was sponsored by
- networking4all.com - thanks!
-
-Daniel Stenberg (10 Dec 2009)
-- Siegfried Gyuricsko found out that the curl manual said --retry would retry
- on FTP errors in the transient 5xx range. Transient FTP errors are in the
- 4xx range. The code itself only tried on 5xx errors that occured _at login_.
- Now the retry code retries on all FTP transfer failures that ended with a
- 4xx response.
-
- (http://curl.haxx.se/bug/view.cgi?id=2911279)
-
-- Constantine Sapuntzakis figured out a case which would lead to libcurl
- accessing alredy freed memory and thus crash when using HTTPS (with
- OpenSSL), multi interface and the CURLOPT_DEBUGFUNCTION and a certain order
- of cleaning things up. I fixed it.
-
- (http://curl.haxx.se/bug/view.cgi?id=2905220)
-
-Daniel Stenberg (7 Dec 2009)
-- Martin Storsjo made libcurl use the Expect: 100-continue header for posts
- with unknown size. Previously it was only used for posts with a known size
- larger than 1024 bytes.
-
-Daniel Stenberg (1 Dec 2009)
-- If the Expect: 100-continue header has been set by the application through
- curl_easy_setopt with CURLOPT_HTTPHEADER, the library should set
- data->state.expect100header accordingly - the current code (in 7.19.7 at
- least) doesn't handle this properly. Martin Storsjo provided the fix!
-
-Yang Tse (28 Nov 2009)
-- Added Diffie-Hellman parameters to several test harness certificate files in
- PEM format. Required by several stunnel versions used by our test harness.
-
-Daniel Stenberg (28 Nov 2009)
-- Markus Koetter provided a polished and updated version of Chad Monroe's TFTP
- rework patch that now integrates TFTP properly into libcurl so that it can
- be used non-blocking with the multi interface and more. BLKSIZE also works.
-
- The --tftp-blksize option was added to allow setting the TFTP BLKSIZE from
- the command line.
-
-Daniel Stenberg (26 Nov 2009)
-- Extended and fixed the change I did on Dec 11 for the the progress
- meter/callback during FTP command/response sequences. It turned out it was
- really lame before and now the progress meter SHOULD get called at least
- once per second.
-
-Daniel Stenberg (23 Nov 2009)
-- Bjorn Augustsson reported a bug which made curl not report any problems even
- though it failed to write a very small download to disk (done in a single
- fwrite call). It turned out to be because fwrite() returned success, but
- there was insufficient error-checking for the fclose() call which tricked
- curl to believe things were fine.
-
-Yang Tse (23 Nov 2009)
-- David Byron modified Makefile.dist vc8 and vc9 targets in order to allow
- finer granularity control when generating src and lib makefiles.
-
-Yang Tse (22 Nov 2009)
-- I modified configure to force removal of the curlbuild.h file included in
- distribution tarballs for use by non-configure systems. As intended, this
- would get overwriten when doing in-tree builds. But VPATH builds would end
- having two curlbuild.h files, one in the source tree and another in the
- build tree. With the modification I introduced 5 Nov 2009 this could become
- an issue when running libcurl's test suite.
-
-Daniel Stenberg (20 Nov 2009)
-- Constantine Sapuntzakis identified a write after close, as the sockets were
- closed by libcurl before the SSL lib were shutdown and they may write to its
- socket. Detected to at least happen with OpenSSL builds.
-
-- Jad Chamcham pointed out a bug with connection re-use. If a connection had
- CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the
- same proxy with the tunnel option disabled would still wrongly re-use that
- previous connection and the outcome would only be badness.
-
-Yang Tse (18 Nov 2009)
-- I modified the memory tracking system to make it intolerant with zero sized
- malloc(), calloc() and realloc() function calls.
-
-Daniel Stenberg (17 Nov 2009)
-- Constantine Sapuntzakis provided another fix for the DNS cache that could
- end up with entries that wouldn't time-out:
-
- 1. Set up a first web server that redirects (307) to a http://server:port
- that's down
- 2. Have curl connect to the first web server using curl multi
-
- After the curl_easy_cleanup call, there will be curl dns entries hanging
- around with in_use != 0.
-
- (http://curl.haxx.se/bug/view.cgi?id=2891591)
-
-- Marc Kleine-Budde fixed: curl saved the LDFLAGS set during configure into
- its pkg-config file. So -Wl stuff ended up in the .pc file, which is really
- bad, and breaks if there are multiple -Wl in our LDFLAGS (which are in
- PTXdist). bug #2893592 (http://curl.haxx.se/bug/view.cgi?id=2893592)
-
-Kamil Dudka (15 Nov 2009)
-- David Byron improved the configure script to use pkg-config to find OpenSSL
- (and in particular the list of required libraries) even if a path is given
- as argument to --with-ssl
-
-Yang Tse (15 Nov 2009)
-- I removed enable-thread / disable-thread configure option. These were only
- placebo options. The library is always built as thread safe as possible on
- every system.
-
-Claes Jakobsson (14 Nov 2009)
-- curl-config now accepts '--configure' to see what arguments was
- passed to the configure script when building curl.
-
-Daniel Stenberg (14 Nov 2009)
-- Claes Jakobsson restored the configure functionality to detect NSS when
- --with-nss is set but not "yes".
-
- I think we can still improve that to check for pkg-config in that path etc,
- but at least this patch brings back the same functionality we had before.
-
-- Camille Moncelier added support for the file type SSL_FILETYPE_ENGINE for
- the client certificate. It also disable the key name test as some engines
- can select a private key/cert automatically (When there is only one key
- and/or certificate on the hardware device used by the engine)
-
-Yang Tse (14 Nov 2009)
-- Constantine Sapuntzakis provided the fix that ensures that an SSL connection
- won't be reused unless protection level for peer and host verification match.
-
- I refactored how preprocessor symbol _THREAD_SAFE definition is done.
-
-Kamil Dudka (12 Nov 2009)
-- Kevin Baughman provided a fix preventing libcurl-NSS from crash on doubly
- closed NSPR descriptor. The issue was hard to find, reported several times
- before and always closed unresolved. More info at the RH bug:
- https://bugzilla.redhat.com/534176
-
-- libcurl-NSS now tries to reconnect with TLS disabled in case it detects
- a broken TLS server. However it does not happen if SSL version is selected
- manually. The approach was originally taken from PSM. Kaspar Brand helped me
- to complete the patch. Original bug reports:
- https://bugzilla.redhat.com/525496
- https://bugzilla.redhat.com/527771
-
-Yang Tse (12 Nov 2009)
-- I modified configure script to make the getaddrinfo function check also
- verify if the function is thread safe.
-
-Yang Tse (11 Nov 2009)
-- Marco Maggi reported that compilation failed when configured --with-gssapi
- and GNU GSS installed due to a missing mutual exclusion of header files in
- the Kerberos 5 code path. He also verified that my patch worked for him.
-
-Daniel Stenberg (11 Nov 2009)
-- Constantine Sapuntzakis posted bug #2891595
- (http://curl.haxx.se/bug/view.cgi?id=2891595) which identified how an entry
- in the DNS cache would linger too long if the request that added it was in
- use that long. He also provided the patch that now makes libcurl capable of
- still doing a request while the DNS hash entry may get timed out.
-
-- Christian Schmitz noticed that the progress meter/callback was not properly
- used during the FTP connection phase (after the actual TCP connect), while
- it of course should be. I also made the speed check get called correctly so
- that really slow servers will trigger that properly too.
-
-Kamil Dudka (5 Nov 2009)
-- Dropped misleading timeouts in libcurl-NSS and made sure the SSL socket works
- in non-blocking mode.
-
-Yang Tse (5 Nov 2009)
-- I removed leading 'curl' path on the 'curlbuild.h' include statement in
- curl.h, adjusting auto-makefiles include path, to enhance portability to
- OS's without an orthogonal directory tree structure such as OS/400.
-
-Daniel Stenberg (4 Nov 2009)
-- I fixed several problems with the transfer progress meter. It showed the
- wrong percentage for small files, most notable for <1000 bytes and could
- easily end up showing more than 100% at the end. It also didn't show any
- percentage, transfer size or estimated transfer times when transferring
- less than 100 bytes.
-
-Version 7.19.7 (4 November 2009)
-
-Daniel Stenberg (2 Nov 2009)
-- As reported independent by both Stan van de Burgt and Didier Brisebourg,
- CURLINFO_SIZE_DOWNLOAD (the -w variable size_download) didn't work when
- getting data from ldap!
-
-Daniel Stenberg (31 Oct 2009)
-- Gabriel Kuri reported a problem with CURLINFO_CONTENT_LENGTH_DOWNLOAD if the
- download was 0 bytes, as libcurl would then return the size as unknown (-1)
- and not 0. I wrote a fix and test case 566 to verify it.
-
-Daniel Stenberg (30 Oct 2009)
-- Liza Alenchery mentioned a problem with re-used SCP connection when a bad
- auth is used, as it caused a crash. I failed to repeat the issue, but still
- made a change that now forces the TCP connection used for a freed SCP
- session to get closed and not be re-used.
-
-- "Tom" posted a bug report that mentioned how libcurl did wrong when doing a
- POST using a read callback, with Digest authentication and
- "Transfer-Encoding: chunked" enforced. I would then cause the first request
- to be wrongly sent and then basically hang until the server closed the
- connection. I fixed the problem and added test case 565 to verify it.
-
-Daniel Stenberg (25 Oct 2009)
-- Dima Barsky made the curl cookie parser accept cookies even with blank or
- unparsable expiry dates and then treat them as session cookies - previously
- libcurl would reject cookies with a date format it couldn't parse. Research
- shows that the major browser treat such cookies as session cookies. I
- modified test 8 and 31 to verify this.
-
-Daniel Stenberg (21 Oct 2009)
-- Attempt to use pkg-config for finding out libssh2 installation details
- during configure.
-
-- A patch in bug report #2883177 (http://curl.haxx.se/bug/view.cgi?id=2883177)
- by Johan van Selst introduced the --crlfile option to curl, which makes curl
- tell libcurl about a file with CRL (certificate revocation list) data to
+- http2: infof length in on_frame_send()
+
+- pipeline: switch some code over to functions
+
+ ... to "compartmentalize" a bit and make it easier to change behavior
+ when multiplexing is used instead of good old pipelining.
+
+- symbols-in-versions: add CURLOPT_PIPEWAIT
+
+- CURLOPT_PIPEWAIT: added
+
+ By setting this option to 1 libcurl will wait for a connection to reveal
+ if it is possible to pipeline/multiplex on before it continues.
+
+- Curl_http_readwrite_headers: minor code simplification
+
+- IsPipeliningPossible: fixed for http2
+
+- http2: bump the h2 buffer size to 32K for speed
+
+- http2: remove the stream from the hash in stream_close callback
+
+ ... and suddenly things work much better!
+
+- http2: if there is paused data, do not clear the drain field
+
+- http2: rename s/data/pausedata
+
+- http2: "stream %x" in all outputs to make it easier to search for
+
+- http2: Curl_expire() all handles with incoming traffic
+
+ ... so that they'll get handled next in the multi loop.
+
+- http2: don't signal settings change for same values
+
+- http2: set default concurrency, fix ConnectionExists for multiplex
+
+- bundles: store no/default/pipeline/multiplex
+
+ to allow code to act differently on the situation.
+
+ Also added some more info message for the connection re-use function to
+ make it clearer when connections are not re-used.
+
+- http2: lazy init header_recvbuf
+
+ It makes us use less memory when not doing HTTP/2 and subsequently also
+ makes us not have to cleanup HTTP/2 related data when not using HTTP/2!
+
+- http2: separate multiplex/pipelining + cleanup memory leaks
+
+- CURLMOPT_PIPELINE: bit 1 is for multiplexing
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Fix bug that data to be drained are overwritten by pending "paused" data
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Don't call nghttp2_session_mem_recv while it is paused by a stream
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Read data left in connection buffer after pause
+
+ Previously when we do pause because of out of buffer, we just throw
+ away unread data in connection buffer. This just broke protocol
+ framing, and I saw occasional FRAME_SIZE_ERROR. This commit fix this
+ issue by remembering how much data read, and in the next iteration, we
+ process remaining data.
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Fix streams get stuck
+
+ This commit fixes the bug that streams get stuck if stream gets some
+ DATA, and stream->closed becomes true at the same time. Previously,
+ in this condition, after we processed DATA, we are going to try to
+ read data from underlying transport, but there is no data, and gets
+ EAGAIN. There was no code path to evaludate stream->closed.
+
+- http2: store incoming h2 SETTINGS
+
+- pipeline: move function to pipeline.c and make static
+
+ ... as it was only used from there.
+
+- IsPipeliningPossible: http2 can always "pipeline" (multiplex)
+
+- http2: remove debug logging from on_frame_recv
+
+- http2: remove the closed check in http2_recv
+
+ With the "drained" functionality we can get here slightly asynchronously
+ so the stream have have been closed but there is pending data left to
read.
-Daniel Stenberg (18 Oct 2009)
-- Ray Dassen provided a patch in Debian's bug tracker (bug number #551461)
- that now makes curl_getdate(3) actually handles RFC 822 formatted dates that
- use the "single letter military timezones".
- http://www.rfc-ref.org/RFC-TEXTS/822/chapter5.html has the details.
-
-- Fixed memory leak in the SCP/SFTP code as it never freed the knownhosts
- data!
-
-- John Dennis filed bug report #2873666
- (http://curl.haxx.se/bug/view.cgi?id=2873666) which identified a problem
- which made libcurl loop infinitely when given incorrect credentials when
- using HTTP GSS negotiate authentication. He also provided a small and simple
- patch for it.
-
-- Kevin Baughman found a double close() problem with libcurl-NSS, as when
- libcurl called NSS to close the SSL "session" it also closed the actual
- socket.
-
-Yang Tse (17 Oct 2009)
-- Bug report #2866724 indicated
- (http://curl.haxx.se/bug/view.cgi?id=2866724) that curl on Windows failed
- when writing files whose file names originally contained characters which
- are not valid for file names on Windows. Dan Fandrich provided an initial
- patch and another revised one to fix this issue.
-
-Daniel Stenberg (1 Oct 2009)
-- Tom Mueller correctly reported in bug report #2870221
- (http://curl.haxx.se/bug/view.cgi?id=2870221) that libcurl returned an
- incorrect return code from the internal trynextip() function which caused
- him grief. This is a regression that was introduced in 7.19.1 and I find it
- strange it hasn't hit us harder, but I won't persue into figuring out
- exactly why.
-
-- Constantine Sapuntzakis: The current implementation will always set
- SO_SNDBUF to CURL_WRITE_SIZE even if the SO_SNDBUF starts out larger. The
- patch doesn't do a setsockopt if SO_SNDBUF is already greater than
- CURL_WRITE_SIZE. This should help folks who have set up their computer with
- large send buffers.
-
-Daniel Stenberg (27 Sep 2009)
-- I introduced a maximum limit for received HTTP headers. It is controlled by
- the define CURL_MAX_HTTP_HEADER which is even exposed in the public header
- file to allow for users to fairly easy rebuild libcurl with a modified
- limit. The rationale for a fixed limit is that libcurl is realloc()ing a
- buffer to be able to put a full header into it, so that it can call the
- header callback with the entire header, but that also risk getting it into
- trouble if a server by mistake or willingly sends a header that is more or
- less without an end. The limit is set to 100K.
-
-Daniel Stenberg (26 Sep 2009)
-- John P. McCaskey posted a bug report that showed how libcurl did wrong when
- saving received cookies with no given path, if the path in the request had a
- query part. That is means a question mark (?) and characters on the right
- side of that. I wrote test case 1105 and fixed this problem.
-
-Kamil Dudka (26 Sep 2009)
-- Implemented a protocol independent way to specify blocking direction, used by
- transfer.c for blocking. It is currently used only by SCP and SFTP protocols.
- This enhancement resolves an issue with 100% CPU usage during SFTP upload,
- reported by Vourhey.
-
-Daniel Stenberg (25 Sep 2009)
-- Chris Mumford filed bug report #2861587
- (http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used
- the OpenSSL function X509_load_crl_file() wrongly and failed if it would
- load a CRL file with more than one certificate within. This is now fixed.
-
-Daniel Stenberg (16 Sep 2009)
-- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
- powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
- field in the certficate it had to match and so even if non-DNS and non-IP
- entry was present it caused the verification to fail.
-
-Daniel Fandrich (15 Sep 2009)
-- Moved the libssh2 checks after the SSL library checks. This helps when
- statically linking since libssh2 needs the SSL library link flags to be
- set up already to satisfy its dependencies. This wouldn't be necessary if
- the libssh2 configure check was changed to use pkg-config since the
- --static flag would add the dependencies automatically.
-
-Yang Tse (14 Sep 2009)
-- Revert Joshua Kwan's patch committed 11 Sep 2009.
-
- Some systems poll function sets POLLHUP in revents without setting
- POLLIN, and sets POLLERR without setting POLLIN and POLLOUT. In some
- libcurl code execution paths this could trigger busy wait loops with
- high CPU usage until a timeout condition aborted the loop.
-
- The reverted patch addressed the above issue for a very specific case,
- when awaiting c-ares to resolve. A libcurl-wide fix for Curl_poll now
- superceeds this one.
-
-Guenter Knauf (11 Sep 2009)
-- Joshua Kwan provided a patch to pass POLLERR / POLLHUP back to c-ares.
- This fixes a loop problem with high CPU usage.
-
-Daniel Stenberg (10 Sep 2009)
-- Claes Jakobsson fixed a problem with cookie expiry dates at exctly the epoch
- start second "Thu Jan 1 00:00:00 GMT 1970" as the date parser then returns 0
- which internally then is treated as a session cookie. That particular date
- is now made to get the value of 1.
-
-Daniel Stenberg (2 Sep 2009)
-- Daniel Johnson found a flaw in the code converting sftp-errors to libcurl
- errors.
-
-Daniel Stenberg (1 Sep 2009)
-- Peter Sylvester made a debug feature for Curl_resolv() that now will force
- libcurl to resolve 'localhost' whatever name you use in the URL *if* you set
- the --interface option to (exactly) "LocalHost". This will enable us to
- write tests for custom hosts names but still use a local host server.
-
-- configure now tries to use pkg-config for a number of sub-dependencies even
- when cross-compiling. The key to success is then you properly setup
- PKG_CONFIG_PATH before invoking configure.
-
- I also improved how NSS is detected by trying nss-config if pkg-config isn't
- present, and as a last resort just use the lib name and force the user to
- setup the LIBS/LDFLAGS/CFLAGS etc properly. The previous last resort would
- add a range of various libs that would almost never be quite correct.
-
-Daniel Stenberg (31 Aug 2009)
-- When using the multi interface with FTP and you asked for NOBODY, you did no
- QUOTE commands and the request used the same path as the connection had
- already changed to, it would decide that no commands would be necessary for
- the "DO" action and that was not handled properly but libcurl would instead
- hang.
-
-Kamil Dudka (28 Aug 2009)
-- Improved error message for not matching certificate subject name in
- libcurl-NSS. Originally reported at:
- https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
-
-Patrick Monnerat (24 Aug 2009)
-- Introduced a SYST-based test to properly set-up name format when dealing
- with the OS/400 FTP server.
-
-- Fixed an ftp_readresp() bug preventing detection of failing control socket
- and causing FTP client to loop forever.
-
-Daniel Stenberg (24 Aug 2009)
-- Marc de Bruin pointed out that configure --with-gnutls=PATH didn't work
- properly and provided a fix. http://curl.haxx.se/bug/view.cgi?id=2843008
-
-- Eric Wong introduced support for the new option -T. (dot) that makes curl
- read stdin in a non-blocking fashion. This also brings back -T- (minus) to
- the previous blocking behavior since it could break stuff for people at
- times.
-
-Michal Marek (21 Aug 2009)
-- With CURLOPT_PROXY_TRANSFER_MODE, avoid sending invalid URLs like
- ftp://example.com;type=i if the user specified ftp://example.com without the
- slash.
-
-Daniel Stenberg (21 Aug 2009)
-- Andre Guibert de Bruet pointed out a missing return code check for a
- strdup() that could lead to segfault if it returned NULL. I extended his
- suggest patch to now have Curl_retry_request() return a regular return code
- and better check that.
-
-- Lots of good work by Krister Johansen, mostly related to pipelining:
-
- Fix SIGSEGV on free'd easy_conn when pipe unexpectedly breaks
- Fix data corruption issue with re-connected transfers
- Fix use after free if we're completed but easy_conn not NULL
-
-Kamil Dudka (13 Aug 2009)
-- Changed NSS code to not ignore the value of ssl.verifyhost and produce more
- verbose error messages. Originally reported at:
- https://bugzilla.redhat.com/show_bug.cgi?id=516056
-
-Daniel Stenberg (12 Aug 2009)
-- Karl Moerder fixed the Makefile.vc* makefiles to include the new file
- nonblock.c so that they work fine again
-
-- I expanded test 517 with a bunch of more dates that originate from the
- Chrome browser test suite. It turns out most of them get parsed the same
- way.
-
-Version 7.19.6 (12 August 2009)
-
-Daniel Stenberg (12 Aug 2009)
-- Carsten Lange reported a bug and provided a patch for TFTP upload and the
- sending of the TSIZE option. I don't like fixing bugs just hours before
- a release, but since it was broken and the patch fixes this for him I decided
- to get it in anyway.
-
-Daniel Stenberg (11 Aug 2009)
-- Peter Sylvester made the HTTPS test server use specific certificates for
- each test, so that the test suite can now be used to actually test the
- verification of cert names etc. This made an error show up in the OpenSSL-
- specific code where it would attempt to match the CN field even if a
- subjectAltName exists that doesn't match. This is now fixed and verified
- in test 311.
-
-- Benbuck Nason posted the bug report #2835196
- (http://curl.haxx.se/bug/view.cgi?id=2835196), fixing a few compiler
- warnings when mixing ints and bools.
-
-Daniel Fandrich (10 Aug 2009)
-- Fixed a memory leak in the FTP code and an off-by-one heap buffer overflow.
-
-Daniel Fandrich (9 Aug 2009)
-- Fixed some memory leaks in the command-line tool that caused most of the
- torture tests to fail.
-
-Daniel Stenberg (2 Aug 2009)
-- Curt Bogmine reported a problem with SNI enabled on a particular server. We
- should introduce an option to disable SNI, but as we're in feature freeze
- now I've addressed the obvious bug here (pointed out by Peter Sylvester): we
- shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected.
- Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular
- option for SNI, or are we simply not using it?
-
-Daniel Stenberg (1 Aug 2009)
-- Scott Cantor posted the bug report #2829955
- (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
- verification flaw found and exploited by Moxie Marlinspike. The presentation
- he did at Black Hat is available here:
- https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
-
- Apparently at least one CA allowed a subjectAltName or CN that contain a
- zero byte, and thus clients that assumed they would never have zero bytes
- were exploited to OK a certificate that didn't actually match the site. Like
- if the name in the cert was "example.com\0theatualsite.com", libcurl would
- happily verify that cert for example.com.
-
- libcurl now better uses the length of the extracted name, not using the zero
- termination for getting the string length.
-
- This fixing only made and needed in OpenSSL interfacing code.
-
-- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (present
- only in some OpenSSL installs - like on Windows) isn't thread-safe and we
- agreed that moving it to the global_init() function is a decent way to deal
- with this situation.
-
-- Alexander Beedie provided the patch for a noproxy problem: If I have set
- CURLOPT_NOPROXY to "*", or to a host that should not use a proxy, I actually
- could still end up using a proxy if a proxy environment variable was set.
-
-Daniel Stenberg (27 Jul 2009)
-- All the quote options (CURLOPT_QUOTE, CURLOPT_POSTQUOTE and
- CURLOPT_PREQUOTE) now accept a preceeding asterisk before the command to
- send when using FTP, as a sign that libcurl shall simply ignore the response
- from the server instead of treating it as an error. Not treating a 400+ FTP
- response code as an error means that failed commands will not abort the
- chain of commands, nor will they cause the connection to get disconnected.
-
-Daniel Stenberg (26 Jul 2009)
-- Johan van Selst posted bug report #2825989
- (http://curl.haxx.se/bug/view.cgi?id=2825989) pointing out that
- OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm, and
- provided the solution too: to use OpenSSL_add_all_algorithms() in addition
- to the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in
- OpenSSL 0.9.5
-
-Daniel Stenberg (23 Jul 2009)
-- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA.
- They introduce known_host support for SSH keys to libcurl. See docs for
- details. Note that this feature depends on a new enough libssh2 version, to
- be supported in libssh2 1.2 and later (or current git repo at this time).
-
-Michal Marek (22 Jul 2009)
-- David Binderman found a memory and fd leak in lib/gtls.c:load_file()
- (https://bugzilla.novell.com/523919). When looking at the code, I found that
- also the ptr pointer can leak.
-
-Kamil Dudka (20 Jul 2009)
-- Claes Jakobsson improved the support for client certificates handling in
- NSS-powered libcurl. Now the client certificates can be selected
- automatically by a NSS built-in hook. Additionally pre-login to all PKCS11
- slots is no more performed. It used to cause problems with HW tokens.
-
-- Fixed reference counting for NSS client certificates. Now the PEM reader
- module should be always properly unloaded on Curl_nss_cleanup(). If the
- unload fails though, libcurl will try to reuse the already loaded instance.
-
-Daniel Fandrich (15 Jul 2009)
-- Added nonblock.c to the non-automake makefiles (note that the dependencies
- in the Watcom makefiles aren't quite correct).
-
-Michal Marek (15 Jul 2009)
-- Changed the description of CURLINFO_OS_ERRNO to make it clear that the
- errno is not reset on success.
-
-Guenter Knauf (14 Jul 2009)
-- renamed generated config.h to curl_config.h to avoid any future clashes
- with config.h from other projects.
-
-Daniel Stenberg (9 Jul 2009)
-- Eric Wong introduced curlx_nonblock() that the curl tool now (re-)uses for
- setting a file descriptor non-blocking. Used by the functionality Eric
- himself brough on June 15th.
-
-Daniel Stenberg (8 Jul 2009)
-- Constantine Sapuntzakis posted bug report #2813123
- (http://curl.haxx.se/bug/view.cgi?id=2813123) and an a patch that fixes the
- problem:
-
- Url A is accessed using auth. Url A redirects to Url B (on a different
- server0. Url B reuses a persistent connection. Url B has auth, even though
- it's on a different server.
-
- Note: if Url B does not reuse a persistent connection, auth is not sent.
-
- reason:
-
- data->state.first_host is not initialized becuase Curl_http_connect is not
- called when a connection is reused.
-
- Solution:
-
- move initialization of data->state.first_host to Curl_http. No code before
- Curl_http uses data->state.first_host anyway.
-
-Guenter Knauf (4 Jul 2009)
-- Markus Koetter provided a patch to avoid getnameinfo() usage which broke a
- couple of both IPv4 and IPv6 autobuilds.
-
-Daniel Stenberg (29 Jun 2009)
-- Markus Koetter made CURLOPT_FTPPORT (and curl's -P/--ftpport) support a port
- range if given colon-separated after the host name/address part. Like
- "192.168.0.1:2000-10000"
-
-- Modified the separators used for CURLOPT_CERTINFO in multi-part outputs. I
- don't know how they got wrong in the first place, but using this output
- format makes it possible to quite easily separate the string into an array
- of multiple items.
-
-Daniel Fandrich (16 June 2009)
-- Added a few more compiler warning options for gcc.
-
-Daniel Stenberg (16 Jun 2009)
-- Reuven Wachtfogel made curl -o - properly produce a binary output on windows
- (no newline translations). Use -B/--use-ascii if you rather get the ascii
- approach.
-
-Michal Marek (16 Jun 2009)
-- When doing non-anonymous ftp via http proxies and the password is not
- provided in the url, add it there (squid needs this).
-
-Daniel Stenberg (15 Jun 2009)
-- Eric Wong's patch:
-
- This allows curl(1) to be used as a client-side tunnel for arbitrary stream
- protocols by abusing chunked transfer encoding in both the HTTP request and
- HTTP response. This requires server support for sending a response while a
- request is still being read, of course.
-
- If attempting to read from stdin returns EAGAIN, then we pause our sender.
- This leaves curl to attempt to read from the socket while reading from stdin
- (and thus sending) is paused.
-
- This change was needed to allow successfully tunneling the git protocol over
- HTTP (--no-buffer is needed, as well).
-
-Patrick Monnerat (15 Jun 2009)
-- Replaced use of standard C library rand()/srand() by our own pseudo-random
- number generator.
-
-Yang Tse (11 Jun 2009)
-- I adapted testcurl script to allow building test harness programs when
- cross-compiling for a *-*-mingw* host.
-
-Daniel Stenberg (10 Jun 2009)
-- Fabian Keil ran clang on the (lib)curl code, found a bunch of warnings and
- contributed a range of patches to fix them.
-
-Yang Tse (10 Jun 2009)
-- I introduced configure script option --enable-curldebug which now allows
- the decoupled enabling or disabling of the curl debug memory tracking
- feature from the --enable-debug option which no longer controls this.
-
- curl --version will list 'Debug' feature for debug enabled builds, and
- will list 'TrackMemory' feature for curl debug memory tracking capable
- builds. These features are independent and can be controlled when running
- the configure script. When --enable-debug is given both features will be
- enabled, unless some restriction prevents memory tracking from being used.
-
- Internally, definition of preprocessor symbol DEBUGBUILD restricts code
- which is only compiled for debug enabled builds. And symbol CURLDEBUG is
- used to differentiate code which is _only_ used for memory tracking.
-
-Yang Tse (9 Jun 2009)
-- Daniel Steinberg pointed out that Curl_FormInit() in formdata.c was not
- initializing the fread callback pointer and this triggered a compiler
- warning, also provided a friendly suggestion on how to fix it.
-
-Daniel Stenberg (8 Jun 2009)
-- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
- issue with client certs that caused issues like segfaults.
- http://curl.haxx.se/mail/lib-2009-05/0316.html
-
-- Triggered by bug report #2798852 and the patch in there, I fixed configure
- to detect gnutls build options with pkg-config only and not libgnutls-config
- anymore since GnuTLS has stopped distributing that tool. If an explicit path
- is given to configure, we will instead guess on how to link and use that
- lib. I did not use the patch from the bug report.
-
-Yang Tse (8 Jun 2009)
-- Igor Novoseltsev adjusted Makefile.vxworks to get sources and headers
- included from Makefile.inc, and provided docs\INSTALL VxWorks section.
-
-- I removed buildconf.bat from release and daily snapshot archives. This
- file is only for CVS tree checkout builds.
-
-Daniel Stenberg (8 Jun 2009)
-- Eric Wong fixed --no-buffer to actually switch off output buffering. Been
- broken since 7.19.0
-
-Bill Hoffman (6 Jun 2009)
-- Added some cmake docs and fixed socklen_t in the build.
-
-Yang Tse (5 Jun 2009)
-- John E. Malmberg provided VMS specific patch: "This fixes an existing bug
- in urlglob.c where it was not converting the Curl Unix exit code to a VMS
- DCL compatible exit code. This fix required the enhancement described next.
- This also adds an enhancement to main.c so that when curl is run under a
- Unix shell like Bash on VMS, it will return the standard Unix exit codes
- and messages." And another patch for docs/examples.
-
- I introduced os-specific.c and os-specific.h for use in curl tool code
- and adjusted John E. Malmberg's patch placement to use these new files
- as an effort to prevent main.c from growing ad infinitum. Code already
- existing in main.c which is OS specific should be moved into these files.
-
-Daniel Stenberg (4 June 2009)
-- Setting the Content-Length: header from your app when you do a POST or PUT
- is almost always a VERY BAD IDEA. Yet there are still apps out there doing
- this, and now recently it triggered a bug/side-effect in libcurl as when
- libcurl sends a POST or PUT with NTLM, it sends an empty post first when it
- knows it will just get a 401/407 back. If the app then replaced the
- Content-Length header, it caused the server to wait for input that libcurl
- wouldn't send. Aaron Oneal reported this problem in bug report #2799008
- (http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
-
-Yang Tse (4 Jun 2009)
-- Igor Novoseltsev provided patches and information, that after some
- adjustments to better fit curl's way of doing things, have resulted
- in the posibility of building libcurl for VxWorks.
-
-Daniel Fandrich (2 June 2009)
-- Checked in a Google Android make file. To use it, you must first
- create a config.h file by running configure in the Android environment,
- which doesn't seem to be easy to do. If no easy way can be found, a
- static config-android.h may need to be created and checked in to the
- libcurl source tree.
-
-Daniel Stenberg (1 June 2009)
-- Claes Jakobsson fixed the configure script to better find and use NSS
- without pkg-config.
-
-Yang Tse (1 Jun 2009)
-- John E. Malmberg provided a VMS specific clean-up for curl.h, and pointed
- out that the configure script was failing to detect the timeval struct on
- VMS when building with _XOPEN_SOURCE_EXTENDED undefined due to definition
- taking place in socket.h instead of time.h. I have adjusted configure
- script to also include this header when checking struct timeval.
-
-Daniel Stenberg (27 May 2009)
-- Frank McGeough provided a small OpenSSL #include fix to make libcurl compile
- fine with Nokia 5th edition 1.0 SDK for Symbian.
-
-- Andre Guibert de Bruet found a call to a OpenSSL function that didn't check
- for a failure properly.
-
-- Mike Crowe pointed out that setting CURLOPT_USERPWD to NULL used to clear
- the auth credentials back in 7.19.0 and earlier while now you have to set ""
- to get the same effect. His patch brings back the ability to use NULL.
-
-- Claes Jakobsson fixed libcurl-NSS to build fine even without the
- PK11_CreateGenericObject() function.
-
-Daniel Stenberg (25 May 2009)
-- bug report #2796358 (http://curl.haxx.se/bug/view.cgi?id=2796358) pointed
- out that the cookie parser would leak memory when it parses cookies that are
- received with domain, path etc set multiple times in the same header. While
- such a cookie is questionable, they occur in the wild and libcurl no longer
- leaks memory for them. I added such a header to test case 8.
-
-Daniel Fandrich (22 May 2009)
-- Removed some obsolete digest code that caused a valgrind error in test 551.
-
-Daniel Fandrich (20 May 2009)
-- Added "non-existing host" test keywords to make it easy to skip those
- tests on machines that have broken DNS configurations (such as
- those configured to use OpenDNS).
-
-Daniel Stenberg (19 May 2009)
-- Kamil Dudka brought the patch from the Redhat bug entry
- https://bugzilla.redhat.com/show_bug.cgi?id=427966 which was libcurl closing
- a bad file descriptor when closing down the FTP data connection. Caolan
- McNamara seems to be the original author of it.
-
-Version 7.19.5 (18 May 2009)
-
-Daniel Stenberg (17 May 2009)
-- James Bursa posted a patch to the mailing list that fixed a problem with
- no_proxy which made it not skip the proxy if the URL entered contained a
- user name. I added test case 1101 to verify.
-
-Daniel Stenberg (11 May 2009)
-- Balint Szilakszi reported a memory leak when libcurl did gzip decompression
- of streams that had some parts (legitimately) missing. We now provide and use
- a proper cleanup function for the content encoding submodule.
- http://curl.haxx.se/mail/lib-2009-05/0092.html
-
-- Kamil Dudka provided a fix for libcurl-NSS reported by Michael Cronenworth
- at https://bugzilla.redhat.com/show_bug.cgi?id=453612#c12
-
- If an incorrect password is given while loading a private key, libcurl ends
- up in an infinite loop consuming memory. The bug is critical.
-
-- I fixed the problem with doing NTLM, POST and then following a 302 redirect,
- as reported by Ebenezer Ikonne (on curl-users) and Laurent Rabret (on
- curl-library). The transfer was mistakenly marked to get more data to send
- but since it didn't actually have that, it just hung there...
-
-Daniel Stenberg (10 May 2009)
-- Andre Guibert de Bruet correctly pointed out an over-alloc with one wasted
- byte in the digest code.
-
-Yang Tse (9 May 2009)
-- Removed DOS and TPF package's subdirectory Makefile.am, it was only used
- to include some files in the distribution tarball serving no other purpose.
- Files from the DOS and TPF subdirectories are now included in the EXTRA_DIST
- of the Makefile in the parent subdirectory.
-
-Yang Tse (8 May 2009)
-- Changed host name literal in several tests to one under the haxx.se domain.
-
-- Renamed vc6 workspace and project files to avoid filename clash when used
- for conversion to later VS versions.
-
-Daniel Stenberg (8 May 2009)
-- Constantine Sapuntzakis fixed bug report #2784055
- (http://curl.haxx.se/bug/view.cgi?id=2784055) identifying a problem to
- connect to SOCKS proxies when using the multi interface. It turned out to
- almost not work at all previously. We need to wait for the TCP connect to
- be properly verified before doing the SOCKS magic.
-
- There's still a flaw in the FTP code for this.
-
-Daniel Stenberg (7 May 2009)
-- Made the SO_SNDBUF setting for the data connection socket for ftp uploads as
- well. See change 28 Apr 2009.
-
-Yang Tse (7 May 2009)
-- Fixed an issue affecting FTP transfers, introduced with the transfer.c
- patch committed May 4.
-
-Daniel Stenberg (7 May 2009)
-- Man page *roff problems fixed thanks to input from Colin Watson. Problems
- reported in the Debian package.
-
-- Vijay G filed bug report #2723236
- (http://curl.haxx.se/bug/view.cgi?id=2723236) identifying a problem with
- libcurl's TFTP code and its lack of dealing with the OACK packet.
-
-Yang Tse (5 May 2009)
-- Fixed the --ftp-port address of test #251 to the CLIENTIP address, and
- reverted the change affecting test suite harness committed 4 May.
-
-Daniel Stenberg (5 May 2009)
-- Inspired by Michael Smith's session id fix for OpenSSL, I did the
- corresponding fix in the GnuTLS code: make sure to store the new session id
- in case the previous re-used one is rejected.
-
-Daniel Stenberg (4 May 2009)
-- Michael Smith posted bug report #2786255
- (http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how
- libcurl did not deal with SSL session ids properly if the server rejected a
- re-use of one. Starting now, it will forget the rejected one and remember
- the new. This change was for OpenSSL only, it is likely that other SSL lib
- code needs similar fixes.
-
-Yang Tse (4 May 2009)
-- Applied David McCreedy's "transfer.c fixes for CURL_DO_LINEEND_CONV and
- non-ASCII platform HTTP requests" patch addressing two HTTP PUT problems:
- 1) On non-ASCII platforms not all of the protocol portions of the PUT are
- being translated to ASCII. 2) On all platforms the line endings of part of
- the protocol portions are mangled from CRLF to CRCRLF if data->set.crlf or
- data->set.prefer_ascii are set (depending on CURL_DO_LINEEND_CONV).
-
-- Applied David McCreedy's patch to fix test suite harness to allow test FTP
- server and client on different machines, providing FTP client address when
- running the FTP test server.
-
-Daniel Fandrich (3 May 2009)
-- Added and disabled test case 563 which shows KNOWN_BUGS #59. The bug
- report failed to mention that a proxy must be used to reproduce it.
-
-Yang Tse (2 May 2009)
-- Use a build-time configured curl_socklen_t data type instead of socklen_t.
-
-Yang Tse (1 May 2009)
-- Applied David McCreedy's patches "TPF-platform specific changes to various
- files" and "http.c fix to Curl_proxyCONNECT for non-ASCII platforms", the
- former with minor edits.
-
-Daniel Stenberg (30 Apr 2009)
-- I was going to fix issue #59 in KNOWN_BUGS
-
- If the CURLOPT_PORT option is used on an FTP URL like
- "ftp://example.com/file;type=A" the ";type=A" is stripped off.
-
- I added test case 562 to verify, only to find out that I couldn't repeat
- this bug so I hereby consider it not a bug anymore!
-
-Daniel Stenberg (29 Apr 2009)
-- Based on bug report #2723219 (http://curl.haxx.se/bug/view.cgi?id=2723219)
- I've now made TFTP "connections" not being kept for re-use within libcurl.
- TFTP is UDP-based so the benefit was really low (if even existing) to begin
- with so instead of tracking down to fix this problem we instead removed the
- re-use. I also enabled test case 1099 that I wrote a few days ago to verify
- that this change fixes the reported problem.
-
-Daniel Stenberg (28 Apr 2009)
-- Constantine Sapuntzakis filed bug report #2783090
- (http://curl.haxx.se/bug/view.cgi?id=2783090) pointing out that on windows
- we need to grow the SO_SNDBUF buffer somewhat to get really good upload
- speeds. http://support.microsoft.com/kb/823764 has the details. Friends
- confirmed that simply adding 32 to CURL_MAX_WRITE_SIZE is enough.
-
-- Bug report #2709004 (http://curl.haxx.se/bug/view.cgi?id=2709004) by Tim
- Chen pointed out how curl couldn't upload with resume when reading from a
- pipe.
-
- This ended up with the introduction of a new return code for the
- CURLOPT_SEEKFUNCTION callback that basically says that the seek failed but
- that libcurl may try to resolve the situation anyway. In our case this means
- libcurl will attempt to instead read that much data from the stream instead
- of seeking and that way curl can now upload with resume when data is read
- from a stream!
-
-Daniel Stenberg (26 Apr 2009)
-- Bug report #2779733 (http://curl.haxx.se/bug/view.cgi?id=2779733) by Sven
- Wegener pointed out that CURLINFO_APPCONNECT_TIME didn't work with the multi
- interface and provided a patch that fixed the problem!
-
-Daniel Stenberg (24 Apr 2009)
-- Kamil Dudka fixed another NSS-related leak when client certs were used.
-
-- Bug report #2779245 (http://curl.haxx.se/bug/view.cgi?id=2779245) by Rainer
- Koenig pointed out that the man page didn't tell that the *_proxy
- environment variables can be specified lower case or UPPER CASE and the
- lower case takes precedence,
-
-Daniel Fandrich (21 Apr 2009)
-- Added new libcurl source files to Amiga, RiscOS and VC6 build files.
-
-Yang Tse (21 Apr 2009)
-- Moved potential inclusion of system's malloc.h and memory.h header files to
- setup_once.h. Inclusion of each header file is based on the definition of
- NEED_MALLOC_H and NEED_MEMORY_H respectively.
-
- Renamed libcurl's memory.h to curl_memory.h
-
-Daniel Stenberg (20 Apr 2009)
-- Leanic Lefever reported a crash and did some detailed research on why and
- how it occurs (http://curl.haxx.se/mail/lib-2009-04/0289.html). The
- conclusion was that if an error is detected and Curl_done() is called for
- the connection, ftp_done() could at times return another error code that
- then would take precedence and that new code confused existing logic that
- works for the first error code (CURLE_SEND_ERROR) only.
-
-- Gisle Vanem noticed that --libtool would produce bogus strings at times for
- OBJECTPOINT options. Now we've introduced a new function - my_setopt_str -
- within the app for setting plain string options to avoid the risk of this
- mistake happening.
-
-Daniel Stenberg (17 Apr 2009)
-- Pramod Sharma reported and tracked down a bug when doing FTP over a HTTP
- proxy. libcurl would then wrongly close the connection after each
- request. In his case it had the weird side-effect that it killed NTLM auth
- for the proxy causing an inifinite loop!
-
- I added test case 1098 to verify this fix. The test case does however not
- properly verify that the transfers are done persistently - as I couldn't
- think of a clever way to achieve it right now - but you need to read the
- stderr output after a test run to see that it truly did the right thing.
-
-Daniel Stenberg (13 Apr 2009)
-- bug report #2727981 (http://curl.haxx.se/bug/view.cgi?id=2727981) by Martin
- Storsjö pointed out how setting CURLOPT_NOBODY to 0 could be downright
- confusing as it set the method to either GET or HEAD. The example he showed
- looked like:
-
- curl_easy_setopt(curl, CURLOPT_PUT, 1);
- curl_easy_setopt(curl, CURLOPT_NOBODY, 0);
-
- The new way doesn't alter the method until the request is about to start. If
- CURLOPT_NOBODY is then 1 the HTTP request will be HEAD. If CURLOPT_NOBODY is
- 0 and the request happens to have been set to HEAD, it will then instead be
- set to GET. I believe this will be less surprising to users, and hopefully
- not hit any existing users badly.
-
-- Toshio Kuratomi reported a memory leak problem with libcurl+NSS that turned
- out to be leaking cacerts. Kamil Dudka helped me complete the fix. The issue
- is found in Redhat's bug tracker:
- https://bugzilla.redhat.com/show_bug.cgi?id=453612
-
- There are still memory leaks present, but they seem to have other reasons.
-
-Daniel Fandrich (11 Apr 2009)
-- Added new libcurl source files to Symbian OS build files.
-- Improved Symbian support for SSL.
-
-Yang Tse (10 Apr 2009)
-- Daniel Johnson improved the MacOSX-Framework shell script to now perform all
- the steps required to build a Mac OS X four way fat ppc/i386/ppc64/x86_64
- libcurl.framework. Four way fat framework requires OS X 10.5 SDK or later.
-
-Yang Tse (8 Apr 2009)
-- Removed Sun compilers preprocessor block from curlbuild.h.dist, this also
- removes it from the curlbuild.h file originally distributed by the cURL
- project as this file is intended for systems not capable of running the
- configure script. For those who have been building curl out of the source
- code curl distribution tarball provided by curl.haxx.se the change implies
- nothing. Previous change in this area committed 2 Apr becomes irrelevant.
-
-Daniel Stenberg (6 Apr 2009)
-- I clarified in the docs that CURLOPT_SEEKFUNCTION should return 0 on success
- and 1 on fatal errors. Previously it only mentioned non-zero on fatal
- errors. This is a slight change in meaning, but it follows what we've done
- elsewhere before and it opens up for LOTS of more useful return codes
- whenever we can think of them...
-
-Yang Tse (2 Apr 2009)
-- Fix curl_off_t definition for builds done using Sun compilers and a
- non-configured libcurl. In this case curl_off_t data type was gated
- to the off_t data type which depends on the _FILE_OFFSET_BITS. This
- configuration is exactly the unwanted configuration for our curl_off_t
- data type which must not depend on such setting. This breaks ABI for
- libcurl libraries built with Sun compilers which were built without
- having run the configure script with _FILE_OFFSET_BITS different than
- 64 and using the ILP32 data model.
-
-Daniel Stenberg (1 Apr 2009)
-- Andre Guibert de Bruet fixed a NULL pointer use in an infof() call if a
- strdup() call failed.
-
-Daniel Fandrich (31 Mar 2009)
-- Properly return an error code in curl_easy_recv (reported by Jim Freeman).
-
-Daniel Stenberg (18 Mar 2009)
-- Kamil Dudka brought a patch that enables 6 additional crypto algorithms when
- NSS is used. These ciphers were added in NSS 3.4 and require to be enabled
- explicitly.
-
-Daniel Stenberg (13 Mar 2009)
-- Use libssh2_version() to present the libssh2 version in case the libssh2
- library is found to support it.
-
-Yang Tse (12 Mar 2009)
-- Added missing Curl_read() return code checking in TELNET transfers.
-
-- Pierre Brico found and fixed TELNET transfers not being aborted upon
- a write callback failure.
-
-Daniel Stenberg (11 Mar 2009)
-- Kamil Dudka made the curl tool properly call curl_global_init() before any
- other libcurl function.
-
-Yang Tse (11 Mar 2009)
-- Added missing TELNET timeout support for Windows builds. This issue was
- reported by Pierre Brico.
-
-Daniel Stenberg (9 Mar 2009)
-- Frank Hempel found out a bug and provided the fix:
-
- curl_easy_duphandle did not necessarily duplicate the CURLOPT_COOKIEFILE
- option. It only enabled the cookie engine in the destination handle if
- data->cookies is not NULL (where data is the source handle). In case of a
- newly initialized handle which just had the cookie support enabled by a
- curl_easy_setopt(handle, CURL_COOKIEFILE, "")-call, handle->cookies was
- still NULL because the setopt-call only appends the value to
- data->change.cookielist, hence duplicating this handle would not have the
- cookie engine switched on.
-
- We also concluded that the slist-functionality would be suitable for being
- put in its own module rather than simply hanging out in lib/sendf.c so I
- created lib/slist.[ch] for them.
-
-- Andreas Farber made the 'buildconf' script check for the presence of m4
- scripts to make it detect a bad checkout earlier. People with older
- checkouts who don't do cvs update with the -d option won't get the new dirs
- and then will get funny outputs that can be a bit hard to understand and
- fix.
-
-Daniel Stenberg (8 Mar 2009)
-- Andre Guibert de Bruet found and fixed a code segment in ssluse.c where the
- allocation of the memory BIO was not being properly checked.
-
-- Andre Guibert de Bruet fixed the gnutls-using code: There are a few places
- in the gnutls code where we were checking for negative values for errors,
- when the man pages state that GNUTLS_E_SUCCESS is returned on success and
- other values indicate error conditions.
-
-- Bill Egert pointed out (http://curl.haxx.se/bug/view.cgi?id=2671602) that
- curl didn't use sprintf() in a way that is documented to work in POSIX but
- since we use our own printf() code (from libcurl) that shouldn't be a
- problem. Nonetheless I modified the code to not rely on such particular
- features and to not cause further raised eyebrowse with no good reason.
-
-Daniel Fandrich (5 Mar 2009)
-- Expanded the security section of the libcurl-tutorial man page to cover
- more issues for authors to consider when writing robust libcurl-using
- applications.
-
-Yang Tse (5 Mar 2009)
-- Fixed NTLM authentication memory leak on SSPI enabled Windows builds. This
- issue was noticed by Chris Deidun.
-
-Daniel Fandrich (4 Mar 2009)
-- Fixed a problem with m4 quoting in the OpenSSL configure check reported
- by Daniel Johnson.
-
-Daniel Stenberg (3 Mar 2009)
-- David James brought a patch that make libcurl close (all) dead connections
- whenever you attempt to open a new connection.
-
- 1. After cleaning up a dead connection, "continue" instead of
- returning FALSE. This ensures that we clean up all dead connections,
- rather than just cleaning up the first dead connection.
- 2. Move up the cleanup for dead connections so that it occurs for
- all connections, rather than just the connections which have the same
- preferences as our current new connection.
-
-Version 7.19.4 (3 March 2009)
-
-Daniel Stenberg (3 Mar 2009)
-- David Kierznowski notified us about a security flaw
- (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
- which previous libcurl versions (by design) can be tricked to access an
- arbitrary local/different file instead of a remote one when
- CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
- together this the addition of two new setopt options for controlling this
- new behavior:
-
- o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
- follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
- excludes the FILE and SCP protocols and thus you nee to explicitly allow
- them in your app if you really want that behavior.
-
- o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
- using the primary URL option. This is useful if you want to allow a user or
- other outsiders control what URL to pass to libcurl and yet not allow all
- protocols libcurl may have been built to support.
-
-Daniel Stenberg (27 Feb 2009)
-- Senthil Raja Velu reported a problem when CURLOPT_INTERFACE and
- CURLOPT_LOCALPORT were used together (the local port bind failed), and
- Markus Koetter provided the fix!
-
-Daniel Stenberg (25 Feb 2009)
-- As Daniel Fandrich figured out, we must do the GnuTLS initing in the
- curl_global_init() function to properly maintain the performing functions
- thread-safe. We've previously (28 April 2007) moved the init to a later time
- just to avoid it to fail very early when libgcrypt dislikes the situation,
- but that move was bad and the fix should rather be in libgcrypt or
- elsewhere.
-
-Daniel Stenberg (24 Feb 2009)
-- Brian J. Murrell found out that Negotiate proxy authentication didn't work.
- It happened because the code used the struct for server-based auth all the
- time for both proxy and server auth which of course was wrong.
-
-Daniel Stenberg (23 Feb 2009)
-- After a bug reported by James Cheng I've made curl_easy_getinfo() for
- CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD return
- -1 if the sizes aren't know. Previously these returned 0, make it impossible
- to detect the difference between actually zero and unknown.
-
-Yang Tse (23 Feb 2009)
-- Daniel Johnson provided a shell script that will perform all the steps needed
- to build a Mac OS X fat ppc/i386 or ppc64/x86_64 libcurl.framework
-
-Daniel Stenberg (23 Feb 2009)
-- I renamed everything in the windows builds files that used the name 'curllib'
- to the proper 'libcurl' as clearly this caused confusion.
-
-Yang Tse (20 Feb 2009)
-- Do not halt compilation when using VS2008 to build a Windows 2000 target.
-
-Daniel Stenberg (20 Feb 2009)
-- Linus Nielsen Feltzing reported and helped me repeat and fix a problem with
- FTP with the multi interface: when a transfer fails, like when aborted by a
- write callback, the control connection was wrongly closed and thus not
- re-used properly.
-
- This change is also an attempt to cleanup the code somewhat in this area, as
- now the FTP code attempts to keep (better) track on pending responses
- necessary to get read in ftp_done().
-
-Daniel Stenberg (19 Feb 2009)
-- Patrik Thunstrom reported a problem and helped me repeat it. It turned out
- libcurl did a superfluous 1000ms wait when doing SFTP downloads!
-
- We read data with libssh2 while doing the "DO" operation for SFTP and then
- when we were about to start getting data for the actual file part, the
- "TRANSFER" part, we waited for socket action (in 1000ms) before doing a
- libssh2-read. But in this case libssh2 had already read and buffered the
- data so we ended up always just waiting 1000ms before we get working on the
- data!
-
-Patrick Monnerat (18 Feb 2009)
-- FTP downloads (i.e.: RETR) ending with code 550 now return error
- CURLE_REMOTE_FILE_NOT_FOUND instead of CURLE_FTP_COULDNT_RETR_FILE.
-
-Daniel Stenberg (17 Feb 2009)
-- Kamil Dudka made NSS-powered builds compile and run again!
-
-- A second follow-up change by Andre Guibert de Bruet to fix a related memory
- leak like that fixed on the 14th. When zlib returns failure, we need to
- cleanup properly before returning error.
-
-- CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 in addition to 1 for
- plain FTP connections, and it will then allow MKD to fail once and retry the
- CWD afterwards. This is especially useful if you're doing many simultanoes
- connections against the same server and they all have this option enabled,
- as then CWD may first fail but then another connection does MKD before this
- connection and thus MKD fails but trying CWD works! The numbers can
- (should?) now be set with the convenience enums now called
- CURLFTP_CREATE_DIR and CURLFTP_CREATE_DIR_RETRY.
-
- Tests has proven that if you're making an application that uploads a set of
- files to an ftp server, you will get a noticable gain in speed if you're
- using multiple connections and this option will be then be very useful.
-
-Daniel Stenberg (14 Feb 2009)
-- Andre Guibert de Bruet found and fixed a memory leak in the content encoding
- code, which could happen on libz errors.
-
-Daniel Fandrich (12 Feb 2009)
-- Added support for Digest and NTLM authentication using GnuTLS.
-
-Daniel Stenberg (11 Feb 2009)
-- CURLINFO_CONDITION_UNMET was added to allow an application to get to know if
- the condition in the previous request was unmet. This is typically a time
- condition set with CURLOPT_TIMECONDITION and was previously not possible to
- reliably figure out. From bug report #2565128
- (http://curl.haxx.se/bug/view.cgi?id=2565128) filed by Jocelyn Jaubert.
-
-Daniel Fandrich (4 Feb 2009)
-- Don't add the standard /usr/lib or /usr/include paths to LDFLAGS and CPPFLAGS
- (respectively) when --with-ssl=/usr is used (patch based on FreeBSD).
-
-- Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
- This couldn't ever overflow in curl, but might if the code were used
- elsewhere or under different conditions.
-
-Daniel Stenberg (3 Feb 2009)
-- Hidemoto Nakada provided a small fix that makes it possible to get the
- CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with
- CURLOPT_NOBODY set true.
-
-Daniel Stenberg (2 Feb 2009)
-- Patrick Scott found a rather large memory leak when using the multi
- interface and setting CURLMOPT_MAXCONNECTS to something less than the number
- of handles you add to the multi handle. All the connections that didn't fit
- in the cache would not be properly disconnected nor freed!
-
-- Craig A West brought us: libcurl now defaults to do CONNECT with HTTP
- version 1.1 instead of 1.0 like before. This change also introduces the new
- proxy type for libcurl called 'CURLPROXY_HTTP_1_0' that then allows apps to
- switch (back) to CONNECT 1.0 requests. The curl tool also got a --proxy1.0
- option that works exactly like --proxy but sets CURLPROXY_HTTP_1_0.
-
- I updated all test cases cases that use CONNECT and I tried to do some using
- --proxy1.0 and some updated to do CONNECT 1.1 to get both versions run.
-
-Daniel Stenberg (31 Jan 2009)
-- When building with c-ares 1.6.1 (not yet released) or later and IPv6 support
- enabled, we can now take advantage of its brand new AF_UNSPEC support in
- ares_gethostbyname(). This makes test case 241 finally run fine for me with
- this setup since it now parses the "::1 ip6-localhost" line fine in my
- /etc/hosts file!
-
-Daniel Stenberg (30 Jan 2009)
-- Scott Cantor filed bug report #2550061
- (http://curl.haxx.se/bug/view.cgi?id=2550061) mentioning that I failed to
- properly make sure that the VC9 makefiles got included in the latest
- release. I've now fixed the release script and verified it so next release
- will hopefully include them properly!
-
-Daniel Fandrich (30 Jan 2009)
-- Fixed --disable-proxy for FTP and SOCKS. Thanks to Daniel Egger for
- reporting.
-
-Yang Tse (29 Jan 2009)
-- Introduced curl_sspi.c and curl_sspi.h for the implementation of functions
- Curl_sspi_global_init() and Curl_sspi_global_cleanup() which previously were
- named Curl_ntlm_global_init() and Curl_ntlm_global_cleanup() in http_ntlm.c
- Also adjusted socks_sspi.c to remove the link-time dependency on the Windows
- SSPI library using it now in the same way as it was done in http_ntlm.c.
-
-Daniel Stenberg (28 Jan 2009)
-- Markus Moeller introduced two new options to libcurl:
- CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl
- to do GSS-style authentication with SOCKS5 proxies. The curl tool got the
- options called --socks5-gssapi-service and --socks5-gssapi-nec to enable
- these.
-
-Daniel Stenberg (26 Jan 2009)
-- Chad Monroe provided the new CURLOPT_TFTP_BLKSIZE option that allows an app
- to set desired block size to use for TFTP transfers instead of the default
- 512 bytes.
-
-- The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
- disable "rfc4507bis session ticket support". rfc4507bis was later turned
- into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077
-
- The enabled extension concerns the session management. I wonder how often
- libcurl stops a connection and then resumes a TLS session. also, sending the
- session data is some overhead. .I suggest that you just use your proposed
- patch (which explicitly disables TICKET).
-
- If someone writes an application with libcurl and openssl who wants to
- enable the feature, one can do this in the SSL callback.
-
- Sharad Gupta brought this to my attention. Peter Sylvester helped me decide
- on the proper action.
-
-- Alexey Borzov filed bug report #2535504
- (http://curl.haxx.se/bug/view.cgi?id=2535504) pointing out that realms with
- quoted quotation marks in HTTP Digest headers didn't work. I've now added
- test case 1095 that verifies my fix.
-
-- Craig A West brought CURLOPT_NOPROXY and the corresponding --noproxy option.
- They basically offer the same thing the NO_PROXY environment variable only
- offered previously: list a set of host names that shall not use the proxy
- even if one is specified.
-
-Daniel Fandrich (20 Jan 2009)
-- Call setlocale() for libtest tests to test the effects of locale-induced
- libc changes on libcurl.
-
-- Fixed a couple more locale-dependent toupper conversions, mainly for
- clarity. This does fix one problem that causes ;type=i FTP URLs
- to fail in the Turkish locale when CURLOPT_PROXY_TRANSFER_MODE is
- used (test case 561)
-
-- Added tests 561 and 1091 through 1094 to test various combinations
- of ;type= and ;mode= URLs that could potentially fail in the Turkish
- locale.
-
-Daniel Stenberg (20 Jan 2009)
-- Lisa Xu pointed out that the ssh.obj file was missing from the
- lib/Makefile.vc6 file (and thus from the vc8 and vc9 ones too).
-
-Version 7.19.3 (19 January 2009)
-
-Daniel Stenberg (16 Jan 2009)
-- Andrew de los Reyes fixed curlbuild.h for "generic" gcc builds on PPC, both
- 32 bit and 64 bit.
-
-Daniel Stenberg (15 Jan 2009)
-- Tim Ansell fixed a compiler warning in lib/cookie.c
-
-Daniel Stenberg (14 Jan 2009)
-- Grant Erickson fixed timeouts for TFTP such that specifying a
- connect-timeout, a max-time or both options work correctly and as expected
- by passing the correct boolean value to Curl_timeleft via the
- 'duringconnect' parameter.
-
- With this small change, curl TFTP now behaves as expected (and likely as
- originally-designed):
-
- 1) For non-existent or unreachable dotted IP addresses:
-
- a) With no options, follows the default curl 300s timeout...
- b) With --connect-timeout only, follows that value...
- c) With --max-time only, follows that value...
- d) With both --connect-timeout and --max-time, follows the smaller value...
-
- and times out with a "curl: (7) Couldn't connect to server" error.
-
- 2) For transfers to/from a valid host:
-
- a) With no options, follows default curl 300s timeout for the
- first XRQ/DATA/ACK transaction and the default TFTP 3600s
- timeout for the remainder of the transfer...
-
- b) With --connect-time only, follows that value for the
- first XRQ/DATA/ACK transaction and the default TFTP 3600s
- timeout for the remainder of the transfer...
-
- c) With --max-time only, follows that value for the first
- XRQ/DATA/ACK transaction and for the remainder of the
- transfer...
-
- d) With both --connect-timeout and --max-time, follows the former
- for the first XRQ/DATA/ACK transaction and the latter for the
- remainder of the transfer...
-
- and times out with a "curl: (28) Timeout was reached" error as
- appropriate.
-
-Daniel Stenberg (13 Jan 2009)
-- Michael Wallner fixed a NULL pointer deref when calling
- curl_easy_setup(curl, CURLOPT_COOKIELIST, "SESS") on a CURL handle with no
- cookies data.
-
-- Stefan Teleman brought a patch to fix the default curlbuild.h file for the
- SunPro compilers.
-
-Daniel Stenberg (12 Jan 2009)
-- Based on bug report #2498665 (http://curl.haxx.se/bug/view.cgi?id=2498665)
- by Daniel Black, I've now added magic to the configure script that makes it
- use pkg-config to detect gnutls details as well if the existing method
- (using libgnutls-config) fails. While doing this, I cleaned up and unified
- the pkg-config usage when detecting openssl and nss as well.
-
-Daniel Stenberg (11 Jan 2009)
-- Karl Moerder brought the patch that creates vc9 Makefiles, and I made
- 'maketgz' now use the actual makefile targets to do the VC8 and VC9
- makefiles.
-
-Daniel Stenberg (10 Jan 2009)
-- Emil Romanus fixed:
-
- When using the multi interface over HTTP and the server returns a Location
- header, the running easy handle will get stuck in the CURLM_STATE_PERFORM
- state, leaving the external event loop stuck waiting for data from the
- ingoing socket (when using the curl_multi_socket_action stuff). While this
- bug was pretty hard to find, it seems to require only a one-line fix. The
- break statement on line 1374 in multi.c caused the function to skip the call
- to multistate().
-
- How to reproduce this bug? Well, that's another question. evhiperfifo.c in
- the examples directory chokes on this bug only _sometimes_, probably
- depending on how fast the URLs are added. One way of testing the bug out is
- writing to hiper.fifo from more than one source at the same time.
-
-Daniel Fandrich (7 Jan 2009)
-- Unified much of the SessionHandle initialization done in Curl_open() and
- curl_easy_reset() by creating Curl_init_userdefined(). This had the side
- effect of fixing curl_easy_reset() so it now also resets
- CURLOPT_FTP_FILEMETHOD and CURLOPT_SSL_SESSIONID_CACHE
-
-Daniel Stenberg (7 Jan 2009)
-- Rob Crittenden did once again provide an NSS update:
-
- I have to jump through a few hoops now with the NSS library initialization
- since another part of an application may have already initialized NSS by the
- time Curl gets invoked. This patch is more careful to only shutdown the NSS
- library if Curl did the initialization.
-
- It also adds in a bit of code to set the default ciphers if the app that
- call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
- ciphers. One might argue that this lets other application developers get
- lazy and/or they aren't using the NSS API correctly, and you'd be right.
- But still, this will avoid terribly difficult-to-trace crashes and is
- generally helpful.
-
-Daniel Stenberg (1 Jan 2009)
-- 'reconf' is removed since we rather have users use 'buildconf'
-
-Daniel Stenberg (31 Dec 2008)
-- Bas Mevissen reported http://curl.haxx.se/bug/view.cgi?id=2479030 pointing
- out that 'reconf' didn't properly point out the m4 subdirectory when running
- aclocal.
-
-Daniel Stenberg (29 Dec 2008)
- - Phil Lisiecki filed bug report #2413067
- (http://curl.haxx.se/bug/view.cgi?id=2413067) that identified a problem that
- would cause libcurl to mark a DNS cache entry "in use" eternally if the
- subsequence TCP connect failed. It would thus never get pruned and refreshed
- as it should've been.
-
- Phil provided his own patch to this problem that while it seemed to work
- wasn't complete and thus I wrote my own fix to the problem.
-
-Daniel Stenberg (28 Dec 2008)
-- Peter Korsgaard fixed building libcurl with "configure --with-ssl
- --disable-verbose".
-
-- Anthony Bryan fixed more language and spelling flaws in man pages.
-
-Daniel Stenberg (22 Dec 2008)
-- Given a recent enough libssh2, libcurl can now seek/resume with SFTP even
- on file indexes beyond 2 or 4GB.
-
-- Anthony Bryan provided a set of patches that cleaned up manual language,
- corrected spellings and more.
-
-Daniel Stenberg (20 Dec 2008)
-- Igor Novoseltsev fixed a bad situation for the multi_socket() API when doing
- pipelining, as libcurl could then easily get confused and A) work on the
- handle that was not "first in queue" on a pipeline, or even B) tell the app
- to REMOVE a socket while it was in use by a second handle in a pipeline. Both
- errors caused hanging or stalling applications.
-
-Daniel Stenberg (19 Dec 2008)
-- curl_multi_timeout() could return a timeout value of 0 even though nothing
- was actually ready to get done, as the internal time resolution is higher
- than the returned millisecond timer. Therefore it could cause applications
- running on fast processors to do short bursts of busy-loops.
- curl_multi_timeout() will now only return 0 if the timeout is actually
- alreay triggered.
-
-- Using the libssh2 0.19 function libssh2_session_block_directions(), libcurl
- now has an improved ability to do right when the multi interface (both
- "regular" and multi_socket) is used for SCP and SFTP transfers. This should
- result in (much) less busy-loop situations and thus less CPU usage with no
- speed loss.
-
-Daniel Stenberg (17 Dec 2008)
-- SCP and SFTP with the multi interface had the same flaw: the 'DONE'
- operation didn't complete properly if the EAGAIN equivalent was returned but
- libcurl would simply continue with a half-completed close operation
- performed. This ruined persistent connection re-use and cause some
- SSH-protocol errors in general. The correction is unfortunately adding a
- blocking function - doing it entirely non-blocking should be considered for
- a better fix.
-
-Gisle Vanem (16 Dec 2008)
-- Added the possibility to use the Watt-32 tcp/ip stack under Windows.
- The change simply involved adding a USE_WATT32 section in the
- config-win32.h files (under ./lib and ./src). This section disables
- the use of any Winsock headers.
-
-Daniel Stenberg (16 Dec 2008)
-- libssh2_sftp_last_error() was wrongly used at some places in libcurl which
- made libcurl sometimes not properly abort problematic SFTP transfers.
-
-Daniel Stenberg (12 Dec 2008)
-- More work with Igor Novoseltsev to first fix the remaining stuff for
- removing easy handles from multi handles when the easy handle is/was within
- a HTTP pipeline. His bug report #2351653
- (http://curl.haxx.se/bug/view.cgi?id=2351653) was also related and was
- eventually fixed by a patch by Igor himself.
-
-Yang Tse (12 Dec 2008)
-- Patrick Monnerat fixed a build regression, introduced in 7.19.2, affecting
- OS/400 compilations with IPv6 enabled.
-
-Daniel Stenberg (12 Dec 2008)
-- Mark Karpeles filed bug report #2416182 titled "crash in ConnectionExists
- when using duphandle+curl_mutli"
- (http://curl.haxx.se/bug/view.cgi?id=2416182) which showed that
- curl_easy_duphandle() wrongly also copied the pointer to the connection
- cache, which was plain wrong and caused a segfault if the handle would be
- used in a different multi handle than the handle it was duplicated from.
-
-Daniel Stenberg (11 Dec 2008)
-- Keshav Krity found out that libcurl failed to deal with dotted IPv6
- addresses if they were very long (>39 letters) due to a too strict address
- validity parser. It now accepts addresses up to 45 bytes long.
-
-Daniel Stenberg (11 Dec 2008)
-- Internet Explorer had a broken HTTP digest authentication before v7 and
- there are servers "out there" that relies on the client doing this broken
- Digest authentication. Apache even comes with an option to work with such
- broken clients.
-
- The difference is only for URLs that contain a query-part (a '?'-letter and
- text to the right of it).
-
- libcurl now supports this quirk, and you enable it by setting the
- CURLAUTH_DIGEST_IE bit in the bitmask you pass to the CURLOPT_HTTPAUTH or
- CURLOPT_PROXYAUTH options. They are thus individually controlled to server
- and proxy.
-
- (note that there's no way to activate this with the curl tool yet)
-
-Daniel Fandrich (9 Dec 2008)
-- Added test cases 1089 and 1090 to test --write-out after a redirect to
- test a report that the size didn't work, but these test cases pass.
-
-- Documented CURLOPT_CONNECT_ONLY as being useful only on HTTP URLs.
-
-Daniel Stenberg (9 Dec 2008)
-- Ken Hirsch simplified how libcurl does FTPS: now it doesn't assume any
- particular state for the control connection like it did before for implicit
- FTPS (libcurl assumed such control connections to be encrypted while some
- FTPS servers such as FileZilla assumes such connections to be clear
- mode). Use the CURLOPT_USE_SSL option to set your desired level.
-
-Daniel Stenberg (8 Dec 2008)
-- Fred Machado posted about a weird FTP problem on the curl-users list and when
- researching it, it turned out he got a 550 response back from a SIZE command
- and then I fell over the text in RFC3659 that says:
-
- The presence of the 550 error response to a SIZE command MUST NOT be taken
- by the client as an indication that the file cannot be transferred in the
- current MODE and TYPE.
-
- In other words: the change I did on September 30th 2008 and that has been
- included in the last two releases were a regression and a bad idea. We MUST
- NOT take a 550 response from SIZE as a hint that the file doesn't exist.
-
-- Christian Krause filed bug #2221237
- (http://curl.haxx.se/bug/view.cgi?id=2221237) that identified an infinite
- loop during GSS authentication given some specific conditions. With his
- patience and great feedback I managed to narrow down the problem and
- eventually fix it although I can't test any of this myself!
-
-Daniel Fandrich (3 Dec 2008)
-- Fixed the getifaddrs version of Curl_if2ip to work on systems without IPv6
- support (e.g. Minix)
-
-Daniel Stenberg (3 Dec 2008)
-- Igor Novoseltsev filed bug #2351645
- (http://curl.haxx.se/bug/view.cgi?id=2351645) that identified a problem with
- the multi interface that occured if you removed an easy handle while in
- progress and the handle was used in a HTTP pipeline.
-
-- Pawel Kierski pointed out a mistake in the cookie code that could lead to a
- bad fclose() after a fatal error had occured.
- (http://curl.haxx.se/bug/view.cgi?id=2382219)
-
-Daniel Fandrich (25 Nov 2008)
-- If a HTTP request is Basic and num is already >=1000, the HTTP test
- server adds 1 to num to get the data section to return. This allows
- testing authentication negotiations using the Basic authentication
- method.
-
-- Added tests 1087 and 1088 to test Basic authentication on a redirect
- with and without --location-trusted
-
-Daniel Stenberg (24 Nov 2008)
-- Based on a patch by Vlad Grachov, libcurl now uses a new libssh2 0.19
- function when built to support SCP and SFTP that helps the library to know
- in which direction a particular libssh2 operation would return EAGAIN so
- that libcurl knows what socket conditions to wait for before trying the
- function call again. Previously (and still when using libssh2 0.18 or
- earlier), libcurl will busy-loop in this situation when the easy interface
- is used!
-
-Daniel Fandrich (20 Nov 2008)
-- Automatically detect OpenBSD's CA cert bundle.
-
-Daniel Stenberg (19 Nov 2008)
-- I removed the default use of "Pragma: no-cache" from libcurl when a proxy is
- used. It has been used since forever but it was never a good idea to use
- unless explicitly asked for.
-
-- Josef Wolf's extension that allows a $TESTDIR/gdbinit$testnum file that when
- you use runtests.pl -g, will be sourced by gdb to allow additional fancy or
- whatever you see fit
-
-- Christian Krause reported and fixed a memory leak that would occur with HTTP
- GSS/kerberos authentication (http://curl.haxx.se/bug/view.cgi?id=2284386)
-
-- Andreas Wurf and Markus Koetter helped me analyze a problem that Andreas got
- when uploading files to a single FTP server using multiple easy handle
- handles with the multi interface. Occasionally a handle would stall in
- mysterious ways.
-
- The problem turned out to be a side-effect of the ConnectionExists()
- function's eagerness to re-use a handle for HTTP pipelining so it would
- select it even if already being in use, due to an inadequate check for its
- chances of being used for pipelnining.
-
-Daniel Fandrich (17 Nov 2008)
-- Added more compiler warning options for gcc 4.3
-
-Yang Tse (17 Nov 2008)
-- Fix a remaining problem in the inet_pton() runtime configure check. And
- fix internal Curl_inet_pton() failures to reject certain malformed literals.
-
-- Make configure script check if ioctl with the SIOCGIFADDR command can be
- used, and define HAVE_IOCTL_SIOCGIFADDR if appropriate.
-
-Daniel Stenberg (16 Nov 2008)
-- Christian Krause fixed a build failure when building with gss support
- enabled and FTP disabled.
-
-- Added check for NULL returns from strdup() in src/main.c and lib/formdata.c
- - reported by Jim Meyering also prevent buffer overflow on MSDOS when you do
- for example -O on a url with a file name part longer than PATH_MAX letters
-
-- lib/nss.c fixes based on the report by Jim Meyering: I went over and added
- checks for return codes for all calls to malloc and strdup that were
- missing. I also changed a few malloc(13) to use arrays on the stack and a
- few malloc(PATH_MAX) to instead use aprintf() to lower memory use.
-
-- I fixed a memory leak in Curl_nss_connect() when CURLOPT_ISSUERCERT is
- in use.
-
-Daniel Fandrich (14 Nov 2008)
-- Added .xml as one of the few common file extensions known by the multipart
- form generator.
-
-- Added some #ifdefs around header files and change the EAGAIN test to
- fix compilation on Cell (reported by Jeff Curley).
-
-Yang Tse (14 Nov 2008)
-- Fixed several configure script issues affecting checks for inet_ntoa_r(),
- inet_ntop(), inet_pton(), getifaddrs(), fcntl() and getaddrinfo().
-
-Yang Tse (13 Nov 2008)
-- Refactored configure script detection of functions used to set sockets into
- non-blocking mode, and decouple function detection from function capability.
+- http2: bump the h2 buffer to 8K
+
+- http2: Curl_read should not use the single buffer
+
+ ... as it does for pipelining when we're multiplexing, as we need the
+ different buffers to store incoming data correctly for all streams.
+
+- http2: more debug outputs
+
+- http2: leave WAITPERFORM when conn is multiplexed
+
+ No need to wait for our "spot" like for pipelining
+
+- http2: force "drainage" of streams
+
+ ... which is necessary since the socket won't be readable but there is
+ data waiting in the buffer.
+
+- http2: move the mem+len pair to the stream struct
+
+- http2: more stream-oriented data, stream ID 0 is for connections
+
+- http2: move lots of state data to the 'stream' struct
+
+ ... from the connection struct. The stream one being the 'struct HTTP'
+ which is kept in the SessionHandle struct (easy handle).
+
+ lookup streams for incoming frames in the stream hash, hashing is based
+ on the stream id and we get the SessionHandle for the incoming stream
+ that way.
+
+- HTTP: partial start at fixing up hash-lookups on http2 frame receival
+
+- http: a stream hash for h2 multiplexing
+
+- http: a stream hash for h2 multiplexing
+
+- http2: debug log when receiving unexpected stream_id
+
+- http2: move stream_id to the HTTP struct (per-stream)
+
+- Curl_http2_setup: only do it once and enable multiplex on the server
+
+ Once we know we are HTTP/2 enabled we know the server can multiplex.
+
+- http: switch on "pipelining" (multiplexing) for HTTP/2 servers
+
+ ... and do not blacklist any.
+
+- README.pipelining: removed
+
+ All the details mentioned here are better documented in man pages
+
+Dan Fandrich (14 May 2015)
+- build: removed bundles.c from make files
+
+ This file was removed in commit fd137786
+
+Daniel Stenberg (14 May 2015)
+- Curl_conncache_add_conn: fix memory leak on OOM
+
+- CURLMOPT_MAX_HOST_CONNECTIONS: host = host name + port number
+
+- conncache: keep bundles on host+port bases, not only host names
+
+ Previously we counted all connections to a specific host name and that
+ would be used for the CURLMOPT_MAX_HOST_CONNECTIONS check for example,
+ while servers on different port numbers are normally considered
+ different "origins" on the web and should thus be considered different
+ hosts.
+
+- bundles: merged into conncache.c
+
+ All the existing Curl_bundle* functions were only ever used from within
+ the conncache.c file, so I moved them over and made them static (and
+ removed the Curl_ prefix).
+
+- hostcache: made all host caches use structs, not pointers
+
+ This avoids unnecessary dynamic allocs and as this also removed the last
+ users of *hash_alloc() and *hash_destroy(), those two functions are now
+ removed.
+
+- multi: converted socket hash into non-allocated struct
+
+ avoids extra dynamic allocation
+
+- connection cache: avoid Curl_hash_alloc()
+
+ ... by using plain structs instead of pointers for the connection cache,
+ we can avoid several dynamic allocations that weren't necessary.
+
+- proxy: add newline to info message
+
+Patrick Monnerat (8 May 2015)
+- FTP: fix dangling conn->ip_addr dereference on verbose EPSV.
+
+- FTP: Make EPSV use the control IP address rather than the original host.
+ This ensures an alternate address is not used.
+ Does not apply to proxy tunnel.
+
+Daniel Stenberg (8 May 2015)
+- [Alessandro Ghedini brought this change]
+
+ tool_help: fix formatting for --next option
+
+- [Egon Eckert brought this change]
+
+ opts: improved the TCP keepalive examples
+
+Jay Satiro (8 May 2015)
+- winbuild: Document the option used to statically link the CRT
+
+ - Document option RTLIBCFG (runtime library configuration).
+
+ Bug: https://github.com/bagder/curl/issues/254
+ Reported-by: Bert Huijben
+
+- [Orgad Shaneh brought this change]
+
+ netrc: Read in text mode when cygwin
+
+ Use text mode when cygwin to eliminate trailing carriage returns.
+
+ Bug: https://github.com/bagder/curl/pull/258
+
+Patrick Monnerat (5 May 2015)
+- OS400: Add SPNEGO service name options to ILE/RPG binding.
+Daniel Stenberg (4 May 2015)
+- curl_multi_info_read.3: fix typo
+
+ Reported-by: Liviu Chircu
+
+- MANUAL: language fix
+
+ Reported-by: Fred Stluka
+ Bug: https://github.com/bagder/curl/issues/255
+
+- [Alessandro Ghedini brought this change]
+
+ gtls: properly retrieve certificate status
+
+ Also print the revocation reason if appropriate.
+
+- OpenSSL: conditional check for SSL3_RT_HEADER
+
+ The symbol is fairly new.
+
+ Reported-by: Kamil Dudka
+
+- openssl: skip trace outputs for ssl_ver == 0
+
+ The OpenSSL trace callback is wonderfully undocumented but given a
+ journey in the source code, it seems the cases were ssl_ver is zero
+ doesn't follow the same pattern and thus turned out confusing and
+ misleading. For now, we skip doing any CURLINFO_TEXT logging on those
+ but keep sending them as CURLINFO_SSL_DATA_OUT/IN.
+
+ Also, I added direction to the text info and I edited some functions
+ slightly.
+
+ Bug: https://github.com/bagder/curl/issues/219
+ Reported-by: Jay Satiro, Ashish Shukla
+
+Marc Hoersken (2 May 2015)
+- schannel.c: Small changes
+
+- schannel.c: Improve code path and readability
+
+- schannel.c: Improve error and return code handling upon aa99a63f03
+
+- [Chris Araman brought this change]
+
+ schannel: fix regression in schannel_recv
+
+ https://github.com/bagder/curl/issues/244
+
+ Commit 145c263 changed the behavior when Curl_read_plain returns
+ CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED
+ correctly.
+
+- Bug born in changes made several days ago 9a91e80.
+
+ Commit: https://github.com/bagder/curl/commit/926cb9f
+ Reported-by: Ray Satiro
+
+Daniel Stenberg (30 Apr 2015)
+- [Michael Osipov brought this change]
+
+ configure: remove missing and make it autogenerate
+
+ The missing file has not been autogenerated because a temporary fix was
+ employed in acinclude.m4 which blocked update. Removed that fix and a recent
+ version of missing is copied to build root.
+
+- [Michael Osipov brought this change]
+
+ acinclude.m4: fix test for default CA cert bundle/path
+
+ test(1) on HP-UX requires a single equals sign and fails with two.
+ Let's use one and make every OS happy.
+
+- CONTRIBUTING.md: remove the sourceforge mention
+
+ Reported-By: Michael Osipov
+
+Dan Fandrich (30 Apr 2015)
+- http_negotiate_sspi: added missing data variable
+
+Daniel Stenberg (30 Apr 2015)
+- [Michael Osipov brought this change]
+
+ configure: remove --automake from libtoolize call
+
+ That option is not mentioned in the man page of libtoolize 2.4.4.19-fda4.
+ Moveover, a comment in line 2623 says "--automake is for 1.5 compatibility".
+
+ This option is redundant now.
+
+- [Viktor Szakats brought this change]
+
+ build: update depedency versions, urls, example makefiles
+
+ - update default versions of dependencies (except for rare/old platforms)
+ - update urls
+ - sync examples makefiles with main ones
+ - remove line ending space
+
+- [Michael Osipov brought this change]
+
+ configure: remove autogenerated files by autoconf
+
+ * install-sh is always regenerated
+ * mkinstalldirs was already redudant years ago. Automake uses install for
+ that. See: http://lists.gnu.org/archive/html/automake/2007-03/msg00015.html
+
+- [Anders Bakken brought this change]
+
+ curl_multi_add_handle: next is already NULL
+
+Jay Satiro (30 Apr 2015)
+- schannel: Fix out of bounds array
+
+ Bug born in changes made several days ago 9a91e80.
+
+ Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
+ Reported-by: Brian Chrisman
+
+- docs/libcurl: gitignore libcurl-symbols.3
+
+ Bug: http://curl.haxx.se/mail/lib-2015-04/0191.html
+ Reported-by: Michael Osipov
+
+- [Viktor Szakats brought this change]
+
+ lib/makefile.m32: add arch -m32/-m64 to LDFLAGS
+
+ This fixes using a multi-target mingw distro to build curl .dll for the
+ non-default target.
+ (mirroring the same patch present in src/makefile.m32)
+
+Daniel Stenberg (29 Apr 2015)
+- RELEASE-NOTES: synced with cd39b944afc
+
+ I've not mentioned the bug fixes that were shipped in 7.42.1 from the
+ 7_42 branch.
+
+- THANKS: merged from the 7.42.1 release
+
+- CURLOPT_HEADEROPT: default to separate
+
+ Make the HTTP headers separated by default for improved security and
+ reduced risk for information leakage.
+
+ Bug: http://curl.haxx.se/docs/adv_20150429.html
+ Reported-by: Yehezkel Horowitz, Oren Souroujon