Changelog
-Version 7.48.0 (23 Mar 2016)
+Version 7.59.0 (13 Mar 2018)
-Daniel Stenberg (23 Mar 2016)
-- RELEASE-NOTES: curl 7.48.0
+Daniel Stenberg (13 Mar 2018)
+- release: 7.59.0
-- THANKS: 15 new contributors from 7.48.0 release
+Kamil Dudka (13 Mar 2018)
+- tests/.../spnego.py: fix identifier typo
+
+ Detected by Coverity Analysis:
+
+ Error: IDENTIFIER_TYPO:
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo:
+ * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code.
+ * Identifier "SupportedMech" is referenced elsewhere at least 4 times.
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function).
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"?
+
+ Closes #2379
-Jay Satiro (23 Mar 2016)
-- CURLINFO_TLS_SSL_PTR.3: Warn about limitations
+Daniel Stenberg (13 Mar 2018)
+- CURLOPT_COOKIEFILE.3: "-" as file name means stdin
+
+ Reported-by: Aron Bergman
+ Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html
- Bug: https://github.com/curl/curl/issues/685
+ [ci skip]
-Daniel Stenberg (22 Mar 2016)
-- Revert "sshserver: remove use of AuthorizedKeysFile2"
+- Revert "hostip: fix compiler warning: 'variable set but not used'"
- It seems we may have some autobuild problems after this commit went
- in. Trying to see if a revert helps to get them back.
+ This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248.
- This reverts commit 2716350d1f3edc8e929f6ceeee05051090f6d642.
+ The assignment really needs to be there or we risk working with an
+ uninitialized pointer.
-- maketgz: add -j to make dist
+Michael Kaufmann (12 Mar 2018)
+- limit-rate: fix compiler warning
- ... makes it a lot faster
+ follow-up to 72a0f62
-- libcurl-thread.3: minor nroff format fix
+Viktor Szakats (12 Mar 2018)
+- checksrc.pl: add -i and -m options
+
+ To sync it with changes made for the libssh2 project.
+ Also cleanup some whitespace.
-- CURLINFO_TLS_SSL_PTR.3: minor nroff format fix
+- curl-openssl.m4: fix spelling [ci skip]
-- CODE_STYLE: indend example code
-
- ... to make it look nicer in markdown outputa
+- FAQ: fix a broken URL [ci skip]
-Jay Satiro (22 Mar 2016)
-- build-wolfssl: Update VS properties for wolfSSL v3.9.0
+Daniel Stenberg (12 Mar 2018)
+- http2: mark the connection for close on GOAWAY
- - Do not use wolfSSL's sample user-setting files.
+ ... don't consider it an error!
+
+ Assisted-by: Jay Satiro
+ Reported-by: Łukasz Domeradzki
+ Fixes #2365
+ Closes #2375
+
+- credits: Viktor prefers without accent
+
+- openldap: white space changes, fixed up the copyright years
+
+- openldap: check ldap_get_attribute_ber() results for NULL before using
- wolfSSL starting in v3.9.0 has added their own sample user settings that
- are applied by default, but we don't use them because we have our own
- settings.
+ CVE-2018-1000121
+ Reported-by: Dario Weisser
+ Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
+
+- FTP: reject path components with control codes
- - Do not use wolfSSL's Visual Studio Unicode character setting.
+ Refuse to operate when given path components featuring byte values lower
+ than 32.
- wolfSSL Visual Studio projects use the Unicode character set however our
- settings and options imitate mingw build which does not use the Unicode
- character set. This does not appear to have any effect at the moment but
- better safe than sorry.
+ Previously, inserting a %00 sequence early in the directory part when
+ using the 'singlecwd' ftp method could make curl write a zero byte
+ outside of the allocated buffer.
+ Test case 340 verifies.
- These changes are backwards compatible with earlier versions.
+ CVE-2018-1000120
+ Reported-by: Duy Phan Thanh
+ Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
-Steve Holme (22 Mar 2016)
-- hostip6: Fixed compilation warnings when verbose strings disabled
+- readwrite: make sure excess reads don't go beyond buffer end
- warning C4189: 'data': local variable is initialized but not referenced
+ CVE-2018-1000122
+ Bug: https://curl.haxx.se/docs/adv_2018-b047.html
- ...and some minor formatting/spacing changes.
+ Detected by OSS-fuzz
+
+- BUGS: updated link to security process
-Daniel Stenberg (21 Mar 2016)
-- sshserver: remove use of AuthorizedKeysFile2
+- limit-rate: kick in even before "limit" data has been received
- Support for the (undocumented) AuthorizedKeysFile2 was removed in
- OpenSSH 5.9, released in September 2011
+ ... and make sure to avoid integer overflows with really large values.
- Closes #715
+ Reported-by: 刘佩东
+ Fixes #2371
+ Closes #2373
-Steve Holme (20 Mar 2016)
-- connect/ntlm/http: Fixed compilation warnings when verbose strings disabled
-
- warning C4189: 'data': local variable is initialized but not referenced
+- docs/SECURITY.md -> docs/SECURITY-PROCESS.md
-- openssl: Fixed compilation warning when /Wall enabled
-
- warning C4706: assignment within conditional expression
+- SECURITY.md: call it the security process
-- CODE_STYLE: Use boolean conditions
+Michael Kaufmann (11 Mar 2018)
+- Curl_range: fix FTP-only and FILE-only builds
- Rather than use TRUE, FALSE, NULL, 0 or != 0 in if/while conditions.
+ follow-up to e04417d
+
+- hostip: fix compiler warning: 'variable set but not used'
+
+Daniel Stenberg (11 Mar 2018)
+- HTTP: allow "header;" to replace an internal header with a blank one
- Additionally, corrected some example code to adhere to the recommended
- coding style.
+ Reported-by: Michael Kaufmann
+ Fixes #2357
+ Closes #2362
-- inet_pton.c: Fixed compilation warnings
+- http2: verbose output new MAX_CONCURRENT_STREAMS values
- warning: conversion to 'unsigned char' from 'int' may alter its value
+ ... as it is interesting for many users.
-Daniel Stenberg (19 Mar 2016)
-- RELEASE-NOTES: synced with 80851028efc2fa9
+- SECURITY: distros' max embargo time is 14 days now
-- mbedtls: fix compiler warning
-
- vtls/mbedtls.h:67:36: warning: implicit declaration of function
- ‘mbedtls_sha256’ [-Wimplicit-function-declaration]
+Patrick Monnerat (8 Mar 2018)
+- curl tool: accept --compressed also if Brotli is enabled and zlib is not.
-Steve Holme (19 Mar 2016)
-- easy: Minor coding standard and style updates
-
- Following commit c5744340db. Additionally removes the need for a second
- 'result code' variable as well.
+Daniel Stenberg (5 Mar 2018)
+- THANKS + mailmap: remove duplicates, fixup full names
-Jay Satiro (19 Mar 2016)
-- easy: Remove poll failure check in easy_transfer
-
- .. because curl_multi_wait can no longer signal poll failure.
-
- follow-up to 77e1726
+- [sergii.kavunenko brought this change]
+
+ WolfSSL: adding TLSv1.3
- Bug: https://github.com/curl/curl/issues/707
+ Closes #2349
+
+- RELEASE-NOTES/THANKS: synced with cc1d4c505
-Steve Holme (19 Mar 2016)
-- build: Added missing Visual Studio filter files for VC10 onwards
+- [Richard Alcock brought this change]
+
+ winbuild: prefer documented zlib library names
- As these files don't need to contain references to the source files,
- although typically do, added basic files which only include three
- filters and don't require the project file generator to be modified.
+ Check for existence of import and static libraries with documented names
+ and use them if they do. Fallback to previous names.
- These files allow the source code to be viewed in the Solution Explorer
- in versions of Visual Studio from 2010 onwards in the same manner as
- previous versions did rather than one large view of files.
-
-- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
+ According to
+ https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on
+ Windows, the names of the import library is "zdll.lib" and static
+ library is "zlib.lib".
- warning C4706: assignment within conditional expression
+ closes #2354
-- config-w32.h: Fixed compilation warning when /Wall enabled
+Marcel Raad (4 Mar 2018)
+- krb5: use nondeprecated functions
- warning C4668: 'USE_IPV6' is not defined as a preprocessor macro,
- replacing with '0' for '#if/#elif'
-
-- imap.c: Fixed compilation warning with /Wall enabled
+ gss_seal/gss_unseal have been deprecated in favor of
+ gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first
+ version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June
+ 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and
+ "GSS_Unwrap() (formerly GSS_Unseal())".
- warning C4701: potentially uninitialized local variable 'size' used
+ Use the nondeprecated functions to avoid deprecation warnings.
- Technically this can't happen, as the usage of 'size' is protected by
- 'if(parsed)' and 'parsed' is only set after 'size' has been parsed.
+ [1] https://tools.ietf.org/html/rfc2078
+ [2] https://tools.ietf.org/html/rfc1964
- Anyway, lets keep the compiler happy.
+ Closes https://github.com/curl/curl/pull/2356
-- KNOWN_BUGS: #93 Issue with CURLFORM_CONTENTLEN in arrays on 32-bit platforms
+Daniel Stenberg (4 Mar 2018)
+- curl.1: mention how to add numerical IP addresses in NO_PROXY
-Daniel Stenberg (18 Mar 2016)
-- bump: the coming release is 7.48.0
+- CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses
-- configure: use cpp -P when needed
+- NO_PROXY: fix for IPv6 numericals in the URL
- Since gcc 5, the processor output can get split up on multiple lines
- that made the configure script fail to figure out values from
- definitions. The fix is to use cpp -P, and this fix now first checks if
- cpp -P is necessary and then if cpp -P works before it uses that to
- extract defined values.
+ Added test 1265 that verifies.
- Fixes #719
+ Reported-by: steelman on github
+ Fixes #2353
+ Closes #2355
-Steve Holme (18 Mar 2016)
-- formdata.c: Fixed compilation warning
+- build: get CFLAGS (including -werror) used for examples and tests
- formdata.c:390: warning: cast from pointer to integer of different size
+ ... so that the CI and more detects compiler warnings/errors properly!
- Introduced in commit ca5f9341ef this happens because a char*, which is
- 32-bits wide in 32-bit land, is being cast to a curl_off_t which is
- 64-bits wide where 64-bit integers are supported by the compiler.
+ Closes #2337
+
+Marcel Raad (3 Mar 2018)
+- curl_ctype: fix macro redefinition warnings
- This doesn't happen in 64-bit land as a pointer is the same size as a
- curl_off_t.
+ On MinGW and Cygwin, GCC and clang have been complaining about macro
+ redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this
+ by undefining the macros before redefining them as suggested in
+ https://github.com/curl/curl/pull/2269.
- This fix doesn't address the fact that a 64-bit value cannot be used
- for CURLFORM_CONTENTLEN when set in a form array and compiled on a
- 32-bit platforms, it does at least suppress the compilation warning.
+ Suggested-by: Daniel Stenberg
-Daniel Stenberg (18 Mar 2016)
-- FAQ: 2.5 Install libcurl for both 32bit and 64bit?
+Dan Fandrich (2 Mar 2018)
+- unit1307: proper cleanup on OOM to fix torture tests
-- [Gisle Vanem brought this change]
+Marcel Raad (28 Feb 2018)
+- unit1309: fix warning on Windows x64
+
+ When targeting x64, MinGW-w64 complains about conversions between
+ 32-bit long and 64-bit pointers. Fix this by reusing the
+ GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic
+ from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST /
+ CURLX_INTEGER_TO_POINTER_CAST.
+
+ Closes https://github.com/curl/curl/pull/2341
- openssl: adapt to API breakage in ERR_remove_thread_state()
+- travis: update compiler versions
- The OpenSSL API change that broke this is "Convert ERR_STATE to new
- multi-threading API": openssl commit 8509dcc.
+ Update clang to version 3.9 and GCC to version 6.
- Closes #713
+ Closes https://github.com/curl/curl/pull/2345
-- version: init moved to private name space, added protos
+Daniel Stenberg (26 Feb 2018)
+- docs/MANUAL: formfind.pl is not accessible on the site anymore
- follow-up to 80015cdd52145
+ Fixes #2342
-- openssl: verbose: show matching SAN pattern
+Jay Satiro (24 Feb 2018)
+- curl-openssl.m4: Fix version check for OpenSSL 1.1.1
- ... to allow users to see which specfic wildcard that matched when such
- is used.
+ - Add OpenSSL 1.1.1 to the header/library version lists.
- Also minor logic cleanup to simplify the code, and I removed all tabs
- from verbose strings.
-
-Jay Satiro (16 Mar 2016)
-- version: thread safety
-
-Steve Holme (16 Mar 2016)
-- transfer: Removed redundant HTTP authentication include files
+ - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark,
+ which was added in that version.
- It would also seem that share.h is not required here either as there
- are no references to the Curl_share structure or functions.
+ Prior to this change an erroneous header/library mismatch was caused by
+ lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1.
-- easy: Removed redundant HTTP authentication include files
+Viktor Szakats (23 Feb 2018)
+- lib655: silence compiler warning
+
+ Closes https://github.com/curl/curl/pull/2335
-Jay Satiro (15 Mar 2016)
-- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
+- spelling fixes
- Bug: https://curl.haxx.se/mail/lib-2016-03/0150.html
- Reported-by: Oliver Graute
+ Detected using the `codespell` tool.
+
+ Also contains one URL protocol upgrade.
+
+ Closes https://github.com/curl/curl/pull/2334
-Steve Holme (15 Mar 2016)
-- curl_sasl: Minor code indent fixes
+Daniel Stenberg (24 Feb 2018)
+- projects/README: remove reference to dead IDN link/package
+
+ Reported-by: Stefan Kanthak and Rod Widdowson
+
+ Fixes #2325
-Daniel Stenberg (14 Mar 2016)
-- runtests: mention when run event-based
+Jay Satiro (23 Feb 2018)
+- [Rod Widdowson brought this change]
-- easy: add check to malloc() when running event-based
+ winbuild: Use macros for the names of some build utilities
- ... to allow torture tests then too.
+ - Add macros to the top of the makefile for rc and mt utilities so that
+ it is easier to change their locations.
+
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html
+ Reported-by: Stefan Kanthak
+
+ Closes https://github.com/curl/curl/issues/2329
-- memdebug: skip logging the limit countdown, fflush when reached
+Daniel Stenberg (23 Feb 2018)
+- TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2
-- CODE_STYLE: Space around operators
-
- As just discussed on the mailing list, also document how we prefer
- spacing in expressions.
+- curl_share_setopt.3: connection cache is shared within multi handles
+
+Jay Satiro (22 Feb 2018)
+- [Rod Widdowson brought this change]
-- curl: glob_range: no need to check unsigned variable for negative
+ winbuild: Use CALL to run batch scripts
- cppcheck warned:
+ Co-authored-by: Stefan Kanthak
- [src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n'
- is less than zero.
+ Closes https://github.com/curl/curl/issues/2330
+ Closes https://github.com/curl/curl/pull/2331
-- CODE_STYLE: add example for indent style as well
+Patrick Monnerat (22 Feb 2018)
+- os400: add curl_resolver_start_callback type to ILE/RPG binding
-- CODE_STYLE: mention braces for functions too
+Daniel Stenberg (22 Feb 2018)
+- form.d: rephrased somewhat, added two example command lines
-- docs/Makefile.am: include CODE_STYLE in tarball too
+Jay Satiro (21 Feb 2018)
+- [Francisco Sedano brought this change]
-- CONTRIBUTE: moved out code style to a separate document
-
-- CODE_STYLE: initial version
+ url: Add option CURLOPT_RESOLVER_START_FUNCTION
- Ripped out from CONTRIBUTE into its own document, but also extended from
- there.
-
-- curl_sasl.c: minor code indent fixes
+ - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that
+ will be called every time before a new resolve request is started
+ (ie before a host is resolved) with a pointer to backend-specific
+ resolver data. Currently this is only useful for ares.
+
+ - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to
+ pass to the resolver start callback.
+
+ Closes https://github.com/curl/curl/pull/2311
-- multi: simplified singlesocket
+- lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
+
+ - In keeping with the naming of our other connect timeout options rename
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.
+
+ This change adds the _MS suffix since the option expects milliseconds.
+ This is more intuitive for our users since other connect timeout options
+ that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS,
+ CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS.
+
+ The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms.
+
+ Follow-up to 2427d94 which added the lib and tool option yesterday.
- Since sh_getentry() now checks for invalid sockets itself and by
- narrowing the scope of the remove_sock_from_hash variable.
+ Ref: https://github.com/curl/curl/pull/2260
-- multi: introduce sh_getentry() for looking up sockets in the sockhash
+Patrick Monnerat (21 Feb 2018)
+- sasl: prefer PLAIN mechanism over LOGIN
- Simplify the code by using a single entry that looks for a socket in the
- socket hash. As indicated in #712, the code looked for CURL_SOCKET_BAD
- at some point and that is ineffective/wrong and this makes it easier to
- avoid that.
+ SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
+ PLAIN should be used instead if available.
-- [Jaime Fullaondo brought this change]
+Daniel Stenberg (21 Feb 2018)
+- RELEASE-NOTES: synced with 2427d94c6
- multi hash: ensure modulo performed on curl_socket_t
-
- Closes #712
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
-Steve Holme (13 Mar 2016)
-- base64: Minor coding standard and style updates
+ url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT
+
+ - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy
+ eyeball timeout value.
+
+ - Add new optval macro CURL_HET_DEFAULT to represent the default happy
+ eyeballs timeout value (currently 200 ms).
+
+ - Add new tool option --happy-eyeballs-timeout-ms to expose
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the
+ other -timeout options in the tool expect seconds not milliseconds.
+
+ Closes https://github.com/curl/curl/pull/2260
-- base64: Use 'CURLcode result' for curl result codes
+- hostip: fix 'potentially uninitialized variable' warning
+
+ Follow-up to 50d1b33.
+
+ Caught by AppVeyor.
-- negotiate: Use 'CURLcode result' for curl result codes
+Daniel Stenberg (20 Feb 2018)
+- TODO: warning if curl version is not in sync with libcurl version
-Daniel Stenberg (13 Mar 2016)
-- [Maksim Kuzevanov brought this change]
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
- multi_runsingle: avoid loop in CURLM_STATE_WAITPROXYCONNECT
+ CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
- Closes #703
-
-- TODO: Use the RFC6265 test suite
+ This enables users to preresolve but still take advantage of happy
+ eyeballs and trying multiple addresses if some are not connecting.
+
+ Ref: https://github.com/curl/curl/pull/2260
-Steve Holme (13 Mar 2016)
-- checksrc.bat: Added the ability to scan src and lib source independently
+Daniel Stenberg (20 Feb 2018)
+- [Sergio Borghese brought this change]
-- digest: Use boolean based success code for Curl_sasl_digest_get_pair()
+ examples/sftpuploadresume: resume upload via CURLOPT_APPEND
- Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
- based success code.
+ URL: https://curl.haxx.se/mail/lib-2018-02/0072.html
-- digest: Corrected some typos in comments
+- curl --version: show PSL if the run-time lib has it enabled
+
+ ... not of the #define was set at build-time!
-- krb5: Corrected some typos in function descriptions
+- TODO: "Support in-memory certs/ca certs/keys"
+
+ removed SSLKEYLOGFILE support (fixed)
+
+ removed "consider SSL patches" (outdated)
+
+ Closes #2310
-- ntlm: Corrected some typos in function descriptions
+- CURLOPT_HEADER.3: clarify problems with different data sizes
-- url: Corrected indentation when calling idna_to_ascii_lz()
+- test1556: verify >16KB headers to the header callback
-- idn_win32: Use boolean based success codes
+- header callback: don't chop headers into smaller pieces
- Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
- based success code.
+ Reported-by: Guido Berhoerster
+ Fixes #2314
+ Closes #2316
-Daniel Stenberg (10 Mar 2016)
-- idn_win32.c: warning: Trailing whitespace
+- test1154: verify that long HTTP headers get rejected
-Steve Holme (10 Mar 2016)
-- idn_win32.c: Fixed compilation warning from commit 9e7fcd4291
+- http: fix the max header length detection logic
+
+ Previously, it would only check for max length if the existing alloc
+ buffer was to small to fit it, which often would make the header still
+ get used.
- warning C4267: 'function': conversion from 'size_t' to 'int',
- possible loss of data
+ Reported-by: Guido Berhoerster
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html
+
+ Closes #2315
-Daniel Stenberg (10 Mar 2016)
-- THANKS-filter: unify Michael König
+- CURLOPT_HEADERFUNCTION.3: fix typo from d939226813
+
+ Reported-by: Erik Johansson
+ Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495
-- RELEASE-NOTES: synced with 863c5766dd
+- CURLOPT_HEADERFUNCTION.3: mention folded headers
-- ftp: remove a check for NULL(!)
+- TODO: 1.1 Option to refuse usernames in URLs
- ... as it implies we need to check for that on all the other variable
- references as well (as Coverity otherwise warns us for missing NULL
- checks), and we're alredy making sure that the pointer is never NULL.
+ Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas.
-- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
+- TODO: 1.7 Support HTTP/2 for HTTP(S) proxies
+
+- ssh: add two missing state names
- RFC 6265 section 4.1.1 spells out that the first name/value pair in the
- header is the actual cookie name and content, while the following are
- the parameters.
+ The list of state names (used in debug builds) was out of sync in
+ relation to the list of states (used in all builds).
- libcurl previously had a more liberal approach which causes significant
- problems when introducing new cookie parameters, like the suggested new
- cookie priority draft.
+ I now added an assert to make sure the sizes of the two lists match, to
+ aid in detecting this mistake better in the future.
- The previous logic read all n/v pairs from left-to-right and the first
- name used that wassn't a known parameter name would be used as the
- cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
- a cookie named 'person' while an RFC 6265 compliant parser should
- consider that to be a cookie named 'Max-Age' with an (unknown) parameter
- 'person'.
+ Regression since c92d2e14cf, shipped in 7.58.0.
- Fixes #709
-
-- krb5: improved type handling to avoid clang compiler warnings
-
-- url.c: fix clang warning: no newline at end of file
+ Reported-by: Somnath Kundu
+
+ Fixes #2312
+ Closes #2313
-- curl_multi_wait: never return -1 in 'numfds'
+- Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy"
- Such a return value isn't documented but could still happen, and the
- curl tool code checks for it. It would happen when the underlying
- Curl_poll() function returns an error. Starting now we mask that error
- as a user of curl_multi_wait() would have no way to handle it anyway.
+ This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998.
Reported-by: Jay Satiro
- Closes #707
-- HTTP2.md: add CURL_HTTP_VERSION_2TLS and updated alt-svc link
+Jay Satiro (15 Feb 2018)
+- non-ascii: fix implicit declaration warning
+
+ Follow-up to b46cfbc.
+
+ Caught by Travis CI.
-- curl_multi_wait.3: add example
+Daniel Stenberg (15 Feb 2018)
+- travis: add build with iconv enabled
+
+ ... to verify it builds and works fine.
+
+ Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html
+
+ Closes #1872
-Steve Holme (8 Mar 2016)
-- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
+- TODO: 18.18 retry on network is unreachable
- Regression since commit 710f14edba.
+ Closes #1603
+
+- KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy
- Bug: https://github.com/curl/curl/issues/422
- Reported-by: Justin Ehlert
+ Closes #1254
-Jay Satiro (8 Mar 2016)
-- opt-docs: fix heading macros
+Kamil Dudka (15 Feb 2018)
+- nss: use PK11_CreateManagedGenericObject() if available
- ..SH should be .SH
+ ... so that the memory allocated by applications using libcurl does not
+ grow per each TLS connection.
- Bug: https://github.com/curl/curl/issues/705
- Reported-by: Eric S. Raymond
+ Bug: https://bugzilla.redhat.com/1510247
+
+ Closes #2297
-Kamil Dudka (8 Mar 2016)
-- [Tim Rühsen brought this change]
+Daniel Stenberg (15 Feb 2018)
+- [Björn Stenberg brought this change]
- cookie: do not refuse cookies for localhost
+ TODO fixed: Detect when called from within callbacks
- Closes #658
+ Closes #2302
-Daniel Stenberg (8 Mar 2016)
-- ftp_done: clear tunnel_state when secondary socket closes
-
- Introducing a function for closing the secondary connection to make this
- bug less likely to happen again.
+- BINDINGS: fix curb link (and remove ruby-curl-multi)
- Reported-by: daboul
- Closes #701
+ Reported-by: Klaus Stein
-- [Gisle Vanem brought this change]
+- curl_gssapi: make sure this file too uses our *printf()
- openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
+- libcurl-security.3: separate file:// section
+
+ ... just to make it more apparent. Even if it repeats
+ some pieces of information.
-- HTTP2.md: HTTP/2 by default for curl's HTTPS connections
+- libcurl-security.3: the http://192.168.0.1/my_router_config case
+
+ Mentioned-By: Rich Moore
-- [Anders Bakken brought this change]
+- libcurl-security.3: mention the URL standards problems too
- pipeline: Sanity check pipeline pointer before accessing it.
+- libcurl-security.3: split out from libcurl-tutorial.3
- I got a crash with this stack:
+ To make more accessible.
- curl/lib/url.c:2873 (Curl_removeHandleFromPipeline)
- curl/lib/url.c:2919 (Curl_getoff_all_pipelines)
- curl/lib/multi.c:561 (curl_multi_remove_handle)
- curl/lib/url.c:415 (Curl_close)
- curl/lib/easy.c:859 (curl_easy_cleanup)
+ Merged in some new language from "URLs are dangerous things" as discussed on
+ the mailing list a few days ago:
- Closes #704
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html
-- HTTP2.md: mention the disable ALPN and NPN options
+- RELEASE-NOTES: synced with e551910f8
-- TODO: 17.12 keep running, read instructions from pipe/socket
+Patrick Monnerat (13 Feb 2018)
+- tests: new tests for http raw mode
- And delete trailing whitespace
- And rename section 17 to "command line tool" from "client"
+ Test 319 checks proper raw mode data with non-chunked gzip
+ transfer-encoded server data.
+ Test 326 checks raw mode with chunked server data.
- Closes #702
+ Bug: #2303
+ Closes #2308
-- README.md: linkified
+Kamil Dudka (12 Feb 2018)
+- tlsauthtype.d: works only if libcurl is built with TLS-SRP support
- It also makes it less readable as plain text, so let's keep this
- primarily for github use.
+ Bug: https://bugzilla.redhat.com/1542256
- Removed the top ascii art logo, as it looks weird when markdownified.
+ Closes #2306
-- README.md: markdown version of README
+Patrick Monnerat (12 Feb 2018)
+- smtp: fix processing of initial dot in data
- Attempt to make it look more appealing on github
-
-Jay Satiro (6 Mar 2016)
-- mprintf: update trio project link
+ RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command
+ should be taken into account when chasing the <CRLF>.<CRLF> end marker.
+ Thus a leading dot character in data is also subject to escaping.
+
+ Tests 911 and test server are adapted to this situation.
+ New tests 951 and 952 check proper handling of initial dot in data.
+
+ Closes #2304
-Daniel Stenberg (6 Mar 2016)
-- CURLOPT_ACCEPTTIMEOUT_MS.3: added example
+Daniel Stenberg (12 Feb 2018)
+- sha256: avoid redefine
-- CURLOPT_ACCEPT_ENCODING.3: added example
+- [Douglas Mencken brought this change]
-- CURLOPT_APPEND.3: added example
+ sha256: build with OpenSSL < 0.9.8 too
+
+ support for SHA-2 was introduced in OpenSSL 0.9.8
+
+ Closes #2305
-- CURLOPT_NOPROGRESS.3: added example, conform to stardard style
+- [Bruno Grasselli brought this change]
-Steve Holme (6 Mar 2016)
-- build-openssl/checksrc.bat: Fixed prepend vs append of Perl path
+ README: language fix
+
+ s/off/from
- Fixed inconsistency from commit 1eae114065 and 0ad6c72227 of the order
- in which Perl was added to the PATH.
+ Closes #2300
-Daniel Stenberg (6 Mar 2016)
-- opts: added two examples
+Patrick Monnerat (12 Feb 2018)
+- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on
+
+ Bug: #2303
+ Reported-By: Henry Roeland
-- CURLOPT_SSL_CTX_FUNCTION.3: use .NF for example
+Daniel Stenberg (9 Feb 2018)
+- get_posix_time: only check for overflows if they can happen!
-- CURLOPT_SSL_CTX_FUNCTION.3: added example
-
- and removed erroneous reference to test case lib509
+Michael Kaufmann (9 Feb 2018)
+- schannel: fix "no previous prototype" compiler warning
-- curlx.c: use more curl style code
+Jay Satiro (9 Feb 2018)
+- [Mohammad AlSaleh brought this change]
-- test46: change cookie expiry date
+ content_encoding: Add "none" alias to "identity"
- Since two of the cookies would now otherwise expire and cause the test
- to fail after commit 20de9b4f09
+ Some servers return a "content-encoding" header with a non-standard
+ "none" value.
- Discussed in #697
-
-Jay Satiro (5 Mar 2016)
-- [Viktor Szakats brought this change]
-
- makefile.m32: add missing libs for static -winssl-ssh2 builds
+ Add "none" as an alias to "identity" as a work-around, to avoid
+ unrecognised content encoding type errors.
- Bug: https://github.com/curl/curl/pull/693
-
-- mbedtls: fix user-specified SSL protocol version
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
- Prior to this change when a single protocol CURL_SSLVERSION_ was
- specified by the user that version was set only as the minimum version
- but not as the maximum version as well.
+ Closes https://github.com/curl/curl/pull/2298
-Steve Holme (5 Mar 2016)
-- .gitignore: Added *.VC.opendb and *.vcxproj.user files for VC14
+Steve Holme (8 Feb 2018)
+- build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output
-- build-openssl.bat: Fixed cannot find perl if installed but not in path
+- build-openssl.bat: Fixed incorrect move if destination build folder exists
-- checksrc.bat: Fixed cannot find perl if installed but not in path
-
-Jay Satiro (5 Mar 2016)
-- [Viktor Szakats brought this change]
-
- makefile.m32: fix to allow -ssh2-winssl combination
+Michael Kaufmann (8 Feb 2018)
+- schannel: fix compiler warnings
- In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl
- (OpenSSL) option, with no way to override it with -winssl. Since both
- libssh2 and curl support using Windows's built-in SSL backend, modify
- the logic to allow that combination.
+ Closes #2296
-- cookie: Don't expire session cookies in remove_expired
+Steve Holme (7 Feb 2018)
+- curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows
- Prior to this change cookies with an expiry date that failed parsing
- and were converted to session cookies could be purged in remove_expired.
+ Windows 10.0.17061 SDK introduces support for Unix Domain Sockets.
+ Added the necessary include file to curl_addrinfo.c.
- Bug: https://github.com/curl/curl/issues/697
- Reported-by: Seth Mos
+ Note: The SDK (which is considered beta) has to be installed, VS 2017
+ project file has to be re-targeted for Windows 10.0.17061 and #define
+ enabled in config-win32.h.
-Daniel Stenberg (3 Mar 2016)
-- cookie: remove redundant check
-
- ... as it was already checked previously within the function.
+Patrick Monnerat (7 Feb 2018)
+- fnmatch: optimize processing of consecutive *s and ?s pattern characters
- Reported-by: Dmitry-Me
- Closes #695
+ Reported-By: Daniel Stenberg
+ Fixes #2291
+ Closes #2293
-Jay Satiro (1 Mar 2016)
-- [Anders Bakken brought this change]
-
- url: if Curl_done is premature then pipeline not in use
+Steve Holme (6 Feb 2018)
+- build-openssl.bat/build-wolfssl.bat: Build platform is optional
- Prevent a crash if 2 (or more) requests are made to the same host and
- pipelining is enabled and the connection does not complete.
+ Whilst the compiler parameter is mandatory, platform is optional as it
+ is automatically calculated by the :configure section.
- Bug: https://github.com/curl/curl/pull/690
+ This partially reverts commit 6d62d2c55d.
-- [Viktor Szakats brought this change]
+Daniel Stenberg (6 Feb 2018)
+- [Patrick Schlangen brought this change]
- makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
-
- using envvars `CURL_LDFLAG_EXTRAS_DLL` and
- `CURL_LDFLAG_EXTRAS_EXE` respectively. This
- is useful f.e. to pass ASLR-related extra
- options, that are required to make this
- feature work when using the mingw toolchain.
+ openssl: Don't add verify locations when verifypeer==0
- Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985
+ When peer verification is disabled, calling
+ SSL_CTX_load_verify_locations is not necessary. Only call it when
+ verification is enabled to save resources and increase performance.
- Closes https://github.com/curl/curl/pull/689
+ Closes #2290
-Daniel Stenberg (29 Feb 2016)
-- formpost: fix memory leaks in AddFormData error branches
+Steve Holme (5 Feb 2018)
+- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
- Reported-by: Dmitry-Me
- Fixes #688
+ ...and not just the Community Edition.
-Jay Satiro (28 Feb 2016)
-- getinfo: Fix syntax error when mbedTLS
+- build-openssl.bat: Extend VC15 support to include Enterprise and Professional
- The assignment of the mbedTLS TLS session info in the parent commit was
- incorrect. Change the assignment to a pointer to the session structure.
+ ...and not just the Community Edition.
-- getinfo: Add support for mbedTLS TLS session info
+Michael Kaufmann (5 Feb 2018)
+- time-cond: fix reading the file modification time on Windows
- .. and preprocessor check TLS session info is defined for all backends.
-
-Daniel Stenberg (26 Feb 2016)
-- ROADMAP: clarify on the TLS proxy, mention HTTP cookies to work on
+ On Windows, stat() may adjust the unix file time by a daylight saving time
+ offset. Avoid this by calling GetFileTime() instead.
+
+ Fixes #2164
+ Closes #2204
-- file: try reading from files with no size
+Daniel Stenberg (5 Feb 2018)
+- formdata: use the mime-content type function
- Some systems have special files that report as 0 bytes big, but still
- contain data that can be read (for example /proc/cpuinfo on
- Linux). Starting now, a zero byte size is considered "unknown" size and
- will be read as far as possible anyway.
+ Reduce code duplication by making Curl_mime_contenttype available and
+ used by the formdata function. This also makes the formdata function
+ recognize a set of more file extensions by default.
- Reported-by: Jesse Tan
+ PR #2280 brought this to my attention.
- Closes #681
+ Closes #2282
-Jay Satiro (25 Feb 2016)
-- configure: warn on invalid ca bundle or path
-
- - Warn if --with-ca-bundle file does not exist.
-
- - Warn if --with-ca-path directory does not contain certificates.
+- getdate: return -1 for out of range
- - Improve help messages for both.
+ ...as that's how the function is documented to work.
- Example configure output:
+ Reported-by: Michael Kaufmann
+ Bug found in an autobuild with 32 bit time_t
- ca cert bundle: /some/file (warning: certs not found)
- ca cert path: /some/dir (warning: certs not found)
+ Closes #2278
+
+- [Ben Greear brought this change]
+
+ build: fix termios issue on android cross-compile
- Bug: https://github.com/curl/curl/issues/404
- Reported-by: Jeffrey Walton
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html
+ Signed-off-by: Ben Greear <greearb@candelatech.com>
-Daniel Stenberg (24 Feb 2016)
-- Curl_read: check for activated HTTP/1 pipelining, not only requested
+- time_t-fixes: remove typecasts to 'long' for info.filetime
- ... as when pipelining is used, we read things into a unified buffer and
- we don't do that with HTTP/2. This could then easily make programs that
- set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX to get data
- intermixed or plain broken between HTTP/2 streams.
+ They're now wrong.
- Reported-by: Anders Bakken
-
-Patrick Monnerat (24 Feb 2016)
-- os400: Fix ILE/RPG definition of CURLOPT_TFTP_NO_OPTIONS
-
-Jay Satiro (23 Feb 2016)
-- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
+ Reported-by: Michael Kaufmann
- The two options are almost the same, except in the case of OpenSSL:
+ Closes #2277
+
+- curl_setup: move the precautionary define of SIZEOF_TIME_T
- CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.
+ ... up to before it may be used for the TIME_T_MAX/MIN logic.
- CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.
+ Reported-by: Michael Kaufmann
+
+- parsedate: s/#if/#ifdef
- For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to
- return an SSL pointer for OpenSSL.
+ Reported-by: Michael Kaufmann
+ Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479
+
+Patrick Monnerat (31 Jan 2018)
+- fnmatch: pattern syntax can no longer fail
- Also, add support for the 'internals' member to point to SSL object for
- the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and
- wolfSSL.
+ Whenever an expected pattern syntax rule cannot be matched, the
+ character starting the rule loses its special meaning and the parsing
+ is resumed:
+ - backslash at the end of pattern string matches itself.
+ - Error in [:keyword:] results in set containing :\[dekorwy.
- Bug: https://github.com/curl/curl/issues/234
- Reported-by: dkjjr89@users.noreply.github.com
+ Unit test 1307 updated for this new situation.
- Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html
- Reported-by: Michael König
+ Closes #2273
-Daniel Stenberg (23 Feb 2016)
-- multi_remove_handle: keep the timeout list until after disconnect
+- fnmatch: accept an alphanum to be followed by a non-alphanum in char set
- The internal Curl_done() function uses Curl_expire() at times and that
- uses the timeout list. Better clean up the list once we're done using
- it. This caused a segfault.
+ Also be more tolerant about set pattern syntax.
+ Update unit test 1307 accordingly.
- Reported-by: 蔡文凱
- Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html
-Kamil Dudka (23 Feb 2016)
-- tests/sshserver.pl: use RSA instead of DSA for host auth
-
- DSA is no longer supported by OpenSSH 7.0, which causes all SCP/SFTP
- test cases to be skipped. Using RSA for host authentication works with
- both old and new versions of OpenSSH.
+- fnmatch: do not match the empty string with a character set
+
+Jay Satiro (30 Jan 2018)
+- build: fix windows build methods for curl_ctype.c
- Reported-by: Karlson2k
+ - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as
+ curlx files since they are required by both src and lib.
- Closes #676
+ Follow-up to 4272a0b which added curl_ctype.
-Jay Satiro (23 Feb 2016)
-- TFTP: add option to suppress TFTP option requests (Part 2)
+Daniel Stenberg (30 Jan 2018)
+- progress-bar.d: update to match implementation
- - Add tests.
+ ... since commit 993dd5651a6
- - Add an example to CURLOPT_TFTP_NO_OPTIONS.3.
+ Reported-by: Martin Dreher
+ Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228
- - Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.
+ Closes #2271
+
+- http2: set DEBUG_HTTP2 to enable more HTTP/2 logging
- Bug: https://github.com/curl/curl/issues/481
+ ... instead of doing it unconditionally in debug builds. It cluttered up
+ the output a little too much.
-- [Michael Koenig brought this change]
+- [Max Dymond brought this change]
- TFTP: add option to suppress TFTP option requests (Part 1)
-
- Some TFTP server implementations ignore the "TFTP Option extension"
- (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
- problems with libcurl. Another switch for curl_easy_setopt
- "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
- sending TFTP option requests to a server, avoiding many problems caused
- by faulty implementations.
-
- Bug: https://github.com/curl/curl/issues/481
+ file: Check the return code from Curl_range and bail out on error
-Daniel Stenberg (22 Feb 2016)
-- [Karlson2k brought this change]
+- [Max Dymond brought this change]
- runtests: Fixed usage of %PWD on MinGW64
+ Curl_range: add check to ensure "from <= to"
+
+- [Max Dymond brought this change]
+
+ Curl_range: commonize FTP and FILE range handling
- Closes #672
+ Closes #2205
-Jay Satiro (20 Feb 2016)
-- CURLOPT_DEBUGFUNCTION.3: Fix example
+- RELEASE-NOTES: synced with 811beab9f
-- [Viktor Szakats brought this change]
+- curlver: next release will be 7.59.0
+
+- [Michał Janiszewski brought this change]
- src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
+ curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
- Sync with lib/Makefile.m32 which already uses those variables.
+ Closes #2275
+
+- time: support > year 2038 time stamps for system with 32bit long
+
+ ... with the introduction of CURLOPT_TIMEVALUE_LARGE and
+ CURLINFO_FILETIME_T.
- Bug: https://github.com/curl/curl/pull/670
+ Fixes #2238
+ Closes #2264
-Dan Fandrich (20 Feb 2016)
-- Enabled test 1437 after the bug fix in commit 3fa220a6
+- curl_easy_reset: clear digest auth state
+
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html
+ Reported-by: Ruurd Beerstra
+ Fixes #2255
+ Closes #2272
-Jay Satiro (19 Feb 2016)
-- [Emil Lerner brought this change]
+- [Adam Marcionek brought this change]
- curl_sasl: Fix memory leak in digest parser
+ winbuild: make linker generate proper PDB
- If any parameter in a HTTP DIGEST challenge message is present multiple
- times, memory allocated for all but the last entry should be freed.
+ Link.exe requires /DEBUG to properly generate a full pdb file on release
+ builds.
- Bug: https://github.com/curl/curl/pull/667
+ Closes #2274
-Dan Fandrich (19 Feb 2016)
-- Added test 1437 to verify a memory leak
+- curl: add --proxy-pinnedpubkey
- Reported-by: neex@users.noreply.github.com
-
-Jay Satiro (18 Feb 2016)
-- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
+ To verify a proxy's public key. For when using HTTPS proxies.
- Bug: https://github.com/curl/curl/issues/666
- Reported-by: baumanj@users.noreply.github.com
+ Fixes #2192
+ Closes #2268
-- curl.1: HTTP headers for --cookie must be Set-Cookie style
+- configure: set PATH_SEPARATOR to colon for PATH w/o separator
- Bug: https://github.com/curl/curl/issues/666
- Reported-by: baumanj@users.noreply.github.com
-
-Daniel Stenberg (18 Feb 2016)
-- curl.1: add a missing dash
-
-- CONTRIBUTING.md: fix links
-
-- ISSUE_TEMPLATE: github issue template
+ The logic tries to figure out what the path separator in the $PATH
+ variable is, but if there's only one directory in the $PATH it
+ fails. This change make configure *guess* on colon instead of erroring
+ out, simply because that is probably the more common character.
+
+ PATH_SEPARATOR can always be set by the user to override the guessing.
- First version, try this out!
+ (tricky bug to reproduce, as in my case for example the configure script
+ requires binaries in more than one directory so passing in a PATH with a
+ single dir fails.)
+
+ Reported-by: Earnestly on github
+ Fixes #2202
+ Closes #2265
-- CONTRIBUTING.md: move into .github
+- curl_ctype: private is*() type macros and functions
+
+ ... since the libc provided one are locale dependent in a way we don't
+ want. Also, the "native" isalnum() (for example) works differently on
+ different platforms which caused test 1307 failures on macos only.
- To hide github specific files somewhat from the rest.
+ Closes #2269
-- opts: add references
+Marcel Raad (29 Jan 2018)
+- build: open VC15 projects with VS 2017
+
+ Previously, they were opened with Visual Studio 2015 by default, which
+ cannot build them.
-- examples/make: add 'checksrc' target
+Daniel Stenberg (29 Jan 2018)
+- RELEASE-NOTES: synced with 094647fca
-- 10-at-a-time: typecast the argument passed to sleep()
+- TODO: UTF-8 filenames in Content-Disposition
+
+ Closes #1888
-- externalsocket.c: fix compiler warning for fwrite return type
+- KNOWN_BUGS: DICT responses show the underlying protocol
+
+ Closes #1809
-- anyauthput.c: fix compiler warnings
+Jay Satiro (27 Jan 2018)
+- [Alessandro Ghedini brought this change]
-- simplessl.c: warning: while with space
+ docs: fix typos in man pages
+
+ Closes https://github.com/curl/curl/pull/2266
-- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
+Patrick Monnerat (26 Jan 2018)
+- lib555: drop text conversion and encode data as ascii codes
- Reported-By: Gisle Vanem
+ If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs,
+ giving a result that is different from what is expected.
+ This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data
+ to upload in ascii.
+
+ Bug: https://github.com/curl/curl/pull/1872
-- http2: don't decompress gzip decoding automatically
+Daniel Stenberg (26 Jan 2018)
+- lib517: make variable static to avoid compiler warning
- At one point during the development of HTTP/2, the commit 133cdd29ea0
- introduced automatic decompression of Content-Encoding as that was what
- the spec said then. Now however, HTTP/2 should work the same way as
- HTTP/1 in this regard.
+ ... with clang on macos
+
+Patrick Monnerat (26 Jan 2018)
+- lib544: sync ascii code data with textual data
- Reported-by: Kazuho Oku
+ Data mismatch caused test 545 to fail when character encoding
+ conversion is enabled.
- Closes #661
+ Bug: https://github.com/curl/curl/pull/1872
-Jay Satiro (16 Feb 2016)
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (25 Jan 2018)
+- [Travis Burtrum brought this change]
- http: Don't break the header into chunks if HTTP/2
+ GSKit: restore pinnedpubkey functionality
- nghttp2 callback deals with TLS layer and therefore the header does not
- need to be broken into chunks.
+ inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37
- Bug: https://github.com/curl/curl/issues/659
- Reported-by: Kazuho Oku
+ Closes #2263
-Daniel Stenberg (16 Feb 2016)
-- [Viktor Szakats brought this change]
+- [Dair Grant brought this change]
- openssl: use macro to guard the opaque EVP_PKEY branch
+ darwinssl: Don't import client certificates into Keychain on macOS
+
+ Closes #2085
-- [Viktor Szakats brought this change]
+- configure: fix the check for unsigned time_t
+
+ Assign the time_t variable negative value and then check if it is
+ greater than zero, which will evaluate true for unsigned time_t but
+ false for signed time_t.
- openssl: avoid direct PKEY access with OpenSSL 1.1.0
+- parsedate: fix date parsing for systems with 32 bit long
- by using API instead of accessing an internal structure.
- This is required starting OpenSSL 1.1.0-pre3.
+ Make curl_getdate() handle dates before 1970 as well (returning negative
+ values).
- Closes #650
-
-- RELEASE-NOTES: synced with ede0bfc079da
+ Make test 517 test dates for 64 bit time_t.
+
+ This fixes bug (3) mentioned in #2238
+
+ Closes #2250
-- [Clint Clayton brought this change]
+- [McDonough, Tim brought this change]
- CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
+ openssl: fix pinned public key build error in FIPS mode
+
+ Here is a version that should work with all versions of openssl 0.9.7
+ through 1.1.0.
+
+ Links to the docs:
+ https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html
+ https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html
+
+ At the very bottom of the 1.1.0 documentation there is a history section
+ that states, " stack allocated EVP_MD_CTXs are no longer supported."
- Change the example in the docs for CURLOPT_CONNECTTIMEOUT_MS to use
- CURLOPT_CONNECTTIMEOUT_MS instead of CURLOPT_CONNECTTIMEOUT.
+ If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a
+ simple mapping can be used as described here:
+ https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes
- Closes #653
+ Closes #2258
-- opt-docs: add more references
+- [Travis Burtrum brought this change]
-- [David Byron brought this change]
+ SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum
- SCP: use libssh2_scp_recv2 to support > 2GB files on windows
-
- libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any
- day now.
+- [Travis Burtrum brought this change]
+
+ SChannel/WinSSL: Implement public key pinning
- Closes #451
+ Closes #1429
-Jay Satiro (13 Feb 2016)
-- [Shine Fan brought this change]
+- bump: towards 7.58.1
- gtls: fix for builds lacking encrypted key file support
+- cookies: remove verbose "cookie size:" output
- Bug: https://github.com/curl/curl/pull/651
+ It was once used for some debugging/verifying logic but should never have
+ ended up in git!
-Dan Fandrich (13 Feb 2016)
-- test1604: Add to Makefile.inc so it gets run
+- TODO: hardcode the "localhost" addresses
-Jay Satiro (12 Feb 2016)
-- generate.bat: Fix comment bug by removing old comments
+- TODO: CURL_REFUSE_CLEARTEXT
- Remove NOTES section, it's no longer needed since we aren't setting the
- errorlevel and more importantly the recently updated URL in the comments
- is causing some unusual behavior that breaks the script.
-
- Closes https://github.com/curl/curl/issues/649
+ An idea that popped up in discussions on twitter.
-Kamil Dudka (12 Feb 2016)
-- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
-
- The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man
- pages since curl-7_12_3~131. This patch makes it clear in the curl.1
- man page, too.
+- progress-bar: don't use stderr explicitly, use bar->out
- Bug: https://bugzilla.redhat.com/1305970
+ Reported-By: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080
-Daniel Stenberg (12 Feb 2016)
-- dist: ship buildconf.bat too
-
- As the winbuild/* stuff uses it!
+GitHub (24 Jan 2018)
+- [Gisle Vanem brought this change]
-- curlx_tvdiff: handle 32bit time_t overflows
+ Fixes for MSDOS etc.
- On 32bit systems, make sure we don't overflow and return funky values
- for very large time differences.
+ djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not
+ But djgpp seems the only choice for MSDOS anyway.
- Reported-by: Anders Bakken
+ PellesC do have a 'F_OK' defined in it's <unistd.h>.
- Closes #646
+ Update year in Copyright.
+
+- [Gisle Vanem brought this change]
+
+ Fix small typo.
+
+Version 7.58.0 (23 Jan 2018)
+
+Daniel Stenberg (23 Jan 2018)
+- RELEASE: 7.58.0
-- examples: fix some compiler warnings
+- [Gisle Vanem brought this change]
+
+ progress-bar: get screen width on windows
-- simplessl.c: fix my breakage
+- test1454: --connect-to with IPv6 address w/o IPv6 support!
-- examples: adhere to curl code style
+- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
- All plain C examples now (mostly) adhere to the curl code style. While
- they are only examples, they had diverted so much and contained all
- sorts of different mixed code styles by now. Having them use a unified
- style helps users and readability. Also, as they get copy-and-pasted
- widely by users, making sure they're clean and nice is a good idea.
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html
+ Reported-by: John Hascall
- 573 checksrc warnings were addressed.
+ Closes #2257
-- examples/cookie_interface.c: add cleanup call
+- docs: fix man page syntax to make test 1140 OK again
+
+- http: prevent custom Authorization headers in redirects
- cleaning up handles is a good idea as we leak memory otherwise
+ ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+ curl already handles Authorization headers created internally.
- Also, line wrapped before 80 columns.
-
-Kamil Dudka (10 Feb 2016)
-- nss: search slash in forward direction in dup_nickname()
+ Note: this changes behavior slightly, for the sake of reducing mistakes.
- It is wasteful to search it backwards if we look for _any_ slash.
+ Added test 317 and 318 to verify.
+
+ Reported-by: Craig de Stigter
+ Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
-- nss: do not count enabled cipher-suites
+- curl: progress bar refresh, get width using ioctl()
+
+ Get screen width from the environment variable COLUMNS first, if set. If
+ not, use ioctl(). If nether works, assume 79.
+
+ Closes #2242
+
+ The "refresh" is for the -# output when no total transfer size is
+ known. It will now only use a single updated line even for this case:
- We only care if at least one cipher-suite is enabled, so it does
- not make any sense to iterate till the end and count all enabled
- cipher-suites.
+ The "-=O=-" ship moves when data is transferred. The four flying
+ "hashes" move (on a sine wave) on each refresh, independent of data.
-Daniel Stenberg (10 Feb 2016)
-- contributors.sh: make 79 the max column width (from 80)
+- RELEASE-NOTES: synced with bb0ffcc36
-- RELEASE-NOTES: synced with c276aefee3995
+- libcurl-env.3: first take
-- mbedtls.c: re-indent to better match curl standards
+- TODO: two possible name resolver improvements
-- [Rafael Antonio brought this change]
+- [Kartik Mahajan brought this change]
- mbedtls: fix memory leak when destroying SSL connection data
+ http2: don't close connection when single transfer is stopped
- Closes #626
+ Fixes #2237
+ Closes #2249
-- mbedtls: fix ALPN usage segfault
+- test558: fix for multissl builds
- Since we didn't keep the input argument around after having called
- mbedtls, it could end up accessing the wrong memory when figuring out
- the ALPN protocols.
-
- Closes #642
-
-Jay Satiro (9 Feb 2016)
-- [Timotej Lazar brought this change]
+ vtls.c:multissl_init() might do a curl_free() call so strip that out to
+ make this work with more builds. We just want to verify that
+ memorytracking works so skipping one line is no harm.
- opts: update references to renamed options
+- examples/url2file.c: add missing curl_global_cleanup() call
+
+ Reported-by: XhstormR on github
+ Fixes #2245
-- KNOWN_BUGS: Update #92 - Windows device prefix
+- [Michael Gmelin brought this change]
-- tool_doswin: Support for literal path prefix \\?\
+ SSH: Fix state machine for ssh-agent authentication
- For example something like --output \\?\C:\foo
-
-Daniel Stenberg (9 Feb 2016)
-- configure: state "BoringSSL" in summary when that was detected
+ In case an identity didn't match[0], the state machine would fail in
+ state SSH_AUTH_AGENT instead of progressing to the next identity in
+ ssh-agent. As a result, ssh-agent authentication only worked if the
+ identity required happened to be the first added to ssh-agent.
+
+ This was introduced as part of commit c4eb10e2f06fbd6cc904f1d78e4, which
+ stated that the "else" statement was required to prevent getting stuck
+ in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's
+ interface I couldn't see how this could happen or reproduce it and I
+ also couldn't find a more detailed description of the problem which
+ would explain a test case to reproduce the problem this was supposed to
+ fix.
+
+ [0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED
+
+ Closes #2248
-- [David Benjamin brought this change]
+- openssl: fix potential memory leak in SSLKEYLOGFILE logic
+
+ Coverity CID 1427646.
- openssl: remove most BoringSSL #ifdefs.
+- openssl: fix the libressl build again
- As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
- BoringSSL #ifdefs in cURL should be unnecessary:
+ Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is
+ late OpenSSL version...
- - BoringSSL provides no-op stubs for compatibility which replaces most
- #ifdefs.
+ Fixes #2246
+ Closes #2247
- - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
- the compatibility codepath.
+ Reported-by: jungle-boogie on github
+
+- unit1307: test many wildcards too
+
+- curl_fnmatch: only allow 5 '*' sections in a single pattern
- - With a small tweak to an extend_key_56_to_64 call, the NTLM code
- builds fine.
+ ... to avoid excessive recursive calls. The number 5 is totally
+ arbitrary and could be modified if someone has a good motivation.
+
+- ftp-wildcard: fix matching an empty string with "*[^a]"
- - Switch OCSP-related #ifdefs to the more generally useful
- OPENSSL_NO_OCSP.
+ .... and avoid advancing the pointer to trigger an out of buffer read.
- The only #ifdefs which remain are Curl_ossl_version and the #undefs to
- work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
- that to the consumer. The in-header workaround makes things sensitive to
- include order.)
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251
+ Assisted-by: Max Dymond
+
+- SMB: fix numeric constant suffix and variable types
- This change errs on the side of removing conditionals despite many of
- the restored codepaths being no-ops. (BoringSSL generally adds no-op
- compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
- bad enough!)
+ 1. don't use "ULL" suffix since unsupported in older MSVC
+ 2. use curl_off_t instead of custom long long ifdefs
+ 3. make get_posix_time() not do unaligned data access
- Closes #640
+ Fixes #2211
+ Closes #2240
+ Reported-by: Chester Liu
-Jay Satiro (8 Feb 2016)
-- KNOWN_BUGS: Windows device prefix is required for devices
+- [rouzier brought this change]
-- tool_urlglob: Allow reserved dos device names (Windows)
+ CURLOPT_TCP_NODELAY.3: fix typo
- Allow --output to reserved dos device names without the device prefix
- for backwards compatibility.
+ Closes #2239
+
+- smtp/pop3/imap_get_message: decrease the data length too...
- Example: --output NUL can be used instead of --output \\.\NUL
+ Follow-up commit to 615edc1f73 which was incomplete.
- Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
- Reported-by: Gisle Vanem
+ Assisted-by: Max Dymond
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206
-Daniel Stenberg (8 Feb 2016)
-- cookies: allow spaces in cookie names, cut of trailing spaces
+- openssl: enable SSLKEYLOGFILE support by default
+
+ Fixes #2210
+ Closes #2236
+
+Patrick Monnerat (14 Jan 2018)
+- mime: clone mime tree upon easy handle duplication.
+
+ A mime tree attached to an easy handle using CURLOPT_MIMEPOST is
+ strongly bound to the handle: there is a pointer to the easy handle in
+ each item of the mime tree and following the parent pointer list
+ of mime items ends in a dummy part stored within the handle.
+
+ Because of this binding, a mime tree cannot be shared between different
+ easy handles, thus it needs to be cloned upon easy handle duplication.
- It turns out Firefox and Chrome both allow spaces in cookie names and
- there are sites out there using that.
+ There is no way for the caller to get the duplicated mime tree
+ handle: it is then set to be automatically destroyed upon freeing the
+ new easy handle.
- Turned out the code meant to strip off trailing space from cookie names
- didn't work. Fixed now.
+ New test 654 checks proper mime structure duplication/release.
- Test case 8 modified to verify both these changes.
+ Add a warning note in curl_mime_data_cb() documentation about sharing
+ user data between duplicated handles.
- Closes #639
+ Closes #2235
-Patrick Monnerat (8 Feb 2016)
-- Merge branch 'master' of github.com:curl/curl
+- docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
-- os400: sync ILE/RPG definitions with latest public header files.
+Daniel Stenberg (13 Jan 2018)
+- test395: HTTP with overflow Content-Length value
-Daniel Stenberg (8 Feb 2016)
-- [Ludwig Nussel brought this change]
+- test394: verify abort of rubbish in Content-Length: value
- SSLCERTS: update wrt SSL CA certificate store
+- test393: verify --max-filesize with excessive Content-Length
-- [Ludwig Nussel brought this change]
+- HTTP: bail out on negative Content-Length: values
+
+ ... and make the max filesize check trigger if the value is too big.
+
+ Updates test 178.
+
+ Reported-by: Brad Spencer
+ Fixes #2212
+ Closes #2223
+
+Marcel Raad (13 Jan 2018)
+- [Dan Johnson brought this change]
- configure: --with-ca-fallback: use built-in TLS CA fallback
+ configure.ac: append extra linker flags instead of prepending them.
- When trying to verify a peer without having any root CA certificates
- set, this makes libcurl use the TLS library's built in default as
- fallback.
+ Link order should list libraries after the libraries that use them,
+ so when we're guessing that we might also need to add -ldl in order
+ to use -lssl, we should add -ldl after -lssl.
- Closes #569
+ Closes https://github.com/curl/curl/pull/2234
-- Proxy-Connection: stop sending this header by default
+Daniel Stenberg (13 Jan 2018)
+- RELEASE-NOTES: synced with 6fa10c8fa
+
+Jay Satiro (13 Jan 2018)
+- setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
- RFC 7230 says we should stop. Firefox already stopped.
+ Broken since f121575 (precedes 7.56.1).
- Bug: https://github.com/curl/curl/issues/633
- Reported-By: Brad Fitzpatrick
+ Bug: https://github.com/curl/curl/issues/2225
+ Reported-by: cmfrolick@users.noreply.github.com
- Closes #633
+ Closes https://github.com/curl/curl/pull/2227
-- bump: work toward the next release
+Patrick Monnerat (13 Jan 2018)
+- setopt: reintroduce non-static Curl_vsetopt() for OS400 support
+
+ This also upgrades ILE/RPG bindings with latest setopt options.
+
+ Reported-By: jonrumsey on github
+ Fixes #2230
+ Closes #2233
-- THANKS: 2 contributors from the 7.47.1 release
+Jay Satiro (11 Jan 2018)
+- [Zhouyihai Ding brought this change]
-- RELEASE-PROCEDURE: remove the github upload part
+ http2: fix incorrect trailer buffer size
- ... as we're HTTPS on the main site now, there's no point in that
- extra step
-
-Version 7.47.1 (8 Feb 2016)
+ Prior to this change the stored byte count of each trailer was
+ miscalculated and 1 less than required. It appears any trailer
+ after the first that was passed to Curl_client_write would be truncated
+ or corrupted as well as the size. Potentially the size of some
+ subsequent trailer could be erroneously extracted from the contents of
+ that trailer, and since that size is used by client write an
+ out-of-bounds read could occur and cause a crash or be otherwise
+ processed by client write.
+
+ The bug appears to have been born in 0761a51 (precedes 7.49.0).
+
+ Closes https://github.com/curl/curl/pull/2231
-Daniel Stenberg (8 Feb 2016)
-- RELEASE-NOTES: curl 7.47.1 time!
+- [Basuke Suzuki brought this change]
-Jay Satiro (8 Feb 2016)
-- tool_operhlp: Check for backslashes in get_url_file_name
+ easy: fix connection ownership in curl_easy_pause
- Extract the filename from the last slash or backslash. Prior to this
- change backslashes could be part of the filename.
+ Before calling Curl_client_chop_write(), change the owner of connection
+ to the current Curl_easy handle. This will fix the issue #2217.
- This change needed for the curl tool built for Cygwin. Refer to the
- CYGWIN addendum in advisory 20160127B.
-
- Bug: https://curl.haxx.se/docs/adv_20160127B.html
+ Fixes https://github.com/curl/curl/issues/2217
+ Closes https://github.com/curl/curl/pull/2221
-Daniel Stenberg (7 Feb 2016)
-- RELEASE-NOTES: synced with d6a8869ea34
+Daniel Stenberg (9 Jan 2018)
+- [Dimitrios Apostolou brought this change]
-Jay Satiro (6 Feb 2016)
-- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
+ system.h: Additionally check __LONG_MAX__ for defining curl_off_t
- sk_X509_EXTENSION_num may return an unsigned integer, however the value
- will fit in an int.
+ __SIZEOF_LONG__ was introduced in GCC 4.4, __LONG_MAX__ was introduced
+ in GCC 3.3.
- Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
- Reported-by: Gisle Vanem
+ Closes #2216
-Daniel Stenberg (7 Feb 2016)
-- TODO: 17.11 -w output to stderr
+- COPYING: it's 2018!
-Jay Satiro (6 Feb 2016)
-- [Michael Kaufmann brought this change]
+- progress: calculate transfer speed on milliseconds if possible
+
+ to increase accuracy for quick transfers
+
+ Fixes #2200
+ Closes #2206
- idn_win32: Better error checking
+Jay Satiro (7 Jan 2018)
+- scripts: allow all perl scripts to be run directly
- .. also fix a conversion bug in the unused function
- curl_win32_ascii_to_idn().
+ - Enable execute permission (chmod +x)
- And remove wprintfs on error (Jay).
+ - Change interpreter to /usr/bin/env perl
- Bug: https://github.com/curl/curl/pull/637
+ Closes https://github.com/curl/curl/pull/2222
-- [Gisle Vanem brought this change]
+- mail-rcpt.d: fix short-text description
- examples/asiohiper: Avoid function name collision on Windows
+- build: remove HAVE_LIMITS_H check
- closesocket => close_socket
- Winsock already has the former.
+ .. because limits.h presence isn't optional, it's required by C89.
- Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
-
-- [Gisle Vanem brought this change]
+ Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2
+
+ Closes https://github.com/curl/curl/pull/2215
- examples/htmltitle: Use _stricmp on Windows
+- openssl: fix memory leak of SSLKEYLOGFILE filename
+
+ - Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl
+ initialization.
- Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
+ Caught by ASAN.
-Daniel Stenberg (6 Feb 2016)
-- COPYING: clarify that Daniel is not the sole author
+- Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX"
- ... done on request and as it is a fair point.
+ This reverts commit c97648b55080343bb371522bf4233e94a2a13a99.
+
+ SIZEOF_LONG should not be checked in system.h since that macro is only
+ defined when building libcurl.
+
+ Ref: https://github.com/curl/curl/pull/2186#issuecomment-354767080
+ Ref: https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html
-Jay Satiro (5 Feb 2016)
-- unit1604: Fix unit setup return code
+Michael Kaufmann (30 Dec 2017)
+- test1554: improve the error handling
-- tool_doswin: Use type SANITIZEcode in sanitize_file_name
+- test1554: add global initialization and cleanup
-- tool_doswin: Improve sanitization processing
+Daniel Stenberg (29 Dec 2017)
+- curl_version_info.3: call the argument 'age'
- - Add unit test 1604 to test the sanitize_file_name function.
-
- - Use -DCURL_STATICLIB when building libcurltool for unit testing.
+ Reported-by: Pete Lomax
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0074.html
+
+Patrick Monnerat (27 Dec 2017)
+- [Mikalai Ananenka brought this change]
+
+ brotli: data at the end of content can be lost
- - Better detection of reserved DOS device names.
+ Decoding loop implementation did not concern the case when all
+ received data is consumed by Brotli decoder and the size of decoded
+ data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE.
+ For content with unencoded length greater than CURL_MAX_WRITE_SIZE this
+ can result in the loss of data at the end of content.
- - New flags to modify sanitize behavior:
+ Closes #2194
+
+Jay Satiro (26 Dec 2017)
+- examples/cacertinmem: ignore cert-already-exists error
- SANITIZE_ALLOW_COLONS: Allow colons
- SANITIZE_ALLOW_PATH: Allow path separators and colons
- SANITIZE_ALLOW_RESERVED: Allow reserved device names
- SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
+ - Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback
+ since it's possible the cert may have already been loaded by libcurl.
- - Restore sanitization of banned characters from user-specified outfile.
+ - Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc.
+ Instead have it direct the reader to this cacertinmem.c example.
- Prior to this commit sanitization of a user-specified outfile was
- temporarily disabled in 2b6dadc because there was no way to allow path
- separators and colons through while replacing other banned characters.
- Now in such a case we call the sanitize function with
- SANITIZE_ALLOW_PATH which allows path separators and colons to pass
- through.
+ - Fix the CA certificate to use the right CA for example.com, Digicert.
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html
+ Reported-by: Thomas van Hesteren
- Closes https://github.com/curl/curl/issues/624
- Reported-by: Octavio Schroeder
-
-- [Viktor Szakats brought this change]
+ Closes https://github.com/curl/curl/pull/2182
- URLs: change more http to https
+- [Gisle Vanem brought this change]
-- sasl_sspi: Fix memory leak in domain populate
+ tool_getparam: Support size modifiers for --max-filesize
- Free an existing domain before replacing it.
+ - Move the size modifier detection code from limit-rate to its own
+ function so that it can also be used with max-filesize.
- Bug: https://github.com/curl/curl/issues/635
- Reported-by: silveja1@users.noreply.github.com
-
-Daniel Stenberg (4 Feb 2016)
-- [Viktor Szakats brought this change]
-
- URLs: follow GitHub project rename (also Travis CI)
+ Size modifiers are the suffixes such as G (gigabyte), M (megabyte) etc.
- Closes #632
-
-- CHANGES.o: fix references to curl.haxx.nu
+ For example --max-filesize 1G
+
+ Ref: https://curl.haxx.se/mail/archive-2017-12/0000.html
- I removed the scheme prefix from the URLs references this host name, as
- we don't own/run that anymore but the name is kept for historic reasons.
+ Closes https://github.com/curl/curl/pull/2179
-- HISTORY: add some info about when we used which host names
+Steve Holme (22 Dec 2017)
+- build: Fixed incorrect script termination from commit ad1dc10e61
-Jay Satiro (2 Feb 2016)
-- [Viktor Szakats brought this change]
+- Makefile.vc: Added our standard copyright header
- URLs: change more http to https
+- winbuild: Added support for VC15
-Dan Fandrich (3 Feb 2016)
-- URLs: Change more haxx.se URLs from http: to https:
+- build: Added Visual Studio 2017 project files
-Daniel Stenberg (3 Feb 2016)
-- RELEASE-NOTES: synced with 4af40b364
+- build-wolfssl.bat: Added support for VC15
-- URLs: change all http:// URLs to https://
+- build-openssl.bat: Added support for VC15
-- configure: update the copyright year range in output
+Jay Satiro (22 Dec 2017)
+- [Dimitrios Apostolou brought this change]
-- dotdot: allow an empty input string too
-
- It isn't used by the code in current conditions but for safety it seems
- sensible to at least not crash on such input.
+ curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX
- Extended unit test 1395 to verify this too as well as a plain "/" input.
+ Closes https://github.com/curl/curl/pull/2186
-- HTTPS: update a bunch of URLs from HTTP to HTTPS
+- [Mattias Fornander brought this change]
-- [Sergei Nikulov brought this change]
-
- AppVeyor: updated to handle OpenSSL/WinSSL builds
+ examples/rtsp: fix error handling macros
- Closes #621
+ Closes https://github.com/curl/curl/pull/2185
-Jay Satiro (1 Feb 2016)
-- tool_operate: Don't sanitize --output path (Windows)
+Patrick Monnerat (20 Dec 2017)
+- curl_easy_reset: release mime-related data.
- Due to path separators being incorrectly sanitized in --output
- pathnames, eg -o c:\foo => c__foo
+ Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level
+ functions dealing with UserDefined structure contents.
+ This avoids memory leakages on curl-generated part mime headers.
+ New test 2073 checks this using the cli tool --next option: it
+ triggers a valgrind error if bug is present.
- This is a partial revert of 3017d8a until I write a proper fix. The
- remote-name will continue to be sanitized, but if the user specified an
- --output with string replacement (#1, #2, etc) that data is unsanitized
- until I finish a fix.
-
- Bug: https://github.com/bagder/curl/issues/624
- Reported-by: Octavio Schroeder
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html
+ Reported-by: Martin Galvan
-- curl.1: Explain remote-name behavior if file already exists
+- content_encoding: rework zlib_inflate
- .. also warn about letting the server pick the filename.
-
-- [Gisle Vanem brought this change]
-
- urldata: Error on missing SSL backend-specific connect info
+ - When zlib version is < 1.2.0.4, process gzip trailer before considering
+ extra data as an error.
+ - Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data
+ and minimize corrupt data output.
+ - Do not try to restart deflate decompression in raw mode if output has
+ started or if the leading data is not available anymore.
+ - New test 232 checks inflating raw-deflated content.
+
+ Closes #2068
-Daniel Stenberg (28 Jan 2016)
-- bump: towards the next (7.47.1 ?)
+- brotli: allow compiling with version 0.6.0.
+
+ Some error codes were not yet defined in brotli 0.6.0: do not issue code
+ for them in this case.
-- [Sergei Nikulov brought this change]
+Daniel Stenberg (13 Dec 2017)
+- CURLOPT_READFUNCTION.3: refer to argument with correct name
+
+ Bug: #2175
+
+ [ci skip]
- cmake: fixed when OpenSSL enabled on Windows and schannel detected
+- rand: add a clang-analyzer work-around
- Closes #617
+ scan-build would warn on a potential access of an uninitialized
+ buffer. I deem it a false positive and had to add this somewhat ugly
+ work-around to silence it.
-Jay Satiro (28 Jan 2016)
-- [Sergei Nikulov brought this change]
+- krb5: fix a potential access of uninitialized memory
+
+ A scan-build warning.
- urldata: moved common variable out of ifdef
+- conncache: fix a return code [regression]
- Closes https://github.com/bagder/curl/pull/618
+ This broke in 07cb27c98e. Make sure to return 'result' properly. Pointed
+ out by scan-build!
-- [Viktor Szakats brought this change]
+- curl: support >256 bytes warning messsages
+
+ Bug: #2174
- tool_doswin: silence unused function warning
+Michael Kaufmann (12 Dec 2017)
+- libssh: fix a syntax error in configure.ac
- tool_doswin.c:185:14: warning: 'msdosify' defined but not used
- [-Wunused-function]
+ Follow-up to c92d2e1
- Closes https://github.com/bagder/curl/pull/616
+ Closes #2172
-Daniel Stenberg (27 Jan 2016)
-- getredirect.c: fix variable name
+Daniel Stenberg (12 Dec 2017)
+- examples/smtp-mail.c: use separate defines for options and mail
- Reported-by: Bernard Spil
-
-Version 7.47.0 (27 Jan 2016)
-
-Daniel Stenberg (27 Jan 2016)
-- examples/Makefile.inc: specify programs without .c!
+ ... to make it clearer that the options want address-only, while the
+ headers in an email can also have the real name.
+
+ Assisted-by: Sean MacLennan
-- THANKS: 6 new contributors from 7.47.0 release notes
+- THANKS: added missing names
+
+ ... as I reran the contrithanks script after the mailmap name fixups.
-- [Isaac Boukris brought this change]
+- mailmap: added/clarified several names
- NTLM: Fix ConnectionExists to compare Proxy credentials
-
- Proxy NTLM authentication should compare credentials when
- re-using a connection similar to host authentication, as it
- authenticate the connection.
+- setopt: less *or equal* than INT_MAX/1000 should be fine
- Example:
- curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
- --proxy-ntlm --next -x http://proxy:port http://host/
- [-U fake_user:fake_pwd --proxy-ntlm]
+ ... for the CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT and
+ CURLOPT_SERVER_RESPONSE_TIMEOUT range checks.
- CVE-2016-0755
+ Reported-by: Dominik Hölzl
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0037.html
- Bug: http://curl.haxx.se/docs/adv_20160127A.html
+ Closes #2173
-- [Ray Satiro brought this change]
+- [Dmitry Kostjuchenko brought this change]
- curl: avoid local drive traversal when saving file (Windows)
+ vtls: replaced getenv() with curl_getenv()
- curl does not sanitize colons in a remote file name that is used as the
- local file name. This may lead to a vulnerability on systems where the
- colon is a special path character. Currently Windows/DOS is the only OS
- where this vulnerability applies.
+ Fixed undefined symbol of getenv() which does not exist when compiling
+ for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with
+ curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP
+ is defined.
+
+ Closes #2171
+
+- RELEASE-NOTES: synced with 3b9ea70ee
+
+- TODO: Expose tried IP addresses that failed
- CVE-2016-0754
+ Suggested-by: Rainer Canavan
- Bug: http://curl.haxx.se/docs/adv_20160127B.html
+ Closes #2126
-- RELEASE-NOTES: 7.47.0
+- curl.1: mention http:// and https:// as valid proxy prefixes
-- FAQ: language fix in 4.19
+- curl.1: documented two missing valid exit codes
-- [paulehoffman brought this change]
+- CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference
- FAQ: Update to point to GitHub
-
- Current FAQ didn't make it clear where the main repo is.
+- Revert "curl: don't set CURLOPT_INTERLEAVEDATA"
- Closes #612
-
-- maketgz: generate date stamp with LC_TIME=C
+ This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955.
- bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
-
-- curl_multi_socket_action.3: line wrap
+ It was actually added rather recently in 8e8afa82cbb629 due to a crash
+ that would otherwise happen in the RTSP code. As I don't think we've
+ fixed that behavior yet, we better keep this work-around until we have
+ fixed it better.
-- RELEASE-NOTES: synced with d58ba66eeceb
+Michael Kaufmann (10 Dec 2017)
+- tests: mark data files as non-executable in git
-Steve Holme (21 Jan 2016)
-- TODO: "Create remote directories" for SMB
+- tests: update .gitignore for libtests
-Jay Satiro (18 Jan 2016)
-- mbedtls: Fix pinned key return value on fail
+Daniel Stenberg (10 Dec 2017)
+- multi_done: prune DNS cache
- - Switch from verifying a pinned public key in a callback during the
- certificate verification to inline after the certificate verification.
+ Prune the DNS cache immediately after the dns entry is unlocked in
+ multi_done. Timed out entries will then get discarded in a more orderly
+ fashion.
- The callback method had three problems:
+ Test506 is updated
- 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
- was not returned.
+ Reported-by: Oleg Pudeyev
- 2. If peer certificate verification was disabled the pinned key
- verification did not take place as it should.
-
- 3. (related to #2) If there was no certificate of depth 0 the callback
- would not have checked the pinned public key.
+ Fixes #2169
+ Closes #2170
+
+- mailmap: fixup two old git Author "aliases"
+
+Jay Satiro (10 Dec 2017)
+- openssl: Disable file buffering for Win32 SSLKEYLOGFILE
- Though all those problems could have been fixed it would have made the
- code more complex. Instead we now verify inline after the certificate
- verification in mbedtls_connect_step2.
+ Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just
+ like it does for other platforms. However, the Windows CRT does not
+ actually support line buffering (_IOLBF) and will use full buffering
+ (_IOFBF) instead. We can't use full buffering because multiple processes
+ may be writing to the file and that could lead to corruption, and since
+ full buffering is the only buffering available this commit disables
+ buffering for Windows SSLKEYLOGFILE entirely (_IONBF).
- Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
- Ref: https://github.com/bagder/curl/pull/601
+ Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901
-- tests: Add a test for pinnedpubkey fail even when insecure
+Daniel Stenberg (10 Dec 2017)
+- RESOLVE: output verbose text when trying to set a duplicate name
- Because disabling the peer verification (--insecure) must not disable
- the public key pinning check (--pinnedpubkey).
+ ... to help users understand what is or isn't done!
-- [Daniel Schauenberg brought this change]
+- CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
- CURLINFO_RESPONSE_CODE.3: add example
+- [John DeHelian brought this change]
-Kamil Dudka (15 Jan 2016)
-- ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
-
- The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
- empty strings specially since curl-7_25_0-31-g05a443a but the behavior
- was unintentionally removed in curl-7_38_0-47-gfa7d04f.
+ sftp: allow quoted commands to use relative paths
- This commit restores the original behavior and clarifies it in the
- documentation that NULL and "" have both the same meaning when passed
- to CURLOPT_SSH_PUBLIC_KEYFILE.
-
- Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
+ Closes #1900
-Daniel Stenberg (14 Jan 2016)
-- RELEASE-NOTES: synced with 35083ca60ed035a
+Jay Satiro (8 Dec 2017)
+- [Richard Alcock brought this change]
-- openssl: improved error detection/reporting
+ CURLOPT_PRIVATE.3: fix grammar
- ... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
- 1.1.0+ returned a new func number of another cerfificate fail so this
- required a fix and this is the better way to catch this error anyway.
-
-- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
+ - Change "never does nothing" double-negative to "never does anything".
+
+ Closes https://github.com/curl/curl/pull/2168
-- CURLOPT_RESOLVE.3: minor language polish
+Daniel Stenberg (8 Dec 2017)
+- curl: remove __EMX__ #ifdefs
+
+ These are OS/2-specific things added to the code in the year 2000. They
+ were always ugly. If there's any user left, they still don't need it
+ done this way.
+
+ Closes #2166
-- configure: assume IPv6 works when cross-compiled
+Jay Satiro (8 Dec 2017)
+- openssl: improve data-pending check for https proxy
- The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
- works, and testing like that doesn't work for cross-compiles. These days
- IPv6 support is widespread so a blind guess is probably more likely to
- be 'yes' than 'no' now.
+ - Allow proxy_ssl to be checked for pending data even when connssl does
+ not yet have an SSL handle.
- Further: anyone who cross-compiles can use configure's --disable-ipv6 to
- explicitly disable IPv6 and that also works for cross-compiles.
+ This change is for posterity. Currently there doesn't seem to be a code
+ path that will cause a pending data check when proxyssl could have
+ pending data and the connssl handle doesn't yet exist [1].
- Made happen after discussions in issue #594
-
-- TODO: "Try to URL encode given URL"
+ [1]: Recall that an https proxy connection starts out in connssl but if
+ the destination is also https then the proxy SSL backend data is moved
+ from connssl to proxyssl, which means connssl handle is temporarily
+ empty until an SSL handle for the destination can be created.
- Closes #514
+ Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542
+
+ Closes https://github.com/curl/curl/pull/1916
-- ConnectionExists: only do pipelining/multiplexing when asked
+Daniel Stenberg (8 Dec 2017)
+- curl: don't set CURLOPT_INTERLEAVEDATA
- When an HTTP/2 upgrade request fails (no protocol switch), it would
- previously detect that as still possible to pipeline on (which is
- acorrect) and do that when PIPEWAIT was enabled even if pipelining was
- not explictily enabled.
+ That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback
+ and that option isn't set or used by the curl tool!
- It should only pipelined if explicitly asked to.
+ Updates the 9 tests that verify --libcurl
- Closes #584
+ Closes #2167
-- [Mohammad AlSaleh brought this change]
+- curl.h: remove incorrect comment about ERRORBUFFER
+
+ ... error messages are _not_ sent to stderr if this is not set.
+
+- [Michael Felt brought this change]
+
+ configure: add AX_CODE_COVERAGE only if using gcc
+
+ Fixes #2076
+ Closes #2125
- lib: Prefix URLs with lower-case protocol names/schemes
+- curl: limit -# update frequency for unknown total size
- Before this patch, if a URL does not start with the protocol
- name/scheme, effective URLs would be prefixed with upper-case protocol
- names/schemes. This behavior might not be expected by library users or
- end users.
+ Make it use a max 10Hz update frequency for this case as well. Return
+ early if the "point" hasn't moved since last invoke.
- For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
- URL is "hostname/path". The effective URL would be
- "HTTPS://hostname/path" instead of "https://hostname/path".
+ Reported-by: Elliot Saba
- After this patch, effective URLs would be prefixed with a lower-case
- protocol name/scheme.
+ Fixes #2158
+ Closes #2163
+
+- BINDINGS: another PostgreSQL client
- Closes #597
+ ...the former link is dead.
- Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
+ Reported-by: Frank Gevaerts
-- [Alessandro Ghedini brought this change]
+- [Zachary Seguin brought this change]
- scripts: don't generate and install zsh completion when cross-compiling
+ CONNECT: keep close connection flag in http_connect_state struct
+
+ Fixes #2088
+ Closes #2157
-- [Alessandro Ghedini brought this change]
+- [Per Malmberg brought this change]
- scripts: fix zsh completion generation
+ include: get netinet/in.h before linux/tcp.h
+
+ ... to allow build on older Linux dists (specifically CentOS 4.8 on gcc
+ 4.8.5)
- The script should use the just-built curl, not the system one. This fixes
- zsh completion generation when no system curl is installed.
+ Closes #2160
-- [Alessandro Ghedini brought this change]
+- openldap: fix checksrc nits
- zsh.pl: fail if no curl is found
-
- Instead of generation a broken completion file.
+- [Stepan Broz brought this change]
-- [Michael Kaufmann brought this change]
+ openldap: add commented out debug possibilities
+
+ ... to aid debugging openldap library using its built-in debug messages.
+
+ Closes #2159
- IDN host names: Remove the port number before converting to ACE
+- examples: move threaded-shared-conn.c to the "complicated" ones
- Closes #596
+ ... due it relying on pthreads to link.
-Jay Satiro (10 Jan 2016)
-- runtests: Add mbedTLS to the SSL backends
+- RELEASE-NOTES: synced with b261c44e8
- .. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
+ ... and bump next release version to 7.58.0
-Daniel Stenberg (10 Jan 2016)
-- [Thomas Glanzmann brought this change]
+- [Jan Ehrhardt brought this change]
- mbedtls: implement CURLOPT_PINNEDPUBLICKEY
+ URL: tolerate backslash after drive letter for FILE:
+
+ ... as in "file://c:\some\path\curl.out"
+
+ Reviewed-by: Matthew Kerwin
+ Closes #2154
-Jay Satiro (9 Jan 2016)
-- [Tatsuhiro Tsujikawa brought this change]
+- [Randall S. Becker brought this change]
- url: Fix compile error with --enable-werror
+ tests: added netinet/in6.h includes in test servers
-- [Tatsuhiro Tsujikawa brought this change]
+- [Randall S. Becker brought this change]
- http2: Ensure that http2_handle_stream_close is called
+ configure: check for netinet/in6.h
- Previously, when HTTP/2 is enabled and used, and stream has content
- length known, Curl_read was not called when there was no bytes left to
- read. Because of this, we could not make sure that
- http2_handle_stream_close was called for every stream. Since we use
- http2_handle_stream_close to emit trailer fields, they were
- effectively ignored. This commit changes the code so that Curl_read is
- called even if no bytes left to read, to ensure that
- http2_handle_stream_close is called for every stream.
+ Needed by HPE NonStop NSE and NSX systems
- Discussed in https://github.com/bagder/curl/pull/564
+ Fixes #2146
+ Closes #2155
-Daniel Stenberg (8 Jan 2016)
-- http2: handle the received SETTINGS frame
+- curl-config: add --ssl-backends
- This regression landed in 5778e6f5 and made libcurl not act on received
- settings and instead stayed with its internal defaults.
+ Lists all SSL backends that were enabled at build-time.
- Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
- Reported-by: Bankde
+ Suggested-by: Oleg Pudeyev
+ Fixes #2128
-- Revert "multiplex: allow only once HTTP/2 is actually used"
+- conncache: only allow multiplexing within same multi handle
- This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36.
+ Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing
+ only get additional transfers added to them if the existing connection
+ is held by the same multi or easy handle. libcurl does not support doing
+ HTTP/2 streams in different threads using a shared connection.
- Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
-
-Jay Satiro (8 Jan 2016)
-- [Tatsuhiro Tsujikawa brought this change]
+ Closes #2152
- http2: Fix PUSH_PROMISE headers being treated as trailers
-
- Discussed in https://github.com/bagder/curl/pull/564
+- threaded-shared-conn.c: fixed typo in commenta
-Daniel Stenberg (8 Jan 2016)
-- [Michael Kaufmann brought this change]
+- threaded-shared-conn.c: new example
- connection reuse: IDN host names fixed
+- conncache: fix several lock issues
- Use the ACE form of IDN hostnames as key in the connection cache. Add
- new tests.
+ If the lock is released before the dealings with the bundle is over, it may
+ have changed by another thread in the mean time.
- Closes #592
+ Fixes #2132
+ Fixes #2151
+ Closes #2139
-- tests: mark IPv6 FTP and FTPS tests with the FTP keyword
+- libssh: remove dead code in sftp_qoute
+
+ ... by removing a superfluous NULL pointer check that also confuses
+ Coverity.
+
+ Fixes #2143
+ Closes #2153
-Jay Satiro (7 Jan 2016)
-- mbedtls: Fix ALPN support
+- sasl_getmesssage: make sure we have a long enough string to pass
+
+ For pop3/imap/smtp, added test 891 to somewhat verify the pop3
+ case.
+
+ For this, I enhanced the pingpong test server to be able to send back
+ responses with LF-only instead of always using CRLF.
- - Fix ALPN reply detection.
+ Closes #2150
+
+- libssh2: remove dead code from SSH_SFTP_QUOTE
- - Wrap nghttp2 code in ifdef USE_NGHTTP2.
+ Figured out while reviewing code in the libssh backend. The pointer was
+ checked for NULL after having been dereferenced, so we know it would
+ always equal true or it would've crashed.
+ Pointed-out-by: Nikos Mavrogiannopoulos
- Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
+ Bug #2143
+ Closes #2148
+
+- ssh-libssh.c: please checksrc
-- http2: Fix client write for trailers on stream close
+Nikos Mavrogiannopoulos (4 Dec 2017)
+- libssh: fixed dereference in statvfs access
- Check that the trailer buffer exists before attempting a client write
- for trailers on stream close.
+ The behavior is now equivalent to ssh.c when SSH_SFTP_QUOTE_STATVFS
+ handling fails.
- Refer to comments in https://github.com/bagder/curl/pull/564
+ Fixes #2142
-Daniel Stenberg (7 Jan 2016)
-- COPYING: update general copyright year range
+Daniel Stenberg (4 Dec 2017)
+- [Guitared brought this change]
-- ConnectionExists: add missing newline in infof() call
+ RESOURCES: update spec names
- Mistake from commit a464f33843ee1
+ Closes #2145
-- multiplex: allow only once HTTP/2 is actually used
+Nikos Mavrogiannopoulos (3 Dec 2017)
+- libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS
- To make sure curl doesn't allow multiplexing before a connection is
- upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the
- connection uses HTTP/2 as well and not only check what's wanted.
+ The previous code was incorrectly following the libssh2 error detection
+ for libssh2_sftp_statvfs, which is not correct for libssh's sftp_statvfs.
- Closes #584
+ Fixes #2142
- Patch-by: c0ff
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-Jay Satiro (4 Jan 2016)
-- curl_global_init.3: Add Windows-specific info for init via DLL
+- libssh: no need to call sftp_get_error as ssh_get_error is sufficient
- - Add to both curl_global_init.3 and libcurl.3 the caveat for Windows
- that initializing libcurl via a DLL's DllMain or static initializer
- could cause a deadlock.
+ Fixes #2141
- Bug: https://github.com/bagder/curl/issues/586
- Reported-by: marc-groundctl@users.noreply.github.com
-
-Daniel Stenberg (4 Jan 2016)
-- FAQ: clarify who to mail about ECCN clarifications
-
-- progressfunc.c: spellfix description
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- docs/examples/multi-app.c: fix bad desc formatting
-
-- examples: added descriptions
-
-- example/simple.c: add description
-
-- getredirect.c: a new example
-
-Marc Hoersken (27 Dec 2015)
-- RELEASE-NOTES: add 5e0e81a9c4e35f04ca
-
-Daniel Stenberg (26 Dec 2015)
-- RELEASE-NOTES: synced with 2aec4359db1088b10d
-
-Marc Hoersken (26 Dec 2015)
-- test 1515: add data check
-
-- test 1515: add MSYS support by passing a relative path
+Daniel Stenberg (2 Dec 2017)
+- libssh: fix minor static code analyzer nits
- MSYS would otherwise turn a /-style path into a C:\-style path.
-
-- test 539: use datacheck mode text for ASCII-mode LISTings
+ - remove superfluous NULL check which otherwise tricks the static code
+ analyzers to assume NULL pointer dereferences.
- While still using datacheck mode binary for the inline reply data.
-
-- runtests.pl: check up to 5 data parts with different text modes
+ - fix fallthrough in switch()
- Move the text-mode conversion for reply/replycheck from the verify
- section into the load section and add support for 4 more check parts.
+ - indent mistake
-Daniel Stenberg (24 Dec 2015)
-- CURLOPT_RANGE: for HTTP servers, range support is optional
+- openssl: pkcs12 is supported by boringssl
+
+ Removes another #ifdef for BoringSSL
+
+ Pointed-out-by: David Benjamin
+
+ Closes #2134
-Marc Hoersken (24 Dec 2015)
-- tests 1048 and 1050: use datacheck mode text for ASCII-mode LISTings
+- [Jay Satiro brought this change]
-- tests 706 and 707: use datacheck mode text for ASCII-mode LISTings
+ travis: use pip2 instead of pip
+
+ .. since now mac osx image expects pip2 or pip3, and doesn't know pip:
+
+ 0.01s$ pip install --user cpp-coveralls
+ /Users/travis/.travis/job_stages: line 57: pip: command not found
+
+ Ref: https://github.com/travis-ci/travis-ci/issues/8829
+
+ Closes https://github.com/curl/curl/pull/2133
-- tests 400,403,406: use datacheck mode text for ASCII-mode LISTings
+- [Nikos Mavrogiannopoulos brought this change]
-- sockfilt.c: fix calculation of sleep timeout on Windows
+ lib582: do not verify host for SFTP
- Not converting to double caused small timeouts to be skipped.
-
-- tests first.c: fix calculation of sleep timeout on Windows
+ This SFTP test fails with libssh back-end due to failure to verify
+ the peer. Disable peer verification in the test as there seems to
+ be the intention of the test.
- Not converting to double caused small timeouts to be skipped.
+ Note that the libssh back-end automatically verifies the peer's
+ host using the default known_hosts file.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- test 573: add more debug output
+- [Nikos Mavrogiannopoulos brought this change]
-- ftplistparser.c: fix handling of file LISTings using Windows EOL
+ libssh: added SFTP support
- Previously file.txt[CR][LF] would have been returned as file.tx
- (without the last t) if filetype is symlink. Now the t is
- included and the internal item_length includes the zero byte.
+ The SFTP back-end supports asynchronous reading only, limited
+ to 32-bit file length. Writing is synchronous with no other
+ limitations.
- Spotted using test 576 on Windows.
-
-- test 16: fix on Linux (and Windows) by using plain ASCII characters
+ This also brings keyboard-interactive authentication.
- Follow up on b064ff0c351bb287557228575ef4c1d079b866fb, thanks Daniel.
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- tftpd server: add Windows support by writing files in binary mode
+- [Nikos Mavrogiannopoulos brought this change]
-- tests 252-255: use datacheck mode text for ASCII-mode LISTings
+ symbols-in-versions: added new symbols with 7.56.3 version
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- test 16: fix on Windows by converting data file from ANSI to UTF-8
+- [Nikos Mavrogiannopoulos brought this change]
-Daniel Stenberg (23 Dec 2015)
-- Makefile.inc: s/curl_SOURCES/CURL_FILES
-
- This allows the root Makefile.am to include the Makefile.inc without
- causing automake to warn on it (variables named *_SOURCES are
- magic). curl_SOURCES is then instead assigned properly in
- src/Makefile.am only.
+ .travis.yml: added build --with-libssh
- Closes #577
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-- [Anders Bakken brought this change]
+- [Nikos Mavrogiannopoulos brought this change]
- ConnectionExists: with *PIPEWAIT, wait for connections
+ libssh2: return CURLE_UPLOAD_FAILED on failure to upload
- Try harder to prevent libcurl from opening up an additional socket when
- CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
- handshakes complete first before the decision is made.
+ This brings its in sync with the error code returned by the
+ libssh backend.
- Closes #575
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- [Anders Bakken brought this change]
+- [Nikos Mavrogiannopoulos brought this change]
- Add .dir-locals and set c-basic-offset to 2.
+ libssh2: send the correct CURLE error code on scp file not found
- This makes it easier for emacs users to automatically get the right
- 2-space indentation when they edit curl source files.
+ That also updates tests to expect the right error code
- c++-mode is in there as well because Emacs can't easily know if
- something is a C or C++ header.
+ libssh2 back-end returns CURLE_SSH error if the remote file
+ is not found. Expect instead CURLE_REMOTE_FILE_NOT_FOUND
+ which is sent by the libssh backend.
- Closes #574
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-- [Johannes Schindelin brought this change]
-
- configure: detect IPv6 support on Windows
-
- This patch was "nicked" from the MINGW-packages project by Daniel.
-
- https://github.com/Alexpux/MINGW-packages/commit/9253d0bf58a1486e91f7efb5316e7fdb48fa4007
- Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+- [Nikos Mavrogiannopoulos brought this change]
-- configure: allow static builds on mingw
+ Added support for libssh SSH SCP back-end
- This patch is adopted from the MINGW-packages project. It makes it
- possible to build curl both shared and static again.
+ libssh is an alternative library to libssh2.
+ https://www.libssh.org/
- URL: https://github.com/Alexpux/MINGW-packages/tree/master/mingw-w64-curl
-
-Marc Hoersken (17 Dec 2015)
-- test 1326: fix file check since curl is outputting binary data
-
-- test 1326: fix getting stuck on Windows due to incomplete request
+ That patch set also introduces support for ECDSA
+ ed25519 keys, as well as gssapi authentication.
- The request needs to be read and send in binary mode in order to use
- CRLF instead of LF. Adding --upload-file - causes curl to read stdin
- in binary mode.
-
-Daniel Stenberg (17 Dec 2015)
-- RELEASE-NOTES: command line option recount
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Dan Fandrich (16 Dec 2015)
-- scripts/Makefile: build zsh script even in an out-of-tree build
+- RELEASE-NOTES: synced with af8cc7a69
-Marc Hoersken (16 Dec 2015)
-- sockfilt.c: added some debug output to select_ws
+- curlver: towards 7.57.1
-- sockfilt.c: keep lines shorter than 80 chars
+- [W. Mark Kubacki brought this change]
-- sockfilt.c: do not wait on unreliable file or pipe handle
+ lib: don't export all symbols, just everything curl_*
- The previous implementation caused issues on modern MSYS2 runtimes.
-
-Daniel Stenberg (16 Dec 2015)
-- cyassl: deal with lack of *get_peer_certificate
+ Absent any 'symbol map' or script to limit what gets exported, static
+ linking of libraries previously resulted in a libcurl with curl's and
+ those other symbols being (re-)exported.
- The function is only present in wolfssl/cyassl if it was built with
- --enable-opensslextra. With these checks added, pinning support is disabled
- unless the TLS lib has that function available.
+ This did not happen if 'versioned symbols' were enabled (which is not
+ the default) because then a version script is employed.
- Also fix the mistake in configure that checks for the wrong lib name.
+ This limits exports to everything starting in 'curl_*'., which is
+ what "libcurl.vers" exports.
- Closes #566
-
-- wolfssl: handle builds without SSLv3 support
+ This avoids strange side-effects such as with mixing methods
+ from system libraries and those erroneously offered by libcurl.
+
+ Closes #2127
-- [Tatsuhiro Tsujikawa brought this change]
+- [Johannes Schindelin brought this change]
- http2: Support trailer fields
+ SSL: Avoid magic allocation of SSL backend specific data
- This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked
- encoding must be used to send trialer fields. HTTP/2 deprecated any
- trandfer-encoding, including chunked. But trailer fields are now
- always available.
+ Originally, my idea was to allocate the two structures (or more
+ precisely, the connectdata structure and the four SSL backend-specific
+ strucutres required for ssl[0..1] and proxy_ssl[0..1]) in one go, so
+ that they all could be free()d together.
- Since trailer fields are relatively rare these days (gRPC uses them
- extensively though), allocating buffer for trailer fields is done when
- we detect that HEADERS frame containing trailer fields is started. We
- use Curl_add_buffer_* functions to buffer all trailers, just like we
- do for regular header fields. And then deliver them when stream is
- closed. We have to be careful here so that all data are delivered to
- upper layer before sending trailers to the application.
+ However, getting the alignment right is tricky. Too tricky.
- We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE
- mechanism, but current method is far more simple.
+ So let's just bite the bullet and allocate the SSL backend-specific
+ data separately.
- Another possibility is use chunked encoding internally for HTTP/2
- traffic. I have not tested it, but it could add another overhead.
+ As a consequence, we now have to be very careful to release the memory
+ allocated for the SSL backend-specific data whenever we release any
+ connectdata.
- Closes #564
-
-- RELEASE-NOTES: synced with 6c2c019654e658a
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+ Closes #2119
-Jay Satiro (15 Dec 2015)
-- x509asn1: Fix host altname verification
+- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
- - In Curl_verifyhost check all altnames in the certificate.
+ Reported-by: Dima Tisnek
+
+- travis: add boringssl build
- Prior to this change only the first altname was checked. Only the GSKit
- SSL backend was affected by this bug.
+ Uses a separate build without --enable-debug and no valgrind.
- Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
- Reported-by: John Kohl
-
-Daniel Stenberg (15 Dec 2015)
-- curl --expect100-timeout: added
+ The debug option causes far too many warnings in boringssl's headers
+ (C++ comments, trailing commas etc). Valgrind triggers some false
+ positive errors in thread-local data used by boringssl.
- This is the new command line option to set the value for the existing
- libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
+ Closes #2118
-- cyassl: fix compiler warning on type conversion
+Version 7.57.0 (29 Nov 2017)
-- curlver: the pending release will become 7.47.0
+Daniel Stenberg (29 Nov 2017)
+- RELEASE-NOTES: curl 7.57.0
-- [Anders Bakken brought this change]
+- THANKS: added contributors from 7.57.0 release
- setstropt: const-correctness
+- openssl: fix boringssl build again
- Closes #565
-
-- ROADMAP: implemented HTTP2 for HTTPS-only
+ commit d3ab7c5a21e broke the boringssl build since it doesn't have
+ RSA_flags(), so we disable that code block for boringssl builds.
+
+ Reported-by: W. Mark Kubacki
+ Fixes #2117
-- HTTP2.md: spell fix and remove TODO now implemented
+- curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided
-- libressl: the latest openssl x509 funcs are not in libressl
+- libcurl-share.3: the connection cache is shareable now
-- curl: use 2TLS by default
+- global_init: ignore CURL_GLOBAL_SSL's absense
- Make this the default for the curl tool (if built with HTTP/2 powers
- enabled) unless a specific HTTP version is requested on the command
- line.
+ This bit is no longer used. It is not clear what it meant for users to
+ "init the TLS" in a world with different TLS backends and since the
+ introduction of multissl, libcurl didn't properly work if inited without
+ this bit set.
- This should allow more users to get HTTP/2 powers without having to
- change anything.
-
-- http: add libcurl option to allow HTTP/2 for HTTPS only
+ Not a single user responded to the call for users of it:
+ https://curl.haxx.se/mail/lib-2017-11/0072.html
- ... and stick to 1.1 for HTTP. This is in line with what browsers do and
- should have very little risk.
-
-- openssl: adapt to openssl >= 1.1.0 X509 opaque structs
+ Reported-by: Evgeny Grin
+ Assisted-by: Jay Satiro
- Closes #491
-
-- openssl: avoid BIO_reset() warnings since it returns a value
-
-- openssl: adapt to 1.1.0+ name changes
+ Fixes #2089
+ Fixes #2083
+ Closes #2107
-- scripts/makefile: add standard header
-
-- scripts/Makefile: fix GNUism and survive no perl
+- ntlm: avoid integer overflow for malloc size
+
+ Reported-by: Alex Nichols
+ Assisted-by: Kamil Dudka and Max Dymond
- Closes #555
+ CVE-2017-8816
- Reported-by: Thomas Klausner
+ Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
-- fix b6d5cb40d7038fe
+- wildcardmatch: fix heap buffer overflow in setcharset
+
+ The code would previous read beyond the end of the pattern string if the
+ match pattern ends with an open bracket when the default pattern
+ matching function is used.
+
+ Detected by OSS-Fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+
+ CVE-2017-8817
+
+ Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
-- [Tatsuhiro Tsujikawa brought this change]
+- [Jay Satiro brought this change]
- http2: Fix hanging paused stream
+ url: fix alignment of ssl_backend_data struct
- When NGHTTP2_ERR_PAUSE is returned from data_source_read_callback, we
- might not process DATA frame fully. Calling nghttp2_session_mem_recv()
- again will continue to process DATA frame, but if there is no incoming
- frames, then we have to call it again with 0-length data. Without this,
- on_stream_close callback will not be called, and stream could be hanged.
+ - Align the array of ssl_backend_data on a max 32 byte boundary.
- Bug: http://curl.haxx.se/mail/lib-2015-11/0103.html
- Reported-by: Francisco Moraes
-
-- [Christian Stewart brought this change]
+ 8 is likely to be ok but I went with 32 for posterity should one of
+ the ssl_backend_data structs change to contain a larger sized variable
+ in the future.
+
+ Prior to this change (since dev 70f1db3, release 7.56) the connectdata
+ structure was undersized by 4 bytes in 32-bit builds with ssl enabled
+ because long long * was mistakenly used for alignment instead of
+ long long, with the intention being an 8 byte boundary. Also long long
+ may not be an available type.
+
+ The undersized connectdata could lead to oob read/write past the end in
+ what was expected to be the last 4 bytes of the connection's secondary
+ socket https proxy ssl_backend_data struct (the secondary socket in a
+ connection is used by ftp, others?).
+
+ Closes https://github.com/curl/curl/issues/2093
+
+ CVE-2017-8818
+
+ Bug: https://curl.haxx.se/docs/adv_2017-af0a.html
- build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
+- ssh: remove check for a NULL pointer (!)
- With curl disable verbose strings in http.c the compilation fails due to
- the data variable being undefined later on in the function.
+ With this check present, scan-build warns that we might dereference this
+ point in other places where it isn't first checked for NULL. Thus, if it
+ *can* be NULL we have a problem on a few places. However, this pointer
+ should not be possible to be NULL here so I remove the check and thus
+ also three different scan-build warnings.
- Closes #558
+ Closes #2111
-Jay Satiro (7 Dec 2015)
-- [Gisle Vanem brought this change]
+- [Matthew Kerwin brought this change]
- config-win32: Fix warning HAVE_WINSOCK2_H undefined
+ test: add test for bad UNC/SMB path in file: URL
-- [Gisle Vanem brought this change]
+- [Matthew Kerwin brought this change]
- openssl: BoringSSL doesn't have CONF_modules_free
+ test: add tests to ensure basic file: URLs
-- [Gisle Vanem brought this change]
+- [Matthew Kerwin brought this change]
- lwip: Fix compatibility issues with later versions
+ URL: update "file:" URL handling
- The name of the header guard in lwIP's <lwip/opt.h> has changed from
- '__LWIP_OPT_H__' to 'LWIP_HDR_OPT_H' (bug #35874 in May 2015).
+ * LOTS of comment updates
+ * explicit error for SMB shares (e.g. "file:////share/path/file")
+ * more strict handling of authority (i.e. "//localhost/")
+ * now accepts dodgy old "C:|" drive letters
+ * more precise handling of drive letters in and out of Windows
+ (especially recognising both "file:c:/" and "file:/c:/")
- Other fixes:
+ Closes #2110
+
+- metalink: fix memory-leak and NULL pointer dereference
- - In curl_setup.h, the problem with an old PSDK doesn't apply if lwIP is
- used.
+ Reported by scan-build
- - In memdebug.h, the 'socket' should be undefined first due to lwIP's
- lwip_socket() macro.
+ Closes #2109
+
+- [Alessandro Ghedini brought this change]
+
+ connect: add support for new TCP Fast Open API on Linux
- - In curl_addrinfo.c lwIP's getaddrinfo() + freeaddrinfo() macros need
- special handling because they were undef'ed in memdebug.h.
+ The new API added in Linux 4.11 only requires setting a socket option
+ before connecting, without the whole sento() machinery.
- - In select.c we can't use preprocessor conditionals inside select if
- MSVC and select is a macro, as it is with lwIP.
+ Notably, this makes it possible to use TFO with SSL connections on Linux
+ as well, without the need to mess around with OpenSSL (or whatever other
+ SSL library) internals.
- http://curl.haxx.se/mail/lib-2015-12/0023.html
- http://curl.haxx.se/mail/lib-2015-12/0024.html
+ Closes #2056
-Patrick Monnerat (7 Dec 2015)
-- os400: define CURL_VERSION_PSL in ILE/RPG binding
-
-Jay Satiro (7 Dec 2015)
-- [Gisle Vanem brought this change]
+- make: fix "make distclean"
+
+ Fixes #2097
+ Closes #2108
- version: Add flag CURL_VERSION_PSL for libpsl
+- RELEASE-NOTES: synced with 31f18d272
-- formdata: Check if length is too large for memory
+Jay Satiro (23 Nov 2017)
+- connect: improve the bind error message
- - If the size of the length type (curl_off_t) is greater than the size
- of the size_t type then check before allocating memory to make sure the
- value of length will fit in a size_t without overflow. If it doesn't
- then return CURLE_BAD_FUNCTION_ARGUMENT.
+ eg consider a non-existent interface eth8, curl --interface eth8
- Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
- Reported-by: Steve Holme
-
-Steve Holme (3 Dec 2015)
-- tests: Corrected copy and pasted comments from commit e643c5c908
+ Before: curl: (45) Could not resolve host: eth8
+ After: curl: (45) Couldn't bind to 'eth8'
+
+ Bug: https://github.com/curl/curl/issues/2104
+ Reported-by: Alfonso Martone
-Daniel Stenberg (3 Dec 2015)
-- curl: remove keepalive #ifdef checks done on libcurl's behalf
+Daniel Stenberg (23 Nov 2017)
+- examples/rtsp: clear RANGE again after use
- They didn't match the ifdef logic used within libcurl anyway so they
- could indeed warn for the wrong case - plus the tool cannot know how the
- lib actually performs at that level.
+ Fixes #2106
+ Reported-by: youngchopin on github
+
+- [Michael Kaufmann brought this change]
-Steve Holme (2 Dec 2015)
-- test947: Corrected typo in test name
+ test1264: verify URL with space in host name being rejected
-- tests: Disable the OAUTHBEARER tests when using a non-default port number
+- url: reject ASCII control characters and space in host names
- Tests 842, 843, 844, 845, 887, 888, 889, 890, 946, 947, 948 and 949 fail
- if a custom port number is specified via the -b option of runtests.pl.
+ Host names like "127.0.0.1 moo" would otherwise be accepted by some
+ getaddrinfo() implementations.
- Suggested by: Kamil Dudka
- Bug: http://curl.haxx.se/mail/lib-2015-12/0003.html
-
-Daniel Stenberg (2 Dec 2015)
-- bump: towards next release
+ Updated test 1034 and 1035 accordingly.
- for all we know now, it might be called 7.46.1
+ Fixes #2073
+ Closes #2092
-Version 7.46.0 (1 Dec 2015)
-
-Daniel Stenberg (1 Dec 2015)
-- RELEASE-NOTES: updated contributor count for 7.46.0
+- Curl_open: fix OOM return error correctly
+
+ Closes #2098
-- THANKS: new contributors from the 7.46.0 release
+- http2: fix "Value stored to 'end' is never read" scan-build error
-- THANKS-filter: single Tim Rühsen spelling
+- http2: fix "Value stored to 'hdbuf' is never read" scan-build error
-- docs/examples: gitignore some more built examples
+- openssl: fix "Value stored to 'rc' is never read" scan-build error
-- RELEASE-NOTES; this bug was never released
+- mime: fix "Value stored to 'sz' is never read" scan-build error
-- RELEASE-NOTES: synced with e55f15454efacb0
+- Curl_llist_remove: fix potential NULL pointer deref
+
+ Fixes a scan-build warning.
-- [Flavio Medeiros brought this change]
+- ntlm: remove unnecessary NULL-check to please scan-build
- Curl_read_plain: clean up ifdefs that break statements
-
- Closes #546
+- BUGS: spellchecked
-- http2: convert some verbose output into debug-only output
+Jay Satiro (18 Nov 2017)
+- [fmmedeiros brought this change]
-- http2 push: add missing inits of new stream
+ examples/curlx: Fix code style
- - set the correct stream_id for pushed streams
- - init maxdownload and size properly
-
-- http2 push: set weight for new stream
+ - Add braces around multi-line if statement.
- give the new stream the old one's stream_weight internally to avoid
- sending a PRIORITY frame unless asked for it
+ Closes https://github.com/curl/curl/pull/2096
-- curl_setup.h: undef freeaddrinfo in c-ares block to fix build
+Daniel Stenberg (17 Nov 2017)
+- resolve: allow IP address within [] brackets
- Fixes warnings 78c25c854a added.
-
-- nonblock: fix setting non-blocking mode for Amiga
+ ... so that IPv6 addresses can be passed like they can for connect-to
+ and how they're used in URLs.
- IoctlSocket() apparently wants a pointer to a long, passed as a char *
- in its third parameter. This bug was introduced already back in commit
- c5fdeef41d from October 1 2001!
+ Added test 1324 to verify
+ Reported-by: Alex Malinovich
- Bug: http://curl.haxx.se/mail/lib-2015-11/0088.html
- Reported-by: Norbert Kett
+ Fixes #2087
+ Closes #2091
-- zsh install: fix DESTDIR support
+- [Pavol Markovic brought this change]
+
+ macOS: Fix missing connectx function with Xcode version older than 9.0
+
+ The previous fix https://github.com/curl/curl/pull/1788 worked just for
+ Xcode 9. This commit extends the fix to older Xcode versions effectively
+ by not using connectx function.
- Reported-by: Mohammad AlSaleh
+ Fixes https://github.com/curl/curl/issues/1330
+ Fixes https://github.com/curl/curl/issues/2080
+ Closes https://github.com/curl/curl/pull/1336
+ Closes #2082
-Dan Fandrich (27 Nov 2015)
-- lib: Only define curl_dofreeaddrinfo if struct addrinfo is available
+- [Dirk Feytons brought this change]
-Steve Holme (27 Nov 2015)
-- tool_paramhlp: Fixed display of URL index in password prompt for --next
+ openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
- Commit f3bae6ed73 added the URL index to the password prompt when using
- --next. Unfortunately, because the size_t specifier (%zu) is not
- supported by all sprintf() implementations we use the curl_off_t format
- specifier instead. The display of an incorrect value arises on platforms
- where size_t and curl_off_t are of a different size.
+ Fixes #2079
+ Closes #2081
-Daniel Stenberg (25 Nov 2015)
-- timecond: do not add if-modified-since without timecondition
+- TODO: ignore private IP addresses in PASV response
- The RTSP code path didn't skip adding the if-modified-since for certain
- RTSP code paths, even if CURLOPT_TIMECONDITION was set to
- CURL_TIMECOND_NONE.
+ Closes #1455
+
+- RELEASE-NOTES: synced with ae7369b6d
+
+Michael Kaufmann (14 Nov 2017)
+- URL: return error on malformed URLs with junk after IPv6 bracket
- Also, an unknown non-zero CURLOPT_TIMECONDITION value no longer equals
- CURL_TIMECOND_IFMODSINCE.
+ Follow-up to aadb7c7. Verified by new test 1263.
- Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header
+ Closes #2072
-- RELEASE-NOTES: synced with 99d17a5e2ba77e58
+Daniel Stenberg (14 Nov 2017)
+- INTERNALS: we may use libidn2 now, not libidn
-- examples/README: cut out the incomplete list
+Patrick Monnerat (13 Nov 2017)
+- zlib/brotli: only include header files in modules needing them
- ... and add a generic explanation for them instead. Each example file
- should contain its own description these days.
+ There is a conflict on symbol 'free_func' between openssl/crypto.h and
+ zlib.h on AIX. This is an attempt to resolve it.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html
+ Reported-By: Michael Felt
-- test1513: make sure the callback is only called once
+Daniel Stenberg (13 Nov 2017)
+- SMB: fix uninitialized local variable
+
+ Reported-by: Brian Carpenter
-- [Daniel Shahaf brought this change]
+- [Orgad Shaneh brought this change]
- build: Install zsh completion
+ connect.c: remove executable bit on file
- Fixes #534
- Closes #537
+ Closes #2071
-- done: make sure the final progress update is made
-
- It would previously be skipped if an existing error was returned, but
- would lead to a previous value being left there and later used.
- CURLINFO_TOTAL_TIME for example.
-
- Still it avoids that final progress update if we reached DONE as the
- result of a callback abort to avoid another callback to be called after
- an abort-by-callback.
-
- Reported-by: Lukas Ruzicka
-
- Closes #538
+- [hsiao yi brought this change]
-- curl: expanded the -XHEAD warning text
+ README.md: fixed layout
- ... to also mention the specific options used.
+ Closes #2069
-- Revert "cleanup: general removal of TODO (and similar) comments"
+- setopt: split out curl_easy_setopt() to its own file
- This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a.
+ ... to make url.c smaller.
- Feedback-by: Dan Fandrich
- URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
+ Closes #1944
+
+Jay Satiro (10 Nov 2017)
+- [John Starks brought this change]
-- CURLOPT_HEADERFUNCTION.3: fix typo
+ cmake: Add missing setmode check
- Refer to _HEADERDATA not _WRITEDATA.
+ Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this,
+ curl will corrupt binary files when writing them to stdout on Windows.
- Reported-by: Michał Piechowski
+ Closes https://github.com/curl/curl/pull/2067
-- TODO: TCP Fast Open
-
-Steve Holme (22 Nov 2015)
-- examples: Added website parse-able descriptions to the e-mail examples
+Daniel Stenberg (10 Nov 2017)
+- curl_share_setopt: va_end was not called if conncache errors
+
+ CID 984459, detected by Coverity
-- TODO: Added another 'multi-interface' idea
+Sergei Nikulov (10 Nov 2017)
+- [John Starks brought this change]
-- smb.c: Fixed compilation warnings
+ cmake: Correctly include curl.rc in Windows builds (#2064)
- smb.c:134:3: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
- smb.c:146:42: warning: conversion to 'unsigned int' from 'long long
- unsigned int' may alter its value
- smb.c:146:65: warning: conversion to 'unsigned int' from 'long long
- unsigned int' may alter its value
+ Update CMakeLists.txt to add curl.rc to the correct list.
-- schannel: Corrected copy/paste error in commit 8d17117683
+Daniel Stenberg (9 Nov 2017)
+- RELEASE-NOTES: synced with 32828cc4f
-- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
-
- Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
+- [Luca Boccassi brought this change]
-- examples: Fixed compilation warnings
+ --interface: add support for Linux VRF
- pop3-multi.c:96:5: warning: implicit declaration of function 'memset'
- imap-multi.c:96:5: warning: implicit declaration of function 'memset'
- http2-download.c:226:5: warning: implicit declaration of function 'memset'
- http2-upload.c:290:5: warning: implicit declaration of function 'memset'
- http2-upload.c:290:5: warning: implicit declaration of function 'memset'
-
-- Makefile.inc: Fixed test run error
+ The --interface command (CURLOPT_INTERFACE option) already uses
+ SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP
+ address first, which fails in case the user passes a VRF.
- test845 not present in tests/data/Makefile.inc
-
-Daniel Stenberg (20 Nov 2015)
-- TODO: remove duplicated title
-
-- TODO: added two more libcurl ideas
+ Try to use the socket option immediately and parse it as a fallback
+ instead. Update the documentation to mention this feature, and that it
+ requires the binary to be ran by root or with CAP_NET_RAW capabilities
+ for this to work.
- Moved some ideas from "next major" to just ordinary ideas since we can
- always add new things while keeping the old without doing a "next
- major".
+ Closes #2024
-Steve Holme (20 Nov 2015)
-- tests: Re-enabled tests 889 and 890 following POP3 fix
+- curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT
+
+ Closes #2043
-- pop3: Differentiate between success and continuation responses
+- examples: add shared-connection-cache
-- pop3: Added clarity on some server response codes
+- test1554: verify connection cache sharing
-Daniel Stenberg (20 Nov 2015)
-- [Daniel Shahaf brought this change]
+- share: add support for sharing the connection cache
- build: Fix theoretical infinite loops
+- imap: deal with commands case insensitively
- Add error-checking to 'cd' in a few cases where omitting the checks
- might result in an infinite loop.
+ As documented in RFC 3501 section 9:
+ https://tools.ietf.org/html/rfc3501#section-9
- Closes #535
-
-Patrick Monnerat (19 Nov 2015)
-- curl.h: s/#defien/#define/
+ Closes #2061
-- os400: synchronize ILE/RPG header file
-
-- os400: Provide options for libssh2 use in compile scripts. Adjust README.
+- connect: store IPv6 connection status after valid connection
+
+ ... previously it would store it already in the happy eyeballs stage
+ which could lead to the IPv6 bit being set for an IPv4 connection,
+ leading to curl not wanting to do EPSV=>PASV for FTP transfers.
+
+ Closes #2053
-Daniel Stenberg (19 Nov 2015)
-- [danielsh@apache.org brought this change]
+- curl_multi_fdset.3: emphasize curl_multi_timeout
+
+ ... even when there's no socket to wait for, the timeout can still be
+ very short.
- zsh completion: Preserve single quotes in output
+Jay Satiro (9 Nov 2017)
+- content_encoding: fix inflate_stream for no bytes available
+
+ - Don't call zlib's inflate() when avail_in stream bytes is 0.
+
+ This is a follow up to the parent commit 19e66e5. Prior to that change
+ libcurl's inflate_stream could call zlib's inflate even when no bytes
+ were available, causing inflate to return Z_BUF_ERROR, and then
+ inflate_stream would treat that as a hard error and return
+ CURLE_BAD_CONTENT_ENCODING.
- When an option's help string contains literal single quotes, those
- single quotes would be stripped from the option's description in the
- completion output (unless the zsh RC_QUOTES option were set while the
- completion function was being sourced, which is not the default). This
- patch makes the completion output contain single quotes where the --help
- output does.
+ According to the zlib FAQ, Z_BUF_ERROR is not fatal.
- Closes #532
+ This bug would happen randomly since packet sizes are arbitrary. A test
+ of 10,000 transfers had 55 fail (ie 0.55%).
+
+ Ref: https://zlib.net/zlib_faq.html#faq05
+
+ Closes https://github.com/curl/curl/pull/2060
-Jay Satiro (18 Nov 2015)
-- [MaxGiting brought this change]
+Patrick Monnerat (7 Nov 2017)
+- content_encoding: do not write 0 length data
- FAQ: Grammar changes
+Daniel Stenberg (6 Nov 2017)
+- fnmatch: remove dead code
- Closes https://github.com/bagder/curl/pull/533
+ There was a duplicate check for backslashes in the setcharset()
+ function.
+
+ Coverity CID 1420611
-Daniel Stenberg (17 Nov 2015)
-- http2: http_done: don't free already-freed push headers
+- url: remove unncessary NULL-check
- The push headers are freed after the push callback has been invoked,
- meaning this code should only free the headers if the callback was never
- invoked and thus the headers weren't freed at that time.
+ Since 'conn' won't be NULL in there and we also access the pointer in
+ there without the check.
- Reported-by: Davey Shafik
-
-- [Anders Bakken brought this change]
+ Coverity CID 1420610
- getconnectinfo: Don't call recv(2) if socket == -1
+Viktor Szakats (6 Nov 2017)
+- src/Makefile.m32: fix typo in brotli lib customization
- Closes #528
+ Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31
-- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
+- Makefile.m32: allow to customize brotli libs
+
+ It adds the ability to link against static brotli libs.
- ... if there are more than one using the same name
+ Also fix brotli include path.
-- http2: minor comment typo
+Patrick Monnerat (5 Nov 2017)
+- travis: add a job with brotli enabled
-- sasl; fix checksrc warnings
+- [Viktor Szakats brought this change]
-Steve Holme (15 Nov 2015)
-- RELEASE-NOTES: Adjusted for the recent OAuth 2.0 activity
+ Makefile.m32: add brotli support
-- tests: Disabled 889 and 890 until we support POP3 continuation responses
+- HTTP: implement Brotli content encoding
- As POP3 final and continuation responses both begin with a + character,
- and both the finalcode and contcode variables in SASLprotoc are set as
- such, we cannot tell the difference between them when we are expecting
- an optional continuation from the server such as the following:
+ This uses the brotli external library (https://github.com/google/brotli).
+ Brotli becomes a feature: additional curl_version_info() bit and
+ structure fields are provided for it and CURLVERSION_NOW bumped.
- + something else from the server
- +OK final response
+ Tests 314 and 315 check Brotli content unencoding with correct and
+ erroneous data.
- Disabled these tests until such a time we can tell the responses apart.
-
-- tests: Corrected typos from commit ba4d8f7eba
+ Some tests are updated to accomodate with the now configuration dependent
+ parameters of the Accept-Encoding header.
-- tests: Added OAUTHBEARER failure response tests
-
-- oauth2: Support OAUTHBEARER failures sent as continuation responses
+- HTTP: support multiple Content-Encodings
- According to RFC7628 a failure message may be sent by the server in a
- base64 encoded JSON string as a continuation response.
+ This is implemented as an output streaming stack of unencoders, the last
+ calling the client write procedure.
- Currently only implemented for OAUTHBEARER and not XAUTH2.
-
-Daniel Stenberg (15 Nov 2015)
-- RELEASE-NOTES: synced with 808a17ee675
-
-Steve Holme (14 Nov 2015)
-- tests: Renamed existing OAuth 2.0 (XOAUTH) tests
-
-- tests: Added OAuth 2.0 (OAUTHBEARER) tests
-
-- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
+ New test 230 checks this feature.
- OAUTHBEARER is now the official "registered" SASL mechanism name for
- OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some
- servers won't support the new mechanism yet.
-
-Daniel Stenberg (13 Nov 2015)
-- RELEASE-NOTES: recounted curl_easy_setopt() options
+ Bug: https://github.com/curl/curl/pull/2002
+ Reported-By: Daniel Bankhead
-- typecheck-gcc.h: add missing slist-using options
+Jay Satiro (4 Nov 2017)
+- url: remove arg value check from CURLOPT_SSH_AUTH_TYPES
- CURLOPT_RESOLVE and CURLOPT_PROXYHEADER were missing
+ Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value
+ check on this option is incorrect; we have to accept any value.
- Also sorted the list.
-
-- typecheck-gcc.h: added CURLOPT_CLOSESOCKETDATA
+ Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES
+ erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT.
- ... and sorted curl_is_cb_data_option alphabetically
-
-Jay Satiro (13 Nov 2015)
-- [Sebastian Pohlschmidt brought this change]
+ Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120
- openssl: Free modules on cleanup
+Daniel Stenberg (4 Nov 2017)
+- ntlm: avoid malloc(0) for zero length passwords
- Curl_ossl_init calls OPENSSL_load_builtin_modules() but
- Curl_ossl_cleanup doesn't make a call to free these modules.
+ It triggers an assert() when built with memdebug since malloc(0) may
+ return NULL *or* a valid pointer.
- Bug: https://github.com/bagder/curl/issues/526
-
-Steve Holme (13 Nov 2015)
-- symbols-in-versions: Added new CURLOPTTYPE_STRINGPOINT alias
+ Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054
- ...following commit aba281e762 to fix test 1119.
+ Assisted-by: Max Dymond
+ Closes #2054
-Daniel Stenberg (13 Nov 2015)
-- curl: mark two more options strings for --libcurl output
+- RELEASE-NOTES: synced with ee8016b3d
-- typecheck-gcc.h: add some missing string types
+- curl: speed up handling of many URLs
- Also sorted that list alphabetically
-
-- curl.h: introducing the STRINGPOINT alias
+ By properly keeping track of the last entry in the list of URLs/uploads
+ to handle, curl now avoids many meaningless traverses of the list which
+ speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K
+ URLs).
- As an alias for OBJECTPOINT. Provided to allow us to grep for all string
- options easier.
-
-- cleanup: general removal of TODO (and similar) comments
+ Added test 1291, to verify that it doesn't take ages - but we don't have
+ any detection of "too slow" command in the test suite.
- They tend to never get updated anyway so they're frequently inaccurate
- and we never go back to revisit them anyway. We document issues to work
- on properly in KNOWN_BUGS and TODO instead.
-
-- ftplistparser: remove empty function
+ Reported-by: arainchik on github
+ Fixes #1959
+ Closes #2052
-- openssl: remove #if check for 0.9.7 for ENGINE_load_private_key
-
-- openssl: all supported versions have X509_STORE_set_flags
+- curl: pass through [] in URLs instead of calling globbing error
- Simplify by removing #ifdefs and macros
-
-- openssl: remove 0.9.3 check
+ Assisted-by: Per Lundberg
+ Fixes #2044
+ Closes #2046
+ Closes #2048
-- openssl: remove #ifdefs for < 0.9.5 support
+- CURLOPT_INFILESIZE: accept -1
- We only support >= 0.9.7
-
-- lib/vtls/openssl: remove unused traces of yassl ifdefs
-
-Dan Fandrich (12 Nov 2015)
-- [dfandrich brought this change]
-
- unit1603: Demote hash mismatch failure to a warning
+ Regression since f121575
- The hashes can vary between architectures (e.g. Sparc differs from x86_64).
- This is not a fatal problem but just reduces the coverage of these white-box
- tests, as the assumptions about into which hash bucket each key falls are no
- longer valid.
-
-- [dfandrich brought this change]
+ Reported-by: Petr Voytsik
+ Fixes #2047
- unit1603: Added unit tests for hash functions
+Jay Satiro (2 Nov 2017)
+- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
+
+ Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT
+ erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT.
-- [dfandrich brought this change]
+Dan Fandrich (1 Nov 2017)
+- http2: Fixed OOM handling in upgrade request
+
+ This caused the torture tests on test 1800 to fail.
- unit1602: Fixed failure in torture test
+- tests: Fixed torture tests on tests 556 and 650
+
+ Test cleanup after OOM wasn't being consistently performed.
-Steve Holme (12 Nov 2015)
-- sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism
+Daniel Stenberg (1 Nov 2017)
+- CURLOPT_MAXREDIRS: allow -1 as a value
- Following the fix in commit d6d58dd558 it is necessary to re-introduce
- XOAUTH2 in the default enabled authentication mechanism, which was
- removed in commit 7b2012f262, otherwise users will have to specify
- AUTH=XOAUTH2 in the URL.
+ ... which is valid according to documentation. Regression since
+ f121575c0b5f.
- Note: OAuth 2.0 will only be used when the bearer is specified.
-
-- [Stefan Bühler brought this change]
-
- sasl_sspi: fix identity memory leak in digest authentication
-
-- [Stefan Bühler brought this change]
-
- sasl_sspi: fixed unicode build for digest authentication
+ Verified now in test 501.
- Closes #525
+ Reported-by: cbartl on github
+ Fixes #2038
+ Closes #2039
-- oauth2: Re-factored OAuth 2.0 state variable
+- include: remove conncache.h inclusion from where its not needed
-- sasl: Don't choose OAuth 2.0 if mechanism not advertised
+Jay Satiro (1 Nov 2017)
+- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
- Regression from commit 9e8ced9890 which meant if --oauth2-bearer was
- specified but the SASL mechanism wasn't supported by the server then
- the mechanism would be chosen.
-
-Daniel Stenberg (12 Nov 2015)
-- runtests: more compact "System characteristics" output
+ .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE.
- - no point in repeating curl features that is already listed as features
- from the curl -V output
+ Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE
+ erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT.
- - remove the port numbers/unix domain path from the output unless
- verbose is used, as that is rarely interesting to users.
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html
+ Reported-by: Andrew Lambert
-- runtests: rename conditional curl-features to $has_[name]
-
-Steve Holme (11 Nov 2015)
-- oauth2: Introduced support for host and port details
+Daniel Stenberg (31 Oct 2017)
+- cookie: avoid NULL dereference
- Added support to the OAuth 2.0 message function for host and port, in
- order to accommodate the official OAUTHBEARER SASL mechanism which is
- to be added shortly.
-
-- curl_setup.h: Removed duplicate CURL_DISABLE_RTSP when HTTP_ONLY defined
+ ... when expiring old cookies.
+
+ Reported-by: Pavel Gushchin
+ Fixes #2032
+ Closes #2035
-- cmake: Add missing feature macros in config header (Part 2)
+Marcel Raad (30 Oct 2017)
+- memdebug: use send/recv signature for curl_dosend/curl_dorecv
+
+ This avoids build errors and warnings caused by implicit casts.
- In addition to commit a215381c94 added the RTSP, RTMP and SMB protocols.
+ Closes https://github.com/curl/curl/pull/2031
-Daniel Stenberg (10 Nov 2015)
-- [Douglas Creager brought this change]
+Daniel Stenberg (30 Oct 2017)
+- [Juro Bystricky brought this change]
- cmake: Add missing feature macros in config header
+ mkhelp.pl: support reproducible build
+
+ Do not generate line with the current date, such as:
+
+ * Generation time: Tue Oct-24 18:01:41 2017
- The curl_config.h file can be generated either from curl_config.h.cmake
- or curl_config.h.in, depending on whether you're building using CMake or
- the autotools. The CMake template header doesn't include entries for
- all of the protocols that you can disable, which (I think) means that
- you can't actually disable those protocols when building via CMake.
+ This will improve reproducibility. The generated string is only
+ part of a comment, so there should be no adverse consequences.
- Closes #523
+ Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+
+ closes #2026
-- [Douglas Creager brought this change]
+Dan Fandrich (30 Oct 2017)
+- runtests.pl: Fixed typo in message
- BoringSSL: Work with stricter BIO_get_mem_data()
-
- BoringSSL implements `BIO_get_mem_data` as a function, instead of a
- macro, and expects the output pointer to be a `char **`. We have to add
- an explicit cast to grab the pointer as a `const char **`.
+Daniel Stenberg (30 Oct 2017)
+- curlx: the timeval functions are no longer provided as curlx_*
- Closes #524
+ Pointed-out-by: Dmitri Tikhonov
+ Bug: #2034
-- http2: rectify the http2 version #if check
+- select: update comments
- We need 1.0.0 or later. Also verified by configure.
+ s/curlx_tvnow/Curl_now
-Steve Holme (9 Nov 2015)
-- oauth2: Don't use XAUTH2 in OAuth 2.0 function name
+- INTERNALS: remove curlx_tv* functions no longer provided
-- oauth2: Don't use XOAUTH2 in OAuth 2.0 variables
+- [Dmitri Tikhonov brought this change]
-- oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
+ timeval: use mach time on MacOS
- When referring to OAuth 2.0 we should use the official name rather the
- SASL mechanism name.
+ If clock_gettime() is not supported, use mach_absolute_time() on MacOS.
+
+ closes #2033
+
+monnerat (29 Oct 2017)
+- [Patrick Monnerat brought this change]
-Daniel Stenberg (9 Nov 2015)
-- imap: avoid freeing constant string
+ cli tool: improve ";type=" handling in -F option arguments
+
+- [Patrick Monnerat brought this change]
+
+ cli tool: in -F option arg, comma is a delimiter for files only
- The fix in 1a614c6c3 was wrong and would leed to free() of a fixed
- string.
+ Also upgrade test 1133 to cover this case and clarify man page about
+ form data quoting.
- Pointed-out-by: Kamil Dudka
+ Bug: https://github.com/curl/curl/issues/2022
+ Reported-By: omau on github
-- ROADMAP: remove two items already done
+Daniel Stenberg (29 Oct 2017)
+- timeleft: made two more users of Curl_timeleft use timediff_t
-- RELEASE-NOTES: synced with 2200bf62054
-
-Jay Satiro (9 Nov 2015)
-- acinclude: Remove check for 16-bit curl_off_t
+Jakub Zakrzewski (28 Oct 2017)
+- cmake: Export libcurl and curl targets to use by other cmake projects
- Because it's illogical to check for a 16-bit curl_off_t.
+ The config files define curl and libcurl targets as imported targets
+ CURL::curl and CURL::libcurl. For backward compatibility with CMake-
+ provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are
+ also set.
- Ref: https://github.com/bagder/curl/issues/425#issuecomment-154964205
+ Closes #1879
-Dan Fandrich (8 Nov 2015)
-- tool: Fixed a memory leak on OOM introduced in 19cb0c4a
+Daniel Stenberg (28 Oct 2017)
+- RELEASE-NOTES: synced with f20cbac97
-Steve Holme (8 Nov 2015)
-- [Justin Ehlert brought this change]
+- [Florin Petriuc brought this change]
- imap: Don't check for continuation when executing a CUSTOMREQUEST
+ auth: Added test cases for RFC7616
+
+ Updated docs to include support for RFC7616
- Bug: https://github.com/bagder/curl/issues/486
- Closes https://github.com/bagder/curl/pull/487
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
+
+ Closes #1934
-Daniel Stenberg (7 Nov 2015)
-- imap: checksrc: remove space after while before paren
+- [Florin Petriuc brought this change]
-- checksrc.whitelist: "missing space after close paren"
+ auth: add support for RFC7616 - HTTP Digest access authentication
- ... when it was within a string!
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
-Steve Holme (7 Nov 2015)
-- opts: Corrected TLS protocols list to include POP3S rather than POP3
+- [Daniel Bankhead brought this change]
-- imap: Quote other 'atom-specials' and not just the space character
+ TODO: support multiple Content-Encodings
- Closes #517
-
-- imap: Fixed double quote in LIST command when mailbox contains spaces
+ Closes #2002
-Daniel Stenberg (6 Nov 2015)
-- imap: fix compiler warning
+- ROADMAP: cleanup
- imap.c:657:13: error: assignment discards 'const' qualifier from pointer
- target type [-Werror=discarded-qualifiers]
+ Removed done stuff. Removed entries no longer considered for the near
+ term.
-Steve Holme (6 Nov 2015)
-- imap: Don't call imap_atom() when no mailbox specified in LIST command
+- [Magicansk brought this change]
-Daniel Stenberg (6 Nov 2015)
-- curl.1: remove the overlap --range example
+ ROADMAP.md: spelling fixes
- ... it is just weird to include by default even if it still works.
+ Closes #2028
-- tftp tests: verify sent options too
+- Curl_timeleft: change return type to timediff_t
- The tftpd test server now logs all received options and thus all TFTP
- test cases need to match them exactly.
+ returning 'time_t' is problematic when that type is unsigned and we
+ return values less than zero to signal "already expired", used in
+ several places in the code.
- Extended test 283 to use and verify --tftp-blksize.
+ Closes #2021
-Jay Satiro (6 Nov 2015)
-- getinfo: CURLINFO_ACTIVESOCKET: fix bad socket value
+- appveyor: add a win32 build
+
+- setopt: fix CURLOPT_SSH_AUTH_TYPES option read
- - Set user info param to the socket returned by Curl_getconnectinfo,
- regardless of if the socket is bad. Effectively this means the user info
- param now will receive CURL_SOCKET_BAD instead of -1 on bad socket.
+ Regression since f121575c0b5f
- - Remove incorrect comments.
+ Reported-by: Rob Cotrone
+
+Marcel Raad (27 Oct 2017)
+- resolvers: only include anything if needed
- CURLINFO_ACTIVESOCKET is documented to write CURL_SOCKET_BAD to user
- info param but prior to this change it wrote -1.
+ This avoids warnings about unused stuff.
- Bug: https://github.com/bagder/curl/pull/518
- Reported-by: Marcel Raad
+ Closes https://github.com/curl/curl/pull/2023
-Patrick Monnerat (5 Nov 2015)
-- curl_ntlm_core: fix 2 curl_off_t constant overflows.
+Daniel Stenberg (27 Oct 2017)
+- HELP-US: rename the subtitle too since the label is changed
+
+ "PR-welcome" was the former name.
-- os400: adjust specific code to support new options.
+- curl_setup.h: oops, shorten the too long line
-Daniel Stenberg (2 Nov 2015)
-- [Lauri Kasanen brought this change]
+- [Martin Storsjo brought this change]
- rawstr: Speed up Curl_raw_toupper by 40%
+ curl_setup: Improve detection of CURL_WINDOWS_APP
- Rationale: when starting up a curl-using app, all cookies from the jar
- are checked against each other. This was causing a startup delay in the
- Fifth browser.
+ If WINAPI_FAMILY is defined, it should be safe to try to include
+ winapifamily.h to check what the define evaluates to.
- All tests pass.
+ This should fix detection of CURL_WINDOWS_APP if building with
+ _WIN32_WINNT set to 0x0600.
- Signed-off-by: Lauri Kasanen <cand@gmx.com>
+ Closes #2025
-- http redirects: %-encode bytes outside of ascii range
+Jay Satiro (26 Oct 2017)
+- transfer: Fix chunked-encoding upload bug
- Apparently there are sites out there that do redirects to URLs they
- provide in plain UTF-8 or similar. Browsers and wget %-encode such
- headers when doing a subsequent request. Now libcurl does too.
+ - When uploading via chunked-encoding don't compare file size to bytes
+ sent to determine whether the upload has finished.
- Added test 1138 to verify.
+ Chunked-encoding adds its own overhead which why the bytes sent is not
+ equal to the file size. Prior to this change if a file was uploaded in
+ chunked-encoding and its size was known it was possible that the upload
+ could end prematurely without sending the final few chunks. That would
+ result in a server hang waiting for the remaining data, likely followed
+ by a disconnect.
- Closes #473
-
-- RELEASE-NOTES: synced with cba5bc585410
-
-- symbols-in-version: add all CURL_HTTPPOST_* symbols
-
-- formadd: support >2GB files on windows
+ The scope of this bug is limited to some arbitrary file sizes which have
+ not been determined. One size that triggers the bug is 475020.
+
+ Bug: https://github.com/curl/curl/issues/2001
+ Reported-by: moohoorama@users.noreply.github.com
- Closes #425
+ Closes https://github.com/curl/curl/pull/2010
-- curl.h: s/HTTPPOST_/CURL_HTTPOST_
+Daniel Stenberg (26 Oct 2017)
+- timeval: make timediff_t also work on 32bit windows
- Fixes a name space pollution at the cost of programs using one of these
- defines will no longer compile. However, the vast majority of libcurl
- programs that do multipart formposts use curl_formadd() to build this
- list.
+ ... by using curl_off_t for the typedef if time_t is larger than 4
+ bytes.
- Closes #506
+ Reported-by: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co
+ mmitcomment-25205058
+ Closes #2019
-- mbedtls: fix "Structurally dead code"
+- curl_fnmatch: return error on illegal wildcard pattern
- CID 1332129
-
-- mbedtls: fix "Logically dead code"
+ ... instead of doing an infinite loop!
- CID 1332128
+ Added test 1162 to verify.
+
+ Reported-by: Max Dymond
+ Fixes #2015
+ Closes #2017
+
+- [Max Dymond brought this change]
-- Revert "openssl: engine: remove double-free"
+ wildcards: don't use with non-supported protocols
- This reverts commit 370ee919b37cc9a46c36428b2bb1527eae5db2bd.
+ Fixes timeouts in the fuzzing tests for non-FTP protocols.
- Issue #509 has all the details but it was confirmed that the crash was
- not due to this, so the previous commit was wrong.
+ Closes #2016
-- curl.1: -E: s/private certificate/client certificate
+- [Max Dymond brought this change]
+
+ multi: allow table handle sizes to be overridden
- ... as the certificate is strictly speaking not private.
+ Allow users to specify their own hash define for
+ CURL_CONNECTION_HASH_SIZE so that both values can be overridden.
- Reported-by: John Levon
+ Closes #1982
-- openssl: engine: remove double-free
+- time: rename Curl_tvnow to Curl_now
- After a successful call to SSL_CTX_use_PrivateKey(), we must not call
- EVP_PKEY_free() on the key.
+ ... since the 'tv' stood for timeval and this function does not return a
+ timeval struct anymore.
- Reported-by: nased0
- Closes #509
-
-Jay Satiro (27 Oct 2015)
-- socks: Fix incorrect port numbers in failed connect messages
-
-Daniel Stenberg (26 Oct 2015)
-- DISTRO-DILEMMA: removed
+ Also, cleaned up the Curl_timediff*() functions to avoid typecasts and
+ clean up the descriptive comments.
- Out of date and not kept accurate. It was sort of a problem of the past
- anyway.
+ Closes #2011
-- [xiangbin li brought this change]
+- ftplistparser: follow-up cleanup to remove PL_ERROR()
- MacOSX-Framework: sdk regex fix for sdk 10.10 and later
-
- closes #507
+- [Max Dymond brought this change]
-Jay Satiro (24 Oct 2015)
-- build: Fix support for PKG_CONFIG
+ ftplistparser: free off temporary memory always
- - Allow the user to use PKG_CONFIG but not PKGCONFIG.
+ When using the FTP list parser, ensure that the memory that's
+ allocated is always freed.
- Background:
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682
+ Closes #2013
+
+- timediff: return timediff_t from the time diff functions
- Last week in 14d5a86 a change was made to allow the user to set the
- PKGCONFIG variable. Today in 72d99f2 I supplemented that to allow the
- more common PKG_CONFIG as an alternative if PKGCONFIG is not set.
+ ... to cater for systems with unsigned time_t variables.
- Neither of those changes worked as expected because PKGCONFIG is
- occasionally reset in configure and by the CURL_CHECK_PKGCONFIG macro.
- Instead in this commit I take the approach that the user may set
- PKG_CONFIG only.
-
-- build: Fix mingw ssl gdi32 order
+ - Renamed the functions to curlx_timediff and Curl_timediff_us.
- - If mingw ssl make sure -lgdi32 comes after ssl libs
+ - Added overflow protection for both of them in either direction for
+ both 32 bit and 64 bit time_ts
- - Allow PKG_CONFIG to set pkg-config location and options
+ - Reprefixed the curlx_time functions to use Curl_*
- Bug: https://github.com/bagder/curl/pull/501
- Reported-by: Kang Lin
+ Reported-by: Peter Piekarski
+ Fixes #2004
+ Closes #2005
-Daniel Stenberg (23 Oct 2015)
-- RELEASE-NOTES: synced with 03b6e078163f
+- [Paul Howarth brought this change]
-- polarssl/mbedtls: fix name space pollution
+ libtest: Add required test libraries for lib1552 and lib1553
+
+ They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too.
- Global private symbols MUST start with Curl_!
+ This fixes build failures on Fedora 13.
+
+ Closes #2006
-- [Dmitry S. Baikov brought this change]
+- [Alessandro Ghedini brought this change]
- mbedTLS: THREADING_SUPPORT compilation fix
+ libcurl-tutorial.3: fix typo
- Closes #505
+ closes #2008
-- test1137: verify --ignore-content-length for FTP
+Alessandro Ghedini (23 Oct 2017)
+- curl_mime_filedata.3: fix typos
-- curl.1: --ignore-content-length now works for FTP too
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: clean slate towards 7.57.0
-- [Kurt Fankhauser brought this change]
+- [Max Dymond brought this change]
- ftp: allow CURLOPT_IGNORE_CONTENT_LENGTH to ignore size
+ travis: exit if any steps fail
- This allows FTP transfers with growing (or shrinking) files without
- causing a transfer error.
+ We don't expect any steps to fail in travis. Exit the script if they do.
- Closes #480
+ Closes #1966
+
+Version 7.56.1 (23 Oct 2017)
+
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: 7.56.1
+
+- THANKS: update at 7.56.1 release time
+
+- [Jon DeVree brought this change]
-- CURLOPT_STREAM_WEIGHT.3: call argument 'weight' too
+ mk-ca-bundle: Remove URL for aurora
- ... and add a little example of what the weight actually means. "Relative
- proportion of bandwidth".
+ Aurora is no longer used by Mozilla
+ https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/
-- http2: add stream options to dist and curl_easy_setopt.3
+- [Jon DeVree brought this change]
-- http2: s/priority/weight
+ mk-ca-bundle: Fix URL for NSS
+
+ The 'tip' is the most recent branch committed to, this should be
+ 'default' like the URLs for the browser are.
+
+ Closes #1998
-- http2: on_frame_recv: trust the conn/data input
+- imap: if a FETCH response has no size, don't call write callback
- Removed wrong assert()s
+ CVE-2017-1000257
- The 'conn' passed in as userdata can be used and there can be other
- sessionhandles ('data') than the single one this checked for.
+ Reported-by: Brian Carpenter and 0xd34db347
+ Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
-- http2: added three stream prio/deps options
+- ftp: reject illegal IP/port in PASV 227 response
- CURLOPT_STREAM_DEPENDS
+ ... by using range checks. Among other things, this avoids an undefined
+ behavior for a left shift that could happen on negative or very large
+ values.
- CURLOPT_STREAM_DEPENDS_E
+ Closes #1997
- CURLOPT_STREAM_PRIORITY
-
-- RELEASE-NOTES: synced with ace68fdc0cfed83d
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
-- [m-gardet brought this change]
+Patrick Monnerat (20 Oct 2017)
+- test653: check reuse of easy handle after mime data change
+
+ See issue #1999
- mbedtls:new profile with RSA min key len = 1024.
+- mime: do not reuse previously computed multipart size
+
+ The contents might have changed: size must be recomputed.
- Closes #502
+ Reported-by: moteus on github
+ Fixes #1999
-- checksrc: add crude // detection
+- test308: disable if MultiSSL feature enabled
+
+ Even if OpenSSL is enabled, it might not be the default backend when
+ multi-ssl is enabled, causing the test to fail.
-Jay Satiro (21 Oct 2015)
-- [Gisle Vanem brought this change]
+- runtests: support MultiSSL client feature
- build: fix for MSDOS/djgpp
+- vtls: change struct Curl_ssl `close' field name to `close_one'.
- - Add a VPATH-statement for the vtls/*.c files.
+ On OS/400, `close' is an ASCII system macro that corrupts the code if
+ not used in a context not targetting the close() system API.
+
+- os400: add missing symbols in config file.
- - Due to 'vtls/*.c', remove that subdir part from $(OBJECTS).
+ Also adjust makefile to renamed files and warn about installation dirs mix-up.
-Daniel Stenberg (20 Oct 2015)
-- copyrights: update Gisle Vanem's email
+- test652: curl_mime_data + base64 encoder with large contents
-- vtls: fix compiler warning for TLS backends without sha256
-
- ... noticed with mbedTLS.
+- mime: limit bas64-encoded lines length to 76 characters
-- [Jonas Minnberg brought this change]
+Daniel Stenberg (16 Oct 2017)
+- RELEASE-NOTES: synced with f121575c0
- vtls: added support for mbedTLS
+- setopt: range check most long options
- closes #496
+ ... filter early instead of risking "funny values" having to be dealt
+ with elsewhere.
-Jay Satiro (19 Oct 2015)
-- [Javier G. Sogo brought this change]
-
- cmake: Fix for add_subdirectory(curl) use-case
+- setopt: avoid integer overflows when setting millsecond values
+
+ ... that are multiplied by 1000 when stored.
- - Use CURL_BINARY_DIR instead of CMAKE_BINARY_DIR.
+ For 32 bit long systems, the max value accepted (2147483 seconds) is >
+ 596 hours which is unlikely to ever be set by a legitimate application -
+ and previously it didn't work either, it just caused undefined behavior.
- When including CURL using add_subdirectory the variables
- CMAKE_BINARY_DIR and CURL_BINARY_DIR hold different paths.
+ Also updated the man pages for these timeout options to mention the
+ return code.
- Closes https://github.com/bagder/curl/pull/488
- Closes https://github.com/bagder/curl/pull/498
+ Closes #1938
-Daniel Stenberg (18 Oct 2015)
-- RELEASE-NOTES: synced with 4c773bcb474e
+Viktor Szakats (15 Oct 2017)
+- makefile.m32: allow to override gcc, ar and ranlib
+
+ Allow to ovverride certain build tools, making it possible to
+ use LLVM/Clang to build curl. The default behavior is unchanged.
+ To build with clang (as offered by MSYS2), these settings can
+ be used:
+
+ CURL_CC=clang
+ CURL_AR=llvm-ar
+ CURL_RANLIB=llvm-ranlib
+
+ Closes https://github.com/curl/curl/pull/1993
-- tests/FILEFORMAT: mention PSL as a valid feture to check for
+- ldap: silence clang warning
+
+ Use memset() to initialize a structure to avoid LLVM/Clang warning:
+ ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]
- For example in test 1136
+ Closes https://github.com/curl/curl/pull/1992
-- teste1136: only run when PSL is enabled
+Daniel Stenberg (14 Oct 2017)
+- runtests: use valgrind for torture as well
+
+ NOTE: it makes them terribly slow. I recommend only using valgrind for
+ specific torture tests or using lots of patience.
-- curl: slist_wc: remove curl_memory.h inclusion
+- memdebug: trace send, recv and socket
+
+ ... to allow them to be included in torture tests too.
- ... that's for the library only.
+ closes #1980
-- configure: add PSL to the list of features
+- configure: remove the C++ compiler check
- ... to make test 1014 work again after e77b5b7453.
+ ... we used it only for the fuzzer, which we now have in a separate git
+ repo.
+
+ Closes #1990
+
+Patrick Monnerat (13 Oct 2017)
+- mime: do not call failf() if easy handle is NULL.
-- [Daniel Hwang brought this change]
+Daniel Stenberg (13 Oct 2017)
+- test651: curl_formadd with huge COPYCONTENTS
- tool: Generate easysrc with last cache linked-list
+- mime: fix the content reader to handle >16K data properly
- Using a last cache linked-list improves the performance of easysrc
- generation.
+ Reported-by: Jeroen Ooms
+ Closes #1988
+
+Patrick Monnerat (12 Oct 2017)
+- mime: keep "text/plain" content type if user-specified.
- Bug: https://github.com/bagder/curl/issues/444
- Ref: https://github.com/bagder/curl/issues/429
+ Include test cases in 554, 587, 650.
- Closes #452
+ Fixes https://github.com/curl/curl/issues/1986
-- [Tim Rühsen brought this change]
+- cli tool: use file2memory() to buffer stdin in -F option.
+
+ Closes PR https://github.com/curl/curl/pull/1985
- cookies: Add support for Mozilla's Publix Suffix List
+- cli tool: reimplement stdin buffering in -F option.
- Use libpsl to check the domain value of Set-Cookie headers (and cookie
- jar entries) for not being a Publix Suffix.
+ If stdin is not a regular file, its content is memory-buffered to enable
+ a possible data "rewind".
+ In all cases, stdin data size is determined before real use to avoid
+ having an unknown part's size.
- The configure script checks for "libpsl" by default. Disable the check
- with --without-libpsl.
+ --libcurl generated code is left as an unbuffered stdin fread/fseek callback
+ part with unknown data size.
- Ref: https://publicsuffix.org/
- Ref: https://github.com/publicsuffix/list
- Ref: https://github.com/rockdaboot/libpsl
-
-- [Richard Hosking brought this change]
-
- curlbuild.h: Fix non-configure compiling to mips and sh4 targets
+ Buffering is not supported in deprecated curl_formadd() API.
-- [Anders Bakken brought this change]
+Daniel Stenberg (12 Oct 2017)
+- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
- http2: Don't pass unitialized name+len pairs to nghttp2_submit_request
-
- bug introduced by 18691642931e5c7ac8af83ac3a84fbcb36000f96.
+- HELP-US: the label "PR-welcome" is now renamed to "help wanted"
- Closes #493
+ following the new github "standard"
-Dan Fandrich (16 Oct 2015)
-- test1601: fix compilation with --enable-debug and --disable-crypto-auth
+- RELEASE-NOTES: synced with 5505df7d2
-Daniel Stenberg (16 Oct 2015)
-- multi: fix off-by-one finit[] array size
-
- introduced in c6aedf680f6. It needs to be CURLM_STATE_LAST big since it
- must hande the range 0 .. CURLM_STATE_MSGSENT (18) and CURLM_STATE_LAST
- is 19 right now.
-
- Reported-by: Dan Fandrich
- Bug: http://curl.haxx.se/mail/lib-2015-10/0069.html
+Jay Satiro (11 Oct 2017)
+- [Artak Galoyan brought this change]
-- fread_func: move callback pointer from set to state struct
+ url: Update current connection SSL verify params in setopt
- ... and assign it from the set.fread_func_set pointer in the
- Curl_init_CONNECT function. This A) avoids that we have code that
- assigns fields in the 'set' struct (which we always knew was bad) and
- more importantly B) it makes it impossibly to accidentally leave the
- wrong value for when the handle is re-used etc.
+ Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
+ connection updates the current connection's (i.e.'connectdata'
+ structure) appropriate ssl_config (and ssl_proxy_config) structures
+ variables, making these options effective for ongoing connection.
- Introducing a state-init functionality in multi.c, so that we can set a
- specific function to get called when we enter a state. The
- Curl_init_CONNECT is thus called when switching to the CONNECT state.
+ This functionality was available before and was broken by the
+ following change:
+ "proxy: Support HTTPS proxy and SOCKS+HTTP(s)"
+ CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151.
- Bug: https://github.com/bagder/curl/issues/346
+ Bug: https://github.com/curl/curl/issues/1941
- Closes #346
+ Closes https://github.com/curl/curl/pull/1951
-Dan Fandrich (14 Oct 2015)
-- test1531: case the size to fix the test on non-largefile builds
+Daniel Stenberg (11 Oct 2017)
+- [David Benjamin brought this change]
-Daniel Stenberg (13 Oct 2015)
-- acinclude: remove PKGCONFIG override
+ openssl: don't use old BORINGSSL_YYYYMM macros
- ... and allow it to get set by a caller easier.
+ Those were temporary things we'd add and remove for our own convenience
+ long ago. The last few stayed around for too long as an oversight but
+ have since been removed. These days we have a running
+ BORINGSSL_API_VERSION counter which is bumped when we find it
+ convenient, but 2015-11-19 was quite some time ago, so just check
+ OPENSSL_IS_BORINGSSL.
- Reported-by: Rainer Jung
- Bug: http://curl.haxx.se/mail/lib-2015-10/0035.html
+ Closes #1979
-Dan Fandrich (12 Oct 2015)
-- docs/INSTALL: Updated example minimal binary sizes
+- test950; verify SMTP with custom request
-Daniel Stenberg (11 Oct 2015)
-- [Erik Johansson brought this change]
+- ftpserver: support case insensitive commands
- openssl: Fix set up of pkcs12 certificate verification chain
+- smtp_done: free data before returning (on send failure)
- sk_X509_pop will decrease the size of the stack which means that the loop would
- end after having added only half of the certificates.
+ ... as otherwise it could leak that memory.
- Also make sure that the X509 certificate is freed in case
- SSL_CTX_add_extra_chain_cert fails.
-
-- ntlm: error out without 64bit support as the code needs it
+ Detected by OSS-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600
- It makes it a clearer message for developers reaching that point without
- the necessary support.
+ Assisted-by: Max Dymond
+ Closes #1977
+
+- FTP: URL decode path for dir listing in nocwd mode
- Thanks-by: Jay Satiro
+ Reported-by: Zenju on github
- Closes #78
+ Test 244 added to verify
+ Fixes #1974
+ Closes #1976
-- curl_global_init: set the memory function pointers correct
+- test298: verify --ftp-method nowcwd with URL encoded path
- follow-up from 6f8ecea0
+ Ref: #1974
-- curl_global_init_mem: set function pointers before doing init
-
- ... as in the polarssl TLS backend for example it uses memory functions.
+- CURLOPT_XFERINFODATA.3: fix duplicate see also
-Jay Satiro (9 Oct 2015)
-- http2: Fix http2_recv to return -1 if recv returned -1
-
- If the underlying recv called by http2_recv returns -1 then that is the
- value http2_recv returns to the caller.
+- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
-Daniel Stenberg (8 Oct 2015)
-- [Svyatoslav Mishyn brought this change]
+- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
- curl_easy_recv.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
+- openssl: enable PKCS12 support for !BoringSSL
- Closes #479
-
-- [Svyatoslav Mishyn brought this change]
-
- curl_easy_send.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
-
-- [Svyatoslav Mishyn brought this change]
-
- CURLOPT_CONNECT_ONLY.3: CURLINFO_LASTSOCKET => CURLINFO_ACTIVESOCKET
+ Enable PKCS12 for all non-boringssl builds without relying on configure
+ or cmake checks.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html
+ Reported-by: Christian Schmitz
+ Closes #1948
-- CURLOPT_CERTINFO.3: fix reference to CURLINFO_CERTINFO
+- [Kristiyan Tsaklev brought this change]
-- ntlm: get rid of unconditional use of long long
+ curl: don't pass semicolons when parsing Content-Disposition
- ... since some compilers don't have it and instead use other types, such
- as __int64.
+ Test 1422 updated to verify.
- Reported by: gkinseyhpw
- Closes #478
-
-Jay Satiro (8 Oct 2015)
-- [Anders Bakken brought this change]
+ Closes #1964
- des: Fix header conditional for Curl_des_set_odd_parity
+Patrick Monnerat (9 Oct 2017)
+- mime: properly unbind mime structure in curl_mime_free().
- Follow up to 613e502.
-
-Daniel Stenberg (7 Oct 2015)
-- configure: build silently by default
+ This allows freeing a mime structure bound to the easy handle before
+ curl_easy_cleanup().
- 'make V=1' will make the build verbose like before
-
-- bump: start climbing toward 7.46.0
-
-- RELEASE-PROCEDURE: add the github HTTPS download step
+ Fixes #1970.
-Version 7.45.0 (7 Oct 2015)
-
-Daniel Stenberg (7 Oct 2015)
-- THANKS: 19 new contributors from the 7.45.0 announcement
-
-- RELEASE-NOTES: synced with 69ea57970080
-
-Jay Satiro (4 Oct 2015)
-- getinfo: Fix return code for unknown CURLINFO options
+Daniel Stenberg (9 Oct 2017)
+- RTSP: avoid integer overflow on funny RTSP response
- - If a CURLINFO option is unknown return CURLE_UNKNOWN_OPTION.
+ ... like a very large non-existing RTSP version number.
- Prior to this change CURLE_BAD_FUNCTION_ARGUMENT was returned on
- unknown. That return value is contradicted by the CURLINFO option
- documentation which specifies a return of CURLE_UNKNOWN_OPTION on
- unknown.
-
-- [rouzier brought this change]
-
- hiperfifo: fix the pointer passed to WRITEDATA
+ Added test 577 to verify.
- Closes https://github.com/bagder/curl/pull/471
-
-- [Maksim Stsepanenka brought this change]
+ Detected by OSS-fuzz.
+ Closes #1969
- tool_setopt: fix c_escape truncated octal
-
- Closes https://github.com/bagder/curl/pull/469
+Patrick Monnerat (8 Oct 2017)
+- ftpserver: properly reset $ftptargetdir.
-Daniel Stenberg (1 Oct 2015)
-- [Orange Tsai brought this change]
+- test643: verify curl_mime_subparts() rejects cyclic additions.
- gopher: don't send NUL byte
+- mime: refuse to add subparts to one of their own descendants.
- Closes #466
+ Reported-by: Alexey Melnichuk
+ Fixes #1962
+
+- mime: avoid resetting a part's encoder when part's contents change.
-Jay Satiro (29 Sep 2015)
-- runtests: Fix pid check in checkdied
+- mime: improve unbinding top multipart from easy handle.
- Because the 'not' operator has a very low precedence and as a result the
- entire statement was erroneously negated and could never be true.
+ Also avoid dangling pointers in referencing parts.
-Daniel Stenberg (30 Sep 2015)
-- [Thorsten Schöning brought this change]
+Daniel Stenberg (8 Oct 2017)
+- RELEASE-NOTES: synced with a4c1c75da30af1
- win32: make recent Borland compilers use long long
+- curlver.h: next expected release is 7.57.0
-- RELEASE-NOTES: synced with 69b89050d4
+Patrick Monnerat (8 Oct 2017)
+- mime: be tolerant about setting twice the same header list in a part.
-Jay Satiro (28 Sep 2015)
-- [Michael Kalinin brought this change]
+- docs: clarify form/mime usage of non-regular data files.
- openssl: Fix algorithm init
+Daniel Stenberg (8 Oct 2017)
+- Revert "multi_done: wait for name resolve to finish if still ongoing"
- - Change algorithm init to happen after OpenSSL config load.
+ This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe.
- Additional algorithms may be available due to the user's config so we
- initialize the algorithms after the user's config is loaded.
+ Caused memory leaks in the fuzzer, needs to be done differently.
- Bug: https://github.com/bagder/curl/issues/447
- Reported-by: Denis Feklushkin
+ Disable test 1553 for now too, as it causes memory leaks without this
+ commit!
-- [Svyatoslav Mishyn brought this change]
-
- docs: fix unescaped '\n' in man pages
+- remove_handle: call multi_done() first, then clear dns cache pointer
- Closes https://github.com/bagder/curl/pull/459
+ Closes #1960
-Daniel Stenberg (27 Sep 2015)
-- http2: set TCP_NODELAY unconditionally
+- multi_done: wait for name resolve to finish if still ongoing
- For a single-stream download from localhost, we managed to increase
- transfer speed from 1.6MB/sec to around 400MB/sec, mostly because of
- this single fix.
+ ... as we must clean up memory.
-- http2: avoid superfluous Curl_expire() calls
+- pingpong: return error when trying to send without connection
- ... only call it when there is data arriving for another handle than the
- one that is currently driving it.
+ When imap_done() got called before a connection is setup, it would try
+ to "finish up" and dereffed a NULL pointer.
- Improves single-stream download performance quite a lot.
+ Test case 1553 managed to reproduce. I had to actually use a host name
+ to try to resolve to slow it down, as using the normal local server IP
+ will make libcurl get a connection in the first curl_multi_perform()
+ loop and then the bug doesn't trigger.
- Thanks-to: Tatsuhiro Tsujikawa
- Bug: http://curl.haxx.se/mail/lib-2015-09/0097.html
+ Fixes #1953
+ Assisted-by: Max Dymond
-- readwrite_data: set a max number of loops
+Dan Fandrich (6 Oct 2017)
+- tests: added flaky keyword to tests 587 and 644
- ... as otherwise a really fast pipe can "lock" one transfer for some
- protocols, like with HTTP/2.
-
-- [Sergei Nikulov brought this change]
+ These are around 5% flaky in my Linux x86 autobuilds.
- CI: Added AppVeyor-CI for curl
+Marcel Raad (6 Oct 2017)
+- vtls: fix warnings with --disable-crypto-auth
- Closes #439
+ When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters
+ are not used.
-- FTP: fix uploading ASCII with unknown size
+Daniel Stenberg (6 Oct 2017)
+- multi_cleanup: call DONE on handles that never got that
- ... don't try to increase the supposed file size on newlines if we don't
- know what file size it is!
+ ... fixes a memory leak with at least IMAP when remove_handle is never
+ called and the transfer is abruptly just abandoned early.
- Patch-by: lzsiga
-
-- [Tatsuhiro Tsujikawa brought this change]
-
- build: fix failures with -Wcast-align and -Werror
+ Test 1552 added to verify
- Closes #457
+ Detected by OSS-fuzz
+ Assisted-by: Max Dymond
+ Closes #1954
-- [Tatsuhiro Tsujikawa brought this change]
+- [Benbuck Nason brought this change]
- curl-confopts.m4: Add missing ')'
+ strtoofft: Remove extraneous null check
- ... for CURL_CHECK_OPTION_RT
+ Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str'
+ argument.
- Closes #456
-
-Jay Satiro (25 Sep 2015)
-- curl_easy_getinfo.3: Add brief description for each CURLINFO
+ Closes #1952
-Daniel Stenberg (23 Sep 2015)
-- [Jakub Zakrzewski brought this change]
+- openssl: fix build without HAVE_OPAQUE_EVP_PKEY
+
+ Reported-by: Javier Sixto
+ Fixes #1955
+ Closes #1956
- CMake: Ensure discovered include dirs are considered
+Viktor Szakats (6 Oct 2017)
+- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
- ...during header checks. Otherwise some following header tests
- (incorrectly) fail.
+ The source code is now prepared to handle the case when both
+ Win32 Crypto and OpenSSL/NSS crypto backends are enabled
+ at the same time, making it now possible to enable `USE_WIN32_CRYPTO`
+ whenever the targeted Windows version supports it. Since this
+ matches the minimum Windows version supported by curl
+ (Windows 2000), enable it unconditionally for the Win32 platform.
- Closes #436
-
-- [Jakub Zakrzewski brought this change]
-
- CMake: Put "winsock2.h" before "windows.h" during configure checks
+ This in turn enables SMB (and SMBS) protocol support whenever
+ Win32 Crypto is available, regardless of what other crypto backends
+ are enabled.
+
+ Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052
- "windows.h" includes "winsock.h" what causes many redefinition errors
- if "winsock2.h" is included afterwards and can cause build to fail.
+ Closes https://github.com/curl/curl/pull/1943
-- tests: disable 1510 due to CI-problems on github
+Daniel Stenberg (5 Oct 2017)
+- build: fix --disable-crypto-auth
+
+ Reported-by: Wyatt O'Day
+ Fixes #1945
+ Closes #1947
-- [Mike Crowe brought this change]
+Jay Satiro (5 Oct 2017)
+- [Nick Zitzmann brought this change]
- gnutls: Report actual GnuTLS error message for certificate errors
-
- If GnuTLS fails to read the certificate then include whatever reason it
- provides in the failure message reported to the client.
+ darwinssl: add support for TLSv1.3
- Signed-off-by: Mike Crowe <mac@mcrowe.com>
+ Closes https://github.com/curl/curl/pull/1794
-- RELEASE-NOTES: synced with 6b56901b56e
+Daniel Stenberg (4 Oct 2017)
+- [Felix Kaiser brought this change]
-- [Mike Crowe brought this change]
-
- gnutls: Support CURLOPT_KEYPASSWD
+ docs: fix typo in curl_mime_data_cb man page
- The gnutls vtls back-end was previously ignoring any password set via
- CURLOPT_KEYPASSWD. Presumably this was because
- gnutls_certificate_set_x509_key_file did not support encrypted keys.
+ Closes #1946
+
+Viktor Szakats (4 Oct 2017)
+- lib/Makefile.m32: allow customizing dll suffixes
- gnutls now has a gnutls_certificate_set_x509_key_file2 function that
- does support encrypted keys. Let's determine at compile time whether the
- available gnutls supports this new function. If it does then use it to
- pass the password. If it does not then emit a helpful diagnostic if a
- password is set. This is preferable to the previous behaviour of just
- failing to read the certificate without giving a reason in that case.
+ - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated
+ libcurl dll name. Useful to add `-x64` to 64-bit builds so that
+ it can live in the same directory as the 32-bit one. By default
+ this is empty.
- Signed-off-by: Mike Crowe <mac@mcrowe.com>
-
-- CURLINFO_TLS_SESSION: always return backend info
+ - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the
+ generated import library (implib) for libcurl .dll. It defaults
+ to `dll`, and it's useful to modify that to `.dll` to have the
+ standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`.
- ... even for those that don't support providing anything in the
- 'internals' struct member since it offers a convenient way for
- applications to figure this out.
+ Closes https://github.com/curl/curl/pull/1942
-- [Daniel Hwang brought this change]
+Daniel Stenberg (4 Oct 2017)
+- [Max Dymond brought this change]
- tool: remove redundant libcurl check
-
- The easysrc generation is run only when --libcurl is initialized.
+ fuzzer: move to using external curl-fuzzer
- Ref: https://github.com/bagder/curl/issues/429
+ Use the external curl-fuzzer repository for fuzzing.
- Closes #448
+ Closes #1923
-- [Richard van den Berg brought this change]
-
- CURLOPT_PROXY.3: A proxy given as env variable gets no special treatment
+- failf: skip the sprintf() if there are no consumers
- Closes #449
+ Closes #1936
-- TODO: 5.7 More compressions
+- ftp: UBsan fixup 'pointer index expression overflowed'
- Like for example brotli, as being implemented in Firefox now.
+ Closes #1939
-Jay Satiro (21 Sep 2015)
-- tool_operate: Don't call easysrc cleanup unless --libcurl
-
- - Review of 4d95491.
-
- The author changed it so easysrc only initializes when --libcurl but did
- not do the same for the call to easysrc cleanup.
-
- Ref: https://github.com/bagder/curl/issues/429
+- RELEASE-PROCEDURE: update the release schedule
-Daniel Stenberg (20 Sep 2015)
-- [Viktor Szakats brought this change]
+Version 7.56.0 (4 Oct 2017)
- CURLOPT_PINNEDPUBLICKEY.3: replace test.com with example.com
-
- closes #443
+Daniel Stenberg (4 Oct 2017)
+- RELEASE-NOTES: curl 7.56.0
-- KNOWN_BUGS: 91 "curl_easy_perform hangs with imap and PolarSSL"
+- THANKS: added new 7.56.0 contributors
+
+Jay Satiro (4 Oct 2017)
+- build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported
- Closes #334
+ Ref: https://github.com/curl/curl/issues/1002
-- KNOWN_BUGS: add link to #85
+Michael Kaufmann (3 Oct 2017)
+- idn: fix source code comment
-- tests: disable 1801 until fixed
+- vtls: compare and clone ssl configs properly
- It is unreliable and causes CI problems on github
+ Compare these settings in Curl_ssl_config_matches():
+ - verifystatus (CURLOPT_SSL_VERIFYSTATUS)
+ - random_file (CURLOPT_RANDOM_FILE)
+ - egdsocket (CURLOPT_EGDSOCKET)
- Closes #380
-
-- RELEASE-NOTES: synced with 4d95491636ee
-
-- [Daniel Lee Hwang brought this change]
-
- tool: generate easysrc only on --libcurl
+ Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
+ and copy the setting "sessionid" unconditionally.
- Code should only be generated when --libcurl is used.
+ This means that reusing connections that are secured with a client
+ certificate is now possible, and the statement "TLS session resumption
+ is disabled when a client certificate is used" in the old advisory at
+ https://curl.haxx.se/docs/adv_20170419.html is obsolete.
- Bug: https://github.com/bagder/curl/issues/429
- Reported-by: @greafhe, Jay Satiro
+ Reviewed-by: Daniel Stenberg
- Closes #429
- Closes #442
+ Closes #1917
-Jay Satiro (19 Sep 2015)
-- vtls: Change designator name for server's pubkey hash
+- proxy: read the "no_proxy" variable only if necessary
- - Change the designator name we use to show the base64 encoded sha256
- hash of the server's public key from 'pinnedpubkey' to
- 'public key hash'.
+ Reviewed-by: Daniel Stenberg
- Though the server's public key hash is only shown when comparing pinned
- public key hashes, the server's hash may not match one of the pinned.
+ Closes #1919
-Daniel Stenberg (19 Sep 2015)
-- [Isaac Boukris brought this change]
+Patrick Monnerat (3 Oct 2017)
+- libcurl-tutorial: add casts in example to avoid compilation warnings.
- NTLM: Reset auth-done when using a fresh connection
+Daniel Stenberg (3 Oct 2017)
+- examples: bring back curl_formadd-using examples
- With NTLM a new connection will always require authentication.
- Fixes #435
+ ... now with a -formadd suffix. While the new mime API is introduced in
+ 7.56.0 we must acknowledge that lots of users can't upgrade their curl
+ versions immediately.
-- [Daniel Hwang brought this change]
+- test1153: verify quoted double-qoutes in PWD response
- ssl: add server cert's "sha256//" hash to verbose
+- FTP: zero terminate the entry path even on bad input
- Add a "pinnedpubkey" section to the "Server Certificate" verbose
+ ... a single double quote could leave the entry path buffer without a zero
+ terminating byte. CVE-2017-1000254
- Bug: https://github.com/bagder/curl/issues/410
- Reported-by: W. Mark Kubacki
+ Test 1152 added to verify.
- Closes #430
- Closes #410
+ Reported-by: Max Dymond
+ Bug: https://curl.haxx.se/docs/adv_20171004.html
-- [Jakub Zakrzewski brought this change]
+Jay Satiro (2 Oct 2017)
+- [Sergei Nikulov brought this change]
- openldap: only part of LDAP query results received
+ cmake: disable tests and man generation if perl/nroff not found
- Introduced with commit 65d141e6da5c6003a1592bbc87ee550b0ad75c2f
+ Fixes https://github.com/curl/curl/issues/1500
+ Reported-by: Jay Satiro
- Closes #440
-
-- [Alessandro Ghedini brought this change]
+ Fixes https://github.com/curl/curl/pull/1662
+ Assisted-by: Tom Seddon
+ Assisted-by: dpull@users.noreply.github.com
+ Assisted-by: elelel@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/1924
- openssl: don't output certinfo data
+Patrick Monnerat (2 Oct 2017)
+- libcurl-tutorial: fix two typos.
-- [Alessandro Ghedini brought this change]
+- TODO: remove deprecated form API items.
- openssl: refactor certificate parsing to use OpenSSL memory BIO
+- libcurl-tutorial: describe MIME API and deprecate form API.
- Fixes #427
+ Include a guide to form/mime API conversion.
-Kamil Dudka (18 Sep 2015)
-- nss: prevent NSS from incorrectly re-using a session
+Daniel Stenberg (30 Sep 2017)
+- cookie: fix memory leak if path was set twice in header
- Without this workaround, NSS re-uses a session cache entry despite the
- server name does not match. This causes SNI host name to differ from
- the actual host name. Consequently, certain servers (e.g. github.com)
- respond by 400 to such requests.
+ ... this will let the second occurance override the first.
- Bug: https://bugzilla.mozilla.org/1202264
-
-- nss: check return values of NSS functions
-
-Daniel Stenberg (17 Sep 2015)
-- CURLOPT_PINNEDPUBLICKEY.3: mention error code
+ Added test 1161 to verify.
+
+ Reported-by: Max Dymond
+ Fixes #1932
+ Closes #1933
-- openssl: build with < 0.9.8
+Dan Fandrich (30 Sep 2017)
+- test650: Use variable replacement to set the host address and port
- ... without sha256 support and no define saying so.
+ Otherwise, the test fails when the -b test option is used to set a
+ different test port range.
+
+- Set and use more necessary options when some protocols are disabled
- Reported-by: Rajkumar Mandal
+ When curl and libcurl are built with some protocols disabled, they stop
+ setting and receiving some options that don't make sense with those
+ protocols. In particular, when HTTP is disabled many options aren't set
+ that are used only by HTTP. However, some options that appear to be
+ HTTP-only are actually used by other protocols as well (some despite
+ having HTTP in the name) and should be set, but weren't. This change now
+ causes some of these options to be set and used for more (or for all)
+ protocols. In particular, this fixes tests 646 through 649 in an
+ HTTP-disabled build, which use the MIME API in the mail protocols.
-- libcurl-errors.3: add two missing error codes
+Daniel Stenberg (29 Sep 2017)
+- test1160: verifies cookie leak for large cookies
- CURLE_SSL_PINNEDPUBKEYNOTMATCH and CURLE_SSL_INVALIDCERTSTATUS
+ The fix done in 20ea22ff735
-Jay Satiro (14 Sep 2015)
-- CURLOPT_PINNEDPUBLICKEY.3: Improve pubkey extraction example
+- cookie: fix memory leak on oversized rejection
- - Show how a certificate can be obtained using OpenSSL.
+ Regression brought by 2bc230de63b
- Bug: https://github.com/bagder/curl/pull/430
- Reported-by: Daniel Hwang
-
-Daniel Stenberg (13 Sep 2015)
-- http2: removed unused function
-
-- CURLINFO_ACTIVESOCKET.3: mention it replaces *LASTSOCKET
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513
+ Assisted-by: Max Dymond
+
+ Closes #1930
-- opts: add CURLINFO_* man pages to dist
+- [Anders Bakken brought this change]
-- opts: 19 more CURLINFO_* options made into stand-alone man pages
+ connect: fix race condition with happy eyeballs timeout
+
+ The timer should be started after conn->connecttime is set. Otherwise
+ the timer could expire without this condition being true:
+
+ /* should we try another protocol family? */
+ if(i == 0 && conn->tempaddr[1] == NULL &&
+ curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) {
+
+ Ref: #1928
-- RELEASE-NOTES: synced with fad9604613
+Michael Kaufmann (28 Sep 2017)
+- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS
+
+ Closes #1922
-- curl: customrequest_helper: deal with NULL custom method
+- docs: clarify the use of environment variables for proxy
+
+ Closes #1921
-- [Svyatoslav Mishyn brought this change]
+- http: add custom empty headers to repeated requests
+
+ Closes #1920
- CURLOPT_FNMATCH_FUNCTION.3: fix typo
+- reuse_conn: don't copy flags that are known to be equal
- s => is
+ A connection can only be reused if the flags "conn_to_host" and
+ "conn_to_port" match. Therefore it is not necessary to copy these flags
+ in reuse_conn().
- Closes #428
+ Closes #1918
-- curl: point out unnecessary uses of -X in verbose mode
+Daniel Stenberg (27 Sep 2017)
+- curl.h: include <sys/select.h> on cygwin too
- It uses 'Note:' as a prefix as opposed to the common 'Warning:' to take
- down the tone a bit.
+ When building with -std=c++14 on cygwin, this header won't be
+ automatically included as it otherwise is.
- It adds a warning for using -XHEAD on other methods becasue that may
- lead to a hanging connection.
-
-Jay Satiro (10 Sep 2015)
-- curl_sspi: fix possibly undefined CRYPT_E_REVOKED
+ The <sys/select.h> include decision should ideally be reversed and be
+ avoided where that header file doesn't exist.
- Bug: https://github.com/bagder/curl/pull/411
- Reported-by: Viktor Szakats
+ Reported-by: Ian Fette
+ Fixes #1925
-- buildconf.bat: fix syntax error
+- RELEASE-NOTES: synced with d8ab5dc50
-- [Benjamin Kircher brought this change]
+Michael Kaufmann (24 Sep 2017)
+- tests: adjust .gitignore for new tests
- winbuild: run buildconf.bat if necessary
-
-- [Svyatoslav Mishyn brought this change]
+Jay Satiro (23 Sep 2017)
+- ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
+
+ .. and include the core NTLM header in all NTLM-related source files.
+
+ Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
+ but did not include vtls.h where it was defined.
+
+ Closes https://github.com/curl/curl/pull/1911
- docs: fix argument type for CURLINFO_SPEED_*, CURLINFO_SIZE_*
+Daniel Stenberg (23 Sep 2017)
+- file_range: avoid integer overflow when figuring out byte range
+
+ When trying to bump the value with one and the value is already at max,
+ it causes an integer overflow.
+
+ Closes #1908
+ Detected by oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465
- long => double
+ Assisted-by: Max Dymond
-Daniel Stenberg (8 Sep 2015)
-- [Sergei Nikulov brought this change]
+Michael Kaufmann (23 Sep 2017)
+- tests: fix a compiler warning in test 643
- cmake: IPv6 : disable Unix header check on Windows platform
+Jay Satiro (23 Sep 2017)
+- symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry
- Closes #409
-
-- parse_proxy: reject illegal port numbers
+ - Use spaces instead of tabs as the delimiter.
- If the port number in the proxy string ended weirdly or the number is
- too large, skip it. Mostly as a means to bail out early if a "bare" IPv6
- numerical address is used without enclosing brackets.
+ Follow up to 7c52b12 which added the entry. The entry had used tabs but
+ the symbol-scan parser doesn't recognize tabs and would fail the symbol.
+
+Viktor Szakats (22 Sep 2017)
+- metalink: fix NSS issue in MultiSSL builds
- Also mention the bracket requirement for IPv6 numerical addresses to the
- man page for CURLOPT_PROXY.
+ In MultiSSL mode (i.e. when more than one SSL backend is compiled
+ in), we cannot use the compile time flag `USE_NSS` as indicator that
+ the NSS backend is in use. As far as Metalink is concerned, the SSL
+ backend is only used for MD5, SHA-1 and SHA-256 calculations,
+ therefore one of the available SSL backends is selected at compile
+ time, in a strict order of preference.
- Closes #415
+ Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
+ to determine whether the SSL backend used for Metalink is the NSS
+ backend, and use that to guard the code that wants to de-initialize
+ the NSS-specific data structure.
- Reported-by: Marcel Raad
+ Ref: https://github.com/curl/curl/pull/1848
-- FTP: do_more: add check for wait_data_conn in upload case
+- ntlm: use strict order for SSL backend #if branches
- In some timing-dependnt cases when a 4xx response immediately followed
- after a 150 when a STOR was issued, this function would wrongly return
- 'complete == true' while 'wait_data_conn' was still set.
+ With the recently introduced MultiSSL support multiple SSL backends
+ can be compiled into cURL That means that now the order of the SSL
- Closes #405
+ One option would be to use the same SSL backend as was configured
+ via `curl_global_sslset()`, however, NTLMv2 support would appear
+ to be available only with some SSL backends. For example, when
+ eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
+ support for NTLMv1 using Windows' Crypt API, it specifically did
+ *not* introduce NTLMv2 support using Crypt API at the same time.
- Reported-by: Patricia Muscalu
-
-- [Svyatoslav Mishyn brought this change]
-
- CURLOPT_TLSAUTH_TYPE.3: update description
+ So let's select one specific SSL backend for NTLM support when
+ compiled with multiple SSL backends, using a priority order such
+ that we support NTLMv2 even if only one compiled-in SSL backend can
+ be used for that.
- Closes #414
- Closes #413
+ Ref: https://github.com/curl/curl/pull/1848
-- [Svyatoslav Mishyn brought this change]
+Daniel Stenberg (22 Sep 2017)
+- symbols-in-versions: add CURLSSLSET_NO_BACKENDS
+
+ ...fixup from b8e0fe19ec
- CURLOPT_PATH_AS_IS.3: fix typo
+- imap: quote atoms properly when escaping characters
- leavit => leaveit
+ Updates test 800 to verify
- closes #412
+ Fixes #1902
+ Closes #1903
-- [Svyatoslav Mishyn brought this change]
+- tests: make the imap server not verify user+password
+
+ ... as the test cases themselves do that and it makes it easier to add
+ crazy test cases.
+
+ Test 800 updated to use user name + password that need quoting.
+
+ Test 856 updated to trigger an auth fail differently.
+
+ Ref: #1902
- CURLINFO_SSL_VERIFYRESULT.3: add short description
+- vtls: provide curl_global_sslset() even in non-SSL builds
+
+ ... it just returns error:
+
+ Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367
+ Reported-by: Marcel Raad
+
+ Closes #1906
-- [Svyatoslav Mishyn brought this change]
+Patrick Monnerat (22 Sep 2017)
+- form/mime: field names are not allowed to contain zero-valued bytes.
+
+ Also suppress length argument of curl_mime_name() (names are always
+ zero-terminated).
- CURLINFO_SSL_ENGINES.3: add short description
+Daniel Stenberg (21 Sep 2017)
+- [Dirk Feytons brought this change]
-- [Svyatoslav Mishyn brought this change]
+ openssl: only verify RSA private key if supported
+
+ In some cases the RSA key does not support verifying it because it's
+ located on a smart card, an engine wants to hide it, ...
+ Check the flags on the key before trying to verify it.
+ OpenSSL does the same thing internally; see ssl/ssl_rsa.c
+
+ Closes #1904
- CURLINFO_CONTENT_LENGTH_UPLOAD.3: replace "receive" with "get" for consistency
+Marcel Raad (21 Sep 2017)
+- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
+
+ Otherwise, typecheck-gcc.h warns on MinGW-w64.
-- [Svyatoslav Mishyn brought this change]
+Patrick Monnerat (20 Sep 2017)
+- mime: rephrase the multipart output state machine (#1898) ...
+
+ ... in hope coverity will like it much.
- CURLINFO_REDIRECT_TIME.3: remove redundant '!'
+- mime: fix an explicit null dereference (#1899)
-Kamil Dudka (4 Sep 2015)
-- Revert "has: generate the curl/has.h header"
+Daniel Stenberg (20 Sep 2017)
+- curl: check fseek() return code and bail on error
- This reverts commit a60bde79f9adeb135d5c642a07f0d783fbfbbc25 I have
- pushed by mistake. Apologies for my incompetent use of the git repo!
+ Detected by coverity. CID 1418137.
-- nss: do not directly access SSL_ImplementedCiphers[]
+- smtp: fix memory leak in OOM
- It causes dynamic linking issues at run-time after an update of NSS.
+ Regression since ce0881edee
- Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html
+ Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
+ torture testing.
-- [Daniel Stenberg brought this change]
+- RELEASE-NOTES: synced with 5fe85587c
- has: generate the curl/has.h header
-
- changed macro name, moved and renamed script to become docs/libcurl/has.pl,
- generate code that is checksrc compliant
+- [Pavel Pavlov brought this change]
-Daniel Stenberg (3 Sep 2015)
-- gitignore: ignore more generated VC Makefiles
+ cookies: use lock when using CURLINFO_COOKIELIST
+
+ Closes #1896
-- projects/Windows/.gitignore: ignore generated files for release
+- [Max Dymond brought this change]
-- http2: don't pass on Connection: headers
+ ossfuzz: changes before merging the generated corpora
- RFC 7540 section 8.1.2.2 states: "An endpoint MUST NOT generate an
- HTTP/2 message containing connection-specific header fields; any message
- containing connection-specific header fields MUST be treated as
- malformed"
+ Before merging in the oss-fuzz corpora from Google, there are some changes
+ to the fuzzer.
+ - Add a read corpus script, to display corpus files nicely.
+ - Change the behaviour of the fuzzer so that TLV parse failures all now
+ go down the same execution paths, which should reduce the size of the
+ corpora.
+ - Make unknown TLVs a failure to parse, which should decrease the size
+ of the corpora as well.
- Closes #401
-
-- curl.1: update RFC references
+ Closes #1881
-- CURLOPT_POSTREDIR.3: update RFC number and section
-
-- CURLOPT_FOLLOWLOCATION.3: mention methods for redirects
+- mime:escape_string minor clarification change
+
+ ... as it also removes a warning with old gcc versions.
- and some general cleaning up
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html
+ Reported-by: Ben Greear
-- [Marcel Raad brought this change]
+- [Max Dymond brought this change]
- inet_pton.c: Fix MSVC run-time check failure (2)
+ ossfuzz: don't write out to stdout
- This fixes another run-time check failure because of a narrowing cast on
- Visual C++.
+ Don't make the fuzzer write out to stdout - instead write some of the
+ contents to a memory block so we exercise the data output code but
+ quietly.
- Closes #408
+ Closes #1885
-Jay Satiro (3 Sep 2015)
-- docs: Warn about any-domain cookies and multiple transfers
+- cookies: reject oversized cookies
- - Warn that cookies without a domain are sent to any domain:
- CURLOPT_COOKIELIST, CURLOPT_COOKIEFILE, --cookie
+ ... instead of truncating them.
- - Note that imported Set-Cookie cookies without a domain are no longer
- exported:
- CURLINFO_COOKIELIST, CURLOPT_COOKIEJAR, --cookie-jar
-
-Steve Holme (2 Sep 2015)
-- tool_sdecls.h: Fixed compilation warning from commit 4a889441d3
+ There's no fixed limit for acceptable cookie names in RFC 6265, but the
+ entire cookie is said to be less than 4096 bytes (section 6.1). This is
+ also what browsers seem to implement.
+
+ We now allow max 5000 bytes cookie header. Max 4095 bytes length per
+ cookie name and value. Name + value together may not exceed 4096 bytes.
- tool_sdecls.h:139 warning: comma at end of enumerator list
+ Added test 1151 to verify
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
+ Reported-by: Kevin Smith
+
+ Closes #1894
-Daniel Stenberg (2 Sep 2015)
-- opts: 8 more CURLINFO* options as stand-alone man pages
+- travis: on mac, don't install openssl or libidn
+
+ - openssl is already installed and causes warnings when trying to
+ install again
+
+ - libidn isn't used these days, and homebrew doesn't seem to have a
+ libidn2 package to replace with easily
+
+ Closes #1895
-- RELEASE-NOTES: synced with c764cb4add1a8
+- curl: make str2udouble not return values on error
+
+ ... previously it would store a return value even when it returned
+ error, which could make the value get used anyway!
+
+ Reported-by: Brian Carpenter
+ Closes #1893
-- man-pages: more SEE ALSO links
+Jay Satiro (18 Sep 2017)
+- socks: fix incorrect port number in SOCKS4 error message
+
+ Prior to this change it appears the SOCKS5 port parsing was erroneously
+ used for the SOCKS4 error message, and as a result an incorrect port
+ would be shown in the error message.
+
+ Bug: https://github.com/curl/curl/issues/1892
+ Reported-by: Jackarain@users.noreply.github.com
-- opts: more CURLINFO_* options as stand-alone man pages
+- [Marc Aldorasi brought this change]
-Steve Holme (31 Aug 2015)
-- sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
+ schannel: Support partial send for when data is too large
- Introduced in commit 59f3f92ba6 this function is only implemented when
- CURL_DISABLE_CRYPTO_AUTH is not defined. As such we shouldn't define
- the function in the header file either.
-
-- sasl: Updated SPN variables and comments for consistency
+ Schannel can only encrypt a certain amount of data at once. Instead of
+ failing when too much data is to be sent at once, send as much data as
+ we can and let the caller send the remaining data by calling send again.
- In places the "host name" and "realm" variable was referred to as
- "instance" whilst in others it was referred to as "host".
-
-Daniel Stenberg (30 Aug 2015)
-- configure: check for HMAC_Update in openssl
+ Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html
- Turns out HMAC_Init is now deprecated in openssl master (and I spelled
- HMAC_Init_ex wrong in previous commit)
+ Closes https://github.com/curl/curl/pull/1890
-Steve Holme (30 Aug 2015)
-- win32: Use DES_set_odd_parity() from OpenSSL/BoringSSL by default
-
- Set HAVE_DES_SET_ODD_PARITY when using OpenSSL/BoringSSL as native
- Windows builds don't use the autoconf tools.
+- [David Benjamin brought this change]
-- des: Fixed compilation warning from commit 613e5022fe
+ openssl: add missing includes
+
+ lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
+ their headers directly rather than relying on other OpenSSL headers
+ including things.
- curl_ntlm_core.c:150: warning 'Curl_des_set_odd_parity' undefined;
- assuming extern returning int
+ Closes https://github.com/curl/curl/pull/1891
-- buildconf.bat: Fixed double blank line in 'curl manual' warning output
+Daniel Stenberg (15 Sep 2017)
+- conversions: fix several compiler warnings
-- makefiles: Added our standard copyright header
-
- But kept the original author, when they were specified in a comment, as
- the initial copyright holder.
+- server/getpart: provide dummy function to build conversion enabled
-Jay Satiro (29 Aug 2015)
-- CURLOPT_FILETIME.3: CURLINFO_FILETIME has its own manpage now
+- non-ascii: use iconv() with 'char **' argument
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html
-Daniel Stenberg (29 Aug 2015)
-- CURLINFO_RESPONSE_CODE.3: added short description
+- escape.c: error: pointer targets differ in signedness
-- opts: 7 initial CURLINFO_* options as stand-alone man pages
+- docs: clarify the CURLOPT_INTERLEAVE* options behavior
-- [Nikolai Kondrashov brought this change]
+- [Max Dymond brought this change]
- libcurl.m4: Put braces around empty if body
+ rtsp: Segfault in rtsp.c when using WRITEDATA
- Put braces around empty "if" body in libcurl.m4 check to avoid warning:
+ If the INTERLEAVEFUNCTION is defined, then use that plus the
+ INTERLEAVEDATA information when writing RTP. Otherwise, use
+ WRITEFUNCTION and WRITEDATA.
- suggest braces around empty body in an 'if' statement
-
- and make it work with -Werror builds.
-
- Closes #402
+ Fixes #1880
+ Closes #1884
-- [Svyatoslav Mishyn brought this change]
+Marcel Raad (15 Sep 2017)
+- [Isaac Boukris brought this change]
- curl_easy_escape.3: escape '\n'
+ tests: enable gssapi in travis-ci linux build
- Closes #398
+ Closes https://github.com/curl/curl/pull/1687
-- [Svyatoslav Mishyn brought this change]
+- [Isaac Boukris brought this change]
- curl_easy_{escape,setopt}.3: fix example
+ tests: add initial gssapi test using stub implementation
- remove redundant '}'
+ The stub implementation is pre-loaded using LD_PRELOAD
+ and emulates common gssapi uses (only builds if curl is
+ initially built with gssapi support).
+
+ The initial tests are currently disabled for debug builds
+ as LD_PRELOAD is not used then.
+
+ Ref: https://github.com/curl/curl/pull/1687
-- [Sergei Nikulov brought this change]
+Daniel Stenberg (15 Sep 2017)
+- test1150: verify same host fetch using different ports over proxy
+
+ Closes #1889
- cmake: added Windows SSL support
+- URL: on connection re-use, still pick the new remote port
- Closes #399
+ ... as when a proxy connection is being re-used, it can still get a
+ different remote port.
+
+ Fixes #1887
+ Reported-by: Oli Kingshott
+
+- RELEASE-NOTES: synced with 87501e57f
-- curl: point out the conflicting HTTP methods if used
+- code style: remove wrong uses of multiple spaces
- It isn't always clear to the user which options that cause the HTTP
- methods to conflict so by spelling them out it should hopefully be
- easier to understand why curl complains.
+ Closes #1878
-- curl: clarify that users can only specify one _METHOD_
+- checksrc: detect and warn for multiple spaces
-- [Svyatoslav Mishyn brought this change]
+- code style: use space after semicolon
- curl_easy_{escape,unescape}.3: "char *" vs. "const char *"
-
- Closes #395
+- checksrc: verify space after semicolons
-Patrick Monnerat (24 Aug 2015)
-- os400: include new options in wrappers and update ILE/RPG binding.
+- code style: use spaces around pluses
-Daniel Stenberg (24 Aug 2015)
-- KNOWN_BUGS: #2, not reading a HEAD response-body is not a bug
-
- ... since HTTP is forbidden to return any such.
+- checksrc: detect and warn for lack of spaces next to plus signs
-- KNOWN_BUGS: #78 zero-length files is already fixed!
+- code style: use spaces around equals signs
-- [Razvan Cojocaru brought this change]
+- checksrc: verify spaces around equals signs
+
+ ... as the code style mandates.
- getinfo: added CURLINFO_ACTIVESOCKET
+- Curl_checkheaders: make it available for IMAP and SMTP too
- This patch addresses known bug #76, where on 64-bit Windows SOCKET is 64
- bits wide, but long is only 32, making CURLINFO_LASTSOCKET unreliable.
+ ... not only HTTP uses this now.
- Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
+ Closes #1875
+
+- travis: add build without HTTP/SMTP/IMAP
-- http2: remove dead code
+Jay Satiro (10 Sep 2017)
+- mbedtls: enable CA path processing
- Leftovers from when we removed the private socket hash.
+ CA path processing was implemented when mbedtls.c was added to libcurl
+ in fe7590f, but it was never enabled.
- Coverity CID 1317365, "Logically dead code"
+ Bug: https://github.com/curl/curl/issues/1877
+ Reported-by: SBKarr@users.noreply.github.com
-- ntlm: mark deliberate switch case fall-through
+Daniel Stenberg (8 Sep 2017)
+- rtsp: do not call fwrite() with NULL pointer FILE *
- Coverity CID 1317367, "Missing break in switch"
-
-- http2: on_frame_recv: get a proper 'conn' for the debug logging
+ If the default write callback is used and no destination has been set, a
+ NULL pointer would be passed to fwrite()'s 4th argument.
- "Explicit null dereferenced (FORWARD_NULL)"
+ OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
+ (not publicly open yet)
- Coverity CID 1317366
+ Detected by OSS-fuzz
+ Closes #1874
-- RELEASE-NOTES: synced with 2acaf3c804
+- configure: use -Wno-varargs on clang 3.9[.X] debug builds
+
+ ... to avoid a clang bug
-Dan Fandrich (23 Aug 2015)
-- tool: fix memory leak with --proto-default option
+- [Max Dymond brought this change]
-Jay Satiro (22 Aug 2015)
-- [Nathaniel Waisbrot brought this change]
+ ossfuzz: add some more handled CURL options
+
+ Add support for HEADER, COOKIE, RANGE, CUSTOMREQUEST, MAIL_RECIPIENT,
+ MAIL_FROM and uploading data.
- CURLOPT_DEFAULT_PROTOCOL: added
+- configure: check for C++ compiler after C, to make it non-fatal
+
+ The tests for object file/executable file extensions are presumably only
+ done for the first of these macros in the configure file.
- - Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default
- protocol for schemeless URLs.
+ Bug: https://github.com/curl/curl/pull/1851#issuecomment-327597515
+ Reported-by: Marcel Raad
+ Closes #1873
+
+Patrick Monnerat (7 Sep 2017)
+- form API: add new test 650.
- - Add new tool option --proto-default to expose
- CURLOPT_DEFAULT_PROTOCOL.
+ Now that the form API is deprecated and not used anymore in curl tool,
+ a lot of its features left untested. Test 650 attempts to check all these
+ features not tested elsewhere.
+
+Jay Satiro (7 Sep 2017)
+- configure: fix curl_off_t check's include order
- In the case of schemeless URLs libcurl will behave in this way:
+ - Prepend srcdir include path instead of append.
- When the option is used libcurl will use the supplied default.
+ Prior to this change it was possible that during the check for the size
+ of curl_off_t the include path of a user's already installed curl could
+ come before the include path of the to-be-built curl, resulting in the
+ system.h of the former being incorrectly included for that check.
- When the option is not used, libcurl will follow its usual plan of
- guessing from the hostname and falling back to 'http'.
+ Closes https://github.com/curl/curl/pull/1870
-- runtests: Allow for spaces in server-verify curl custom path
+Daniel Stenberg (7 Sep 2017)
+- [Jakub Zakrzewski brought this change]
-Daniel Stenberg (22 Aug 2015)
-- NTLM: recent boringssl brought DES_set_odd_parity back
+ KNOWN_BUGS: Remove CMake symbol hiding issue
- ... so improve the #ifdefs for using our local implementation.
+ It has already been fixed in 6140dfc
-- configure: detect latest boringssl
+- http-proxy: when not doing CONNECT, that phase is done immediately
- Since boringssl brought back DES_set_odd_parity again, it cannot be used
- to differentiate from boringssl. Using the OPENSSL_IS_BORINGSSL define
- seems better anyway.
+ `conn->connect_state` is NULL when doing a regular non-CONNECT request
+ over the proxy and should therefor be considered complete at once.
- URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/
- Original-patch-by: Bertrand Simonnet
-
- Closes #393
+ Fixes #1853
+ Closes #1862
+ Reported-by: Lawrence Wagerfield
+
+- [Johannes Schindelin brought this change]
-- configure: change functions to detect openssl (clones)
+ OpenSSL: fix yet another mistake while encapsulating SSL backend data
+
+ Another mistake in my manual fixups of the largely mechanical
+ search-and-replace ("connssl->" -> "BACKEND->"), just like the previous
+ commit concerning HTTPS proxies (and hence not caught during my
+ earlier testing).
- ... since boringssl moved the former ones and the check started to fail.
+ Fixes #1855
+ Closes #1871
- URL: https://android.googlesource.com/platform/external/curl/+/f551028d5caab29d4b4a4ae8c159c76c3cfd4887%5E!/
- Original-patch-by: Bertrand Simonnet
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Alessandro Ghedini brought this change]
+- [Johannes Schindelin brought this change]
- openssl: handle lack of server cert when strict checking disabled
+ OpenSSL: fix erroneous SSL backend encapsulation
- If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER
- and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server
- doesn't present a certificate at all.
+ In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private
+ data, 2017-06-21), this developer prepared for a separation of the
+ private data of the SSL backends from the general connection data.
- Closes #392
-
-- ftp: clear the do_more bit when the server has connected
+ This conversion was partially automated (search-and-replace) and
+ partially manual (e.g. proxy_ssl's backend data).
- The multi state machine would otherwise go into the DO_MORE state after
- DO, even for the case when the FTP state machine had already performed
- those duties, which caused libcurl to get stuck in that state and fail
- miserably. This occured for for active ftp uploads.
+ Sadly, there was a crucial error in the manual part, where the wrong
+ handle was used: rather than connecting ssl[sockindex]' BIO to the
+ proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason
+ was an incorrect location to paste "BACKEND->"... d'oh.
- Reported-by: Patricia Muscalu
-
-- [Jactry Zeng brought this change]
-
- travis.yml: Add OS X testbot.
+ Reported by Jay Satiro in https://github.com/curl/curl/issues/1855.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Rémy Léone brought this change]
+- [Jay Satiro brought this change]
- travis: Upgrading to container based build
+ vtls: fix memory corruption
- http://docs.travis-ci.com/user/migrating-from-legacy
+ Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data,
+ 2017-07-28), the code handling HTTPS proxies was broken because the
+ pointer to the SSL backend data was not swapped between
+ conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but
+ instead set to NULL (causing segmentation faults).
- Closes #388
-
-- RELEASE-NOTES: synced with 14ff86256b13e
+ [jes: provided the commit message, tested and verified the patch]
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Erik Janssen brought this change]
+- vtls: switch to CURL_SHA256_DIGEST_LENGTH define
+
+ ... instead of the prefix-less version since WolfSSL 3.12 now uses an
+ enum with that name that causes build failures for us.
+
+ Fixes #1865
+ Closes #1867
+ Reported-by: Gisle Vanem
- rtsp: stop reading empty DESCRIBE responses
+- travis: add c-ares enabled builds linux + osx
- Based-on-patch-by: Jim Hollinger
+ Closes #1868
-- [Erik Janssen brought this change]
+- HISTORY: added some recent items
- rtsp: support basic/digest authentication
+Jay Satiro (6 Sep 2017)
+- SSL: fix unused parameter warnings
-- [Sam Roth brought this change]
+Patrick Monnerat (6 Sep 2017)
+- mime: drop internal FILE * support.
+
+ - The part kind MIMEKIND_FILE and associated code are suppressed.
+ - Seek data origin offset not used anymore: suppressed.
+ - MIMEKIND_NAMEDFILE renamed MIMEKIND_FILE; associated fields/functions
+ renamed accordingly.
+ - Curl_getformdata() processes stdin via a callback.
- CURLMOPT_PUSHFUNCTION.3: fix argument types
+Daniel Stenberg (6 Sep 2017)
+- configure: remove --enable-soname-bump and SONAME_BUMP
+
+ Back in 2008, (and commit 3f3d6ebe665f3) we changed the logic in how we
+ determine the native type for `curl_off_t`. To really make sure we
+ didn't break ABI without bumping SONAME, we introduced logic that
+ attempted to detect that it would use a different size and thus not be
+ compatible. We also provided a manual switch that allowed users to tell
+ configure to bump SONAME by force.
+
+ Today, we know of no one who ever got a SONAME bump auto-detected and we
+ don't know of anyone who's using the manual bump feature. The auto-
+ detection is also no longer working since we introduced defining
+ curl_off_t in system.h (7.55.0).
- Closes #389
- Closes #386
+ Finally, this bumping logic is not present in the cmake build.
+
+ Closes #1861
-- [Marcel Raad brought this change]
+Jay Satiro (6 Sep 2017)
+- [Gisle Vanem brought this change]
- inet_pton.c: Fix MSVC run-time check failure
+ vtls: select ssl backend case-insensitive (follow-up)
- Visual Studio complains with a message box:
+ - Do a case-insensitive comparison of CURL_SSL_BACKEND env as well.
- "Run-Time Check Failure #1 - A cast to a smaller data type has caused a
- loss of data. If this was intentional, you should mask the source of
- the cast with the appropriate bitmask.
+ - Change Curl_strcasecompare calls to strcasecompare
+ (maps to the former but shorter).
- For example:
- char c = (i & 0xFF);
+ Follow-up to c290b8f.
- Changing the code in this way will not affect the quality of the
- resulting optimized code."
+ Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313
- This is because only 'val' is cast to unsigned char, so the "& 0xff" has
- no effect.
-
- Closes #387
+ Co-authored-by: Jay Satiro
-Jay Satiro (18 Aug 2015)
-- docs: Update the redirect protocols disabled by default
+- openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation
- - Clarify that FILE and SCP are disabled by default since 7.19.4
- - Add that SMB and SMBS are disabled by default since 7.40.0
- - Add CURLPROTO_SMBS to the list of protocols
-
-- gitignore: Sort for readability
+ This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations.
- find . -name .gitignore -print0 | xargs -i -0 sort -o '{}' '{}'
-
-Daniel Stenberg (15 Aug 2015)
-- curl_easy_getinfo.3: fix superfluous space
+ The first one, written for old OpenSSL versions:
+ https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
- ... and changed "oriented" to "related"
+ The second one, written for BoringSSL and new OpenSSL versions:
+ https://github.com/curl/curl/pull/1346
- Closes #378
-
-- CURLOPT_HTTP_VERSION.3: connection re-use goes before version
-
-- [Daniel Kahn Gillmor brought this change]
-
- curl.1: Document weaknesses in SSLv2 and SSLv3
+ Note the first one is GPL licensed but the author gave permission to
+ waive that license for libcurl.
- Acknowledge that SSLv3 is also widely considered to be insecure.
+ As of right now this feature is disabled by default, and does not have
+ a configure option to enable it. To enable this feature define
+ ENABLE_SSLKEYLOGFILE when building libcurl and set environment
+ variable SSLKEYLOGFILE to a pathname that will receive the keys.
- Also, provide references for people who want to know more about why it's
- insecure.
-
-Steve Holme (14 Aug 2015)
-- generate.bat: Added support for generating only the prerequisite files
-
-- generate.bat: Only call buildconf.bat if it exists
-
-- generate.bat: Fixed issues when ran in directories with special chars
-
-Daniel Stenberg (14 Aug 2015)
-- [Brad King brought this change]
-
- cmake: Fix CurlTests check for gethostbyname_r with 5 arguments
+ And in Wireshark change your preferences to point to that key file:
+ Edit > Preferences > Protocols > SSL > Master-Secret
- Fix the check code to pass 5 arguments instead of 6. This typo was
- introduced by commit aebfd4cfbf (cmake: fix gethostby{addr,name}_r in
- CurlTests, 2014-10-31).
-
-Steve Holme (14 Aug 2015)
-- * buildconf.bat: Fixed issues when ran in directories with special chars
+ Co-authored-by: Peter Wu
- Bug: https://github.com/bagder/curl/pull/379
- Reported-by: Daniel Seither
-
-Jay Satiro (13 Aug 2015)
-- curl_global_init_mem.3: Stronger thread safety warning
+ Ref: https://github.com/curl/curl/pull/1030
+ Ref: https://github.com/curl/curl/pull/1346
- Bug: http://curl.haxx.se/mail/lib-2015-08/0016.html
- Reported-by: Eric Ridge
+ Closes https://github.com/curl/curl/pull/1866
-Daniel Stenberg (12 Aug 2015)
-- [Svyatoslav Mishyn brought this change]
+Patrick Monnerat (5 Sep 2017)
+- mime: fix a trivial warning.
- curl_multi_add_handle.3: fix a typo
-
- "can not" => "cannot"
+- mime: replace 'struct Curl_mimepart' by 'curl_mimepart' in encoder code.
- closes #377
+ mime_state is now a typedef.
-- [Alessandro Ghedini brought this change]
-
- docs: fix typos
+- mime: implement encoders.
- closes #376
+ curl_mime_encoder() is operational and documented.
+ curl tool -F option is extended with ";encoder=".
+ curl tool --libcurl option generates calls to curl_mime_encoder().
+ New encoder tests 648 & 649.
+ Test 1404 extended with an encoder specification.
-- bump: start working toward 7.45.0
+- runtests.pl: support attribute "nonewline" in part verify/upload.
-- THANKS: remove duplicate name
+- [Daniel Stenberg brought this change]
-- THANKS-filter: merge Todd's names
+ fixup data/test1135
-- THANKS: 13 new contributors from the 7.44.0 RELEASE-NOTES
+- [Daniel Stenberg brought this change]
-Version 7.44.0 (11 Aug 2015)
+ mime: unified to use the typedef'd mime structs everywhere
+
+ ... and slightly edited to follow our code style better.
-Daniel Stenberg (11 Aug 2015)
-- RELEASE-NOTES: synced with c75a1e775061
+- [Daniel Stenberg brought this change]
-- [Svyatoslav Mishyn brought this change]
+ curl.h: use lower case curl_mime* as for all public symbols
- curl_formget.3: correct return code
-
- Closes #375
+- [Daniel Stenberg brought this change]
-- [Svyatoslav Mishyn brought this change]
+ docs/curl_mime_*.3: use correct variable types in examples
- libcurl-tutorial.3: fix formatting
+Kamil Dudka (5 Sep 2017)
+- openssl: use OpenSSL's default ciphers by default
- Closes #374
-
-- [Svyatoslav Mishyn brought this change]
+ Up2date versions of OpenSSL maintain the default reasonably secure
+ without breaking compatibility, so it is better not to override the
+ default by curl. Suggested at https://bugzilla.redhat.com/1483972
+
+ Closes #1846
- curl_easy_recv.3: fix formatting
+Viktor Szakats (5 Sep 2017)
+- examples/mime: minor example code fixes
-- [Anders Bakken brought this change]
+Daniel Stenberg (5 Sep 2017)
+- docs/curl_mime_*.3: added examples
- http2: discard frames with no SessionHandle
+- configure: add MultiSSL to FEATURES when enabled
- Return 0 instead of NGHTTP2_ERR_CALLBACK_FAILURE if we can't locate the
- SessionHandle. Apparently mod_h2 will sometimes send a frame for a
- stream_id we're finished with.
+ ...for curl-config and its corresponding test 1014
+
+- http-proxy: treat all 2xx as CONNECT success
- Use nghttp2_session_get_stream_user_data and
- nghttp2_session_set_stream_user_data to identify SessionHandles instead
- of a hash.
+ Added test 1904 to verify.
- Closes #372
+ Reported-by: Lawrence Wagerfield
+ Fixes #1859
+ Closes #1860
-- RELEASE-NOTES: synced with 9ee40ce2aba
+- MAIL-ETIQUETTE: added "1.9 Your emails are public"
-- [Viktor Szakats brought this change]
+- curl.h: fix "unused checksrc ignore", remove dangling reference
+
+ ... to a README file that doesn't exist anymore
- build: refer to fixed libidn versions
+Viktor Szakats (4 Sep 2017)
+- docs: Update to secure URL versions
+
+- mime: use CURL_ZERO_TERMINATED in examples
- closes #371
+ and some minor whitespace fixes
-- Revert "configure: disable libidn by default"
+Daniel Stenberg (4 Sep 2017)
+- schannel: return CURLE_SSL_CACERT on failed verification
- This reverts commit e6749055d65398315fd77f5b5b8234c5552ac2d3.
+ ... not *CACERT_BADFILE as it isn't really because of a bad file.
- ... since libidn has since been fixed.
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0002.html
+ Closes #1858
-- [Jakub Zakrzewski brought this change]
+- test1135: fixed after bd8070085f9
- CMake: s/HAVE_GSS_API/HAVE_GSSAPI/ to match header define
+- examples/post-callback: stop returning one byte at a time
- Otherwise the build only pretended to use GSS-API
+ ... since people copy and paste code from this example and thus they get
+ an inefficient POST operation without a good reason and sometimes
+ without understanding why.
- Closes #370
+ Instead this now returns as much data as possible.
-- SFTP: fix range request off-by-one in size check
-
- Reported-by: Tim Stack
-
- Closes #359
+- RELEASE-NOTES: fixed the function counter script
-- test46: update cookie expire time
+- curl.h: make the curl_strequal() protos use the same style
- ... since it went old and thus was expired and caused the test to fail!
+ ... as the other functions. Makes it easier to machine-parse!
-Steve Holme (9 Aug 2015)
-- generate.bat: Use buildconf.bat for prerequisite file generation
+- docs: curl_mime_*.3 man page formatting edits
-- buildconf.bat: Tidy up of comments after recent commits
+- RELEASE-NOTES: synced with 1ab9e9b50
-- buildconf.bat: Added full generation of src\tool_hugehelp.c
-
- Added support for generating the full man page based on code from
- generate.bat.
+Patrick Monnerat (4 Sep 2017)
+- lib: bump version info (soname). Adapt and reenable test 1135.
-- buildconf.bat: Added detection of groff, nroff, perl and gzip
+Daniel Stenberg (3 Sep 2017)
+- headers: move the global_sslset() proto from multi.h to curl.h
- To allow for the full generation of tool_hugehelp.c added detection of
- the required programs - based on code from generate.bat.
+ As it was added to multi.h simply to not break test 1135, which now has
+ been disabled due to the mime API addition anyway and su we can now move
+ the sslset stuff to where the other curl_global_* prototypes are.
-- buildconf.bat: Move DOS variable clean-up code to separate function
+Patrick Monnerat (3 Sep 2017)
+- mime: fix signed/unsigned conversions.
- Rather than duplicate future variables, during clean-up of both success
- and error conditions, use a common function that can be called by both.
-
-- RELEASE-NOTES: Synced with 39dcf352d2
+ Use and generate CURL_ZERO_TERMINATED in curl tool and tests.
-- buildconf.bat: Added error messages on failure
+Jay Satiro (3 Sep 2017)
+- tool_formparse: fix some trivial warnings
-- buildconf.bat: Generate and clean files in the same order
-
-- buildconf.bat: Maintain compatibility with DOS based systems
+Patrick Monnerat (3 Sep 2017)
+- mime: use size_t instead of ssize_t in public API interface.
- Commit f08e30d7bc broke compatibility with DOS and non Windows NT based
- versions of Windows due to the use of the setlocal command.
-
-Jay Satiro (9 Aug 2015)
-- CURLOPT_RESOLVE.3: Note removal support was added in 7.42
+ To support telling a string is nul-terminated, symbol CURL_ZERO_TERMINATED
+ has been introduced.
- Bug: http://curl.haxx.se/mail/lib-2015-08/0019.html
- Reported-by: Inca R
-
-Steve Holme (8 Aug 2015)
-- checksrc.bat: Fixed error when missing *.c and *.h files
+ Documentation updated accordingly.
- File Not Found
-
-- checksrc.bat: Fixed incorrect 'lib\vtls' path check in commit 333c36b276
+ symbols in versions updated. Added form API symbols deprecation info.
-- checksrc.bat: Fixed error when [directory] isn't a curl source directory
+- mime: remove support "-" stdin pseudo-file name in curl_mime_filedata().
- The system cannot find the file specified.
-
-- checksrc.bat: Added check for unknown arguments
+ This feature is badly supported in Windows: as a replacement, a caller has
+ to use curl_mime_data_cb() with fread, fseek and possibly fclose
+ callbacks to process opened files.
+
+ The cli tool and documentation are updated accordingly.
+
+ The feature is however kept internally for form API compatibility, with
+ the known caveats it always had.
+
+ As a side effect, stdin size is not determined by the cli tool even if
+ possible and this results in a chunked transfer encoding. Test 173 is
+ updated accordingly.
-- scripts: Added missing comments
+- mime: fix some implicit curl_off_t --> size_t conversion warnings.
-- scripts: Always perform setlocal and endlocal calls in pairs
+- mime: tests and examples.
- Ensure that there isn't a mismatch between setlocal and endlocal calls,
- which could have happened due to setlocal being called after certain
- error conditions were checked for.
+ Additional mime-specific tests.
+ Existing tests updated to reflect small differences (Expect: 100-continue,
+ data size change due to empty lines, etc).
+ Option -F headers= keyword added to tests.
+ test1135 disabled until the entry point order change is resolved.
+ New example smtp-mime.
+ Examples postit2 and multi-post converted from form API to mime API.
-- scripts: Allow -help to be specified in any argument
+- mime: use in curl cli tool instead of form API.
- Allow the -help command line argument to be specified in any argument
- and not just as the first.
+ Extended -F option syntax to support multipart mail messages.
+ -F keyword headers= added to include custom headers in parts.
+ Documentation upgraded.
-Daniel Stenberg (6 Aug 2015)
-- [juef brought this change]
-
- curl_multi_remove_handle.3: fix formatting
+- mime: new MIME API.
- closes #366
+ Available in HTTP, SMTP and IMAP.
+ Deprecates the FORM API.
+ See CURLOPT_MIMEPOST.
+ Lib code and associated documentation.
-Steve Holme (6 Aug 2015)
-- README: Added notes about 'Running DLL based configurations'
+- test564: Add a warning comment about shell profile output.
- ...as well as a TODO for a future enhancement to the project files.
+ Shell profile output makes the SSH server failing and this problem reason
+ is not easy to find when no hint is given.
+
+- checksrc: disable SPACEBEFOREPAREN for case statement.
- Thanks-to: Jay Satiro
+ The case keyword may be followed by a constant expression and thus should
+ allow it to start with an open parenthesis.
-- RELEASE-NOTES: Synced with cf8975387f
+- runtests.pl: allow <file[1-4]> tags in client section.
+
+ This enables tests to create more than one file on the client side.
-- buildconf.bat: Synchronise no repository error with generate.bat
+- runtests.pl: Apply strippart to upload too.
+
+ This will allow substitution of boundaries in mail messages.
-- generate.bat: Added a check for the presence of a git repository
+- Curl_base64_encode: always call with a real data handle.
+
+ Some calls in different modules were setting the data handle to NULL, causing
+ segmentation faults when using builds that enable character code conversions.
-- [Jay Satiro brought this change]
+- non-ascii: allow conversion functions to be called with a NULL data handle.
- build: Added wolfSSL configurations to VC10+ project files
-
- URL: https://github.com/bagder/curl/pull/174
+- http: fix a memory leakage in checkrtspprefix().
-- [Jay Satiro brought this change]
+Daniel Stenberg (2 Sep 2017)
+- [Max Dymond brought this change]
- build: Added wolfSSL build script for Visual Studio projects
+ ossfuzz: Move to C++ for curl_fuzzer.
- Added the wolfSSL build script, based on build-openssl.bat, as well as
- the property sheet and header file required for the upcoming additions
- to the Visual Studio project files.
+ Automake gets confused if you want to use C++ static libraries with C
+ code - basically we need to involve the clang++ linker. The easiest way
+ of achieving this is to rename the C code as C++ code. This gets us a
+ bit further along the path and ought to be compatible with Google's
+ version of clang.
-Daniel Stenberg (6 Aug 2015)
-- CHANGES: refer to the online changelog
+- curl_global_sslset: select backend by name case insensitively
- Suggested-by: mc0e
+ Closes #1849
-- [Isaac Boukris brought this change]
+- [Max Dymond brought this change]
- NTLM: handle auth for only a single request
+ ossfuzz: additional seed corpora
- Currently when the server responds with 401 on NTLM authenticated
- connection (re-used) we consider it to have failed. However this is
- legitimate and may happen when for example IIS is set configured to
- 'authPersistSingleRequest' or when the request goes thru a proxy (with
- 'via' header).
+ Create simple seed corpora for:
+ - FTP
+ - telnet
+ - dict
+ - tftp
+ - imap
+ - pop3
- Implemented by imploying an additional state once a connection is
- re-used to indicate that if we receive 401 we need to restart
- authentication.
+ based off the tests of the same number.
- Closes #363
-
-Steve Holme (5 Aug 2015)
-- RELEASE-NOTES: Synced with 473807b95f
-
-- generate.bat: Use buildconf.bat for prerequisite file clean-up
-
-- buildconf.bat: Added support for file clean-up via -clean
+ Closes #1842
-- buildconf.bat: Added progress output
+- [Max Dymond brought this change]
-- buildconf.bat: Avoid using goto for file not in repository
-
-Daniel Stenberg (5 Aug 2015)
-- curl_slist_append.3: add error checking to the example
-
-Steve Holme (5 Aug 2015)
-- buildconf.bat: Added display of usage text with -help
-
-- buildconf.bat: Added exit codes for error handling
-
-- buildconf.bat: Added our standard copyright header
-
-- buildconf.bat: Use lower-case for commands and reserved keywords
-
-- generate.bat: Only clean prerequisite files when in ALL mode
+ ossfuzz: moving towards the ideal integration
+
+ - Start with the basic code from the ossfuzz project.
+ - Rewrite fuzz corpora to be binary files full of Type-Length-Value
+ data, and write a glue layer in the fuzzing function to convert
+ corpora into CURL options.
+ - Have supporting functions to generate corpora from existing tests
+ - Integrate with Makefile.am
-- generate.bat: Moved error messages out of sub-routines
+- strcase: corrected comment header for Curl_strcasecompare()
-- generate.bat: More use of lower-case for commands and reserved keywords
+- unit1301: fix error message on first test
-Daniel Stenberg (3 Aug 2015)
-- libcurl.3: fix a single typo
+- curl_global_sslset.3: show the struct and enum too
- Closes #361
-
-- RELEASE-NOTES: synced with c4eb10e2f06f
+ ... so that users can actually write code based on the man page alone,
+ not having to read the header file.
-- SSH: three state machine fixups
+Jay Satiro (31 Aug 2017)
+- darwinssl: handle long strings in TLS certs (follow-up)
- The SSH state machine didn't clear the 'rc' variable appropriately in a
- two places which prevented it from looping the way it should. And it
- lacked an 'else' statement that made it possible to erroneously get
- stuck in the SSH_AUTH_AGENT state.
+ - Fix handling certificate subjects that are already UTF-8 encoded.
- Reported-by: Tim Stack
+ Follow-up to b3b75d1 from two days ago. Since then a copy would be
+ skipped if the subject was already UTF-8, possibly resulting in a NULL
+ deref later on.
- Closes #357
-
-- curl_gssapi: remove 'const' to fix compiler warnings
+ Ref: https://github.com/curl/curl/issues/1823
+ Ref: https://github.com/curl/curl/pull/1831
- initialization discards 'const' qualifier from pointer target type
+ Closes https://github.com/curl/curl/pull/1836
-- docs: formpost needs the full size at start of upload
+Daniel Stenberg (31 Aug 2017)
+- cyassl: call it the "WolfSSL" backend
- Closes #360
-
-Steve Holme (1 Aug 2015)
-- sspi: Fix typo from left over from old code which referenced NTLM
+ ... instead of cyassl, as this is the current name for it.
- References to NTLM in the identity generation should have been removed
- in commit c469941293 but not all were.
+ Closes #1844
-- win32: Fix compilation warnings from commit 40c921f8b8
+- polarssl: fix multissl breakage
- connect.c:953:5: warning: initializer element is not computable at load
- time
- connect.c:953:5: warning: missing initializer for field 'dwMinorVersion'
- of 'OSVERSIONINFOEX'
- curl_sspi.c:97:5: warning: initializer element is not computable at load
- time
- curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion'
- of 'OSVERSIONINFOEX'
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html
+ Closes #1843
-- schannel: Fix compilation warning from commit 7a8e861a56
+- configure: remove the leading comma from the backends list
- schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion'
- of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
-
-Daniel Stenberg (31 Jul 2015)
-- libcurl-thread.3: minor reformatting
-
-Jay Satiro (31 Jul 2015)
-- curl_global_init_mem.3: Warn threaded resolver needs thread safe funcs
+ ... when darwinssl is used.
- Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
- Reported-by: Eric Ridge
-
-- libcurl-thread.3: Warn memory functions must be thread safe
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/commit/b0989cd3abaff4f9a0717b4875022fa79e33b481#commitcomment-23943493
- Bug: http://curl.haxx.se/mail/lib-2015-07/0149.html
- Reported-by: Eric Ridge
-
-Steve Holme (31 Jul 2015)
-- RELEASE-NOTES: Synced with 8b1d00ac1a
+ Closes #1845
-- INSTALL: Minor formatting correction in 'Legacy Windows and SSL' section
+Kamil Dudka (30 Aug 2017)
+- examples/sslbackend.c: fix failure of 'make checksrc'
- ...as well as some rewording.
+ ./sslbackend.c:58:3: warning: else after closing brace on same line (BRACEELSE)
+ } else if(isdigit(*name)) {
+ ^
+ ./sslbackend.c:62:3: warning: else after closing brace on same line (BRACEELSE)
+ } else
+ ^
-Kamil Dudka (30 Jul 2015)
-- http: move HTTP/2 cleanup code off http_disconnect()
+Viktor Szakats (30 Aug 2017)
+- makefile.m32: add multissl support
- Otherwise it would never be called for an HTTP/2 connection, which has
- its own disconnect handler.
-
- I spotted this while debugging <https://bugzilla.redhat.com/1248389>
- where the http_disconnect() handler was called on an FTP session handle
- causing 'dnf' to crash. conn->data->req.protop of type (struct FTP *)
- was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in
- Curl_add_buffer_free() after printing the "Connection cache is full,
- closing the oldest one." message.
+ Closes https://github.com/curl/curl/pull/1840
+
+Daniel Stenberg (30 Aug 2017)
+- curl.h: CURLSSLBACKEND_WOLFSSL used wrong value
- A previously working version of libcurl started to crash after it was
- recompiled with the HTTP/2 support despite the HTTP/2 protocol was not
- actually used. This commit makes it work again although I suspect the
- root cause (reinterpreting session handle data of incompatible protocol)
- still has to be fixed. Otherwise the same will happen when mixing FTP
- and HTTP/2 connections and exceeding the connection cache limit.
+ The CURLSSLBACKEND_WOLFSSL is supposed to be an alias for
+ CURLSSLBACKEND_CYASSL, but used an erronous value. To reduce the risk
+ for a similar mistake, define the backend aliases to use the enum values
+ instead.
- Reported-by: Tomas Tomecek
- Bug: https://bugzilla.redhat.com/1248389
-
-Daniel Stenberg (30 Jul 2015)
-- [Viktor Szakats brought this change]
-
- ABI doc: use secure URL
+ Reported-by: Gisle Vanem
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0120.html
-- ABI: remove the ascii logo
+- curl_global_sslset.3: clarify
- and made the indent level to 1
-
-- libcurl-multi.3: mention curl_multi_wait
+ it is a one time *set*, not necessarily a one time use... it can be
+ called again if the first call failed or just listed the alternatives.
- ... and some general rewordings to improve this docs.
+ clarify that the available backends are the ones this build supports
- Reported-by: Tim Stack
+ plus add some formatting
- Closes #356
+ Reported-by: Rich Gray
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0119.html
-Steve Holme (30 Jul 2015)
-- maketgz: Fixed some VC makefiles missing from the release tarball
+- curl/multi.h: remove duplicated closing c++ brace
- VC7, VC11, VC12 and VC14 makefiles were missing from the release
- tarball.
+ Regression since 1328f69d53f2f2e93
+
+ Fixes #1841
+ Reported-by: Andrei Karas
-- RELEASE-NOTES: Synced with 2d7e165761
+- RELEASE-NOTES: synced with 8c33c963a
-- build: Added VC14 project files to Makefile.am
+- HELP-US.md: spelling
-- build: Added VC14 project files
+- HELP-US.md: "How to get started helping out in the curl project"
- Updates to Makefile.am for the generation of the project files in
- the tarball to follow.
+ Closes #1837
-Jay Satiro (29 Jul 2015)
-- libcurl-thread.3: Clarify CURLOPT_NOSIGNAL takes long value 1L
-
-Steve Holme (28 Jul 2015)
-- generate.bat: Use lower-case for commands and reserved keywords
+Dan Fandrich (29 Aug 2017)
+- asyn-thread: Fixed cleanup after OOM
- Whilst there are no coding standards for the batch files used in curl,
- most tend to use lower-case for keywords and upper-case for variables.
+ destroy_async_data() assumes that if the flag "done" is not set yet, the
+ thread itself will clean up once the request is complete. But if an
+ error (generally OOM) occurs before the thread even has a chance to
+ start, it will never get a chance to clean up and memory will be leaked.
+ By clearing "done" only just before starting the thread, the correct
+ cleanup sequence will happen in all cases.
-- build: Added initial VC14 support to generate.bat
-
- Visual Studio project files and updates to makefile.am to follow.
+Daniel Stenberg (28 Aug 2017)
+- curl_global_init.3: mention curl_global_sslset(3)
-- build: Fixed missing .opensdf files from VC10+ .gitignore files
+Dan Fandrich (28 Aug 2017)
+- unit1606: Fixed shadowed variable warning
-- build: Use $(ProjectName) macro for curl.exe and curld.exe filenames
-
- This wasn't possible with the old curlsrc project filenames, but like
- commit 2a615a2b64 and 11397eb6dd for libcurl use the built in Visual
- Studio macros for the output filenames.
+- asyn-thread: Improved cleanup after OOM situations
-- build: Renamed curl src Visual Studio project files
+- asyn-thread: Set errno to the proper value ENOMEM in OOM situation
- Following commit 957fcd9049 and in preparation for adding the VC14
- project files renamed the curl source project files.
+ This used to be set in some configurations to EAI_MEMORY which is not a
+ valid value for errno and caused Curl_strerror to fail an assertion.
-Daniel Stenberg (28 Jul 2015)
-- [Jay Satiro brought this change]
+Daniel Stenberg (28 Aug 2017)
+- [Johannes Schindelin brought this change]
- libcurl-thread.3: Revert to stricter handle wording
+ configure: Handle "MultiSSL" specially When versioning symbols
- .. also update formatting and add WinSSL and wolfSSL to the SSL/TLS
- handlers list.
-
-- [Jay Satiro brought this change]
+ There is a mode in which libcurl is compiled with versioned symbols,
+ depending on the active SSL backend.
+
+ When multiple SSL backends are active, it does not make sense to favor
+ one over the others, so let's not: introduce a new prefix for the case
+ where multiple SSL backends are compiled into cURL.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ configure: allow setting the default SSL backend
+
+ Previously, we used as default SSL backend whatever was first in the
+ `available_backends` array.
+
+ However, some users may want to override that default without patching
+ the source code.
+
+ Now they can: with the --with-default-ssl-backend=<backend> option of
+ the ./configure script.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: use Curl_ssl_multi pseudo backend only when needed
+
+ When only one SSL backend is configured, it is totally unnecessary to
+ let multissl_init() configure the backend at runtime, we can select the
+ correct backend at build time already.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ version: if built with more than one SSL backend, report all of them
+
+ To discern the active one from the inactive ones, put the latter into
+ parentheses.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ version: add the CURL_VERSION_MULTI_SSL feature flag
+
+ This new feature flag reports When cURL was built with multiple SSL
+ backends.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ metalink: allow compiling with multiple SSL backends
+
+ Previously, the code assumed that at most one of the SSL backends would
+ be compiled in, emulating OpenSSL's functions if the configured backend
+ was not OpenSSL itself.
+
+ However, now we allow building with multiple SSL backends and choosing
+ one at runtime. Therefore, metalink needs to be adjusted to handle this
+ scenario, too.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ docs/examples: demonstrate how to select SSL backends
+
+ The newly-introduced curl_global_sslset() function deserves to be
+ show-cased.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ Add a man page for curl_global_sslset()
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: introduce curl_global_sslset()
+
+ Let's add a compile time safe API to select an SSL backend. This
+ function needs to be called *before* curl_global_init(), and can be
+ called only once.
+
+ Side note: we do not explicitly test that it is called before
+ curl_global_init(), but we do verify that it is not called multiple times
+ (even implicitly).
+
+ If SSL is used before the function was called, it will use whatever the
+ CURL_SSL_BACKEND environment variable says (or default to the first
+ available SSL backend), and if a subsequent call to
+ curl_global_sslset() disagrees with the previous choice, it will fail
+ with CURLSSLSET_TOO_LATE.
+
+ The function also accepts an "avail" parameter to point to a (read-only)
+ NULL-terminated list of available backends. This comes in real handy if
+ an application wants to let the user choose between whatever SSL backends
+ the currently available libcurl has to offer: simply call
+
+ curl_global_sslset(-1, NULL, &avail);
+
+ which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail
+ variable to point to the relevant information to present to the user.
+
+ Just like with the HTTP/2 push functions, we have to add the function
+ declaration of curl_global_sslset() function to the header file
+ *multi.h* because VMS and OS/400 require a stable order of functions
+ declared in include/curl/*.h (where the header files are sorted
+ alphabetically). This looks a bit funny, but it cannot be helped.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: refactor out essential information about the SSL backends
+
+ There is information about the compiled-in SSL backends that is really
+ no concern of any code other than the SSL backend itself, such as which
+ function (if any) implements SHA-256 summing.
+
+ And there is information that is really interesting to the user, such as
+ the name, or the curl_sslbackend value.
+
+ Let's factor out the latter into a publicly visible struct. This
+ information will be used in the upcoming API to set the SSL backend
+ globally.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: allow selecting which SSL backend to use at runtime
+
+ When building software for the masses, it is sometimes not possible to
+ decide for all users which SSL backend is appropriate.
+
+ Git for Windows, for example, uses cURL to perform clones, fetches and
+ pushes via HTTPS, and some users strongly prefer OpenSSL, while other
+ users really need to use Secure Channel because it offers
+ enterprise-ready tools to manage credentials via Windows' Credential
+ Store.
+
+ The current Git for Windows versions use the ugly work-around of
+ building libcurl once with OpenSSL support and once with Secure Channel
+ support, and switching out the binaries in the installer depending on
+ the user's choice.
+
+ Needless to say, this is a super ugly workaround that actually only
+ works in some cases: Git for Windows also comes in a portable form, and
+ in a form intended for third-party applications requiring Git
+ functionality, in which cases this "swap out libcurl-4.dll" simply is
+ not an option.
+
+ Therefore, the Git for Windows project has a vested interest in teaching
+ cURL to make the SSL backend a *runtime* option.
+
+ This patch makes that possible.
+
+ By running ./configure with multiple --with-<backend> options, cURL will
+ be built with multiple backends.
+
+ For the moment, the backend can be configured using the environment
+ variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
+ "schannel").
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: fold the backend ID into the Curl_ssl structure
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ curl_ntlm_core: don't complain but #include OpenSSL header if needed
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: encapsulate SSL backend-specific data
+
+ So far, all of the SSL backends' private data has been declared as
+ part of the ssl_connect_data struct, in one big #if .. #elif .. #endif
+ block.
+
+ This can only work as long as the SSL backend is a compile-time option,
+ something we want to change in the next commits.
+
+ Therefore, let's encapsulate the exact data needed by each SSL backend
+ into a private struct, and let's avoid bleeding any SSL backend-specific
+ information into urldata.h. This is also necessary to allow multiple SSL
+ backends to be compiled in at the same time, as e.g. OpenSSL's and
+ CyaSSL's headers cannot be included in the same .c file.
+
+ To avoid too many malloc() calls, we simply append the private structs
+ to the connectdata struct in allocate_conn().
+
+ This requires us to take extra care of alignment issues: struct fields
+ often need to be aligned on certain boundaries e.g. 32-bit values need to
+ be stored at addresses that divide evenly by 4 (= 32 bit / 8
+ bit-per-byte).
+
+ We do that by assuming that no SSL backend's private data contains any
+ fields that need to be aligned on boundaries larger than `long long`
+ (typically 64-bit) would need. Under this assumption, we simply add a
+ dummy field of type `long long` to the `struct connectdata` struct. This
+ field will never be accessed but acts as a placeholder for the four
+ instances of ssl_backend_data instead. the size of each ssl_backend_data
+ struct is stored in the SSL backend-specific metadata, to allow
+ allocate_conn() to know how much extra space to allocate, and how to
+ initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend
+ pointers.
+
+ This would appear to be a little complicated at first, but is really
+ necessary to encapsulate the private data of each SSL backend correctly.
+ And we need to encapsulate thusly if we ever want to allow selecting
+ CyaSSL and OpenSSL at runtime, as their headers cannot be included within
+ the same .c file (there are just too many conflicting definitions and
+ declarations for that).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: prepare the SSL backends for encapsulated private data
+
+ At the moment, cURL's SSL backend needs to be configured at build time.
+ As such, it is totally okay for them to hard-code their backend-specific
+ data in the ssl_connect_data struct.
+
+ In preparation for making the SSL backend a runtime option, let's make
+ the access of said private data a bit more abstract so that it can be
+ adjusted later in an easy manner.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ urldata.h: move SSPI-specific #include to correct location
+
+ In 86b889485 (sasl_gssapi: Added GSS-API based Kerberos V5 variables,
+ 2014-12-03), an SSPI-specific field was added to the kerberos5data
+ struct without moving the #include "curl_sspi.h" later in the same file.
+
+ This broke the build when SSPI was enabled, unless Secure Channel was
+ used as SSL backend, because it just so happens that Secure Channel also
+ requires "curl_sspi.h" to be #included.
+
+ In f4739f639 (urldata: include curl_sspi.h when Windows SSPI is enabled,
+ 2017-02-21), this bug was fixed incorrectly: Instead of moving the
+ appropriate conditional #include, the Secure Channel-conditional part
+ was now also SSPI-conditional.
+
+ Fix this problem by moving the correct #include instead.
+
+ This is also required for an upcoming patch that moves all the Secure
+ Channel-specific stuff out of urldata.h and encapsulates it properly in
+ vtls/schannel.c instead.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ urldata.h: remove support for obsolete PolarSSL version
+
+ Since 5017d5ada (polarssl: now require 1.3.0+, 2014-03-17), we require
+ a newer PolarSSL version. No need to keep code trying to support any
+ older version.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ getinfo: access SSL internals via Curl_ssl
+
+ In the ongoing endeavor to abstract out all SSL backend-specific
+ functionality, this is the next step: Instead of hard-coding how the
+ different SSL backends access their internal data in getinfo.c, let's
+ implement backend-specific functions to do that task.
+
+ This will also allow for switching SSL backends as a runtime option.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
- libcurl-thread.3: Consolidate thread safety info
+ vtls: move SSL backends' private constants out of their header files
- This is a new document to consolidate our thread safety information from
- several documents (curl-www:features, libcurl.3, libcurl-tutorial.3).
- Each document's section on multi-threading will now point to this one.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ axtls: use Curl_none_* versions of init() and cleanup()
+
+ There are convenient no-op versions of the init/cleanup functions now,
+ no need to define private ones for axTLS.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: remove obsolete declarations of SSL backend functionality
+
+ These functions are all available via the Curl_ssl struct now, no need
+ to declare them separately anymore.
+
+ As the global declarations are removed, the corresponding function
+ definitions are marked as file-local. The only two exceptions here are
+ Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the
+ declarations were removed, there are no function definitions to mark
+ file-local.
+
+ Please note that Curl_nss_force_init() is *still* declared globally, as
+ the only SSL backend-specific function, because it was introduced
+ specifically for the use case where cURL was compiled with
+ `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add
+ support for NSS, 2010-06-27).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ schannel: reorder functions topologically
+
+ The _shutdown() function calls the _session_free() function; While this
+ is not a problem now (because schannel.h declares both functions), a
+ patch looming in the immediate future with make all of these functions
+ file-local.
+
+ So let's just move the _session_free() function's definition before it
+ is called.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ axtls: reorder functions topologically
+
+ The connect_finish() function (like many other functions after it) calls
+ the Curl_axtls_close() function; While this is not a problem now
+ (because axtls.h declares the latter function), a patch looming in the
+ immediate future with make all of these functions file-local.
+
+ So let's just move the Curl_axtls_close() function's definition before
+ it is called.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct
+
+ That will allow us to choose the SSL backend at runtime.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: convert the have_curlssl_* constants to runtime flags
+
+ The entire idea of introducing the Curl_ssl struct to describe SSL
+ backends is to prepare for choosing the SSL backend at runtime.
+
+ To that end, convert all the #ifdef have_curlssl_* style conditionals
+ to use bit flags instead.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: move sha256sum into the Curl_ssl struct
+
+ The SHA-256 checksumming is also an SSL backend-specific function.
+ Let's include it in the struct declaring the functionality of SSL
+ backends.
+
+ In contrast to MD5, there is no fall-back code. To indicate this, the
+ respective entries are NULL for those backends that offer no support for
+ SHA-256 checksumming.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: move md5sum into the Curl_ssl struct
+
+ The MD5 summing is also an SSL backend-specific function. So let's
+ include it, offering the previous fall-back code as a separate function
+ now: Curl_none_md5sum(). To allow for that, the signature had to be
+ changed so that an error could be returned from the implementation
+ (Curl_none_md5sum() can run out of memory).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-Steve Holme (27 Jul 2015)
-- README: Corrected formatting for 'Legacy Windows and SSL' section
+ vtls: use the Curl_ssl struct to access all SSL backends' functionality
+
+ This is the first step to unify the SSL backend handling. Now all the
+ SSL backend-specific functionality is accessed via a global instance of
+ the Curl_ssl struct.
- ...as well as some wording.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-- build-openssl.bat: Added support for VC14
+ vtls: declare Curl_ssl structs for every SSL backend
+
+ The idea of introducing the Curl_ssl struct was to unify how the SSL
+ backends are declared and called. To this end, we now provide an
+ instance of the Curl_ssl struct for each and every SSL backend.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (26 Jul 2015)
-- RELEASE-NOTES: synced with 0f645adc95390e8
+- [Johannes Schindelin brought this change]
-- test1902: attempt to make the test more reliable
+ vtls: introduce a new struct for SSL backends
+
+ This new struct is similar in nature to Curl_handler: it will define the
+ functions and capabilities of all the SSL backends (where Curl_handler
+ defines the functions and capabilities of protocol handlers).
- Closes #355
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-- comment: fix comment about adding new option support
+ vtls: make sure every _sha256sum()'s first arg is const
+
+ This patch makes the signature of the _sha256sum() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Jay Satiro (25 Jul 2015)
-- build-openssl.bat: Show syntax if required args are missing
+- [Johannes Schindelin brought this change]
-Daniel Stenberg (26 Jul 2015)
-- TODO: improve how curl works in a windows console window
+ vtls: make sure all _data_pending() functions return bool
+
+ This patch makes the signature of the _data_pending() functions
+ consistent among the SSL backends, in preparation for unifying the way
+ all SSL backends are accessed.
- Closes #322 for now
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-- 1.11 minimize dependencies with dynamicly loaded modules
+ vtls: make sure all _cleanup() functions return void
+
+ This patch makes the signature of the _cleanup() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
- Closes #349 for now
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-Jay Satiro (25 Jul 2015)
-- tool_operate: Fix CURLOPT_SSL_OPTIONS for builds without HTTPS
+ vtls: use consistent signature for _random() implementations
+
+ This will make the upcoming multissl backend much easier to implement.
- - Set CURLOPT_SSL_OPTIONS only if the tool enabled an SSL option.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- strtooff: fix build for systems with long long but no strtoll option
- Broken by me several days ago in 172b2be.
- https://github.com/bagder/curl/commit/172b2be#diff-70b44ee478e58d4e1ddcf9c9a73d257b
+ Closes #1829
- Bug: http://curl.haxx.se/mail/lib-2015-07/0119.html
Reported-by: Dan Fandrich
+ Bug: https://github.com/curl/curl/pull/1758#issuecomment-324861615
-Daniel Stenberg (25 Jul 2015)
-- configure: check if OpenSSL linking wants -ldl
+- darwinssl: handle long strings in TLS certs
- To make it easier to link with static versions of OpenSSL, the configure
- script now checks if -ldl is needed for linking.
+ ... as the previous fixed length 128 bytes buffer was sometimes too
+ small.
- Help-by: TJ Saunders
+ Fixes #1823
+ Closes #1831
+
+ Reported-by: Benjamin Sergeant
+ Assisted-by: Bill Pyne, Ray Satiro, Nick Zitzmann
-- [Michael Kaufmann brought this change]
+- system.h: include sys/poll.h for AIX
+
+ ... to get the event/revent defines that might be used for the poll
+ struct.
+
+ Reported-by: Michael Smith
+ Fixes #1828
+ Closes #1833
+
+Dan Fandrich (26 Aug 2017)
+- tests: Make sure libtests & unittests call curl_global_cleanup()
+
+ These were missed in commit c468c27b.
+
+Jay Satiro (26 Aug 2017)
+- [theantigod brought this change]
+
+ winbuild: fix embedded manifest option
+
+ Embedded manifest option didn't work due to incorrect path.
+
+ Fixes https://github.com/curl/curl/issues/1832
+
+Daniel Stenberg (25 Aug 2017)
+- fuzz/Makefile.am: remove curlbuild.h leftovers
+
+- examples/threaded-ssl: mention that this is for openssl before 1.1
+
+- imap: use defined names for response codes
+
+ When working on this code I found the previous setup a bit weird while
+ using proper defines increases readability.
+
+ Closes #1824
+
+- CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
+
+- imap: support PREAUTH
+
+ It is a defined possible greeting at server startup that means the
+ connection is already authenticated. See
+ https://tools.ietf.org/html/rfc3501#section-7.1.4
+
+ Test 846 added to verify.
+
+ Fixes #1818
+ Closes #1820
+
+Jay Satiro (23 Aug 2017)
+- config-tpf: define SIZEOF_LONG
+
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
+
+ Bug: https://github.com/curl/curl/issues/1816
+
+Dan Fandrich (23 Aug 2017)
+- test1453: Fixed <features>
+
+Daniel Stenberg (22 Aug 2017)
+- [Gisle Vanem brought this change]
+
+ config-dos: add missing defines, SIZEOF_* and two others
+
+ Bug: #1816
+
+- curl: shorten and clean up CA cert verification error message
+
+ The previous message was just too long for ordinary people and it was
+ encouraging users to use `--insecure` a little too easy.
+
+ Based-on-work-by: Frank Denis
+
+ Closes #1810
+ Closes #1817
+
+- request-target.d: mention added in 7.55.0
+
+Marcel Raad (22 Aug 2017)
+- tool_main: turn off MinGW CRT's globbing
+
+ By default, the MinGW CRT globs command-line arguments. This prevents
+ getting a single asterisk into an argument as test 1299 does. Turn off
+ globbing by setting the global variable _CRT_glob to 0 for MinGW.
+
+ Fixes https://github.com/curl/curl/issues/1751
+ Closes https://github.com/curl/curl/pull/1813
+
+Viktor Szakats (22 Aug 2017)
+- makefile.m32: add support for libidn2
+
+ libidn was replaced with libidn2 last year in configure.
+ Caveat: libidn2 may depend on a list of further libs.
+ These can be manually specified via CURL_LDFLAG_EXTRAS.
+
+ Closes https://github.com/curl/curl/pull/1815
+
+Jay Satiro (22 Aug 2017)
+- [Viktor Szakats brought this change]
+
+ config-win32: define SIZEOF_LONG
+
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
+
+ Closes https://github.com/curl/curl/pull/1814
- HTTP: ignore "Content-Encoding: compress"
+Daniel Stenberg (20 Aug 2017)
+- cmake: enable picky compiler options with clang and gcc
+
+ closes #1799
+
+- curl/system.h: fix build for hppa
+
+ Reported-by: John David Anglin
+ Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872502#10
+
+- [Even Rouault brought this change]
+
+ tftp: fix memory leak on too long filename
+
+ Fixes
+
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+
+ ==9752== Memcheck, a memory error detector
+ ==9752== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
+ ==9752== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
+ ==9752== Command: /home/even/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+ ==9752==
+ curl: (71) TFTP file name too long
+
+ ==9752==
+ ==9752== HEAP SUMMARY:
+ ==9752== 505 bytes in 1 blocks are definitely lost in loss record 11 of 11
+ ==9752== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==9752== by 0x4E61CED: Curl_urldecode (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E75868: tftp_state_machine (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E761B6: tftp_do (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E711B6: multi_runsingle (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E71D00: curl_multi_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E6950D: curl_easy_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x40E0B7: operate_do (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x40E849: operate (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x402693: main (in /home/even/install-curl-git/bin/curl)
+
+ Fixes https://oss-fuzz.com/v2/testcase-detail/5232311106797568
+ Credit to OSS Fuzz
+
+ Closes #1808
+
+Dan Fandrich (19 Aug 2017)
+- runtests: fixed case insensitive matching of keywords
+
+ Commit 5c2aac71 didn't work in the case of mixed-case keywords given on
+ the command-line.
+
+- tests: Make sure libtests call curl_global_cleanup()
+
+ This ensures that global data allocations are freed so Valgrind stays
+ happy. This was a problem with at least PolarSSL and mbedTLS.
+
+Daniel Stenberg (18 Aug 2017)
+- RELEASE-NOTES: synced with 8baead425
+
+- scripts/contri*sh: use "git log --use-mailmap"
+
+- mailmap: de-duplify some git authors
+
+- http2_recv: return error better on fatal h2 errors
+
+ Ref #1012
+ Figured-out-by: Tatsuhiro Tsujikawa
+
+- KNOWN_BUGS: HTTP test server 'connection-monitor' problems
+
+ Closes #868
+
+- curl/system.h: check for __ppc__ as well
+
+ ... regression since issue #1774 (commit 10b3df10596a) since obviously
+ some older gcc doesn't know __powerpc__ while some newer doesn't know
+ __ppc__ ...
+
+ Fixes #1797
+ Closes #1798
+ Reported-by: Ryan Schmidt
+
+- [Jan Alexander Steffens (heftig) brought this change]
+
+ http: Don't wait on CONNECT when there is no proxy
+
+ Since curl 7.55.0, NetworkManager almost always failed its connectivity
+ check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP
+ CONNECT process entirely non-blocking).
+
+ This patch replaces !Curl_connect_complete with Curl_connect_ongoing,
+ which returns false if the CONNECT state was left uninitialized and lets
+ the connection continue.
+
+ Closes #1803
+ Fixes #1804
+
+ Also-fixed-by: Gergely Nagy
+
+- [Johannes Schindelin brought this change]
+
+ metalink: adjust source code style
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- CURL_SIZEOF_LONG: removed, use only SIZEOF_LONG
+
+- lib557: no longer use CURL_SIZEOF_* defines
+
+- config-win32: define SIZEOF_CURL_OFF_T
+
+- cmake: sizeof curl_off_t, remove unused detections
+
+- system.h: remove all CURL_SIZEOF_* defines
+
+ ... as they're not used externally and internally we check for the sizes
+ already in configure etc.
+
+ Closes #1767
+
+- ftp: fix CWD when doing multicwd then nocwd on same connection
+
+ Fixes #1782
+ Closes #1787
+ Reported-by: Peter Lamare
+
+- CURLOPT_SSH_COMPRESSION.3: enable with 1L
+
+ (leaves other values reserved for the future)
+
+- compressed-ssh.d: "Added: 7.56.0"
+
+- curl/system.h: checksrc compliance
+
+Jay Satiro (17 Aug 2017)
+- [Viktor Szakats brought this change]
+
+ ssh: add the ability to enable compression (for SCP/SFTP)
+
+ The required low-level logic was already available as part of
+ `libssh2` (via `LIBSSH2_FLAG_COMPRESS` `libssh2_session_flag()`[1]
+ option.)
+
+ This patch adds the new `libcurl` option `CURLOPT_SSH_COMPRESSION`
+ (boolean) and the new `curl` command-line option `--compressed-ssh`
+ to request this `libssh2` feature. To have compression enabled, it
+ is required that the SSH server supports a (zlib) compatible
+ compression method and that `libssh2` was built with `zlib` support
+ enabled.
+
+ [1] https://www.libssh2.org/libssh2_session_flag.html
+
+ Ref: https://github.com/curl/curl/issues/1732
+ Closes https://github.com/curl/curl/pull/1735
+
+- examples/ftpuploadresume: checksrc compliance
+
+- [Maksim Stsepanenka brought this change]
+
+ http_proxy: fix build error for CURL_DOES_CONVERSIONS
+
+ Closes https://github.com/curl/curl/pull/1793
+
+GitHub (16 Aug 2017)
+- [Nick Zitzmann brought this change]
+
+ configure: check for __builtin_available() availability (#1788)
+
+ This change does two things:
+ 1. It un-breaks the build in Xcode 9.0. (Xcode 9.0 is currently
+ failing trying to compile connectx() in lib/connect.c.)
+ 2. It finally weak-links the connectx() function, and falls back on
+ connect() when run on older operating systems.
+
+Daniel Stenberg (16 Aug 2017)
+- travis: add metalink to some osx builds
+
+ Closes #1790
+
+- [Max Dymond brought this change]
+
+ coverage: Use two coveralls commands to get lib/vtls results
+
+ closes #1747
+
+- darwinssi: fix error: variable length array used
+
+- m4/curl-compilers.m4: use proper quotes around string, not backticks
+
+ ... when setting clang version to assume 3.7
+
+ Caused a lot of "integer expression expected" warnings by configure.
+
+- [Benbuck Nason brought this change]
+
+ cmake: remove dead code for DISABLED_THREADSAFE
+
+ Closes #1786
+
+Jay Satiro (15 Aug 2017)
+- [Jakub Zakrzewski brought this change]
+
+ curl-confopts.m4: fix --disable-threaded-resolver
+
+ Closes https://github.com/curl/curl/issues/1784
+
+Daniel Stenberg (15 Aug 2017)
+- [Ryan Winograd brought this change]
+
+ progress: Track total times following redirects
+
+ Update the progress timers `t_nslookup`, `t_connect`, `t_appconnect`,
+ `t_pretransfer`, and `t_starttransfer` to track the total times for
+ these activities when a redirect is followed. Previously, only the times
+ for the most recent request would be tracked.
+
+ Related changes:
+
+ - Rename `Curl_pgrsResetTimesSizes` to `Curl_pgrsResetTransferSizes`
+ now that the function only resets transfer sizes and no longer
+ modifies any of the progress timers.
+
+ - Add a bool to the `Progress` struct that is used to prevent
+ double-counting `t_starttransfer` times.
+
+ Added test case 1399.
+
+ Fixes #522 and Known Bug 1.8
+ Closes #1602
+ Reported-by: joshhe on github
+
+- [Benbuck Nason brought this change]
+
+ cmake: remove dead code for CURL_DISABLE_RTMP
+
+ Closes #1785
+
+Kamil Dudka (15 Aug 2017)
+- zsh.pl: produce a working completion script again
+
+ Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help
+ to use <file> and <dir> instead of FILE and DIR, which caused zsh.pl to
+ produce a broken completion script:
+
+ % curl --<TAB>
+ _curl:10: no such file or directory: seconds
+
+ Closes #1779
+
+Daniel Stenberg (15 Aug 2017)
+- curlver: toward 7.56.0?
+
+- RELEASE-NOTES: synced with 91c46dc44
+
+- test1449: FTP download range with an too large size
+
+- strtoofft: reduce integer overflow risks globally
+
+ ... make sure we bail out on overflows.
+
+ Reported-by: Brian Carpenter
+ Closes #1758
+
+- travis: build the examples too
+
+ to make sure they keep building warning-free
+
+ Closes #1777
+
+- runtests: match keywords case insensitively
+
+- examples/ftpuploadresume.c: use portable code
+
+ ... converted from the MS specific _snscanf()
+
+Version 7.55.1 (13 Aug 2017)
+
+Daniel Stenberg (13 Aug 2017)
+- RELEASE-NOTES/THANKS: curl 7.55.1 release time
+
+- gitignore: ignore .xz now instead of .lzma
+
+- [Sergei Nikulov brought this change]
+
+ cmake: Threads detection update. ref: #1702
+
+ Closes #1719
+
+- ipv6_scope: support unique local addresses
+
+ Fixes #1764
+ Closes #1773
+ Reported-by: James Slaughter
+
+- [Alex Potapenko brought this change]
+
+ curl/system.h: GCC doesn't define __ppc__ on PowerPC, uses __powerpc__
+
+ Closes #1774
+
+- test1448: verify redirect to IDN using URL
+
+ Closes #1772
+
+- [Salah-Eddin Shaban brought this change]
+
+ redirect: skip URL encoding for host names
+
+ This fixes redirects to IDN URLs
+
+ Fixes #1441
+ Closes #1762
+ Reported by: David Lord
+
+- test2032: mark as flaky (again)
+
+- travis: test cmake build on tarball too
+
+ Could've prevented #1755
+
+- [Simon Warta brought this change]
+
+ cmake: allow user to override CMAKE_DEBUG_POSTFIX
+
+ Closes #1763
+
+- connect-to.d: better language
+
+- connect-to.d: clarified
+
+- bagder/Curl_tvdiff_us: fix the math
+
+ Regression since adef394ac5 (released in 7.55.0)
+
+ Reported-by: Han Qiao
+ Fixes #1769
+ Closes #1771
+
+- curl/system.h: add Oracle Solaris Studio
+
+ Fixes #1752
+
+- [Alessandro Ghedini brought this change]
+
+ docs: fix typo funtion -> function
+
+ Closes #1770
+
+Alessandro Ghedini (12 Aug 2017)
+- docs: fix grammar in CURL_SSLVERSION_MAX_DEFAULT description
+
+- docs: fix typo stuct -> struct
+
+Dan Fandrich (12 Aug 2017)
+- test1447: require a curl with http support
+
+Daniel Stenberg (11 Aug 2017)
+- [Thomas Petazzoni brought this change]
+
+ curl/system.h: support more architectures
+
+ The long list of architectures in include/curl/system.h is annoying to
+ maintain, and needs to be extended for each and every architecture to
+ support.
+
+ Instead, let's rely on the __SIZEOF_LONG__ define of the gcc compiler
+ (we are in the GNUC condition anyway), which tells us if long is 4
+ bytes or 8 bytes.
+
+ This fixes the build of libcurl 7.55.0 on architectures such as
+ OpenRISC or ARC.
+
+ Closes #1766
+
+ Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+- test2033: this went flaky again
+
+ Suspicion: when we enabled the threaded resolver by default.
+
+- test1447: verifies the parse proxy fix in 6e0e152ce5c
+
+- [Even Rouault brought this change]
+
+ parse_proxy(): fix memory leak in case of invalid proxy server name
+
+ Fixes the below leak:
+
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl --proxy "http://a:b@/x" http://127.0.0.1
+ curl: (5) Couldn't resolve proxy name
+ ==5048==
+ ==5048== HEAP SUMMARY:
+ ==5048== in use at exit: 532 bytes in 12 blocks
+ ==5048== total heap usage: 5,288 allocs, 5,276 frees, 445,271 bytes allocated
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 1 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CB79: parse_login_details (url.c:5614)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 2 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CBB6: parse_login_details (url.c:5621)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
+
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2984
+ Credit to OSS Fuzz for discovery
+
+ Closes #1761
+
+- RELEASE-NOTES: synced with 37f2195a9
+
+- curlver: bump to 7.55.1
+
+- openssl: fix "error: this statement may fall through"
+
+ A gcc7 warning.
+
+- [David Benjamin brought this change]
+
+ openssl: remove CONST_ASN1_BIT_STRING.
+
+ Just making the pointer as const works for the pre-1.1.0 path too.
+
+ Closes #1759
+
+- maketgz: remove old *.dist files before making the tarball
+
+ To avoid "old crap" unintentionally getting shipped.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0050.html
+ Reported-by: Christian Weisgerber
+
+Jay Satiro (10 Aug 2017)
+- mkhelp.pl: allow executing this script directly
+
+ - Enable execute permission (chmod +x)
+
+ - Change interpreter to /usr/bin/env perl
+
+ Ref: https://github.com/curl/curl/issues/1743
+
+Daniel Stenberg (10 Aug 2017)
+- configure: use the threaded resolver backend by default if possible
+
+ Closes #1647
+
+- cmake: move cmake_uninstall.cmake to CMake/
+
+ Closes #1756
+
+- metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead
+
+- dist: fix the cmake build by shipping cmake_uninstall.cmake.in too
+
+ Fixes #1755
+
+- travis: verify "make install"
+
+ Help-by: Jay Satiro
+ Closes #1753
+
+Marcel Raad (10 Aug 2017)
+- build: check out *.sln files with Windows line endings
+
+ Visual Studio doesn't like LF line endings in solution files and always
+ converts them to CRLF when doing changes to the solution. Notably, this
+ affects the solutions in the release archive.
+
+ Closes https://github.com/curl/curl/pull/1746
+
+- gitignore: ignore top-level .vs folder
+
+ This folder is generated when using the CMake build system from within
+ Visual Studio.
+
+ Closes https://github.com/curl/curl/pull/1746
+
+Jay Satiro (10 Aug 2017)
+- digest_sspi: Don't reuse context if the user/passwd has changed
+
+ Bug: https://github.com/curl/curl/issues/1685
+ Reported-by: paulharris@users.noreply.github.com
+
+ Assisted-by: Isaac Boukris
+
+ Closes https://github.com/curl/curl/pull/1742
+
+Daniel Stenberg (9 Aug 2017)
+- [Adam Sampson brought this change]
+
+ dist: Add dictserver.py/negtelnetserver.py to EXTRA_DIST
+
+ These weren't included in the 7.55.0 release, but are required in order
+ to run the full test suite.
+
+ Closes #1744
+
+- [Adam Sampson brought this change]
+
+ curl: do bounds check using a double comparison
+
+ The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
+ complete: if the parsed number in num is larger than will fit in a long,
+ the conversion is undefined behaviour (causing test1427 to fail for me
+ on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting
+ rid of the cast means the comparison will be done using doubles.
+
+ It might make more sense for the max argument to also be a double...
+
+ Fixes #1750
+ Closes #1749
+
+- make install: add 8 missing man pages to the installation
+
+- build: fix 'make install' with configure, install docs/libcurl/* too
+
+ Broken since d24838d4da9faa
+
+ Reported-by: Bernard Spil
+
+Version 7.55.0 (9 Aug 2017)
+
+Daniel Stenberg (9 Aug 2017)
+- RELEASE-NOTES: curl 7.55.0
+
+- THANKS: 20 new contributors in 7.55.0
+
+- [Viktor Szakats brought this change]
+
+ docs/comments: Update to secure URL versions
+
+ Closes #1741
+
+- configure: fix recv/send/select detection on Android
+
+ ... since they now provide several functions as
+ __attribute__((overloadable)), the argument detection logic need
+ updates.
+
+ Patched-by: destman at github
+
+ Fixes #1738
+ Closes #1739
+
+Marcel Raad (8 Aug 2017)
+- ax_code_coverage.m4: update to latest version
+
+ This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d
+ from August 01, 2017. Notably, this removes the lconv version whitelist.
+
+ Closes https://github.com/curl/curl/pull/1716
+
+Daniel Stenberg (7 Aug 2017)
+- test1427: verify command line parser integer overflow detection
+
+- curl: detect and bail out early on parameter integer overflows
+
+ Make the number parser aware of the maximum limit curl accepts for a
+ value and return an error immediately if larger, instead of running an
+ integer overflow later.
+
+ Fixes #1730
+ Closes #1736
+
+- glob: do not continue parsing after a strtoul() overflow range
+
+ Added test 1289 to verify.
+
+ CVE-2017-1000101
+
+ Bug: https://curl.haxx.se/docs/adv_20170809A.html
+ Reported-by: Brian Carpenter
+
+- tftp: reject file name lengths that don't fit
+
+ ... and thereby avoid telling send() to send off more bytes than the
+ size of the buffer!
+
+ CVE-2017-1000100
+
+ Bug: https://curl.haxx.se/docs/adv_20170809B.html
+ Reported-by: Even Rouault
+
+ Credit to OSS-Fuzz for the discovery
+
+- [Even Rouault brought this change]
+
+ file: output the correct buffer to the user
+
+ Regression brought by 7c312f84ea930d8 (April 2017)
+
+ CVE-2017-1000099
+
+ Bug: https://curl.haxx.se/docs/adv_20170809C.html
+
+ Credit to OSS-Fuzz for the discovery
+
+- easy_events: make event data static
+
+ First: this function is only used in debug-builds and not in
+ release/real builds. It is used to drive tests using the event-based
+ API.
+
+ A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the
+ CURLMOPT_TIMERFUNCTION calback can in fact be called even after this
+ funtion returns, namely when curl_multi_remove_handle() is called.
+
+ Reported-by: Brian Carpenter
+
+- getparameter: avoid returning uninitialized 'usedarg'
+
+ Fixes #1728
+
+Marcel Raad (5 Aug 2017)
+- [Isaac Boukris brought this change]
+
+ gssapi: fix memory leak of output token in multi round context
+
+ When multiple rounds are needed to establish a security context
+ (usually ntlm), we overwrite old token with a new one without free.
+ Found by proposed gss tests using stub a gss implementation (by
+ valgrind error), though I have confirmed the leak with a real
+ gssapi implementation as well.
+
+ Closes https://github.com/curl/curl/pull/1733
+
+- darwinssl: fix compiler warning
+
+ clang complains:
+ vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive
+ [-Werror,-Wextra-tokens]
+
+ This breaks the darwinssl build on Travis. Fix it by making this token
+ a comment.
+
+ Closes https://github.com/curl/curl/pull/1734
+
+- CMake: fix CURL_WERROR for MSVC
+
+ When using CURL_WERROR in MSVC builds, the debug flags were overridden
+ by the release flags and /WX got added twice in debug mode.
+
+ Closes https://github.com/curl/curl/pull/1715
+
+Daniel Stenberg (4 Aug 2017)
+- RELEASE-NOTES: synced with 561e9217c
+
+- test1010: verify that #1718 is fixed
+
+ ... by doing two transfers in nocwd mode and check that there's no
+ superfluous CWD command.
+
+- FTP: skip unnecessary CWD when in nocwd mode
+
+ ... when reusing a connection. If it didn't do any CWD previously.
+
+ Fixes #1718
+
+Marcel Raad (4 Aug 2017)
+- travis: explicitly specify dist
+
+ This makes the builds more reproducible as travis is currently rolling
+ out trusty as default dist [1]. Specifically, this avoids coverage
+ check failures when trusty is used as seen in [2] until we figure out
+ what's wrong.
+
+ [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
+ [2] https://github.com/curl/curl/pull/1692
+
+ Closes https://github.com/curl/curl/pull/1725
+
+Daniel Stenberg (4 Aug 2017)
+- travis: BUILD_TYPE => T
+
+ (to make the full line appear nicer on travis web UI)
+
+- travis: add osx build with darwinssl
+
+ Closes #1706
+
+- darwin: silence compiler warnings
+
+ With a clang pragma and three type fixes
+
+ Fixes #1722
+
+- BUILD.WINDOWS: mention buildconf.bat for builds off git
+
+- darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
+
+- test130: verify comments in .netrc
+
+- [Gisle Vanem brought this change]
+
+ netrc: skip lines starting with '#'
+
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
+
+Marcel Raad (3 Aug 2017)
+- CMake: set MSVC warning level to 4
+
+ The MSVC warning level defaults to 3 in CMake. Change it to 4, which is
+ consistent with the Visual Studio and NMake builds. Disable level 4
+ warning C4127 for the library and additionally C4306 for the test
+ servers to get a clean CURL_WERROR build as that warning is raised in
+ some macros in older Visual Studio versions.
+
+ Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794
+ Closes https://github.com/curl/curl/pull/1711
+
+Daniel Stenberg (2 Aug 2017)
+- CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2
+
+ Reported-by: Viktor Szakats
+
+- CURLOPT_NETRC.3: mention the file name on windows
+
+ ... and CURLOPT_NETRC_FILE(3).
+
+- travis: build osx with libressl too
+
+- travis: build osx with openssl too
+
+- tests/server/util: fix curltime mistake from 4dee50b9c80f9
+
+Marcel Raad (1 Aug 2017)
+- curl_threads: fix MSVC compiler warning
+
+ Use LongToHandle to convert from long to HANDLE in the Win32
+ implementation.
+ This should fix the following warning when compiling with
+ MSVC 11 (2012) in 64-bit mode:
+ lib\curl_threads.c(113): warning C4306:
+ 'type cast' : conversion from 'long' to 'HANDLE' of greater size
+
+ Closes https://github.com/curl/curl/pull/1717
+
+Daniel Stenberg (1 Aug 2017)
+- BUGS: improved phrasing about security bugs
+
+ Reported-by: Max Dymond
+
+- BUGS: clarify how to report security related bugs
+
+- [Brad Spencer brought this change]
+
+ multi: fix request timer management
+
+ There are some bugs in how timers are managed for a single easy handle
+ that causes the wrong "next timeout" value to be reported to the
+ application when a new minimum needs to be recomputed and that new
+ minimum should be an existing timer that isn't currently set for the
+ easy handle. When the application drives a set of easy handles via the
+ `curl_multi_socket_action()` API (for example), it gets told to wait the
+ wrong amount of time before the next call, which causes requests to
+ linger for a long time (or, it is my guess, possibly forever).
+
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
+
+Jay Satiro (1 Aug 2017)
+- curl_setup: Define CURL_NO_OLDIES for building libcurl
+
+ .. to catch accidental use of deprecated error codes.
+
+ Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
+
+Daniel Stenberg (1 Aug 2017)
+- [Jeremy Tan brought this change]
+
+ configure: fix the check for IdnToUnicode
+
+ Fixes #1669
+ Closes #1713
+
+- http: fix response code parser to avoid integer overflow
+
+ test 1429 and 1433 were updated to work with the stricter HTTP status line
+ parser.
+
+ Closes #1714
+ Reported-by: Brian Carpenter
+
+Jay Satiro (31 Jul 2017)
+- [Dwarakanath Yadavalli brought this change]
+
+ libcurl: Stop using error codes defined under CURL_NO_OLDIES
+
+ Fixes https://github.com/curl/curl/issues/1688
+ Closes https://github.com/curl/curl/pull/1712
+
+- include.d: clarify --include is only for response headers
+
+ Follow-up to 171f8de and de6de94.
+
+ Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851
+ Reported-by: Daniel Stenberg
+
+Daniel Stenberg (30 Jul 2017)
+- [Jason Juang brought this change]
+
+ cmake: support make uninstall
+
+ Closes #1674
+
+- RELEASE-NOTES: synced with 001701c47
+
+Marcel Raad (29 Jul 2017)
+- AppVeyor: now really use CURL_WERROR
+
+ It was misspelled as CURL_ERROR in commit
+ 2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4.
+
+ Closes https://github.com/curl/curl/pull/1686
+
+Jay Satiro (29 Jul 2017)
+- tool_help: clarify --include is only for response headers
+
+ Follow-up to 171f8de.
+
+ Ref: https://github.com/curl/curl/issues/1704
+
+- splay: fix signed/unsigned mismatch warning
+
+ Follow-up to 4dee50b.
+
+ Ref: https://github.com/curl/curl/pull/1693
+
+Daniel Stenberg (28 Jul 2017)
+- include.d: clarify that it concerns the response headers
+
+ Reported-by: olesteban at github
+ Fixes #1704
+
+- [Johannes Schindelin brought this change]
+
+ curl_rtmp: fix a compiler warning
+
+ The headers of librtmp declare the socket as `int`, and on Windows, that
+ disagrees with curl_socket_t.
+
+ Bug: #1652
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- test1323: verify curlx_tvdiff
+
+- timeval: struct curltime is a struct timeval replacement
+
+ ... to make all libcurl internals able to use the same data types for
+ the struct members. The timeval struct differs subtly on several
+ platforms so it makes it cumbersome to use everywhere.
+
+ Ref: #1652
+ Closes #1693
+
+- darwinssl: fix variable type mistake (regression)
+
+ ... which made --tlsv1.2 not work because it would blank the max tls
+ version variable.
- Currently, libcurl rejects responses with "Content-Encoding: compress"
- when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should
- treat the Content-Encoding "compress" the same as other
- Content-Encodings that it does not support, e.g. "bzip2". That means
- just ignoring it.
+ Reported-by: Nick Miyake
+ Bug: #1703
-- [Marcel Raad brought this change]
-
- openssl: work around MSVC warning
+- multi: mention integer overflow risk if using > 500 million sockets
- MSVC 12 complains:
+ Reported-by: ovidiu-benea@users.noreply.github.com
- lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local
- variable 'verstr' used It's a false positive, but as it's normally not,
- I have enabled warning-as-error for that warning.
+ Closes #1675
+ Closes #1683
-- [Michał Fita brought this change]
+- checksrc: escape open brace in regex
+
+ ... to silence warning.
- configure: add --disable-rt option
+Kamil Dudka (20 Jul 2017)
+- nss: fix a possible use-after-free in SelectClientCert()
- This option disables any attempts in configure to create dependency on
- stuff requiring linking to librt.so and libpthread.so, in this case this
- means clock_gettime(CLOCK_MONOTONIC, &mt).
+ ... causing a SIGSEGV in showit() in case the handle used to initiate
+ the connection has already been freed.
- We were in need to build curl which doesn't link libpthread.so to avoid
- the following bug:
- https://sourceware.org/bugzilla/show_bug.cgi?id=16628.
-
-Kamil Dudka (23 Jul 2015)
-- http2: verify success of strchr() in http2_send()
+ This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
- Detected by Coverity.
+ Reported-by: Rob Sanders
+ Bug: https://bugzilla.redhat.com/1436158
+
+- nss: unify the coding style of nss_send() and nss_recv()
- Error: NULL_RETURNS:
- lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times).
- lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr".
- lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf".
- 1300|
- 1301| hdbuf = strchr(hdbuf, 0x0a);
- 1302|-> ++hdbuf;
- 1303|
- 1304| authority_idx = 0;
+ No changes in behavior intended by this commit.
-Jay Satiro (22 Jul 2015)
-- Windows: Fix VerifyVersionInfo calls
+Marcel Raad (18 Jul 2017)
+- tests/server/resolve.c: fix deprecation warning
- - Fix the VerifyVersionInfo calls, which we use to test for the OS major
- version, to also test for the minor version as well as the service pack
- major and minor versions.
+ MSVC warns that gethostbyname is deprecated. Always use getaddrinfo
+ instead to fix this when IPv6 is enabled, also for IPv4 resolves. This
+ is also consistent with what libcurl does.
- MSDN: "If you are testing the major version, you must also test the
- minor version and the service pack major and minor versions."
+ Closes https://github.com/curl/curl/pull/1682
+
+Jay Satiro (17 Jul 2017)
+- darwinssl: fix pinnedpubkey build error
- https://msdn.microsoft.com/en-us/library/windows/desktop/ms725492.aspx
+ - s/SessionHandle/Curl_easy/
- Bug: https://github.com/bagder/curl/pull/353#issuecomment-123493098
- Reported-by: Marcel Raad <MarcelRaad@users.noreply.github.com>
-
-- [Marcel Raad brought this change]
+ Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670
+ Reported-by: Gisle Vanem
- schannel: Replace deprecated GetVersion with VerifyVersionInfo
+Marcel Raad (16 Jul 2017)
+- rtspd: fix GCC warning after MSVC warning fix
+
+ Older GCC warns:
+ /tests/server/rtspd.c:1194:10: warning: missing braces around
+ initializer [-Wmissing-braces]
+
+ Fix this by using memset instead of an initializer.
-Steve Holme (21 Jul 2015)
-- makefile: Added support for VC14
+- libtest: fix MSVC warning C4706
+
+ With warning level 4, MSVC warns about assignments within conditional
+ expressions. Change the while loop to a do-while loop to fix this. This
+ change is also consistent with CODE_STYLE.md.
-Patrick Monnerat (21 Jul 2015)
-- os400: ebcdic wrappers for new functions. Upgrade ILE/RPG bindings.
+- sockfilt: suppress conversion warning with explicit cast
+
+ MSVC warns when implicitly casting -1 to unsigned long.
-- libcurl: VERSIONINFO update
- Addition of new procedures curl_pushheader_bynum and curl_pushheader_byname
- requires VERSIONINFO updating.
+- rtspd: fix MSVC level 4 warning
+
+ warning C4701: potentially uninitialized local variable 'req' used
-- http2: satisfy external references even if http2 is not compiled in.
+- winbuild: re-enable warning C4127 for curl tool
+
+ Disabled in cda19a345f6970e22fe8b7a808aeb8f086a21eac. It only needs to
+ be disabled for libcurl.
-Daniel Stenberg (20 Jul 2015)
-- http2: add stream != NULL checks for reliability
+- winbuild: build with warning level 4
+
+ This is consistent with 7bc64561a2e63ca93e4b0b31d350773ba80955c2, which
+ changed the warning level from 3 to 4 for the Visual Studio project
+ files. But disable the level 4 warning C4127 "conditional expression is
+ constant", as that one is issued by older versions of the Windows SDK
+ as well as curl itself under some circumstances.
- They should not trigger, but in case of internal problems we at least
- avoid crashes this way.
+ Closes https://github.com/curl/curl/pull/1667
-Jay Satiro (18 Jul 2015)
-- symbols-in-versions: Add new CURLSSLOPT_NO_REVOKE symbol
+Jay Satiro (12 Jul 2017)
+- [Max Dymond brought this change]
-- SSL: Add an option to disable certificate revocation checks
+ travis: install libidn2
- New tool option --ssl-no-revoke.
- New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.
+ Install libidn2 to increase test coverage (IDN tests)
- Currently this option applies only to WinSSL where we have automatic
- certificate revocation checking by default. According to the
- ssl-compared chart there are other backends that have automatic checking
- (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
- some later point.
-
- Bug: https://github.com/bagder/curl/issues/264
- Reported-by: zenden2k <zenden2k@gmail.com>
+ Closes https://github.com/curl/curl/pull/1673
-- runtests: Allow for spaces in curl custom path
+Marcel Raad (12 Jul 2017)
+- travis: enable warnings also in release mode
+
+ ... to get warnings also on Linux/GCC and OSX/clang.
- .. also fix some typos in test's FILEFORMAT spec.
+ Closes https://github.com/curl/curl/pull/1666
-- [David Woodhouse brought this change]
+Daniel Stenberg (12 Jul 2017)
+- [Max Dymond brought this change]
- ntlm_wb: Fix theoretical memory leak
+ travis: install libssh2
- Static analysis indicated that my commit 9008f3d564 ("ntlm_wb: Fix
- hard-coded limit on NTLM auth packet size") introduced a potential
- memory leak on an error path, because we forget to free the buffer
- before returning an error.
+ Install libssh2 to increase test coverage (SFTP, SCP)
+
+Marcel Raad (12 Jul 2017)
+- system.h: include winsock2.h before windows.h
- Fix this.
+ ... to avoid compiler warnings if the user doesn't want
+ WIN32_LEAN_AND_MEAN.
+
+- build: remove WIN32_LEAN_AND_MEAN from individual build systems
- Although actually, it never happens in practice because we never *get*
- here with state == NTLMSTATE_TYPE1. The state is always zero. That
- might want cleaning up in a separate patch.
+ It's defined for all build systems in curl_setup.h since commit
+ beb08481d01a07a8b10938b1078a5e298b1c2912. This caused macro
+ redefinition warnings in the configure builds.
- Reported-by: Terri Oda
+ Closes https://github.com/curl/curl/pull/1677
-- strerror: Add CRYPT_E_REVOKED to SSPI error strings
+Jay Satiro (11 Jul 2017)
+- ISSUE_TEMPLATE: Add a comment not to file security issues on github
-Kamil Dudka (14 Jul 2015)
-- libtest: call PR_Cleanup() on exit if NSPR is used
+Marcel Raad (11 Jul 2017)
+- curl_setup: always define WIN32_LEAN_AND_MEAN on Windows
- This prevents valgrind from reporting possibly lost memory that NSPR
- uses for file descriptor cache and other globally allocated internal
- data structures.
+ Make sure to always define WIN32_LEAN_AND_MEAN before including any
+ Windows headers to avoid pulling in unnecessary headers. This avoids
+ unnecessary macro clashes and compiler warnings.
- Reported-by: Štefan Kremeň
+ Ref: https://github.com/curl/curl/issues/1562
+ Closes https://github.com/curl/curl/pull/1672
-Jay Satiro (14 Jul 2015)
-- [John Malmberg brought this change]
-
- openssl: VMS support for SHA256
-
- setup-vms.h: More symbols for SHA256, hacks for older VAX
+Jay Satiro (11 Jul 2017)
+- strerror: Preserve Windows error code in some functions
- openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX.
+ This is a follow-up to af02162 which removed (SET_)ERRNO macros. That
+ commit was an earlier draft that I committed by mistake, which was then
+ remedied by a5834e5 and e909de6, and now this commit. With this commit
+ there is now no difference between the current code and the changes that
+ were approved in the final draft.
- openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to
- allow building on VAX and 64 bit VMS.
-
-- examples: Fix typo in multi-single.c
-
-Daniel Stenberg (7 Jul 2015)
-- [Tatsuhiro Tsujikawa brought this change]
-
- http2: Fix memory leak in push header array
-
-Dan Fandrich (2 Jul 2015)
-- test2041: fixed line endings in protocol part
+ Thanks-to: Max Dymond, Marcel Raad, Daniel Stenberg, Gisle Vanem
+ Ref: https://github.com/curl/curl/pull/1589
-- cyassl: fixed mismatched sha256sum function prototype
+Marcel Raad (10 Jul 2017)
+- [Max Dymond brought this change]
-Daniel Stenberg (1 Jul 2015)
-- [moparisthebest brought this change]
+ tests: Fix up issues with errno in test files
+
+ Closes https://github.com/curl/curl/pull/1671
- SSL: Pinned public key hash support
+Daniel Stenberg (10 Jul 2017)
+- errno: fix non-windows builds after af0216251b94e7
-- examples: provide <DESC> sections
+- [Ryan Winograd brought this change]
-- [John Malmberg brought this change]
+ make: fix docs build on OpenBSD
+
+ Ref: #1591
- OpenVMS: VMS Software, Inc now the supplier.
+Marcel Raad (10 Jul 2017)
+- ldap: fix MinGW compiler warning
- setup-vms.h: Symbol case fixups submitted by Michael Steve
+ ldap_bind_s is marked as deprecated in w32api's winldap.h shipping with
+ the latest original MinGW, resulting in compiler warnings since commit
+ f0fe66f13c93d3d0af45d9fb1231c9164e0f9dc8. Fix this for the non-SSPI
+ case by using ldap_simple_bind_s again instead of ldap_bind_s with
+ LDAP_AUTH_SIMPLE.
- build_gnv_curl_pcsi_desc.com: VSI aka as VMS Software, is now the
- supplier of new versions of VMS. The install kit needs to accept
- VSI as a producer.
+ Closes https://github.com/curl/curl/pull/1664
-Jay Satiro (30 Jun 2015)
-- multi: Move http2 push function declarations to header end
+- curl-compilers.m4: disable warning spam with Cygwin's clang
- This change necessary for binary compatibility.
+ When building with Cygwin or MinGW, libtool uses a wrapper executable
+ instead of a wrapper script [1], which is written in C and throws
+ missing-variable-declarations warnings. Don't enable these warnings on
+ Cygwin and MinGW in order to avoid warnings for every executable built,
+ which spams the test suite output when using Cygwin's clang.
- Prior to this change test 1135 failed due to the order of functions.
-
-- symbols-in-versions: Add new http2 push symbols
+ [1] https://www.gnu.org/software/libtool/manual/html_node/Wrapper-executables.html
- Prior to this change test 1119 failed due to the missing symbols.
-
-Daniel Stenberg (30 Jun 2015)
-- RELEASE-NOTES: synced with e6749055d653
+ Closes https://github.com/curl/curl/pull/1665
-- configure: disable libidn by default
+Jay Satiro (10 Jul 2017)
+- curl_setup_once: Remove ERRNO/SET_ERRNO macros
- For security reasons, until there is a fix.
+ Prior to this change (SET_)ERRNO mapped to GetLastError/SetLastError
+ for Win32 and regular errno otherwise.
- Bug: http://curl.haxx.se/mail/lib-2015-06/0143.html
- Reported-by: Gustavo Grieco, Feist Josselin
+ I reviewed the code and found no justifiable reason for conflating errno
+ on WIN32 with GetLastError/SetLastError. All Win32 CRTs support errno,
+ and any Win32 multithreaded CRT supports thread-local errno.
+
+ Fixes https://github.com/curl/curl/issues/895
+ Closes https://github.com/curl/curl/pull/1589
-- SSL-PROBLEMS: mention WinSSL problems in WinXP
+- tool_getparam: fix potentially uninitialized err
-- CODE_OF_CONDUCT.md: added
+Marcel Raad (9 Jul 2017)
+- smb: rename variable to fix shadowing warning
- Just to underscore how we treat each other in this project. Nothing new
- really, but could be useful for newcomers and outsiders to see our
- values.
+ GCC 4.6.3 on travis complains:
+ smb.c: In function ‘get_posix_time’:
+ smb.c:725:13: error: declaration of ‘time’ shadows a global declaration
+ [-Werror=shadow]
+
+ Fix this by renaming the variable.
-- tool_header_cb: fflush the header stream
+- tool_cb_wrt: fix variable shadowing warning
+
+ GCC 4.4 complains:
+ tool_cb_wrt.c:81: error: declaration of ‘isatty’ shadows a global
+ declaration
+ /usr/include/unistd.h:782: error: shadowed declaration is here
- Flush the header stream when -D is used so that they are sent off
- earlier.
+ Fix this by renaming the variable.
- Bug: https://github.com/bagder/curl/issues/324
- Reported-by: Cédric Connes
+ Closes https://github.com/curl/curl/pull/1661
-- [Roger Leigh brought this change]
+Daniel Stenberg (8 Jul 2017)
+- RELEASE-NOTES: synced with be2c999b8
- tests: Distribute CMakeLists.txt files in subdirectories
+- travis: install stunnel
-- CURLOPT_FAILONERROR.3: mention that it closes the connection
+- valgrind.supp: supress OpenSSL false positive seen on travis
+
+- travis: detect and use valgrind for normal builds
- Reported-by: bemoody
- Bug: https://github.com/bagder/curl/issues/325
+ Closes #1653
-- curl_multi_setopt.3: alpha sort the options
+- travis: add SMB, DICT, TELNET torture to coverage test
-- curl_multi_setopt.3: add the new push options
+- [Paul Harris brought this change]
-- [Tatsuhiro Tsujikawa brought this change]
+ cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC
+
+ Removes BUILD_RELEASE_DEBUG_DIRS since it wasn't used anywhere.
+
+ Closes #1649
- http2: Use nghttp2 library error code for error return value
+- CURLOPT_POSTFIELDS.3: explain the 100-continue magic better
-- [Tatsuhiro Tsujikawa brought this change]
+- [Max Dymond brought this change]
- http2: Harden header validation for curl_pushheader_byname
+ test1452: add telnet negotiation
+
+ Add a basic telnet server for negotiating some telnet options before
+ echoing back any data that's sent to it.
- Since we do prefix match using given header by application code
- against header name pair in format "NAME:VALUE", and VALUE part can
- contain ":", we have to careful about existence of ":" in header
- parameter. ":" should be allowed to match HTTP/2 pseudo-header field,
- and other use of ":" in header must be treated as error, and
- curl_pushheader_byname should return NULL. This commit implements
- this behaviour.
+ Closes #1645
-- [Tatsuhiro Tsujikawa brought this change]
+- travis: do more tests in the coverage run
+
+ I added a selection of torture and event tests that run "fast enough"
- CURLMOPT_PUSHFUNCTION.3: Remove unused variable
+- curl_easy_escape.3: mention the (lack of) encoding
+
+ Fixes #1612
+ Reported-by: Jeroen Ooms
-- CURLMOPT_PUSHFUNCTION.3: added example
+- [Gisle Vanem brought this change]
-- http2: curl_pushheader_byname now takes a const char *
+ memdebug: don't setbuf() if the file open failed
+
+ Bug: https://github.com/curl/curl/issues/828#issuecomment-313475151
-- http2-serverpush.c: example code
+- appveyor: enable CURL_WERROR on all builds
-- http2: free all header memory after the push callback
+- cmake: add CURL_WERROR for enabling "warning as errors"
-- http2: init the pushed transfer properly
+- [Hannes Magnusson brought this change]
-- http2: fixed the header accessor functions for the push callback
+ cmake: remove spurious "-l" from linker flags
+
+ Fixes #1552
-- http2: setup the new pushed stream properly
+- test506: skip if threaded-resolver
-- http2: initial implementation of the push callback
+- runtests: support "threaded-resolver" as a feature
+
+ ... to let tests require it or skip if present
-- http2: initial HTTP/2 server push types/docs
+- asyn-thread.c: fix unused variable warnings on macOS
-- test1531: verify POSTFIELDSIZE set after add_handle
+- http: s/TINY_INITIAL_POST_SIZE/EXPECT_100_THRESHOLD
- Following the fix made in 903b6e05565bf.
+ Make the name reflect its use better, and add a short comment describing
+ what it's for.
-- pretransfer: init state.infilesize here, not in add_handle
+- cmake: if inet_pton is used, bump _WIN32_WINNT
- ... to properly support that options are set to the handle after it is
- added to the multi handle.
+ ... and make sure inet_pton is always checked for when *not* using Windows,
+ which is a regression from 4fc6ebe18.
- Bug: http://curl.haxx.se/mail/lib-2015-06/0122.html
- Reported-by: Stefan Bühler
+ Idea-by: Sergei Nikulov
-Jay Satiro (21 Jun 2015)
-- [Lior Kaplan brought this change]
-
- tool_help: fix --tlsv1 help text to use >= for TLSv1
+- select.h: avoid macro redefinition harder
+
+ ... by checking the POLLIN define, as the header file checks don't work
+ on Windows.
-- INSTALL: Advise use of non-native SSL for Windows <= XP
+- inet_pton: fix include on windows to get prototype
- Advise that WinSSL in versions <= XP will not be able to connect to
- servers that no longer support the legacy handshakes and algorithms used
- by those versions, and to use an alternate backend like OpenSSL instead.
+ inet_pton() exists on Windows and gets used by our cmake builds. Make
+ sure the correct header file is included to avoid compiler warnings.
- Bug: https://github.com/bagder/curl/issues/253
- Reported-by: zenden2k <zenden2k@gmail.com>
+ Closes #1639
-Kamil Dudka (19 Jun 2015)
-- curl_easy_setopt.3: restore contents removed by mistake
+- TODO: 1.10 auto-detect proxy
- ... in commit curl-7_43_0-18-g570076e
+ Closes #1572
-Daniel Stenberg (19 Jun 2015)
-- curl_easy_setopt.3: mention CURLOPT_PIPEWAIT
+- TODO: HTTP proxy CONNECT is non-blocking now
-Jay Satiro (18 Jun 2015)
-- cookie: Fix bug in export if any-domain cookie is present
+- cmake: fix send/recv argument scanner for windows
- In 3013bb6 I had changed cookie export to ignore any-domain cookies,
- however the logic I used to do so was incorrect, and would lead to a
- busy loop in the case of exporting a cookie list that contained
- any-domain cookies. The result of that is worse though, because in that
- case the other cookies would not be written resulting in an empty file
- once the application is terminated to stop the busy loop.
-
-Dan Fandrich (18 Jun 2015)
-- FTP: fixed compiling with --disable-proxy, broken in b88f980a
-
-Daniel Stenberg (18 Jun 2015)
-- tool: always provide negotiate/kerberos options
+ ... by simply trying the Windows argument types first.
- libcurl can still be built with it, even if the tool is not. Maintain
- independence!
+ Fixes #1640
-- TODO: Support IDNA2008
+- RELEASE-NOTES: synced with 596cfb6c0
-- [Viktor Szakats brought this change]
+- [Gisle Vanem brought this change]
- Makefile.m32: add support for CURL_LDFLAG_EXTRAS
+ smb: add support for CURLOPT_FILETIME
- It is similar to existing CURL_CFLAG_EXTRAS, but for
- extra linker option.
-
-- RTSP: removed another piece of dead code
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
- Coverity CID 1306668
+ Closes #1643
-- openssl: fix use of uninitialized buffer
-
- Make sure that the error buffer is always initialized and simplify the
- use of it to make the logic easier.
+- travis: install nghttp2 on linux builds
- Bug: https://github.com/bagder/curl/issues/318
- Reported-by: sneis
+ Closes #1642
-- examples: more descriptions
+- [Gisle Vanem brought this change]
-- examples: add descriptions with <DESC>
+ smb: fix build for djgpp/MSDOS
- Using this fixed format for example descriptions, we can generate a
- better list on the web site.
-
-- libcurl-errors.3: fix typo
+ bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
-- curl_easy_setopt.3: option order doesn't matter
-
-- openssl: fix build with BoringSSL
+- configure: try ldap/lber in reversed order first
- OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression
- from cae43a1
-
-- [Paul Howarth brought this change]
-
- openssl: Fix build with openssl < ~ 0.9.8f
+ When scanning for which LDAP libraries to use, try the -lldap -llber
+ combination before the reversed order since it has a greater chance of
+ working when linking with libcurl statically.
- The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at
- around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks
- builds with older openssls (certainly with 0.9.8b, which is the latest
- older version I have to try with).
+ Fixes #1619
+ Closes #1634
+ Reported-by: David E. Narváez
-- FTP: do the HTTP CONNECT for data connection blocking
+- configure: remove checks for 5 functions never used
- ** WORK-AROUND **
+ fork, getprotobyname, inet_addr, perror, uname
- The introduced non-blocking general behaviour for Curl_proxyCONNECT()
- didn't work for the data connection establishment unless it was very
- fast. The newly introduced function argument makes it operate in a more
- blocking manner, more like it used to work in the past. This blocking
- approach is only used when the FTP data connecting through HTTP proxy.
-
- Blocking like this is bad. A better fix would make it work more
- asynchronously.
-
- Bug: https://github.com/bagder/curl/issues/278
-
-- bump: start the journey toward 7.44.0
-
-Jay Satiro (17 Jun 2015)
-- CURLOPT_ERRORBUFFER.3: Fix example, escape backslashes
+ closes #1638
-- CURLOPT_ERRORBUFFER.3: Improve example
+- dist: add SMB python deps into the tarball
-Version 7.43.0 (17 Jun 2015)
+- [Max Dymond brought this change]
-Daniel Stenberg (17 Jun 2015)
-- RELEASE-NOTES: 7.43.0 release
-
-- THANKS: updated with 7.43.0 names
-
-- [Kamil Dudka brought this change]
-
- http: do not leak basic auth credentials on re-used connections
-
- CVE-2015-3236
+ test1451: add SMB support to the testbed
- This partially reverts commit curl-7_39_0-237-g87c4abb
+ Add test 1451 which does some very basic SMB testing using the impacket
+ SMB server.
- Reported-by: Tomas Tomecek, Kamil Dudka
- Bug: http://curl.haxx.se/docs/adv_20150617A.html
+ Closes #1630
-- [Kamil Dudka brought this change]
+- [Max Dymond brought this change]
- test2040: verify basic auth on re-used connections
-
-- SMB: rangecheck values read off incoming packet
-
- CVE-2015-3237
+ test: add impacket for SMB testing
- Detected by Coverity. CID 1299430.
+ Import impacket 0.9.15 for use in SMB testing. This was generated by
+ doing "pip2.7 install -t . impacket"
- Bug: http://curl.haxx.se/docs/adv_20150617B.html
+ Unnecessary files for current testing were deleted.
-Jay Satiro (17 Jun 2015)
-- schannel: schannel_recv overhaul
+- travis.yml: use --enable-werror on debug builds
- This commit is several drafts squashed together. The changes from each
- draft are noted below. If any changes are similar and possibly
- contradictory the change in the latest draft takes precedence.
+ ... to better detect and fault on compiler warnings/errors
- Bug: https://github.com/bagder/curl/issues/244
- Reported-by: Chris Araman
+ Closes #1637
+
+- tool_sleep: typecast to avoid macos compiler warning
- %%
- %% Draft 1
- %%
- - return 0 if len == 0. that will have to be documented.
- - continue on and process the caches regardless of raw recv
- - if decrypted data will be returned then set the error code to CURLE_OK
- and return its count
- - if decrypted data will not be returned and the connection has closed
- (eg nread == 0) then return 0 and CURLE_OK
- - if decrypted data will not be returned and the connection *hasn't*
- closed then set the error code to CURLE_AGAIN --only if an error code
- isn't already set-- and return -1
- - narrow the Win2k workaround to only Win2k
+ tool_sleep.c:54:24: error: implicit conversion loses integer precision:
+ 'long' to '__darwin_suseconds_t' (aka 'int')
+ [-Werror,-Wshorten-64-to-32]
+
+- [Martin Kepplinger brought this change]
+
+ timeval.c: Use long long constant type for timeval assignment
- %%
- %% Draft 2
- %%
- - Trying out a change in flow to handle corner cases.
+ On a 64 bit host, sparse says:
- %%
- %% Draft 3
- %%
- - Back out the lazier decryption change made in draft2.
+ timeval.c:148:15: warning: constant 0x7fffffffffffffff is so big it is long
+ timeval.c:149:12: warning: constant 0x7fffffffffffffff is so big it is long
- %%
- %% Draft 4
- %%
- - Some formatting and branching changes
- - Decrypt all encrypted cached data when len == 0
- - Save connection closed state
- - Change special Win2k check to use connection closed state
+ so let's use long long constant types in order to prevent undesired overflow
+ failures.
- %%
- %% Draft 5
- %%
- - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
- connection isn't closed.
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0003.html
- %%
- %% Draft 6
- %%
- - Save the last error only if it is an unrecoverable error.
+ Closes #1636
- Prior to this I saved the last error state in all cases; unfortunately
- the logic to cover that in all cases would lead to some muddle and I'm
- concerned that could then lead to a bug in the future so I've replaced
- it by only recording an unrecoverable error and that state will persist.
+ Signed-off-by: Martin Kepplinger <martink@posteo.de>
+
+- url: make the original string get used on subsequent transfers
- - Do not recurse on renegotiation.
+ ... since CURLOPT_URL should follow the same rules as other options:
+ they remain set until changed or cleared.
- Instead we'll continue on to process any trailing encrypted data
- received during the renegotiation only.
+ Added test 1551 to verify.
- - Move the err checks in cleanup after the check for decrypted data.
+ Fixes #1631
+ Closes #1632
+ Reported-by: Pavel Rochnyak
+
+- [Johannes Schindelin brought this change]
+
+ gtls: fix build when sizeof(long) < sizeof(void *)
- In either case decrypted data is always returned but I think it's easier
- to understand when those err checks come after the decrypted data check.
+ - Change gnutls pointer/int macros to pointer/curl_socket_t.
+ Prior to this change they used long type as well.
- %%
- %% Draft 7
- %%
- - Regardless of len value go directly to cleanup if there is an
- unrecoverable error or a close_notify was already received. Prior to
- this change we only acknowledged those two states if len != 0.
+ The size of the `long` data type can be shorter than that of pointer
+ types. This is the case most notably on Windows.
- - Fix a bug in connection closed behavior: Set the error state in the
- cleanup, because we don't know for sure it's an error until that time.
+ If C99 were acceptable, we could simply use `intptr_t` here. But we
+ want to retain C89 compatibility.
- - (Related to above) In the case the connection is closed go "greedy"
- with the decryption to make sure all remaining encrypted data has been
- decrypted even if it is not needed at that time by the caller. This is
- necessary because we can only tell if the connection closed gracefully
- (close_notify) once all encrypted data has been decrypted.
+ Simply use the trick of performing pointer arithmetic with the NULL
+ pointer: to convert an integer `i` to a pointer, simply take the
+ address of the `i`th element of a hypothetical character array
+ starting at address NULL. To convert back, simply cast the pointer
+ difference.
- - Do not renegotiate when an unrecoverable error is pending.
+ Thanks to Jay Satiro for the initial modification to use curl_socket_t
+ instead of int/long.
- %%
- %% Draft 8
- %%
- - Don't show 'server closed the connection' info message twice.
+ Closes #1617
- - Show an info message if server closed abruptly (missing close_notify).
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (16 Jun 2015)
-- [Paul Oliver brought this change]
+- [Ryan Winograd brought this change]
- Fix typo in docs
+ unit1399: fix integer overflow
- s/curret/current/
-
-- [Viktor Szakats brought this change]
-
- docs: update URLs
-
-- RELEASE-NOTES: synced with f29f2cbd00dbe5f
-
-- [Viktor Szakats brought this change]
+ Bug: #1616
+ Closes #1633
- README: use secure protocol for Git repository
+- [Per Malmberg brought this change]
-- [Viktor Szakats brought this change]
-
- HTTP2.md: use SSL/TLS IETF URLs
-
-- [Viktor Szakats brought this change]
-
- LICENSE-MIXING: update URLs
+ cmake: Added compatibility options for older Windows versions
- * use SSL/TLS where available
- * follow permanent redirects
-
-- LICENSE-MIXING: refreshed
-
-- curl_easy_duphandle: see also *reset
+ CURL_STATIC_CRT and ENABLE_INET_PTON
+
+ Closes #1621
-- rtsp_do: fix DEAD CODE
+- unit1399: add logging to time comparison
- "At condition p_request, the value of p_request cannot be NULL."
+ ... to enable tracking down why autobuilds fail on this
- Coverity CID 1306668.
+ Bug: #1616
-- security:choose_mech fix DEAD CODE warning
+- make: build the docs subdir only from within src
- ... by removing the "do {} while (0)" block.
+ ... and don't build at all in include
- Coverity CID 1306669
+ Prompted-by-work-by: Simon Warta
+ Ref: #1590
+ Closes #1591
-- curl.1: netrc is in man section 5
+- [Max Dymond brought this change]
-- curl.1: small format fix
+ test1450: fix up DICT server in torture mode
- use \fI-style instead of .BR for references
-
-- urldata: store POST size in state.infilesize too
-
- ... to simplify checking when PUT _or_ POST have completed.
+ As per https://github.com/curl/curl/pull/1615, the DICT server is a
+ little spammy in torture mode due to the sockets being torn down
+ unexpectedly. Fix this by adding some error handling to the handling
+ function.
- Reported-by: Frank Meier
- Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html
-
-Dan Fandrich (14 Jun 2015)
-- test1530: added http to required features
-
-Jay Satiro (14 Jun 2015)
-- [Drake Arconis brought this change]
+ Closes #1629
- build: Fix typo from OpenSSL 1.0.2 version detection fix
+- [Max Dymond brought this change]
-- [Drake Arconis brought this change]
-
- build: Properly detect OpenSSL 1.0.2 when using configure
-
-- curl_multi_info_read.3: fix example formatting
+ test1450: add simple testing for DICT
+
+ Add a new server which provides a DICT interface. This is intended to
+ begin coverage testing for lib/dict.c
+
+ Closes #1615
-Daniel Stenberg (13 Jun 2015)
-- BINDINGS: there's a new R binding in town!
+- [Dan Fandrich brought this change]
-- BINDINGS: added the Xojo binding
+ test1521: fix out-of-tree builds, broken with 467da3af
+
+ The test.h file is no longer in the same directory as the source file,
+ so that directory needs to be added to the include path.
+
+ Fixes #1627
+ Closes #1628
-Jay Satiro (11 Jun 2015)
-- [Joel Depooter brought this change]
+- [Max Dymond brought this change]
- schannel: Add support for optional client certificates
+ http2: handle PING frames
- Some servers will request a client certificate, but not require one.
- This change allows libcurl to connect to such servers when using
- schannel as its ssl/tls backend. When a server requests a client
- certificate, libcurl will now continue the handshake without one,
- rather than terminating the handshake. The server can then decide
- if that is acceptable or not. Prior to this change, libcurl would
- terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS
- error.
+ Add a connection check function to HTTP2 based off RTSP. This causes
+ PINGs to be handled the next time the connection is reused.
+
+ Closes #1521
-Daniel Stenberg (11 Jun 2015)
-- curl_easy_cleanup.3: provide more SEE ALSO
+- [Max Dymond brought this change]
-- debug: remove http2 debug leftovers
+ handler: refactor connection checking
+
+ Add a new type of callback to Curl_handler which performs checks on
+ the connection. Alter RTSP so that it uses this callback to do its
+ own check on connection health.
-- VERSIONS: now using markdown
+- [Dmitry Kostjuchenko brought this change]
-- RELEASE-PROCEDURE: remove ascii logo at the top of file
+ openssl: improve fallback seed of PRNG with a time based hash
+
+ Fixes #1620
-- INTERNALS: absorbed docs/LIBCURL-STRUCTS
+- [Ryan Winograd brought this change]
-- INTERNALS: cat lib/README* >> INTERNALS
+ progress: prevent resetting t_starttransfer
- and a conversion to markdown. Removed the lib/README.* files. The idea
- being to move toward having INTERNALS as the one and only "book" of
- internals documentation.
+ Prevent `Curl_pgrsTime` from modifying `t_starttransfer` when invoked
+ with `TIMER_STARTTRANSFER` more than once during a single request.
- Added a TOC to top of the document.
-
-Jay Satiro (8 Jun 2015)
-- openssl: LibreSSL and BoringSSL do not use TLS_client_method
+ When a redirect occurs, this is considered a new request and
+ `t_starttransfer` can be updated to reflect the `t_starttransfer` time
+ of the redirect request.
- Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of
- TLS_client_method LibreSSL and BoringSSL didn't and still use
- SSLv23_client_method.
+ Closes #1616
- Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009
- Reported-by: asavah@users.noreply.github.com
+ Bug: https://github.com/curl/curl/pull/1602#issuecomment-310267370
-Daniel Stenberg (9 Jun 2015)
-- RELEASE-NOTES: synced with 20ac3458068
-
-- CURLOPT_OPENSOCKETFUNCTION: return error at once
+- curl_strequal.3: fix typo in SYNOPSIS
- When CURL_SOCKET_BAD is returned in the callback, it should be treated
- as an error (CURLE_COULDNT_CONNECT) if no other socket is subsequently
- created when trying to connect to a server.
+ Reported-by: Jesse Chisholm
- Bug: http://curl.haxx.se/mail/lib-2015-06/0047.html
-
-- fopen.c: fix a few compiler warnings
+ Fixes #1623
-- [Ville Skyttä brought this change]
+- RELEASE-NOTES: synced with ce2c3ebda
- docs: Spelling fixes
-
-- [Ville Skyttä brought this change]
+Kamil Dudka (28 Jun 2017)
+- curl --socks5-{basic,gssapi}: control socks5 auth
+
+ Closes https://github.com/curl/curl/pull/1454
- docs: man page indentation and syntax fixes
+- CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth
+
+ If libcurl was built with GSS-API support, it unconditionally advertised
+ GSS-API authentication while connecting to a SOCKS5 proxy. This caused
+ problems in environments with improperly configured Kerberos: a stock
+ libcurl failed to connect, despite libcurl built without GSS-API
+ connected fine using username and password.
+
+ This commit introduces the CURLOPT_SOCKS5_AUTH option to control the
+ allowed methods for SOCKS5 authentication at run time.
+
+ Note that a new option was preferred over reusing CURLOPT_PROXYAUTH
+ for compatibility reasons because the set of authentication methods
+ allowed by default was different for HTTP and SOCKS5 proxies.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html
+ Closes https://github.com/curl/curl/pull/1454
-Linus Nielsen (8 Jun 2015)
-- help: Add --proxy-service-name and --service-name to the --help output
+- socks: deduplicate the code for auth request
-Jay Satiro (7 Jun 2015)
-- openssl: Fix verification of server-sent legacy intermediates
+- socks: use proxy_user instead of proxy_name
- - Try building a chain using issuers in the trusted store first to avoid
- problems with server-sent legacy intermediates.
+ ... to make it obvious what the data is used for
+
+Daniel Stenberg (27 Jun 2017)
+- libtest/make: generate lib1521.c
- Prior to this change server-sent legacy intermediates with missing
- legacy issuers would cause verification to fail even if the client's CA
- bundle contained a valid replacement for the intermediate and an
- alternate chain could be constructed that would verify successfully.
+ ... instead of having the generated code checked in. This saves space in
+ the tarball but primarily automatically adapts to newly added options.
- https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+ Closes #1614
-Daniel Stenberg (5 Jun 2015)
-- BINDINGS: update several URLs
+Jay Satiro (26 Jun 2017)
+- tool_getparam: fix memory leak on test 1147 OOM (torture tests)
- Stop linking to the curl.haxx.se anchor pages, they are usually only
- themselves pointers to the real page so better point there directly
- instead.
+ Bug: https://github.com/curl/curl/pull/1486#issuecomment-310926872
+ Reported-by: Dan Fandrich
-- BINDINGS: the curl-rust binding
+Dan Fandrich (25 Jun 2017)
+- test1537: fixed memory leak on OOM
-- curl.h: add CURL_HTTP_VERSION_2
+Marcel Raad (25 Jun 2017)
+- test1521: fix compiler warnings
- The protocol is named "HTTP/2" after all. It is an alias for the
- existing CURL_HTTP_VERSION_2_0 enum.
-
-- openssl: removed error string #ifdef
+ The integer literal 3123123123 doesn't fit into a 32-bit signed
+ integer, so GCC with 32-bit long warns in C90 mode:
+ this decimal constant is unsigned only in ISO C90 [enabled by default]
+ Fix this by using ULONG_MAX, which should fit in any curl_off_t and has
+ the correct suffix to not issue any warnings.
+ Also adds the missing CURLOPT_REQUEST_TARGET from commit
+ 9b167fd090f596eac828817d48c247eeae53407f.
- ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
+ Closes https://github.com/curl/curl/pull/1611
-- openssl: removed USERDATA_IN_PWD_CALLBACK kludge
+Daniel Stenberg (24 Jun 2017)
+- curl/system.h: add check for XTENSA for 32bit gcc
- Code for OpenSSL 0.9.4 serves no purpose anymore!
+ Reported-by: Neil Kolban
+ Fixes: 1598
-- openssl: remove SSL_get_session()-using code
-
- It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or
- later.
+- [Henrik S. Gaßmann brought this change]
-- openssl: remove dummy callback use from SSL_CTX_set_verify()
+ winbuild: fix boringssl build
+
+ Compile with `WIN32_LEAN_AND_MEAN` which prevents `windows.h` from
+ including too much clutter including `wincrypt.h` which in turn contains
+ some preprocessor macros that clash with boringssl symbols.
- The existing callback served no purpose.
+ Detect boringssl by checking the existance of `is_boringssl.h` and set
+ the corresponding `HAVE_BORINGSSL` for compilation which is used in
+ `ldap.c` to undefine the evil macros.
+
+ Closes #1610
-- LIBCURL-STRUCTS: clarify for multiplexing
+- progress: progress.timespent needs to be us
+
+ follow-up to 64ed44a815e4e to fix test 500 failures
-Jay Satiro (3 Jun 2015)
-- cookie: Stop exporting any-domain cookies
+Marcel Raad (24 Jun 2017)
+- curl-compilers.m4: fix unknown-warning-option on Apple clang
- Prior to this change any-domain cookies (cookies without a domain that
- are sent to any domain) were exported with domain name "unknown".
+ Since 5598b0bd63f690c151074494ce47ef872f004ab4, clang -v is used to
+ detect the clang version. The version number was expected to come after
+ the word "version". For Apple clang, this doesn't work as it has its
+ own versioning scheme.
+ The version number is now first searched after the string
+ "based on LLVM". This works for Apple clang before version 7, and also
+ for e.g. Ubuntu's clang up to version 3.7. If it's not found and the
+ version string contains "Apple LLVM version", clang version 3.7 is
+ assumed, which is the version that comes with Xcode 7. Otherwise, the
+ version number is still expected after the word "version", which works
+ for very old Apple clang versions.
- Bug: https://github.com/bagder/curl/issues/292
+ Ref: https://trac.macports.org/wiki/XcodeVersionInfo
+ Fixes https://github.com/curl/curl/issues/1606
+ Closes https://github.com/curl/curl/pull/1607
-Daniel Stenberg (3 Jun 2015)
-- RELEASE-PROCEDURE: refreshed 'coming dates'
+Daniel Stenberg (24 Jun 2017)
+- progress: fix "time spent", broke in adef394ac
-Jay Satiro (2 Jun 2015)
-- curl_setup: Change fopen text macros to use 't' for MSDOS
+- CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case
- Bug: https://github.com/bagder/curl/pull/258#issuecomment-107915198
- Reported-by: Gisle Vanem
+ ... supported since 7.54.1
-Daniel Stenberg (2 Jun 2015)
-- curl_multi_timeout.3: added example
+- maketgz: switch to -6e for xz
+
+ To reduce the memory requirement for decompress, and still do almost as
+ good compression as with -9e.
+
+ Pointed-out-by: Dan Fandrich
-- curl_multi_perform.3: added example
+- libtest/Makefile: remove unused lib1541 variables
-- curl_multi_info_read.3: added example
+- CONTRIBUTE.md: mention the out-of-tree build test too
-- checksrc: detect fopen() for text without the FOPEN_* macros
+- maketgz: switch to xz instead of lzma
- Follow-up to e8423f9ce150 with discussionis in
- https://github.com/bagder/curl/pull/258
+ The compressed output size seems to be a tad bit smaller, but generally
+ xz seems more preferred these days and is used directly by for example
+ gentoo instead of bz2.
- This check scans for fopen() with a mode string without 'b' present, as
- it may indicate that an FOPEN_* define should rather be used.
-
-- curl_getdate.3: update RFC reference
+ "Users of LZMA Utils should move to XZ Utils" =>
+ https://tukaani.org/lzma/
+
+ Closes #1604
-Jay Satiro (1 Jun 2015)
-- curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT
+- --request-target: instead of --strip-path-slash
- - Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
- - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"
+ ... and CURLOPT_REQUEST_TARGET instead of CURLOPT_STRIP_PATH_SLASH.
- This change is to explicitly specify when we need to read/write text.
- Unfortunately 't' is not part of POSIX fopen so we can't specify it
- directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT.
+ This option instead provides the full "alternative" target to use in the
+ request, instead of extracting the path from the URL.
- Prior to this change we had an issue on Windows if an application that
- uses libcurl overrides the default file mode to binary. The default file
- mode in Windows is normally text mode (translation mode) and that's what
- libcurl expects.
+ Test 1298 and 1299 updated accordingly.
- Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
- Reported-by: Orgad Shaneh
-
-Daniel Stenberg (1 Jun 2015)
-- http2-upload.c: use PIPEWAIT for playing HTTP/2 better
-
-- http2-download: check for CURLPIPE_MULTIPLEX properly
+ Idea-by: Evert Pot
+ Suggestion: https://daniel.haxx.se/blog/2017/06/19/options-with-curl/comment-page-1/#comment-18373
- Bug: http://curl.haxx.se/mail/lib-2015-06/0001.html
- Reported-by: Rafayel Mkrtchyan
-
-- [Isaac Boukris brought this change]
+ Closes #1593
- HTTP-NTLM: fail auth on connection close instead of looping
+Marcel Raad (21 Jun 2017)
+- lib1521: fix missing-variable-declarations clang warnings
- Bug: https://github.com/bagder/curl/issues/256
-
-- 5.6 Refuse "downgrade" redirects
+ Declare TU-local variables static.
-- README.pingpong: removed
-
-- ROADMAP: remove HTTP/2 multiplexing - its here now
-
-- HTTP2.md: formatted properly
-
-- HTTP2: moved docs into docs/ and make it markdown
-
-- README.http2: refreshed and added multiplexing info
+- travis: enable typecheck-gcc warnings
+
+ - switch debug and release configurations so that we get an optimized
+ build with GCC 4.3+ as required by typecheck-gcc
+ - enable warnings-as-errors for release builds
+ (which have warnings disabled)
+
+ Closes https://github.com/curl/curl/pull/1595
-- dist: add the http2 examples
+- typecheck-gcc: add support for CURLINFO_OFF_T
+
+ typecheck-gcc expected curl_socket_t instead of curl_off_t arguments
+ for CURLINFO_OFF_T. Detected by test1521, unfortunately only when run
+ locally.
+
+ Closes https://github.com/curl/curl/pull/1592
-- http2 examples: clean up some comments
+Daniel Stenberg (21 Jun 2017)
+- [Simon Warta brought this change]
-- examples: added two programs doing multiplexed HTTP/2
+ ci: whitelist branches to avoid testing feature branches twice
-- scripts: moved contributors.sh and contrithanks.sh into subdir
+- [Gisle Vanem brought this change]
-- RELEASE-NOTES: synced with c005790ff1c0a
+ lib: fix the djgpp build
+
+ Bug: https://github.com/curl/curl/commit/73a2fcea0b4adea6ba342cd7ed1149782c214ae3#commitcomment-22655993
-- [Daniel Melani brought this change]
+Marcel Raad (20 Jun 2017)
+- if2ip: fix compiler warning in ISO C90 mode
+
+ remote_scope_id is only used when both HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID
+ and ENABLE_IPV6 are defined instead of only one of them.
- openssl: typo in comment
+Daniel Stenberg (20 Jun 2017)
+- travis: do the distcheck test build out-of-tree as well
-Jay Satiro (27 May 2015)
-- openssl: Use TLS_client_method for OpenSSL 1.1.0+
+- http: add --strip-path-slash and CURLOPT_STRIP_PATH_SLASH
- SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The
- equivalent is TLS_client_method.
+ ... to enable sending "OPTIONS *" which wasn't possible previously.
- https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557
-
-Daniel Stenberg (26 May 2015)
-- FAQ: How do I port libcurl to my OS?
-
-Jay Satiro (25 May 2015)
-- CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain
+ This option currently only works for HTTP.
- Document that if Set-Cookie is used without a domain then the cookie is
- sent for any domain and will not be modified.
+ Added test cases 1298 + 1299 to verify
- Bug: http://curl.haxx.se/mail/lib-2015-05/0137.html
- Reported-by: Alexander Dyagilev
-
-Daniel Stenberg (25 May 2015)
-- [Tatsuhiro Tsujikawa brought this change]
+ Fixes #1280
+ Closes #1462
- http2: Copy data passed in Curl_http2_switched into HTTP/2 connection buffer
+- test1521: test getinfo's OFF_T types too
- Previously, after seeing upgrade to HTTP/2, we feed data followed by
- upgrade response headers directly to nghttp2_session_mem_recv() in
- Curl_http2_switched(). But it turns out that passed buffer, mem, is
- part of stream->mem, and callbacks called by
- nghttp2_session_mem_recv() will write stream specific data into
- stream->mem, overwriting input data. This will corrupt input, and
- most likely frame length error is detected by nghttp2 library. The
- fix is first copy the passed data to HTTP/2 connection buffer,
- httpc->inbuf, and call nghttp2_session_mem_recv().
+ Closes #1588
-Jay Satiro (24 May 2015)
-- CURLOPT_COOKIE.3: Explain that the cookies won't be modified
+- lib1521: add curl_easy_getinfo calls to the test set
- The CURLOPT_COOKIE doc says it "sets the cookie header explicitly in the
- outgoing request(s)." However there seems to be some user confusion
- about cookie modification. Document that the cookies set by this option
- are not modified by the cookie engine.
-
- Bug: http://curl.haxx.se/mail/lib-2015-05/0115.html
- Reported-by: Alexander Dyagilev
+ Also added return value checks to make sure no unexpected return codes
+ are used.
-- CURLOPT_COOKIELIST.3: Add example
+- [Simon Warta brought this change]
-Dan Fandrich (24 May 2015)
-- testcurl.pl: use rel2abs to make the source directory absolute
+ automake: use $(MKHELP) variable instead if constant mkhelp.pl
- This function makes a platform-specific absolute path which uses
- backslashes on Windows. This form works when passing it on the
- command-line, as well as if the source is on another drive.
-
-- conncache: fixed memory leak on OOM (torture tests)
+ this improves symmetry with the rule above
-Daniel Stenberg (24 May 2015)
-- perl: remove subdir, not touched in 9 years
+- [Simon Warta brought this change]
-- log2changes.pl: moved to scripts/
+ mkhelp.pl: fix script name in usage text
-- [Alessandro Ghedini brought this change]
-
- scripts: add zsh.pl for generating zsh completion
+- RELEASE-NOTES: synced with 3b80d3ca4
-Dan Fandrich (23 May 2015)
-- test1510: another flaky test
-
-Daniel Stenberg (22 May 2015)
-- security: fix "Unchecked return value" from sscanf()
+- getinfo: return sizes as curl_off_t
+
+ This change introduces new alternatives for the existing six
+ curl_easy_getinfo() options that return sizes or speeds as doubles. The
+ new versions are named like the old ones but with an appended '_T':
- By (void) prefixing it and adding a comment. Did some minor related
- cleanups.
+ CURLINFO_CONTENT_LENGTH_DOWNLOAD_T
+ CURLINFO_CONTENT_LENGTH_UPLOAD_T
+ CURLINFO_SIZE_DOWNLOAD_T
+ CURLINFO_SIZE_UPLOAD_T
+ CURLINFO_SPEED_DOWNLOAD_T
+ CURLINFO_SPEED_UPLOAD_T
- Coverity CID 1299423.
+ Closes #1511
-- security: simplify choose_mech
+- PIPELINING_SERVER_BL: cleanup the internal list use
- Coverity CID 1299424 identified dead code because of checks that could
- never equal true (if the mechanism's name was NULL).
+ The list was freed incorrectly since the llist refactor of
+ cbae73e1dd959. Added test 1550 to verify that it works and avoid future
+ regressions.
- Simplified the function by removing a level of pointers and removing the
- loop and array that weren't used.
-
-- RTSP: catch attempted unsupported requests better
+ Reported-by: Pascal Terjan
- Replace use of assert with code that properly catches bad input at
- run-time even in non-debug builds.
+ Fixes #1584
+ Closes #1585
+
+- http2: fix OOM crash
- This flaw was sort of detected by Coverity CID 1299425 which claimed the
- "case RTSPREQ_NONE" was dead code.
+ torture mode with test 1021 found it
-- share_init: fix OOM crash
+- CURLOPT_PREQUOTE.3: spellfix man page reference
+
+Marcel Raad (18 Jun 2017)
+- http_proxy: fix build with http and proxy
- A failed calloc() would lead to NULL pointer use.
+ After deff7de0eb0e22d2d142b96b9cc84cd8db5d2a48, the build without
+ CURL_DISABLE_PROXY and CURL_DISABLE_HTTP was failing because of missing
+ includes.
+
+- http_proxy: fix compiler warning
- Coverity CID 1299427.
+ With CURL_DISABLE_PROXY or CURL_DISABLE_HTTP, GCC complained about a
+ missing prototype for Curl_connect_free.
-- parse_proxy: switch off tunneling if non-HTTP proxy
+Daniel Stenberg (18 Jun 2017)
+- TODO: update the TOC too
+
+- TODO: implement support for CURLOPT_PREQUOTE with SFTP
- non-HTTP proxy implies not using CURLOPT_HTTPPROXYTUNNEL
+ ... also updated the CURLOPT_PREQUOTE.3 man page to mention the correct
+ protocol support.
- Bug: http://curl.haxx.se/mail/lib-2015-05/0056.html
- Reported-by: Sean Boudreau
+ Closes #1514
-- curl: fix potential NULL dereference
+- tool_wrte_cb: remove check for config == NULL
- Coverity CID 1299428: Dereference after null check (FORWARD_NULL)
-
-- http2: on_frame_recv: return early on stream 0
+ ... as it really cannot have reached this far with config being NULL,
+ thus this is unnecesary and misleading.
- Coverity CID 1299426 warned about possible NULL dereference otherwise,
- but that would only ever happen if we get invalid HTTP/2 data with
- frames for stream 0. Avoid this risk by returning early when stream 0 is
- used.
+ Bug: https://news.ycombinator.com/item?id=14577585 and
+ https://daniel.haxx.se/blog/2017/06/17/curl-doesnt-spew-binary-anymore/comment-page-1/#comment-18356
+
+ Forwarded-to-us-by: Jakub Wilk
-- http: removed self assignment
+- curl: prevent binary output spewed to terminal
- Follow-up fix from b0143a2a33f0
+ ... unless "--output -" is used. Binary detection is done by simply
+ checking for a binary zero in early data.
- Detected by coverity. CID 1299429
-
-- [Tatsuhiro Tsujikawa brought this change]
-
- http2: Make HTTP Upgrade work
+ Added test 1425 1426 to verify.
- This commit just add implicitly opened stream 1 to streams hash.
+ Closes #1512
-Jay Satiro (22 May 2015)
-- strerror: Change SEC_E_ILLEGAL_MESSAGE description
+Marcel Raad (16 Jun 2017)
+- Makefile.m32: enable -W for MinGW32 build
- Prior to this change the description for SEC_E_ILLEGAL_MESSAGE was OS
- and language specific, and invariably translated to something not very
- helpful like: "The message received was unexpected or badly formatted."
+ The configure-based build also has this in addition to -Wall.
- Bug: https://github.com/bagder/curl/issues/267
- Reported-by: Michael Osipov
+ Closes https://github.com/curl/curl/pull/1578
-- telnet: Fix read-callback change for Windows builds
+- curl-compilers.m4: enable comma clang warning
- Refer to b0143a2 for more information on the read-callback change.
-
-Daniel Stenberg (21 May 2015)
-- CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy!
-
-Dan Fandrich (21 May 2015)
-- testcurl.pl: allow source to be in an arbitrary directory
+ It usually warns when using commas instead of semicolons or other
+ operators by accident.
- This way, the build directory can be located on an entirely different
- filesystem from the source code (e.g. a tmpfs).
+ Closes https://github.com/curl/curl/pull/1578
-Daniel Stenberg (20 May 2015)
-- read_callback: move to SessionHandle from connectdata
+- curl-compilers.m4: enable missing-variable-declarations clang warning
- With many easy handles using the same connection for multiplexing, it is
- important we store and keep the transfer-oriented stuff in the
- SessionHandle so that callbacks and callback data work fine even when
- many easy handles share the same physical connection.
-
-- http2: show stream IDs in decimal
+ It usually warns when forgetting to declare TU-local variables static.
- It makes them easier to match output from the nghttpd test server.
+ Closes https://github.com/curl/curl/pull/1578
-- [Tatsuhiro Tsujikawa brought this change]
-
- http2: Faster http2 upload
+- curl-compilers.m4: enable double-promotion warning
- Previously, when we send all given buffer in data_source_callback, we
- return NGHTTP2_ERR_DEFERRED, and nghttp2 library removes this stream
- temporarily for writing. This itself is good. If this is the sole
- stream in the session, nghttp2_session_want_write() returns zero,
- which means that libcurl does not check writeability of the underlying
- socket. This leads to very slow upload, because it seems curl only
- upload 16k something per 1 second. To fix this, if we still have data
- to send, call nghttp2_session_resume_data after nghttp2_session_send.
- This makes nghttp2_session_want_write() returns nonzero (if connection
- window still opens), and as a result, socket writeability is checked,
- and upload speed becomes normal.
-
-- [Dmitry Eremin-Solenikov brought this change]
-
- gtls: don't fail on non-fatal alerts during handshake
+ Enable -Wdouble-promotion for both GCC and clang. It warns on implicit
+ promotion from float to double.
- Stop curl from failing when non-fatal alert is received during
- handshake. This e.g. fixes lots of problems when working with https
- sites through proxies.
+ Closes https://github.com/curl/curl/pull/1578
-- curl_easy_unescape.3: update RFC reference
+- curl-compilers.m4: enable vla warning for clang
+
+ Previously, that warning was only implicitly active in C90 mode.
+ Enable it unconditionally as already done for GCC.
- Reported-by: bsammon
- Bug: https://github.com/bagder/curl/issues/282
+ Closes https://github.com/curl/curl/pull/1578
-Jay Satiro (20 May 2015)
-- CURLOPT_POSTFIELDS.3: Mention curl_easy_escape
+Daniel Stenberg (16 Jun 2017)
+- http-proxy: fix chunked-encoded CONNECT responses
- .. also correct some variable naming in curl_easy_escape.3
+ Regression since 5113ad0424.
- Bug: https://github.com/bagder/curl/issues/281
- Reported-by: bsammon@users.noreply.github.com
-
-Daniel Stenberg (19 May 2015)
-- [Brian Prodoehl brought this change]
+ ... and remove 'flaky' from test 1061 again
+
+ Closes #1579
- openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_arg
+- http-proxy: deal with EAGAIN
- BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl
- and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and
- OpenSSL.
+ ... the previous code would reset the header length wrongly (since
+ 5113ad0424). This makes test 1060 reliable again.
- re #275
+ Also: make sws send even smaller chunks of data to increase the
+ likeliness of this happening.
-Jay Satiro (19 May 2015)
-- curl.1: fix missing space in section --data
+- libtest/libntlmconnect: fix compiler warnings from f94fcdb
-Daniel Stenberg (19 May 2015)
-- transfer: remove erroneous and misleading comment
+- [Jay Satiro brought this change]
-Kamil Dudka (19 May 2015)
-- http: silence compile-time warnings without USE_NGHTTP2
+ HTTPS-Proxy: don't offer h2 for https proxy connections
- Error: CLANG_WARNING:
- lib/http.c:173:16: warning: Value stored to 'http' during its initialization is never read
+ Bug: https://github.com/curl/curl/issues/1254
- Error: COMPILER_WARNING:
- lib/http.c: scope_hint: In function ‘http_disconnect’
- lib/http.c:173:16: warning: unused variable ‘http’ [-Wunused-variable]
+ Closes #1546
-Jay Satiro (19 May 2015)
-- transfer: Replace __func__ instances with function name
+- tests: stabilize test 2032 and 2033
- .. also make __func__ replacement in multi.
+ Both these tests run the same underlying test code: libntlmconnect.c -
+ this test code made some assumptions about socket ordering when it used
+ curl_easy_fdset() and when we changed timing or got accidental changes
+ in libcurl the tests would fail.
- Prior to this change debug builds would fail to build if the compiler
- was building pre-c99 and didn't support __func__.
-
-Daniel Stenberg (19 May 2015)
-- [Viktor Szakats brought this change]
-
- build: bump version in default nghttp2 paths
-
-- INTERNALS: we require nghttp2 1.0.0+ now
-
-Jay Satiro (18 May 2015)
-- http: Add some include guards for the new HTTP/2 stuff
-
-Daniel Stenberg (18 May 2015)
-- http2: store upload state per stream
+ The tests verify that the different transfers keep using the same
+ connections, which I now instead made sure by adding the number of bytes
+ each transfer gets and then verifies that they always get the same
+ amount as when these tests worked.
- Use a curl_off_t for upload left
-
-- http2: fix build when NOT h2-enabled
+ Closes #1576
-- http2: switch to use Curl_hash_destroy()
+- test1148: verify the -# progressbar
- as after 4883f7019d3, the *_clean() function only flushes the hash.
+ Closes #1569
-- curlver: restore LIBCURL_VERSION_NUM defined as a full number
+- test1061: mark as flaky
- As it breaks configure, curl-config and test 1023 if not.
+ Fails intermittently on travis builds since a few days. Likely due to
+ 5113ad0424.
-- [Anthony Avina brought this change]
-
- hostip: fix unintended destruction of hash table
+Jay Satiro (16 Jun 2017)
+- url: refactor the check for Windows drive letter in path
- .. and added unit1602 for hash.c
-
-- curlver: introducing new version number (checking) macros
-
-- runtests.pl: use 'h2c' now, no -14 anymore
-
-- [Tatsuhiro Tsujikawa brought this change]
-
- http2: Ignore if we have stream ID not in hash in on_stream_close
+ - Move the logic to detect a Windows drive letter prefix
+ (eg c: in c:foo) into a function-like macro.
- We could get stream ID not in the hash in on_stream_close. For
- example, if we decided to reject stream (e.g., PUSH_PROMISE), then we
- don't create stream and store it in hash with its stream ID.
-
-- [Tatsuhiro Tsujikawa brought this change]
+ Closes https://github.com/curl/curl/pull/1571
- Require nghttp2 v1.0.0
+- mk-ca-bundle.pl: Check curl's exit code after certdata download
- This commit requires nghttp2 v1.0.0 to compile, and migrate to v1.0.0,
- and utilize recent version of nghttp2 to simplify the code,
+ - No longer allow partial downloads of certdata.
- First we use nghttp2_option_set_no_recv_client_magic function to
- detect nghttp2 v1.0.0. That function only exists since v1.0.0.
+ Prior to this change partial downloads were (erroneously?) allowed since
+ only the server code was checked to be 200.
- Since nghttp2 v0.7.5, nghttp2 ensures header field ordering, and
- validates received header field. If it found error, RST_STREAM with
- PROTOCOL_ERROR is issued. Since we require v1.0.0, we can utilize
- this feature to simplify libcurl code. This commit does this.
-
- Migration from 0.7 series are done based on nghttp2 migration
- document. For libcurl, we removed the code sending first 24 bytes
- client magic. It is now done by nghttp2 library.
- on_invalid_frame_recv callback signature changed, and is updated
- accordingly.
-
-- http2: infof length in on_frame_send()
+ Bug: https://github.com/curl/curl/pull/1577
+ Reported-by: Matteo B.
-- pipeline: switch some code over to functions
-
- ... to "compartmentalize" a bit and make it easier to change behavior
- when multiplexing is used instead of good old pipelining.
+Daniel Stenberg (16 Jun 2017)
+- dist: add the fuzz dir to the tarball
-- symbols-in-versions: add CURLOPT_PIPEWAIT
+- configure: disable nghttp2 too if HTTP has been disabled
-- CURLOPT_PIPEWAIT: added
+- http-proxy: fix build with --disable-proxy or --disable-http
- By setting this option to 1 libcurl will wait for a connection to reveal
- if it is possible to pipeline/multiplex on before it continues.
-
-- Curl_http_readwrite_headers: minor code simplification
-
-- IsPipeliningPossible: fixed for http2
-
-- http2: bump the h2 buffer size to 32K for speed
+ Reported-by: Dan Fandrich
-- http2: remove the stream from the hash in stream_close callback
+- fuzz/README: document how to build
- ... and suddenly things work much better!
-
-- http2: if there is paused data, do not clear the drain field
+ Fixes #1476
-- http2: rename s/data/pausedata
+- [Frederik B brought this change]
-- http2: "stream %x" in all outputs to make it easier to search for
+ fuzz: corpora file structure, initial commit
-- http2: Curl_expire() all handles with incoming traffic
-
- ... so that they'll get handled next in the multi loop.
-
-- http2: don't signal settings change for same values
+- [Frederik B brought this change]
-- http2: set default concurrency, fix ConnectionExists for multiplex
+ fuzz: bring oss-fuzz initial code converted to C89
-- bundles: store no/default/pipeline/multiplex
+- http-proxy: only attempt FTP over HTTP proxy
- to allow code to act differently on the situation.
+ ... all other non-HTTP protocol schemes are now defaulting to "tunnel
+ trough" mode if a HTTP proxy is specified. In reality there are no HTTP
+ proxies out there that allow those other schemes.
- Also added some more info message for the connection re-use function to
- make it clearer when connections are not re-used.
-
-- http2: lazy init header_recvbuf
+ Assisted-by: Ray Satiro, Michael Kaufmann
- It makes us use less memory when not doing HTTP/2 and subsequently also
- makes us not have to cleanup HTTP/2 related data when not using HTTP/2!
-
-- http2: separate multiplex/pipelining + cleanup memory leaks
+ Closes #1505
-- CURLMOPT_PIPELINE: bit 1 is for multiplexing
-
-- [Tatsuhiro Tsujikawa brought this change]
-
- http2: Fix bug that data to be drained are overwritten by pending "paused" data
-
-- [Tatsuhiro Tsujikawa brought this change]
-
- http2: Don't call nghttp2_session_mem_recv while it is paused by a stream
-
-- [Tatsuhiro Tsujikawa brought this change]
-
- http2: Read data left in connection buffer after pause
+- TODO: the generated include file is gone
- Previously when we do pause because of out of buffer, we just throw
- away unread data in connection buffer. This just broke protocol
- framing, and I saw occasional FRAME_SIZE_ERROR. This commit fix this
- issue by remembering how much data read, and in the next iteration, we
- process remaining data.
+ ... since commit 73a2fcea0b
-- [Tatsuhiro Tsujikawa brought this change]
-
- http2: Fix streams get stuck
+- curl_setup.h: error out on CURL_WANTS_CA_BUNDLE_ENV use
- This commit fixes the bug that streams get stuck if stream gets some
- DATA, and stream->closed becomes true at the same time. Previously,
- in this condition, after we processed DATA, we are going to try to
- read data from underlying transport, but there is no data, and gets
- EAGAIN. There was no code path to evaludate stream->closed.
-
-- http2: store incoming h2 SETTINGS
-
-- pipeline: move function to pipeline.c and make static
+ ... to make it really apparent if there's any user using this on purpose.
- ... as it was only used from there.
-
-- IsPipeliningPossible: http2 can always "pipeline" (multiplex)
-
-- http2: remove debug logging from on_frame_recv
-
-- http2: remove the closed check in http2_recv
+ Suggested-by: Jay Satiro
- With the "drained" functionality we can get here slightly asynchronously
- so the stream have have been closed but there is pending data left to
- read.
+ Closes #1542
-- http2: bump the h2 buffer to 8K
-
-- http2: Curl_read should not use the single buffer
+- lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV
- ... as it does for pipelining when we're multiplexing, as we need the
- different buffers to store incoming data correctly for all streams.
-
-- http2: more debug outputs
-
-- http2: leave WAITPERFORM when conn is multiplexed
+ When this define was set, libcurl would check the environment variable
+ named CURL_CA_BUNDLE at run-time and use that CA cert bundle. This
+ feature was only defined by the watcom and m32 makefiles and caused
+ inconsistent behaviours among libcurls built on different platforms.
- No need to wait for our "spot" like for pipelining
-
-- http2: force "drainage" of streams
+ The curl tool does already feature its own similar logic and the library
+ does not really need it, and it isn't documented libcurl behavior. So
+ this change removes it.
- ... which is necessary since the socket won't be readable but there is
- data waiting in the buffer.
+ Ref: #1538
-- http2: move the mem+len pair to the stream struct
+- test1147: verify -H on a file
-- http2: more stream-oriented data, stream ID 0 is for connections
-
-- http2: move lots of state data to the 'stream' struct
+- curl: allow --header and --proxy-header read from file
- ... from the connection struct. The stream one being the 'struct HTTP'
- which is kept in the SessionHandle struct (easy handle).
+ So many headers can be provided as @filename.
- lookup streams for incoming frames in the stream hash, hashing is based
- on the stream id and we get the SessionHandle for the incoming stream
- that way.
-
-- HTTP: partial start at fixing up hash-lookups on http2 frame receival
-
-- http: a stream hash for h2 multiplexing
-
-- http: a stream hash for h2 multiplexing
+ Suggested-by: Timothe Litt
+
+ Closes #1486
-- http2: debug log when receiving unexpected stream_id
+- RELEASE-NOTES: synced with 2ad80eec5
-- http2: move stream_id to the HTTP struct (per-stream)
+- curl/curlver.h: start working on 7.55.0
-- Curl_http2_setup: only do it once and enable multiplex on the server
+- http-proxy: do the HTTP CONNECT process entirely non-blocking
- Once we know we are HTTP/2 enabled we know the server can multiplex.
-
-- http: switch on "pipelining" (multiplexing) for HTTP/2 servers
+ Mentioned as a problem since 2007 (8f87c15bdac63) and of course it
+ existed even before that.
- ... and do not blacklist any.
+ Closes #1547
-- README.pipelining: removed
+- progress: let "current speed" be UL + DL speeds combined
- All the details mentioned here are better documented in man pages
+ Bug #1556
+ Reported-by: Paul Harris
+ Closes #1559
-Dan Fandrich (14 May 2015)
-- build: removed bundles.c from make files
+Marcel Raad (14 Jun 2017)
+- system.h: fix MinGW build
- This file was removed in commit fd137786
-
-Daniel Stenberg (14 May 2015)
-- Curl_conncache_add_conn: fix memory leak on OOM
-
-- CURLMOPT_MAX_HOST_CONNECTIONS: host = host name + port number
+ CURLSYS_PULL_WS2TCPIP_H got renamed to CURL_PULL_WS2TCPIP_H in commit
+ 73a2fcea0b4adea6ba342cd7ed1149782c214ae3.
-- conncache: keep bundles on host+port bases, not only host names
+Daniel Stenberg (14 Jun 2017)
+- timers: store internal time stamps as time_t instead of doubles
- Previously we counted all connections to a specific host name and that
- would be used for the CURLMOPT_MAX_HOST_CONNECTIONS check for example,
- while servers on different port numbers are normally considered
- different "origins" on the web and should thus be considered different
- hosts.
-
-- bundles: merged into conncache.c
+ This gives us accurate precision and it allows us to avoid storing "no
+ time" for systems with too low timer resolution as we then bump the time
+ up to 1 microsecond. Should fix test 573 on windows.
- All the existing Curl_bundle* functions were only ever used from within
- the conncache.c file, so I moved them over and made them static (and
- removed the Curl_ prefix).
-
-- hostcache: made all host caches use structs, not pointers
+ Remove the now unused curlx_tvdiff_secs() function.
- This avoids unnecessary dynamic allocs and as this also removed the last
- users of *hash_alloc() and *hash_destroy(), those two functions are now
- removed.
-
-- multi: converted socket hash into non-allocated struct
+ Maintains the external getinfo() API with using doubles.
- avoids extra dynamic allocation
+ Fixes #1531
-- connection cache: avoid Curl_hash_alloc()
+- dist: make the hugehelp.c not get regenerated unnecessarily
- ... by using plain structs instead of pointers for the connection cache,
- we can avoid several dynamic allocations that weren't necessary.
-
-- proxy: add newline to info message
-
-Patrick Monnerat (8 May 2015)
-- FTP: fix dangling conn->ip_addr dereference on verbose EPSV.
+ The maketgz script now makes sure the generated hugehelp.c file in the
+ tarball is newer than the generated curl.1 man page, so that it doesn't
+ have to get unnecessarily rebuilt first thing in a typical build. It
+ thus also removes the need for perl to build off a plain release
+ tarball.
+
+ Fixes #1565
-- FTP: Make EPSV use the control IP address rather than the original host.
- This ensures an alternate address is not used.
- Does not apply to proxy tunnel.
+- includes: remove curl/curlbuild.h and curl/curlrules.h
+
+ Rely entirely on curl/system.h now.
+
+ Introduced in Aug 2008 with commit 14240e9e109f. Now gone.
+
+ Fixes #1456
-Daniel Stenberg (8 May 2015)
-- [Alessandro Ghedini brought this change]
+Version 7.54.1 (14 Jun 2017)
- tool_help: fix formatting for --next option
+Daniel Stenberg (14 Jun 2017)
+- release: 7.54.1
-- [Egon Eckert brought this change]
+Dan Fandrich (13 Jun 2017)
+- mk-lib1521.pl: updated to match the test changes in 916ec30a
- opts: improved the TCP keepalive examples
+Daniel Stenberg (13 Jun 2017)
+- [Stuart Henderson brought this change]
-Jay Satiro (8 May 2015)
-- winbuild: Document the option used to statically link the CRT
+ libressl: OCSP and intermediate certs workaround no longer needed
- - Document option RTLIBCFG (runtime library configuration).
+ lib/vtls/openssl.c has a workaround for a bug with OCSP responses signed
+ by intermediate certs, this was fixed in LibreSSL in
+ https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0
- Bug: https://github.com/bagder/curl/issues/254
- Reported-by: Bert Huijben
-
-- [Orgad Shaneh brought this change]
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0038.html
- netrc: Read in text mode when cygwin
+- url: fix buffer overwrite with file protocol (CVE-2017-9502)
- Use text mode when cygwin to eliminate trailing carriage returns.
+ Bug: https://github.com/curl/curl/issues/1540
+ Advisory: https://curl.haxx.se/docs/adv_20170614.html
- Bug: https://github.com/bagder/curl/pull/258
-
-Patrick Monnerat (5 May 2015)
-- OS400: Add SPNEGO service name options to ILE/RPG binding.
+ Assisted-by: Ray Satiro
+ Reported-by: Marcel Raad
-Daniel Stenberg (4 May 2015)
-- curl_multi_info_read.3: fix typo
+- urlglob: fix division by zero
- Reported-by: Liviu Chircu
-
-- MANUAL: language fix
+ The multiply() function that is used to avoid integer overflows, was
+ itself reason for a possible division by zero error when passed a
+ specially formatted glob.
- Reported-by: Fred Stluka
- Bug: https://github.com/bagder/curl/issues/255
+ Reported-by: GwanYeong Kim
-- [Alessandro Ghedini brought this change]
+- configure: update the copyright year in the output
- gtls: properly retrieve certificate status
-
- Also print the revocation reason if appropriate.
+- [ygrek brought this change]
-- OpenSSL: conditional check for SSL3_RT_HEADER
-
- The symbol is fairly new.
-
- Reported-by: Kamil Dudka
+ BINDINGS: update SP-Forth and OCaml urls
-- openssl: skip trace outputs for ssl_ver == 0
+Michael Kaufmann (11 Jun 2017)
+- FindWin32CACert: Use a temporary buffer on the stack
- The OpenSSL trace callback is wonderfully undocumented but given a
- journey in the source code, it seems the cases were ssl_ver is zero
- doesn't follow the same pattern and thus turned out confusing and
- misleading. For now, we skip doing any CURLINFO_TEXT logging on those
- but keep sending them as CURLINFO_SSL_DATA_OUT/IN.
+ Don't malloc() the temporary buffer, and use the correct type:
+ SearchPath() works with TCHAR, but SearchPathA() works with char.
+ Set the buffer size to MAX_PATH, because the terminating null byte
+ is already included in MAX_PATH.
- Also, I added direction to the text info and I edited some functions
- slightly.
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
- Bug: https://github.com/bagder/curl/issues/219
- Reported-by: Jay Satiro, Ashish Shukla
+ Closes #1548
-Marc Hoersken (2 May 2015)
-- schannel.c: Small changes
+Dan Fandrich (11 Jun 2017)
+- test1521: fixed OOM handling
-- schannel.c: Improve code path and readability
+Daniel Stenberg (9 Jun 2017)
+- RELEASE-PROCEDURE: updated future release dates
-- schannel.c: Improve error and return code handling upon aa99a63f03
+- [Paul Harris brought this change]
-- [Chris Araman brought this change]
-
- schannel: fix regression in schannel_recv
+ gitignore: ignore all vim swap files
- https://github.com/bagder/curl/issues/244
+ Closes #1561
+
+- lib1521: fix compiler warnings on the use of bad 'long' values
- Commit 145c263 changed the behavior when Curl_read_plain returns
- CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED
- correctly.
+ Reported-by: Marcel Raad
+ Bug: https://github.com/curl/curl/commit/cccac4fb2b20d6ed87da7978408c3ecacc464fe4#commitcomment-22453387
-- Bug born in changes made several days ago 9a91e80.
+- setopt: check CURLOPT_ADDRESS_SCOPE option range
- Commit: https://github.com/bagder/curl/commit/926cb9f
- Reported-by: Ray Satiro
+ ... and return error instead of triggering an assert() when being way
+ out of range.
-Daniel Stenberg (30 Apr 2015)
-- [Michael Osipov brought this change]
+Jay Satiro (8 Jun 2017)
+- [TheAssassin brought this change]
- configure: remove missing and make it autogenerate
+ cmake: Fix inconsistency regarding mbed TLS include directory
+
+ Previously, one had to set MBEDTLS_INCLUDE_DIR to make CMake find the
+ headers, but the system complained that mbed TLS wasn't found due to
+ MBEDTLS_INCLUDE_DIRS (note the trailing s) was not set. This commit
+ attempts to fix that.
- The missing file has not been autogenerated because a temporary fix was
- employed in acinclude.m4 which blocked update. Removed that fix and a recent
- version of missing is copied to build root.
+ Closes https://github.com/curl/curl/pull/1541
-- [Michael Osipov brought this change]
+Daniel Stenberg (8 Jun 2017)
+- [Ryuichi KAWAMATA brought this change]
- acinclude.m4: fix test for default CA cert bundle/path
+ examples/multi-uv.c: fix deprecated symbol
- test(1) on HP-UX requires a single equals sign and fails with two.
- Let's use one and make every OS happy.
+ Closes #1557
-- CONTRIBUTING.md: remove the sourceforge mention
+- asyn-ares: s/Curl_expire_latest/Curl_expire
+
+- expire: remove Curl_expire_latest()
+
+ With the introduction of expire IDs and the fact that existing timers
+ can be removed now and thus never expire, the concept with adding a
+ "latest" timer is not working anymore as it risks to not expire at all.
+
+ So, to be certain the timers actually are in line and will expire, the
+ plain Curl_expire() needs to be used. The _latest() function was added
+ as a sort of shortcut in the past that's quite simply not necessary
+ anymore.
+
+ Follow-up to 31b39c40cf90
- Reported-By: Michael Osipov
+ Reported-by: Paul Harris
+
+ Closes #1555
-Dan Fandrich (30 Apr 2015)
-- http_negotiate_sspi: added missing data variable
+- [Chris Carlmar brought this change]
-Daniel Stenberg (30 Apr 2015)
-- [Michael Osipov brought this change]
+ configure: fix link with librtmp when specifying path
+
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0017.html
- configure: remove --automake from libtoolize call
+- file: make speedcheck use current time for checks
- That option is not mentioned in the man page of libtoolize 2.4.4.19-fda4.
- Moveover, a comment in line 2623 says "--automake is for 1.5 compatibility".
+ ... as it would previously just get the "now" timestamp before the
+ transfer starts and then not update it again.
- This option is redundant now.
+ Closes #1550
-- [Viktor Szakats brought this change]
+- metalink: remove unused printf() argument
- build: update depedency versions, urls, example makefiles
+- travis: let some builds *not* use --enable-debug
+
+ typecheck-gcc and other things require optimized builds
- - update default versions of dependencies (except for rare/old platforms)
- - update urls
- - sync examples makefiles with main ones
- - remove line ending space
+ Closes #1544
-- [Michael Osipov brought this change]
+- README.md: show the coverall coverage on github
- configure: remove autogenerated files by autoconf
-
- * install-sh is always regenerated
- * mkinstalldirs was already redudant years ago. Automake uses install for
- that. See: http://lists.gnu.org/archive/html/automake/2007-03/msg00015.html
+- lib1521: fix compiler warnings
-- [Anders Bakken brought this change]
+- test1521: make the code < 80 columns wide
- curl_multi_add_handle: next is already NULL
+- test1121: use stricter types to work with typcheck-gcc
-Jay Satiro (30 Apr 2015)
-- schannel: Fix out of bounds array
+- typecheck-gcc: allow CURLOPT_STDERR to be NULL too
+
+- test1521: test *all* curl_easy_setopt options
- Bug born in changes made several days ago 9a91e80.
+ mk-lib1521.pl generates a test program (lib1521.c) that calls
+ curl_easy_setopt() for every known option with a few typical values to
+ make sure they work (ignoring the return codes).
- Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
- Reported-by: Brian Chrisman
-
-- docs/libcurl: gitignore libcurl-symbols.3
+ Some small changes were necessary to avoid asserts and NULL accesses
+ when doing this.
- Bug: http://curl.haxx.se/mail/lib-2015-04/0191.html
- Reported-by: Michael Osipov
-
-- [Viktor Szakats brought this change]
-
- lib/makefile.m32: add arch -m32/-m64 to LDFLAGS
+ The perl script needs to be manually rerun when we add new options.
- This fixes using a multi-target mingw distro to build curl .dll for the
- non-default target.
- (mirroring the same patch present in src/makefile.m32)
+ Closes #1543
-Daniel Stenberg (29 Apr 2015)
-- RELEASE-NOTES: synced with cd39b944afc
+Dan Fandrich (5 Jun 2017)
+- test1538: added "verbose logs" keyword
- I've not mentioned the bug fixes that were shipped in 7.42.1 from the
- 7_42 branch.
+ These error messages are not displayed with --disable-verbose
-- THANKS: merged from the 7.42.1 release
+Daniel Stenberg (5 Jun 2017)
+- test1262: verify ftp download with -z for "if older than this"
-- CURLOPT_HEADEROPT: default to separate
+Marcel Raad (5 Jun 2017)
+- curl_ntlm_core: use Curl_raw_toupper instead of toupper
- Make the HTTP headers separated by default for improved security and
- reduced risk for information leakage.
+ This was the only remaining use of toupper in the entire source code.
- Bug: http://curl.haxx.se/docs/adv_20150429.html
- Reported-by: Yehezkel Horowitz, Oren Souroujon
+ Suggested-by: Daniel Stenberg
+
+Daniel Stenberg (4 Jun 2017)
+- RELEASE-NOTES: synced with 65ba92650