Changelog
-Version 7.40.0 (7 Jan 2015)
+Version 7.59.0 (13 Mar 2018)
-Daniel Stenberg (7 Jan 2015)
-- RELEASE-NOTES: version 7.40.0
+Daniel Stenberg (13 Mar 2018)
+- release: 7.59.0
-- darwinssl: fix session ID keys to only reuse identical sessions
+Kamil Dudka (13 Mar 2018)
+- tests/.../spnego.py: fix identifier typo
- ...to avoid a session ID getting cached without certificate checking and
- then after a subsequent _enabling_ of the check libcurl could still
- re-use the session done without cert checks.
+ Detected by Coverity Analysis:
- Bug: http://curl.haxx.se/docs/adv_20150108A.html
- Reported-by: Marc Hesse
-
-- tests: make sure CRLFs can't be used in URLs passed to proxy
+ Error: IDENTIFIER_TYPO:
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo:
+ * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code.
+ * Identifier "SupportedMech" is referenced elsewhere at least 4 times.
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function).
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"?
- Bug: http://curl.haxx.se/docs/adv_20150108B.html
+ Closes #2379
-- url-parsing: reject CRLFs within URLs
+Daniel Stenberg (13 Mar 2018)
+- CURLOPT_COOKIEFILE.3: "-" as file name means stdin
- Bug: http://curl.haxx.se/docs/adv_20150108B.html
- Reported-by: Andrey Labunets
-
-Steve Holme (7 Jan 2015)
-- ldap: Convert attribute output to UTF-8 when Unicode
-
-- ldap: Convert DN output to UTF-8 when Unicode
+ Reported-by: Aron Bergman
+ Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html
+
+ [ci skip]
-Daniel Stenberg (7 Jan 2015)
-- hostip: remove 'stale' argument from Curl_fetch_addr proto
+- Revert "hostip: fix compiler warning: 'variable set but not used'"
- Also, remove the log output of the resolved name is NOT in the cache in
- the spirit of only telling when something is actually happening.
+ This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248.
+
+ The assignment really needs to be there or we risk working with an
+ uninitialized pointer.
-Steve Holme (7 Jan 2015)
-- ldap/imap: Fixed spelling mistake in comments and variable names
+Michael Kaufmann (12 Mar 2018)
+- limit-rate: fix compiler warning
- Reported-by: Michael Osipov
+ follow-up to 72a0f62
-Daniel Stenberg (7 Jan 2015)
-- RELEASE-NOTES: updated with ./contributors.sh output
+Viktor Szakats (12 Mar 2018)
+- checksrc.pl: add -i and -m options
+
+ To sync it with changes made for the libssh2 project.
+ Also cleanup some whitespace.
-Dan Fandrich (5 Jan 2015)
-- curl_multibyte.h: Eliminated some trailing whitespace
+- curl-openssl.m4: fix spelling [ci skip]
-Steve Holme (4 Jan 2015)
-- RELEASE-NOTES: Synced with ea93252ef1
+- FAQ: fix a broken URL [ci skip]
-- ldap: Fixed Unicode usage for all Win32 builds
+Daniel Stenberg (12 Mar 2018)
+- http2: mark the connection for close on GOAWAY
- Otherwise, the fixes in the previous commits would only be applicable
- to IDN and SSPI based builds and not others such as OpenSSL with LDAP
- enabled.
+ ... don't consider it an error!
+
+ Assisted-by: Jay Satiro
+ Reported-by: Łukasz Domeradzki
+ Fixes #2365
+ Closes #2375
-- ldap: Fixed memory leak from commit efb64fdf80
+- credits: Viktor prefers without accent
-- ldap: Fix memory leak from commit 3a805c5cc1
+- openldap: white space changes, fixed up the copyright years
-- ldap: Fixed attribute variable warnings when Unicode is enabled
+- openldap: check ldap_get_attribute_ber() results for NULL before using
- Use 'TCHAR *' for local attribute variable rather than 'char *'.
+ CVE-2018-1000121
+ Reported-by: Dario Weisser
+ Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
-- ldap: Fixed DN variable warnings when Unicode is enabled
+- FTP: reject path components with control codes
- Use 'TCHAR *' for local DN variable rather than 'char *'.
-
-- ldap: Remove the unescape_elements() function
+ Refuse to operate when given path components featuring byte values lower
+ than 32.
+
+ Previously, inserting a %00 sequence early in the directory part when
+ using the 'singlecwd' ftp method could make curl write a zero byte
+ outside of the allocated buffer.
- Due to the recent modifications this function is no longer used.
+ Test case 340 verifies.
+
+ CVE-2018-1000120
+ Reported-by: Duy Phan Thanh
+ Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
-- ldap.c: Fixed compilation warning
+- readwrite: make sure excess reads don't go beyond buffer end
+
+ CVE-2018-1000122
+ Bug: https://curl.haxx.se/docs/adv_2018-b047.html
- ldap.c:98: warning: extra tokens at end of #endif directive
+ Detected by OSS-fuzz
-- ldap: Fixed support for Unicode filter in Win32 search call
+- BUGS: updated link to security process
-- ldap.c: Fixed compilation warning
+- limit-rate: kick in even before "limit" data has been received
- ldap.c:802: warning: comparison between signed and unsigned integer
- expressions
+ ... and make sure to avoid integer overflows with really large values.
+
+ Reported-by: 刘佩东
+ Fixes #2371
+ Closes #2373
+
+- docs/SECURITY.md -> docs/SECURITY-PROCESS.md
-- ldap: Fixed support for Unicode attributes in Win32 search call
+- SECURITY.md: call it the security process
-- ldap: Fixed memory leak from commit efb64fdf80
+Michael Kaufmann (11 Mar 2018)
+- Curl_range: fix FTP-only and FILE-only builds
- The unescapped DN was not freed after a successful character conversion.
+ follow-up to e04417d
-- ldap.c: Fixed compilation error
+- hostip: fix compiler warning: 'variable set but not used'
+
+Daniel Stenberg (11 Mar 2018)
+- HTTP: allow "header;" to replace an internal header with a blank one
- ldap.c:738: error: macro "LDAP_TRACE" passed 2 arguments, but takes
- just 1
+ Reported-by: Michael Kaufmann
+ Fixes #2357
+ Closes #2362
-- ldap.c: Fixed compilation warning
+- http2: verbose output new MAX_CONCURRENT_STREAMS values
- ldap.c:89: warning: extra tokens at end of #endif directive
+ ... as it is interesting for many users.
+
+- SECURITY: distros' max embargo time is 14 days now
-- ldap: Fixed support for Unicode DN in Win32 search call
+Patrick Monnerat (8 Mar 2018)
+- curl tool: accept --compressed also if Brotli is enabled and zlib is not.
-- ldap: Fixed Unicode user and password in Win32 bind calls
+Daniel Stenberg (5 Mar 2018)
+- THANKS + mailmap: remove duplicates, fixup full names
-- ldap: Fixed Unicode host name in Win32 initialisation calls
+- [sergii.kavunenko brought this change]
-- ldap: Use host.dispname for infof() connection failure messages
+ WolfSSL: adding TLSv1.3
- As host.name may be encoded use dispname for infof() failure messages.
+ Closes #2349
-- ldap: Prefer 'CURLcode result' for curl result codes
+- RELEASE-NOTES/THANKS: synced with cc1d4c505
-- ldap: Pass write length in all Curl_client_write() calls
-
- As we get the length for the DN and attribute variables, and we know
- the length for the line terminator, pass the length values rather than
- zero as this will save Curl_client_write() from having to perform an
- additional strlen() call.
+- [Richard Alcock brought this change]
-- ldap: Fixed attribute memory leaks on failed client write
+ winbuild: prefer documented zlib library names
- Fixed memory leaks from commit 086ad79970 as was noted in the commit
- comments.
-
-- ldap: Fixed DN memory leaks on failed client write
+ Check for existence of import and static libraries with documented names
+ and use them if they do. Fallback to previous names.
- Fixed memory leaks from commit 086ad79970 as was noted in the commit
- comments.
-
-- curl_ntlm_core.c: Fixed compilation warning from commit 1cb17b2a5d
+ According to
+ https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on
+ Windows, the names of the import library is "zdll.lib" and static
+ library is "zlib.lib".
- curl_ntlm_core.c:146: warning: passing 'DES_cblock' (aka 'unsigned char
- [8]') to parameter of type 'char *' converts
- between pointers to integer types with different
- sign
+ closes #2354
-- ntlm: Use extend_key_56_to_64() for all cryptography engines
+Marcel Raad (4 Mar 2018)
+- krb5: use nondeprecated functions
- Rather than duplicate the code in setup_des_key() for OpenSSL and in
- extend_key_56_to_64() for non-OpenSSL based crypto engines, as it is
- the same, use extend_key_56_to_64() for all engines.
-
-- RELEASE-NOTES: Synced with 34f0bd110f
-
-- curl_ntlm_core.c: Fixed compilation warning
+ gss_seal/gss_unseal have been deprecated in favor of
+ gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first
+ version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June
+ 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and
+ "GSS_Unwrap() (formerly GSS_Unseal())".
- curl_ntlm_core.c:458: warning: 'ascii_uppercase_to_unicode_le' defined
- but not used
-
-- endian: Fixed bit-shift in 64-bit integer read functions
+ Use the nondeprecated functions to avoid deprecation warnings.
- From commit 43792592ca and 4bb5a351b2.
+ [1] https://tools.ietf.org/html/rfc2078
+ [2] https://tools.ietf.org/html/rfc1964
- Reported-by: Michael Osipov
-
-- smb: Use endian functions for reading NBT and message size values
-
-- endian: Added big endian read functions
+ Closes https://github.com/curl/curl/pull/2356
-- endian: Added 64-bit integer read function
+Daniel Stenberg (4 Mar 2018)
+- curl.1: mention how to add numerical IP addresses in NO_PROXY
-- COPYING: Bumped copyright year to 2015
+- CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses
-- version: Bump copyright year to 2015
-
-- smb.c: Fixed compilation warnings
+- NO_PROXY: fix for IPv6 numericals in the URL
- smb.c:780: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
- smb.c:781: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
- smb.c:804: warning: passing 'char *' to parameter of type 'unsigned
- char *' converts between pointers to integer types with
- different sign
-
-- smb: Use endian functions for reading length and offset values
-
-- endian: Added 16-bit integer write function
-
-- endian: Fixed Linux compilation issues
+ Added test 1265 that verifies.
- Having files named endian.[c|h] seemed to cause issues under Linux so
- renamed them both to have the curl_ prefix in the filenames.
+ Reported-by: steelman on github
+ Fixes #2353
+ Closes #2355
-- [Julien Nabet brought this change]
-
- lib1900.c: Fixed cppcheck error
+- build: get CFLAGS (including -werror) used for examples and tests
- lib1900.c:182: (style) Array index 'handlenum' is used before limits
- check
+ ... so that the CI and more detects compiler warnings/errors properly!
- Bug: https://github.com/bagder/curl/pull/133
-
-- endian: Added standard function descriptions
-
-- endian: Renamed functions for curl API naming convention
-
-- endian: Moved write functions to new module
+ Closes #2337
-- endian: Moved read functions to new module
-
-- endian: Introduced endian module
+Marcel Raad (3 Mar 2018)
+- curl_ctype: fix macro redefinition warnings
- To allow the little endian functions, currently used in two of the NTLM
- source files, to be used by other modules such as the SMB module.
-
-- sepheaders.c: Applied curl oding standards
-
-- [Julien Nabet brought this change]
+ On MinGW and Cygwin, GCC and clang have been complaining about macro
+ redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this
+ by undefining the macros before redefining them as suggested in
+ https://github.com/curl/curl/pull/2269.
+
+ Suggested-by: Daniel Stenberg
- sepheaders.c: Fixed resource leak on failure
+Dan Fandrich (2 Mar 2018)
+- unit1307: proper cleanup on OOM to fix torture tests
-- vtls: Use '(void) arg' for unused parameters
+Marcel Raad (28 Feb 2018)
+- unit1309: fix warning on Windows x64
- Prefer void for unused parameters, rather than assigning an argument to
- itself as a) unintelligent compilers won't optimize it out, b) it can't
- be used for const parameters, c) it will cause compilation warnings for
- clang with -Wself-assign and d) is inconsistent with other areas of the
- curl source code.
-
-- smb.c: Fixed compilation warning
+ When targeting x64, MinGW-w64 complains about conversions between
+ 32-bit long and 64-bit pointers. Fix this by reusing the
+ GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic
+ from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST /
+ CURLX_INTEGER_TO_POINTER_CAST.
- smb.c:586: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
-
-- [Bill Nagel brought this change]
+ Closes https://github.com/curl/curl/pull/2341
- smb: Use the connection's upload buffer
+- travis: update compiler versions
- Use the connection's upload buffer instead of allocating our own send
- buffer.
-
-- RELEASE-NOTES: Synced with 1933f9d33c
-
-- schannel: Moved the ISC return flag definitions to the SSPI module
+ Update clang to version 3.9 and GCC to version 6.
- Moved our Initialize Security Context return attribute definitions to
- the SSPI module, as a) these can be used by other SSPI based providers
- and b) the ISC required attributes are defined there.
+ Closes https://github.com/curl/curl/pull/2345
-- [Bill Nagel brought this change]
-
- smb: Close the connection after a failed client write
-
-- darwinssl: Fixed compilation warning
+Daniel Stenberg (26 Feb 2018)
+- docs/MANUAL: formfind.pl is not accessible on the site anymore
- vtls.c:683:43: warning: unused parameter 'data'
+ Fixes #2342
-- sockfilt.c: Fixed compilation warnings
+Jay Satiro (24 Feb 2018)
+- curl-openssl.m4: Fix version check for OpenSSL 1.1.1
- sockfilt.c:288: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:291: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:323: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
- sockfilt.c:326: warning: conversion to 'DWORD' from 'size_t' may alter
- its value
-
-- test1509: Fixed compilation warning
+ - Add OpenSSL 1.1.1 to the header/library version lists.
- lib1509.c:93:18: warning: conversion to 'long int' from 'size_t' may
- alter its value
-
-- test556: Fixed compilation warning
+ - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark,
+ which was added in that version.
- lib556.c:90: warning: conversion to 'unsigned int' from 'size_t' may
- alter its value
+ Prior to this change an erroneous header/library mismatch was caused by
+ lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1.
-- sasl_gssapi: Fixed use of dummy username with real username
+Viktor Szakats (23 Feb 2018)
+- lib655: silence compiler warning
+
+ Closes https://github.com/curl/curl/pull/2335
-- vtls: Fixed compilation warning and an ignored return code
+- spelling fixes
+
+ Detected using the `codespell` tool.
- curl_schannel.h:123: warning: right-hand operand of comma expression
- has no effect
+ Also contains one URL protocol upgrade.
- Some instances of the curlssl_close_all() function were declared with a
- void return type whilst others as int. The schannel version returned
- CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the
- return code was ignored by the calling function Curl_ssl_close_all().
+ Closes https://github.com/curl/curl/pull/2334
+
+Daniel Stenberg (24 Feb 2018)
+- projects/README: remove reference to dead IDN link/package
- For the time being and to keep the internal API consistent, changed all
- declarations to use a void return type.
+ Reported-by: Stefan Kanthak and Rod Widdowson
- To reduce code we might want to consider removing the unimplemented
- versions and use a void #define like schannel does.
+ Fixes #2325
-Daniel Stenberg (28 Dec 2014)
-- TODO: 2.3 Better support for same name resolves
+Jay Satiro (23 Feb 2018)
+- [Rod Widdowson brought this change]
-Steve Holme (28 Dec 2014)
-- test1520: Fixed initial teething problems
+ winbuild: Use macros for the names of some build utilities
- * Missing initialisation of upload status caused a seg fault
- * Missing data termination caused corrupt data to be uploaded
- * Data verification should be performed in <upload> element
- * Added missing recipient list cleanup
-
-- test1520: Fixed compilation errors
+ - Add macros to the top of the makefile for rc and mt utilities so that
+ it is easier to change their locations.
+
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html
+ Reported-by: Stefan Kanthak
+
+ Closes https://github.com/curl/curl/issues/2329
-- tests: Added test for bug #1456
+Daniel Stenberg (23 Feb 2018)
+- TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2
-- checksrc.bat: Fixed a problem opening files with spaces in the filename
+- curl_share_setopt.3: connection cache is shared within multi handles
-- openldap: Prefer use of 'CURLcode result'
+Jay Satiro (22 Feb 2018)
+- [Rod Widdowson brought this change]
-- openldap: Use 'LDAPMessage *msg' for messages
+ winbuild: Use CALL to run batch scripts
- This frees up the 'result' variable for CURLcode based result codes.
-
-- nss: Don't ignore Curl_extract_certinfo() OOM failure
-
-- nss: Don't ignore Curl_ssl_init_certinfo() OOM failure
-
-- nss: Use 'CURLcode result' for curl result codes
+ Co-authored-by: Stefan Kanthak
- ...and don't use CURLE_OK in failure/success comparisons.
-
-- getinfo: Code style policing
+ Closes https://github.com/curl/curl/issues/2330
+ Closes https://github.com/curl/curl/pull/2331
-- getinfo: Use 'CURLcode result' for curl result codes
+Patrick Monnerat (22 Feb 2018)
+- os400: add curl_resolver_start_callback type to ILE/RPG binding
-- darwinssl: Use 'CURLcode result' for curl result codes
+Daniel Stenberg (22 Feb 2018)
+- form.d: rephrased somewhat, added two example command lines
-- polarssl: Use 'CURLcode result' for curl result codes
+Jay Satiro (21 Feb 2018)
+- [Francisco Sedano brought this change]
-- docs: Updated following the addition of SASL GSSAPI via GSS-API libraries
+ url: Add option CURLOPT_RESOLVER_START_FUNCTION
- As this feature has been implemented for 7.40.0.
-
-- asiohiper.cpp: No need to initialise members of ConnInfo
+ - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that
+ will be called every time before a new resolve request is started
+ (ie before a host is resolved) with a pointer to backend-specific
+ resolver data. Currently this is only useful for ares.
- ...as calloc() automatically clears the area of memory with zeros.
-
-- asiohiper.cpp: Updated for curl coding standards
+ - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to
+ pass to the resolver start callback.
- ...with the exception of the start of block statement curly brackets.
+ Closes https://github.com/curl/curl/pull/2311
-- code/docs: Use correct case for IPv4 and IPv6
+- lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
- For consistency, as we seem to have a bit of a mixed bag, changed all
- instances of ipv4 and ipv6 in comments and documentations to use the
- correct case.
-
-- runtests: Fixed detection of Unix Sockets feature
+ - In keeping with the naming of our other connect timeout options rename
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.
- ...following change in curl --version output.
-
-- code/docs: Use Unix rather than UNIX to avoid use of the trademark
+ This change adds the _MS suffix since the option expects milliseconds.
+ This is more intuitive for our users since other connect timeout options
+ that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS,
+ CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS.
- Use Unix when generically writing about Unix based systems as UNIX is
- the trademark and should only be used in a particular product's name.
-
-- ip2ip.c: Fixed compilation warning when IPv6 Scope ID not supported
+ The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms.
- if2ip.c:119: warning: unused parameter 'remote_scope_id'
+ Follow-up to 2427d94 which added the lib and tool option yesterday.
- ...and some minor code style policing in the same function.
+ Ref: https://github.com/curl/curl/pull/2260
-- vtls: Don't set cert info count until memory allocation is successful
+Patrick Monnerat (21 Feb 2018)
+- sasl: prefer PLAIN mechanism over LOGIN
- Otherwise Curl_ssl_init_certinfo() can fail and set the num_of_certs
- member variable to the requested count, which could then be used
- incorrectly as libcurl closes down.
+ SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
+ PLAIN should be used instead if available.
-- vtls: Use CURLcode for Curl_ssl_init_certinfo() return type
-
- The return type for this function was 0 on success and 1 on error. This
- was then examined by the calling functions and, in most cases, used to
- return CURLE_OUT_OF_MEMORY.
-
- Instead use CURLcode for the return type and return the out of memory
- error directly, propagating it up the call stack.
+Daniel Stenberg (21 Feb 2018)
+- RELEASE-NOTES: synced with 2427d94c6
-- configure: Use camel case for UNIX sockets feature output
-
- To match the curl --version output.
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
-Marc Hoersken (26 Dec 2014)
-- sockfilt.c: Reduce the number of individual memory allocations
+ url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT
- Merge multiple internal arrays into one, even if some variables
- will not not be used. They are all created with the number of
- file descriptors as their size.
-
- Also fix possible thread handle leak in CloseHandle-loop.
-
-- sockfilt.c: Replace 100ms sleep with thread throttle
+ - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy
+ eyeball timeout value.
- Improves performance of test cases 574 and 575 by 50%.
+ - Add new optval macro CURL_HET_DEFAULT to represent the default happy
+ eyeballs timeout value (currently 200 ms).
- A value of zero causes the thread to relinquish the remainder
- of its time slice to any other thread of equal priority that is
- ready to run. If there are no other threads of equal priority
- ready to run, the function returns immediately, and the thread
- continues execution.
+ - Add new tool option --happy-eyeballs-timeout-ms to expose
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the
+ other -timeout options in the tool expect seconds not milliseconds.
- http://msdn.microsoft.com/library/windows/desktop/ms686307.aspx
+ Closes https://github.com/curl/curl/pull/2260
-Steve Holme (25 Dec 2014)
-- tool_help: Use camel case for UNIX sockets feature output
+- hostip: fix 'potentially uninitialized variable' warning
- In line with the other features listed in the --version output,
- capitalise the UNIX socket feature.
-
-- vtls: Use bool for Curl_ssl_getsessionid() return type
+ Follow-up to 50d1b33.
- The return type of this function is a boolean value, and even uses a
- bool internally, so use bool in the function declaration as well as
- the variables that store the return value, to avoid any confusion.
-
-- schannel: Minor code style policing for casts
+ Caught by AppVeyor.
-- schannel: Prefer 'CURLcode result' for curl result codes
+Daniel Stenberg (20 Feb 2018)
+- TODO: warning if curl version is not in sync with libcurl version
-- cyassl: Prefer 'CURLcode result' for curl result codes
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
-- tool_xattr: Use 'CURLcode result' for curl result codes
-
-- curl_ntlm_core.c: Fixed compilation warnings
+ CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
- curl_ntlm_core.c:301: warning: pointer targets in passing argument 2 of
- 'CryptImportKey' differ in signedness
- curl_ntlm_core.c:310: warning: passing argument 6 of 'CryptEncrypt' from
- incompatible pointer type
- curl_ntlm_core.c:540: warning: passing argument 4 of 'CryptGetHashParam'
- from incompatible pointer type
-
-- RELEASE-NOTES: Synced with 8830df8b66
-
-- gtls: Use preferred 'CURLcode result'
-
-- openldap: Use standard naming for setup connection function
+ This enables users to preresolve but still take advantage of happy
+ eyeballs and trying multiple addresses if some are not connecting.
- Renamed ldap_setup() to ldap_setup_connection() to follow more widely
- used function naming.
+ Ref: https://github.com/curl/curl/pull/2260
-- rtmp: Use standard naming for setup connection function
-
- Renamed rtmp_setup() to rtmp_setup_connection() to follow more widely
- used function naming.
+Daniel Stenberg (20 Feb 2018)
+- [Sergio Borghese brought this change]
-- smb: Use standard naming for setup connection function
+ examples/sftpuploadresume: resume upload via CURLOPT_APPEND
- Renamed smb_setup() to smb_setup_connection() to follow more widely
- used function naming.
-
-- config-win32.h: Fixed line length > 79 columns
+ URL: https://curl.haxx.se/mail/lib-2018-02/0072.html
-- openssl: Prefer we don't use NULL in comparisons
-
-- build: Removed WIN32 definition from the Visual Studio projects
+- curl --version: show PSL if the run-time lib has it enabled
- As this pre-processor definition is defined in curl_setup.h there is no
- need to include it in the Visual Studio project files.
+ ... not of the #define was set at build-time!
-- build: Removed WIN64 definition from the libcurl Visual Studio projects
-
- Removed the WIN64 pre-processor definition from the libcurl project
- files as:
-
- * WIN64 is not used in our source code
- * The curl projects files don't define it
- * It isn't required by or used in the platform SDK
- * For backwards compatability curl_setup.h defines WIN32
- * The compiler automatically defines _WIN64 for x64 builds
-
- Historically Visual Studio projects have defined WIN32, in addition to
- the compiler defined _WIN32 definition, and I had incorrectly changed
- that to WIN64 for the x64 libcurl builds but not in the curl projects.
+- TODO: "Support in-memory certs/ca certs/keys"
- As such, it is questionable whether this should be defined or not. For
- more information see the following cache of a discussion that took
- place on the microsoft.public.vc.mfc newsgroup:
+ removed SSLKEYLOGFILE support (fixed)
- http://www.tech-archive.net/Archive/VC/microsoft.public.vc.mfc/2008-06/msg00074.html
-
-- openssl.c Fix for compilation errors with older versions of OpenSSL
+ removed "consider SSL patches" (outdated)
- openssl.c:1408: error: 'TLS1_1_VERSION' undeclared
- openssl.c:1411: error: 'TLS1_2_VERSION' undeclared
+ Closes #2310
-Daniel Stenberg (22 Dec 2014)
-- [John Malmberg brought this change]
+- CURLOPT_HEADER.3: clarify problems with different data sizes
- Fix comment edit in vms/backup_gnv_curl_src.com
-
- packages/vms/backup_gnv_curl_src.com: Originally copied from Bash port.
+- test1556: verify >16KB headers to the header callback
-- curl: show size of inhibited data when using -v
+- header callback: don't chop headers into smaller pieces
- To offer some more info and yet it doesn't use more lines.
-
-- openssl: fix SSL/TLS versions in verbose output
-
-- openssl: make it compile against openssl 1.1.0-DEV master branch
+ Reported-by: Guido Berhoerster
+ Fixes #2314
+ Closes #2316
-Marc Hoersken (22 Dec 2014)
-- sshserver.pl: clarify and streamline variable names
+- test1154: verify that long HTTP headers get rejected
-Daniel Stenberg (21 Dec 2014)
-- openssl: warn for SRP set if SSLv3 is used, not for TLS version
+- http: fix the max header length detection logic
- ... as it requires TLS and it was was left to warn on the default from
- when default was SSL...
-
-- smb: use memcpy() instead of strncpy()
+ Previously, it would only check for max length if the existing alloc
+ buffer was to small to fit it, which often would make the header still
+ get used.
- ... as it never copies the trailing zero anyway and always just the four
- bytes so let's not mislead anyone into thinking it is actually treated
- as a string.
+ Reported-by: Guido Berhoerster
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html
- Coverity CID: 1260214
-
-- [John E. Malmberg brought this change]
+ Closes #2315
- VMS: Updates for 0740-0D1220
+- CURLOPT_HEADERFUNCTION.3: fix typo from d939226813
- lib/setup-vms.h : VAX HP OpenSSL port is ancient, needs help.
- More defines to set symbols to uppercase.
-
- src/tool_main.c : Fix parameter to vms_special_exit() call.
+ Reported-by: Erik Johansson
+ Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495
+
+- CURLOPT_HEADERFUNCTION.3: mention folded headers
+
+- TODO: 1.1 Option to refuse usernames in URLs
- packages/vms/ :
- backup_gnv_curl_src.com : Fix the error message to have the correct package.
+ Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas.
+
+- TODO: 1.7 Support HTTP/2 for HTTP(S) proxies
+
+- ssh: add two missing state names
- build_curl-config_script.com : Rewrite to be more accurate.
+ The list of state names (used in debug builds) was out of sync in
+ relation to the list of states (used in all builds).
- build_libcurl_pc.com : Use tool_version.h now.
+ I now added an assert to make sure the sizes of the two lists match, to
+ aid in detecting this mistake better in the future.
- build_vms.com : Fix to handle lib/vtls directory.
+ Regression since c92d2e14cf, shipped in 7.58.0.
- curl_gnv_build_steps.txt : Updated build procedure documentation.
+ Reported-by: Somnath Kundu
- generate_config_vms_h_curl.com :
- * VAX does not support 64 bit ints, so no NTLM support for now.
- * VAX HP SSL port is ancient, needs some help.
- * Disable NGHTTP2 for now, not ported to VMS.
- * Disable UNIX_SOCKETS, not available on VMS yet.
- * HP GSSAPI port does not have gss_nt_service_name.
+ Fixes #2312
+ Closes #2313
+
+- Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy"
- gnv_link_curl.com : Update for new curl structure.
+ This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998.
- pcsi_product_gnv_curl.com : Set up to optionally do a complete build.
+ Reported-by: Jay Satiro
-Marc Hoersken (21 Dec 2014)
-- sockfilt.c: use non-Ex functions that are available before WinXP
+Jay Satiro (15 Feb 2018)
+- non-ascii: fix implicit declaration warning
- It was initially reported by Guenter that GetFileSizeEx
- requires (_WIN32_WINNT >= 0x0500) to be true.
+ Follow-up to b46cfbc.
+
+ Caught by Travis CI.
-- tests: use Cygwin-style paths in SSH, SSHD and SFTP config files
+Daniel Stenberg (15 Feb 2018)
+- travis: add build with iconv enabled
- Second patch to enable Windows support using Cygwin-based OpenSSH.
+ ... to verify it builds and works fine.
- Tested with CopSSH 5.0.0 free edition using an msys shell on Windows 7.
-
-- tests: support spaces in paths to SSH, SSHD and SFTP binaries
+ Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html
- First patch to enable Windows support using Cygwin-based OpenSSH.
+ Closes #1872
-Steve Holme (20 Dec 2014)
-- non-ascii: Reduce variable usage
+- TODO: 18.18 retry on network is unreachable
- Removed 'next' variable in Curl_convert_form(). Rather than setting it
- from 'form->next' and using that to set 'form' after the conversion
- just use 'form = form->next' instead.
+ Closes #1603
-- non-ascii: Prefer while loop rather than a do loop
+- KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy
- This also removes the need to check that the 'form' argument is valid.
+ Closes #1254
-- non-ascii: Reduce variable scope
+Kamil Dudka (15 Feb 2018)
+- nss: use PK11_CreateManagedGenericObject() if available
- As 'result' isn't used out side the conversion callback code and
- previously caused variable shadowing in the libiconv based code.
-
-- non-ascii: We prefer 'CURLcode result'
+ ... so that the memory allocated by applications using libcurl does not
+ grow per each TLS connection.
- This also fixes a variable shadowing issue when HAVE_ICONV is defined
- as rc was declared for the result code of libiconv based functions.
-
-Marc Hoersken (19 Dec 2014)
-- secureserver.pl: clean up formatting of config and fix verbose output
+ Bug: https://bugzilla.redhat.com/1510247
- Verbose output was not matching the actual configuration file,
- because FIPS and Windows conditions were ignored.
+ Closes #2297
-- secureserver.pl: update Windows detection and fix path conversion
+Daniel Stenberg (15 Feb 2018)
+- [Björn Stenberg brought this change]
-- secureserver.pl: make OpenSSL CApath and cert absolute path values
+ TODO fixed: Detect when called from within callbacks
- Recent stunnel versions (5.08) seem to have trouble with relative
- paths on Windows. This turns the relative paths into absolute ones.
+ Closes #2302
-Patrick Monnerat (18 Dec 2014)
-- if2ip: dummy scope parameter for Curl_if2ip() call in SIOCGIFADDR-enabled code.
-
-- [Kyle J. McKay brought this change]
-
- parseurlandfillconn(): fix improper non-numeric scope_id stripping.
- Fixes SF bug 1149: http://sourceforge.net/p/curl/bugs/1449/
-
-- IPV6: address scope != scope id
- There was a confusion between these: this commit tries to disambiguate them.
- - Scope can be computed from the address itself.
- - Scope id is scope dependent: it is currently defined as 1-based local
- interface index for link-local scoped addresses, and as a site index(?) for
- (obsolete) site-local addresses. Linux only supports it for link-local
- addresses.
- The URL parser properly parses a scope id as an interface index, but stores it
- in a field named "scope": confusion. The field has been renamed into "scope_id".
- Curl_if2ip() used the scope id as it was a scope. This caused failures
- to bind to an interface.
- Scope is now computed from the addresses and Curl_if2ip() matches them.
- If redundantly specified in the URL, scope id is check for mismatch with
- the interface index.
+- BINDINGS: fix curb link (and remove ruby-curl-multi)
- This commit should fix SF bug #1451.
+ Reported-by: Klaus Stein
-- connect: singleipconnect(): properly try other address families after failure
+- curl_gssapi: make sure this file too uses our *printf()
-Daniel Stenberg (16 Dec 2014)
-- SFTP: work-around servers that return zero size on STAT
+- libcurl-security.3: separate file:// section
- Bug: http://curl.haxx.se/mail/lib-2014-12/0103.html
- Pathed-by: Marc Renault
+ ... just to make it more apparent. Even if it repeats
+ some pieces of information.
-- glob_next_url: make the loop count upwards
+- libcurl-security.3: the http://192.168.0.1/my_router_config case
- As the former contruct apparently caused a compiler warning, mentioned
- in d8efde07e556c.
+ Mentioned-By: Rich Moore
-- tool_operate: we prefer 'CURLcode result'
+- libcurl-security.3: mention the URL standards problems too
-- tool_urlglob: unify return codes to use CURLcode
+- libcurl-security.3: split out from libcurl-tutorial.3
- There was a mix of GlobCode, CURLcode and ints and they were mostly
- passing around CURLcode errors. This change makes the functions use only
- CURLcode and removes the GlobCode type completely.
-
-- tool_urlglob.c: partly reverse dc19789444
+ To make more accessible.
- The loop in glob_next_url() needs to be done backwards to maintain the
- logic. dc19789444 caused test 1235 to fail.
-
-- KNOWN_BUGS: the SFTP code doesn't support CURLINFO_FILETIME
+ Merged in some new language from "URLs are dangerous things" as discussed on
+ the mailing list a few days ago:
+
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html
-- [Jay Satiro brought this change]
+- RELEASE-NOTES: synced with e551910f8
- opts: Warn CURLOPT_TIMEOUT overrides when set after CURLOPT_TIMEOUT_MS
+Patrick Monnerat (13 Feb 2018)
+- tests: new tests for http raw mode
- Change CURLOPT_TIMEOUT doc to warn that if CURLOPT_TIMEOUT and
- CURLOPT_TIMEOUT_MS are both set whichever one is set last is the one
- that will be used.
+ Test 319 checks proper raw mode data with non-chunked gzip
+ transfer-encoded server data.
+ Test 326 checks raw mode with chunked server data.
- Prior to this change that behavior was only noted in the
- CURLOPT_TIMEOUT_MS doc.
+ Bug: #2303
+ Closes #2308
-Nick Zitzmann (15 Dec 2014)
-- darwinssl: fix incorrect usage of aprintf()
+Kamil Dudka (12 Feb 2018)
+- tlsauthtype.d: works only if libcurl is built with TLS-SRP support
- Commit b13923f changed an snprintf() to use aprintf(), but the API usage
- wasn't correct, and was causing a crash to occur. This fixes it.
-
-Steve Holme (14 Dec 2014)
-- copyright: Updated the copyright year following recent updates
-
-Daniel Stenberg (14 Dec 2014)
-- tool_urlglob.c: reverse two loops
+ Bug: https://bugzilla.redhat.com/1542256
- By counting from 0 and up instead of backwards like before, we remove
- the need for the "funny" check of the unsigned variable when decreased
- passed zero. Easier to read and less risk for compiler warnings.
-
-Marc Hoersken (14 Dec 2014)
-- tool_urlglob.c: Added braces to clarify the conditions
+ Closes #2306
-- tool_urlglob.c: Silence warning C6293: Ill-defined for-loop
+Patrick Monnerat (12 Feb 2018)
+- smtp: fix processing of initial dot in data
- The >= 0 is actually not required, since i underflows and
- the for-loop is stopped using the < condition, but this
- makes the VS2012 compiler and code analysis happy.
-
-- tool_binmode.c: Explicitly ignore the return code of setmode
+ RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command
+ should be taken into account when chasing the <CRLF>.<CRLF> end marker.
+ Thus a leading dot character in data is also subject to escaping.
- Fixes code analysis warning C6031:
- return value ignored: <function> could return unexpected value
-
-- lib: Fixed multiple code analysis warnings if SAL are available
+ Tests 911 and test server are adapted to this situation.
+ New tests 951 and 952 check proper handling of initial dot in data.
- warning C28252: Inconsistent annotation for function:
- parameter has another annotation on this instance
+ Closes #2304
-Steve Holme (14 Dec 2014)
-- smb.c: Fixed code analysis warning
-
- smb.c:320: warning C6297: Arithmetic overflow: 32-bit value is shifted,
- then cast to 64-bit value. Result may not be an expected
- value
+Daniel Stenberg (12 Feb 2018)
+- sha256: avoid redefine
-Marc Hoersken (14 Dec 2014)
-- tool_util.c: Use GetTickCount64 if it is available
+- [Douglas Mencken brought this change]
-Steve Holme (14 Dec 2014)
-- smb: Use HAVE_PROCESS_H for process.h inclusion
+ sha256: build with OpenSSL < 0.9.8 too
- Rather than testing against _WIN32 use the preferred HAVE_PROCESS_H
- pre-processor define when including process.h.
-
-Daniel Stenberg (14 Dec 2014)
-- darwinssl: aprintf() to allocate the session key
+ support for SHA-2 was introduced in OpenSSL 0.9.8
- ... to avoid using a fixed memory size that risks being too large or too
- small.
+ Closes #2305
+
+- [Bruno Grasselli brought this change]
-Marc Hoersken (14 Dec 2014)
-- curl_schannel: Improvements to memory re-allocation strategy
+ README: language fix
- - do not grow memory by doubling its size
- - do not leak previously allocated memory if reallocation fails
- - replace while-loop with a single check to make sure
- that the requested amount of data fits into the buffer
+ s/off/from
- Bug: http://curl.haxx.se/bug/view.cgi?id=1450
- Reported-by: Warren Menzer
+ Closes #2300
-Steve Holme (14 Dec 2014)
-- asyn-ares: We prefer use of 'CURLcode result'
+Patrick Monnerat (12 Feb 2018)
+- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on
+
+ Bug: #2303
+ Reported-By: Henry Roeland
-Marc Hoersken (14 Dec 2014)
-- curl_schannel.c: Data may be available before connection shutdown
+Daniel Stenberg (9 Feb 2018)
+- get_posix_time: only check for overflows if they can happen!
-Steve Holme (14 Dec 2014)
-- http2: Use 'CURLcode result' for curl result codes
+Michael Kaufmann (9 Feb 2018)
+- schannel: fix "no previous prototype" compiler warning
-- asyn-thread: We prefer 'CURLcode result'
+Jay Satiro (9 Feb 2018)
+- [Mohammad AlSaleh brought this change]
-- smb: Fixed unnecessary initialisation of struct member variables
+ content_encoding: Add "none" alias to "identity"
- There is no need to set the 'state' and 'result' member variables to
- SMB_REQUESTING (0) and CURLE_OK (0) after the allocation via calloc()
- as calloc() initialises the contents to zero.
-
-- ntlm: Fixed return code for bad type-2 Target Info
+ Some servers return a "content-encoding" header with a non-standard
+ "none" value.
- Use CURLE_BAD_CONTENT_ENCODING for bad type-2 Target Info security
- buffers just like we do for bad decodes.
-
-- ntlm: Remove unnecessary casts in readshort_le()
+ Add "none" as an alias to "identity" as a work-around, to avoid
+ unrecognised content encoding type errors.
- I don't think both of my fix ups from yesterday were needed to fix the
- compilation warning, so remove the one that I think is unnecessary and
- let the next Android autobuild prove/disprove it.
-
-- curl_ntlm_msgs.c: Another attempt to fix compilation warning
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
- curl_ntlm_msgs.c:170: warning: conversion to 'short unsigned int' from
- 'int' may alter its value
+ Closes https://github.com/curl/curl/pull/2298
-Guenter Knauf (13 Dec 2014)
-- synctime.c: added own user-agent string.
+Steve Holme (8 Feb 2018)
+- build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output
-Steve Holme (13 Dec 2014)
-- smb.c: Fixed line longer than 79 columns
+- build-openssl.bat: Fixed incorrect move if destination build folder exists
-- curl_ntlm_msgs.c: Fixed compilation warning from commit 783b5c3b11
+Michael Kaufmann (8 Feb 2018)
+- schannel: fix compiler warnings
- curl_ntlm_msgs.c:169: warning: conversion to 'short unsigned int' from
- 'int' may alter its value
+ Closes #2296
-Guenter Knauf (13 Dec 2014)
-- mk-ca-bundle.pl: restored forced run again.
-
-- synctime.c: removed another timeserver URL.
+Steve Holme (7 Feb 2018)
+- curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows
- worldtimeserver.com seems also no longer available.
-
-- synctime.c: fixed timeserver URLs.
+ Windows 10.0.17061 SDK introduces support for Unix Domain Sockets.
+ Added the necessary include file to curl_addrinfo.c.
- For getting the date header its not necessary to access special
- pages or even CGI scripts - all pages including the main index
- reply with the date header, therefore shortened URLs to domain.
- Removed worldtime.com; added pool.ntp.org.
+ Note: The SDK (which is considered beta) has to be installed, VS 2017
+ project file has to be re-targeted for Windows 10.0.17061 and #define
+ enabled in config-win32.h.
-Steve Holme (13 Dec 2014)
-- ftp.c: Fixed compilation warning when no verbose string support
+Patrick Monnerat (7 Feb 2018)
+- fnmatch: optimize processing of consecutive *s and ?s pattern characters
- ftp.c:819: warning: unused parameter 'lineno'
+ Reported-By: Daniel Stenberg
+ Fixes #2291
+ Closes #2293
-- smb: Added state change functions to assist with debugging
+Steve Holme (6 Feb 2018)
+- build-openssl.bat/build-wolfssl.bat: Build platform is optional
- For debugging purposes, and as per other protocols within curl, added
- state change functions rather than changing the states directly.
-
-- ntlm: Use short integer when decoding 16-bit values
+ Whilst the compiler parameter is mandatory, platform is optional as it
+ is automatically calculated by the :configure section.
+
+ This partially reverts commit 6d62d2c55d.
-- RELEASE-NOTES: Synced with 6291a16b20
+Daniel Stenberg (6 Feb 2018)
+- [Patrick Schlangen brought this change]
-- smtp.c: Fixed compilation warnings
+ openssl: Don't add verify locations when verifypeer==0
- smtp.c:2357 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
- smtp.c:2375 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
- smtp.c:2386 warning: adding 'size_t' (aka 'unsigned long') to a string
- does not append to the string
+ When peer verification is disabled, calling
+ SSL_CTX_load_verify_locations is not necessary. Only call it when
+ verification is enabled to save resources and increase performance.
- Used array index notation instead.
+ Closes #2290
-- smb: Disable SMB when 64-bit integers are not supported
+Steve Holme (5 Feb 2018)
+- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
- This fixes compilation issues with compilers that don't support 64-bit
- integers through long long or __int64.
+ ...and not just the Community Edition.
-- ntlm: Disable NTLM v2 when 64-bit integers are not supported
+- build-openssl.bat: Extend VC15 support to include Enterprise and Professional
- This fixes compilation issues with compilers that don't support 64-bit
- integers through long long or __int64 which was introduced in commit
- 07b66cbfa4.
+ ...and not just the Community Edition.
-- ntlm: Allow NTLM2Session messages when USE_NTRESPONSES manually defined
+Michael Kaufmann (5 Feb 2018)
+- time-cond: fix reading the file modification time on Windows
- Previously USE_NTLM2SESSION would only be defined automatically when
- USE_NTRESPONSES wasn't already defined. Separated the two definitions
- so that the user can manually set USE_NTRESPONSES themselves but
- USE_NTLM2SESSION is defined automatically if they don't define it.
-
-- smtp.c: Fixed line longer than 79 columns
-
-- config-win32.h: Don't enable Windows Crypt API if using OpenSSL
+ On Windows, stat() may adjust the unix file time by a daylight saving time
+ offset. Avoid this by calling GetFileTime() instead.
- As the OpenSSL and NSS Crypto engines are prefered by the core NTLM
- routines, to the Windows Crypt API, don't define USE_WIN32_CRYPT
- automatically when either OpenSSL or NSS are in use - doing so would
- disable NTLM2Session responses in NTLM type-3 messages.
+ Fixes #2164
+ Closes #2204
-- smtp: Fixed inappropriate free of the scratch buffer
+Daniel Stenberg (5 Feb 2018)
+- formdata: use the mime-content type function
- If the scratch buffer was allocated in a previous call to
- Curl_smtp_escape_eob(), a new buffer not allocated in the subsequent
- call and no action taken by that call, then an attempt would be made to
- try and free the buffer which, by now, would be part of the data->state
- structure.
+ Reduce code duplication by making Curl_mime_contenttype available and
+ used by the formdata function. This also makes the formdata function
+ recognize a set of more file extensions by default.
- This bug was introduced in commit 4bd860a001.
+ PR #2280 brought this to my attention.
+
+ Closes #2282
-- smtp: Fixed dot stuffing when EOL characters were at end of input buffers
+- getdate: return -1 for out of range
- Fixed a problem with the CRLF. detection when multiple buffers were
- used to upload an email to libcurl and the line ending character(s)
- appeared at the end of each buffer. This meant any lines which started
- with . would not be escaped into .. and could be interpreted as the end
- of transmission string instead.
+ ...as that's how the function is documented to work.
- This only affected libcurl based applications that used a read function
- and wasn't reproducible with the curl command-line tool.
+ Reported-by: Michael Kaufmann
+ Bug found in an autobuild with 32 bit time_t
- Bug: http://curl.haxx.se/bug/view.cgi?id=1456
- Assisted-by: Patrick Monnerat
+ Closes #2278
-Daniel Stenberg (11 Dec 2014)
-- telnet: fix "cast increases required alignment of target type"
+- [Ben Greear brought this change]
-- ntlm_wb_response: fix "statement not reached"
-
- ... and I could use a break instead of a goto to end the loop.
+ build: fix termios issue on android cross-compile
- Bug: http://curl.haxx.se/mail/lib-2014-12/0089.html
- Reported-by: Tor Arntsen
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html
+ Signed-off-by: Ben Greear <greearb@candelatech.com>
-Steve Holme (10 Dec 2014)
-- RELEASE-NOTES: Synced with 1cc5194337
+- time_t-fixes: remove typecasts to 'long' for info.filetime
- Added some bug fixes that I had missed in previous synchronisations.
+ They're now wrong.
+
+ Reported-by: Michael Kaufmann
+
+ Closes #2277
-Daniel Stenberg (10 Dec 2014)
-- Curl_unix2addr: avoid using the variable name 'sun'
+- curl_setup: move the precautionary define of SIZEOF_TIME_T
- I suspect this causes compile failures on Solaris:
+ ... up to before it may be used for the TIME_T_MAX/MIN logic.
- Bug: http://curl.haxx.se/mail/lib-2014-12/0081.html
+ Reported-by: Michael Kaufmann
-Steve Holme (10 Dec 2014)
-- url.c: Fixed compilation warning when USE_NTLM is not defined
+- parsedate: s/#if/#ifdef
- url.c:3078: warning: variable 'credentialsMatch' set but not used
+ Reported-by: Michael Kaufmann
+ Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479
-- parsedate.c: Fixed compilation warning
+Patrick Monnerat (31 Jan 2018)
+- fnmatch: pattern syntax can no longer fail
- parsedate.c:548: warning: 'parsed' may be used uninitialized in this
- function
+ Whenever an expected pattern syntax rule cannot be matched, the
+ character starting the rule loses its special meaning and the parsing
+ is resumed:
+ - backslash at the end of pattern string matches itself.
+ - Error in [:keyword:] results in set containing :\[dekorwy.
- As curl_getdate() returns -1 when parsedate() fails we can initialise
- parsed to -1.
-
-Daniel Stenberg (10 Dec 2014)
-- TODO: Cache negative name resolves
+ Unit test 1307 updated for this new situation.
- Worth exploring
+ Closes #2273
-- ldap: check Curl_client_write() return codes
+- fnmatch: accept an alphanum to be followed by a non-alphanum in char set
+
+ Also be more tolerant about set pattern syntax.
+ Update unit test 1307 accordingly.
- There might be one or two memory leaks left in the error paths.
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html
-- ldap: rename variables to comply to curl standards
+- fnmatch: do not match the empty string with a character set
-Dan Fandrich (10 Dec 2014)
-- sws.c: Fixed 'rc' may be used uninitialized warning
+Jay Satiro (30 Jan 2018)
+- build: fix windows build methods for curl_ctype.c
+
+ - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as
+ curlx files since they are required by both src and lib.
+
+ Follow-up to 4272a0b which added curl_ctype.
-- cookies: Improved OOM handling in cookies
+Daniel Stenberg (30 Jan 2018)
+- progress-bar.d: update to match implementation
+
+ ... since commit 993dd5651a6
+
+ Reported-by: Martin Dreher
+ Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228
- This fixes the test 506 torture test. The internal cookie API really
- ought to be improved to separate cookie parsing errors (which may be
- ignored) with OOM errors (which should be fatal).
+ Closes #2271
-Guenter Knauf (9 Dec 2014)
-- synctime.c: fixed user-agent setting.
+- http2: set DEBUG_HTTP2 to enable more HTTP/2 logging
- Some websites meanwhile refuse to reply to requests from ancient
- browsers like IE6, therefore I've comment out this setting, but
- also fixed the string to now fake IE8 if someone enables it.
+ ... instead of doing it unconditionally in debug builds. It cluttered up
+ the output a little too much.
-Daniel Stenberg (9 Dec 2014)
-- smb: fix unused return code warning
+- [Max Dymond brought this change]
-Patrick Monnerat (9 Dec 2014)
-- Curl_client_write() & al.: chop long data, convert data only once.
+ file: Check the return code from Curl_range and bail out on error
-Guenter Knauf (9 Dec 2014)
-- VC build: added sspi define for winssl-zlib builds.
+- [Max Dymond brought this change]
-Daniel Stenberg (9 Dec 2014)
-- schannel_recv: return the correct code
+ Curl_range: add check to ensure "from <= to"
+
+- [Max Dymond brought this change]
+
+ Curl_range: commonize FTP and FILE range handling
- Bug: http://curl.haxx.se/bug/view.cgi?id=1462
- Reported-by: Tae Hyoung Ahn
+ Closes #2205
-- http2: avoid logging neg "failure" if h2 was not requested
+- RELEASE-NOTES: synced with 811beab9f
-- openldap: do not ignore Curl_client_write() return codes
+- curlver: next release will be 7.59.0
-- compile: warn on unused return code from Curl_client_write()
+- [Michał Janiszewski brought this change]
-Patrick Monnerat (8 Dec 2014)
-- SMB: Fix a data size mismatch that broke SMB on big-endian platforms
+ curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
+
+ Closes #2275
-Steve Holme (7 Dec 2014)
-- smb: Fixed Windows autoconf builds following commit eb88d778e7
+- time: support > year 2038 time stamps for system with 32bit long
- As Windows based autoconf builds don't yet define USE_WIN32_CRYPTO
- either explicitly through --enable-win32-cypto or automatically on
- _WIN32 based platforms, subsequent builds broke with the following
- error message:
+ ... with the introduction of CURLOPT_TIMEVALUE_LARGE and
+ CURLINFO_FILETIME_T.
- "Can't compile NTLM support without a crypto library."
-
-- RELEASE-NOTES: Synced with 526603ff05
+ Fixes #2238
+ Closes #2264
-- [Bill Nagel brought this change]
-
- smb: Build with SSPI enabled
+- curl_easy_reset: clear digest auth state
- Build SMB/CIFS protocol support when SSPI is enabled.
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html
+ Reported-by: Ruurd Beerstra
+ Fixes #2255
+ Closes #2272
-- [Bill Nagel brought this change]
+- [Adam Marcionek brought this change]
- ntlm: Use Windows Crypt API
+ winbuild: make linker generate proper PDB
- Allow the use of the Windows Crypt API for NTLMv1 functions.
-
-Dan Fandrich (7 Dec 2014)
-- cookie.c: Refactored cleanup code to simplify
+ Link.exe requires /DEBUG to properly generate a full pdb file on release
+ builds.
- Also, fixed the outdated comments on the cookie API.
+ Closes #2274
-- get_url_file_name: Fixed crash on OOM on debug build
+- curl: add --proxy-pinnedpubkey
- This caused a null-pointer dereference which caused a few dozen
- torture tests to fail.
-
-Steve Holme (6 Dec 2014)
-- sws.c: Fixed compilation warning
+ To verify a proxy's public key. For when using HTTPS proxies.
- sws.c:2191 warning: 'rc' may be used uninitialized in this function
+ Fixes #2192
+ Closes #2268
-- ftp.c: Fixed compilation warnings when proxy support disabled
+- configure: set PATH_SEPARATOR to colon for PATH w/o separator
+
+ The logic tries to figure out what the path separator in the $PATH
+ variable is, but if there's only one directory in the $PATH it
+ fails. This change make configure *guess* on colon instead of erroring
+ out, simply because that is probably the more common character.
- ftp.c:1827 warning: unused parameter 'newhost'
- ftp.c:1827 warning: unused parameter 'newport'
+ PATH_SEPARATOR can always be set by the user to override the guessing.
+
+ (tricky bug to reproduce, as in my case for example the configure script
+ requires binaries in more than one directory so passing in a PATH with a
+ single dir fails.)
+
+ Reported-by: Earnestly on github
+ Fixes #2202
+ Closes #2265
-- smb: Fixed a problem with large file transfers
+- curl_ctype: private is*() type macros and functions
- Fixed an issue with the message size calculation where the raw bytes
- from the buffer were interpreted as signed values rather than unsigned
- values.
+ ... since the libc provided one are locale dependent in a way we don't
+ want. Also, the "native" isalnum() (for example) works differently on
+ different platforms which caused test 1307 failures on macos only.
- Reported-by: Gisle Vanem
- Assisted-by: Bill Nagel
+ Closes #2269
-- smb: Moved the URL decoding into a separate function
+Marcel Raad (29 Jan 2018)
+- build: open VC15 projects with VS 2017
+
+ Previously, they were opened with Visual Studio 2015 by default, which
+ cannot build them.
-- smb: Fixed URL encoded URLs not working
+Daniel Stenberg (29 Jan 2018)
+- RELEASE-NOTES: synced with 094647fca
-- Makefile.inc: Added our standard header and updated file formatting
+- TODO: UTF-8 filenames in Content-Disposition
+
+ Closes #1888
-- Makefile.inc: Updated file formatting
+- KNOWN_BUGS: DICT responses show the underlying protocol
- Aligned continuation character and used space as the separator
- character as per other makefile files.
+ Closes #1809
+
+Jay Satiro (27 Jan 2018)
+- [Alessandro Ghedini brought this change]
-- curl_md4.h: Updated copyright year following recent edit
+ docs: fix typos in man pages
- ...and minor layout adjustment.
+ Closes https://github.com/curl/curl/pull/2266
-Patrick Monnerat (5 Dec 2014)
-- SMB: Fix big endian problems. Make it OS/400 aware.
+Patrick Monnerat (26 Jan 2018)
+- lib555: drop text conversion and encode data as ascii codes
+
+ If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs,
+ giving a result that is different from what is expected.
+ This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data
+ to upload in ascii.
+
+ Bug: https://github.com/curl/curl/pull/1872
-- OS400: enable NTLM authentication
+Daniel Stenberg (26 Jan 2018)
+- lib517: make variable static to avoid compiler warning
+
+ ... with clang on macos
-Steve Holme (5 Dec 2014)
-- multi.c: Fixed compilation warning
+Patrick Monnerat (26 Jan 2018)
+- lib544: sync ascii code data with textual data
+
+ Data mismatch caused test 545 to fail when character encoding
+ conversion is enabled.
- multi.c:2695: warning: declaration of `exp' shadows a global declaration
+ Bug: https://github.com/curl/curl/pull/1872
-Guenter Knauf (5 Dec 2014)
-- build: updated dependencies in makefiles.
+Daniel Stenberg (25 Jan 2018)
+- [Travis Burtrum brought this change]
-Steve Holme (5 Dec 2014)
-- sasl: Corrected formatting of function descriptions
+ GSKit: restore pinnedpubkey functionality
+
+ inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37
+
+ Closes #2263
-- sasl_gssapi: Added missing function description
+- [Dair Grant brought this change]
-- RELEASE-NOTES: Provided better descriptions
+ darwinssl: Don't import client certificates into Keychain on macOS
- As it is often difficult to choose the best description for a single
- feature when it spans many commits, updated the descriptions for the
- recent SMB/CIFS protocol and GSS-API additions.
+ Closes #2085
-- sasl_sspi: Corrected some typos
+- configure: fix the check for unsigned time_t
+
+ Assign the time_t variable negative value and then check if it is
+ greater than zero, which will evaluate true for unsigned time_t but
+ false for signed time_t.
-- sasl_sspi: Don't use hard coded sizes in Kerberos V5 security data
+- parsedate: fix date parsing for systems with 32 bit long
+
+ Make curl_getdate() handle dates before 1970 as well (returning negative
+ values).
- Don't use a hard coded size of 4 for the security layer and buffer size
- in Curl_sasl_create_gssapi_security_message(), instead, use sizeof() as
- we have done in the sasl_gssapi module.
+ Make test 517 test dates for 64 bit time_t.
+
+ This fixes bug (3) mentioned in #2238
+
+ Closes #2250
-- sasl_sspi: Free the Kerberos V5 challenge as soon as we're done with it
+- [McDonough, Tim brought this change]
+
+ openssl: fix pinned public key build error in FIPS mode
+
+ Here is a version that should work with all versions of openssl 0.9.7
+ through 1.1.0.
- Reduced the amount of free's required for the decoded challenge message
- in Curl_sasl_create_gssapi_security_message() as a result of coding it
- differently in the sasl_gssapi module.
+ Links to the docs:
+ https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html
+ https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html
+
+ At the very bottom of the 1.1.0 documentation there is a history section
+ that states, " stack allocated EVP_MD_CTXs are no longer supported."
+
+ If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a
+ simple mapping can be used as described here:
+ https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes
+
+ Closes #2258
-- gssapi: Corrected typo in comments
+- [Travis Burtrum brought this change]
-- sasl_gssapi: Added body to Curl_sasl_create_gssapi_security_message()
+ SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum
-Daniel Stenberg (4 Dec 2014)
-- [Stefan Bühler brought this change]
+- [Travis Burtrum brought this change]
- http_perhapsrewind: don't abort CONNECT requests
+ SChannel/WinSSL: Implement public key pinning
- ...they never have a body
+ Closes #1429
-- [Stefan Bühler brought this change]
+- bump: towards 7.58.1
- HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a request
+- cookies: remove verbose "cookie size:" output
- Sending NTLM/Negotiate header again after successful authentication
- breaks the connection with certain Proxies and request types (POST to MS
- Forefront).
+ It was once used for some debugging/verifying logic but should never have
+ ended up in git!
+
+- TODO: hardcode the "localhost" addresses
-- [Stefan Bühler brought this change]
+- TODO: CURL_REFUSE_CLEARTEXT
+
+ An idea that popped up in discussions on twitter.
- HTTP: don't abort connections with pending Negotiate authentication
+- progress-bar: don't use stderr explicitly, use bar->out
- ... similarly to how NTLM works as Negotiate is in fact often NTLM with
- another name.
+ Reported-By: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080
-- [Stefan Bühler brought this change]
+GitHub (24 Jan 2018)
+- [Gisle Vanem brought this change]
- fix gdb libtool invocation path
+ Fixes for MSDOS etc.
+
+ djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not
+ But djgpp seems the only choice for MSDOS anyway.
+
+ PellesC do have a 'F_OK' defined in it's <unistd.h>.
+
+ Update year in Copyright.
-Steve Holme (4 Dec 2014)
-- sasl_gssapi: Fixed missing include from commit d3cca934ee
+- [Gisle Vanem brought this change]
-Daniel Stenberg (4 Dec 2014)
-- [Jay Satiro brought this change]
+ Fix small typo.
- examples: remove sony.com from 10-at-a-time
-
- Prior to this change the 10-at-a-time example showed CURLE_RECV_ERROR
- for the sony website because it ends the connection when the request is
- missing a user agent.
+Version 7.58.0 (23 Jan 2018)
-Steve Holme (4 Dec 2014)
-- sasl_gssapi: Fixed missing decoding debug failure message
+Daniel Stenberg (23 Jan 2018)
+- RELEASE: 7.58.0
-- sasl_gssapi: Fixed honouring of no mutual authentication
+- [Gisle Vanem brought this change]
-- sasl_sspi: Added more Kerberos V5 decoding debug failure messages
+ progress-bar: get screen width on windows
-Daniel Stenberg (4 Dec 2014)
-- [Anthon Pang brought this change]
+- test1454: --connect-to with IPv6 address w/o IPv6 support!
- docs: Fix FAILONERROR typos
+- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
- It returns error for >= 400 HTTP responses.
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html
+ Reported-by: John Hascall
- Bug: https://github.com/bagder/curl/pull/129
+ Closes #2257
-- [Peter Wu brought this change]
+- docs: fix man page syntax to make test 1140 OK again
- tool: fix CURLOPT_UNIX_SOCKET_PATH in --libcurl output
+- http: prevent custom Authorization headers in redirects
- Mark CURLOPT_UNIX_SOCKET_PATH as string to ensure that it ends up as
- option in the file generated by --libcurl.
+ ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+ curl already handles Authorization headers created internally.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
+ Note: this changes behavior slightly, for the sake of reducing mistakes.
+
+ Added test 317 and 318 to verify.
+
+ Reported-by: Craig de Stigter
+ Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
- opts: fix CURLOPT_UNIX_SOCKET_PATH formatting
+- curl: progress bar refresh, get width using ioctl()
- Add .nf and .fi such that the code gets wrapped in a pre on the web.
- Fixed grammar, fixed formatting of the "See also" items.
+ Get screen width from the environment variable COLUMNS first, if set. If
+ not, use ioctl(). If nether works, assume 79.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #2242
+
+ The "refresh" is for the -# output when no total transfer size is
+ known. It will now only use a single updated line even for this case:
+
+ The "-=O=-" ship moves when data is transferred. The four flying
+ "hashes" move (on a sine wave) on each refresh, independent of data.
-Patrick Monnerat (4 Dec 2014)
-- OS400: enable Unix sockets.
+- RELEASE-NOTES: synced with bb0ffcc36
-Daniel Stenberg (3 Dec 2014)
-- RELEASE-NOTES: synced with b216427e73b5e9
+- libcurl-env.3: first take
-- opts: added CURLOPT_UNIX_SOCKET_PATH to Makefile.am
+- TODO: two possible name resolver improvements
-- updateconninfo: clear destination struct before getsockname()
-
- Otherwise we may read uninitialized bytes later in the unix-domain
- sockets case.
+- [Kartik Mahajan brought this change]
-- curl.1: added --unix-socket
+ http2: don't close connection when single transfer is stopped
+
+ Fixes #2237
+ Closes #2249
-- [Peter Wu brought this change]
+- test558: fix for multissl builds
+
+ vtls.c:multissl_init() might do a curl_free() call so strip that out to
+ make this work with more builds. We just want to verify that
+ memorytracking works so skipping one line is no harm.
- tool: add --unix-socket option
+- examples/url2file.c: add missing curl_global_cleanup() call
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reported-by: XhstormR on github
+ Fixes #2245
-- [Peter Wu brought this change]
+- [Michael Gmelin brought this change]
- libcurl: add UNIX domain sockets support
+ SSH: Fix state machine for ssh-agent authentication
+
+ In case an identity didn't match[0], the state machine would fail in
+ state SSH_AUTH_AGENT instead of progressing to the next identity in
+ ssh-agent. As a result, ssh-agent authentication only worked if the
+ identity required happened to be the first added to ssh-agent.
- The ability to do HTTP requests over a UNIX domain socket has been
- requested before, in Apr 2008 [0][1] and Sep 2010 [2]. While a
- discussion happened, no patch seems to get through. I decided to give it
- a go since I need to test a nginx HTTP server which listens on a UNIX
- domain socket.
+ This was introduced as part of commit c4eb10e2f06fbd6cc904f1d78e4, which
+ stated that the "else" statement was required to prevent getting stuck
+ in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's
+ interface I couldn't see how this could happen or reproduce it and I
+ also couldn't find a more detailed description of the problem which
+ would explain a test case to reproduce the problem this was supposed to
+ fix.
- One patch [3] seems to make it possible to use the
- CURLOPT_OPENSOCKETFUNCTION function to gain a UNIX domain socket.
- Another person wrote a Go program which can do HTTP over a UNIX socket
- for Docker[4] which uses a special URL scheme (though the name contains
- cURL, it has no relation to the cURL library).
+ [0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED
- This patch considers support for UNIX domain sockets at the same level
- as HTTP proxies / IPv6, it acts as an intermediate socket provider and
- not as a separate protocol. Since this feature affects network
- operations, a new feature flag was added ("unix-sockets") with a
- corresponding CURL_VERSION_UNIX_SOCKETS macro.
+ Closes #2248
+
+- openssl: fix potential memory leak in SSLKEYLOGFILE logic
- A new CURLOPT_UNIX_SOCKET_PATH option is added and documented. This
- option enables UNIX domain sockets support for all requests on the
- handle (replacing IP sockets and skipping proxies).
+ Coverity CID 1427646.
+
+- openssl: fix the libressl build again
- A new configure option (--enable-unix-sockets) and CMake option
- (ENABLE_UNIX_SOCKETS) can disable this optional feature. Note that I
- deliberately did not mark this feature as advanced, this is a
- feature/component that should easily be available.
+ Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is
+ late OpenSSL version...
- [0]: http://curl.haxx.se/mail/lib-2008-04/0279.html
- [1]: http://daniel.haxx.se/blog/2008/04/14/http-over-unix-domain-sockets/
- [2]: http://sourceforge.net/p/curl/feature-requests/53/
- [3]: http://curl.haxx.se/mail/lib-2008-04/0361.html
- [4]: https://github.com/Soulou/curl-unix-socket
+ Fixes #2246
+ Closes #2247
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reported-by: jungle-boogie on github
-- [Peter Wu brought this change]
+- unit1307: test many wildcards too
- tests: add two HTTP over UNIX socket tests
+- curl_fnmatch: only allow 5 '*' sections in a single pattern
- test1435: a simple test that checks whether a HTTP request can be
- performed over the UNIX socket. The hostname/port are interpreted
- by sws and should be ignored by cURL.
+ ... to avoid excessive recursive calls. The number 5 is totally
+ arbitrary and could be modified if someone has a good motivation.
+
+- ftp-wildcard: fix matching an empty string with "*[^a]"
- test1436: test for the ability to do two requests to the same host,
- interleaved with one to a different hostname.
+ .... and avoid advancing the pointer to trigger an out of buffer read.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251
+ Assisted-by: Max Dymond
- tests: add HTTP UNIX socket server testing support
+- SMB: fix numeric constant suffix and variable types
- The variable `$ipvnum` can now contain "unix" besides the integers 4
- and 6 since the variable. Functions which receive this parameter
- have their `$port` parameter renamed to `$port_or_path` to support a
- path to the UNIX domain socket (as a "port" is only meaningful for TCP).
+ 1. don't use "ULL" suffix since unsupported in older MSVC
+ 2. use curl_off_t instead of custom long long ifdefs
+ 3. make get_posix_time() not do unaligned data access
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Fixes #2211
+ Closes #2240
+ Reported-by: Chester Liu
-- [Peter Wu brought this change]
+- [rouzier brought this change]
+
+ CURLOPT_TCP_NODELAY.3: fix typo
+
+ Closes #2239
- sws: try to remove socket and retry bind
+- smtp/pop3/imap_get_message: decrease the data length too...
- If sws is killed it might leave a stale socket file on the filesystem
- which would cause an EADDRINUSE error. After this patch, it is checked
- whether the socket is really stale and if so, the socket file gets
- removed and another bind is executed.
+ Follow-up commit to 615edc1f73 which was incomplete.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Assisted-by: Max Dymond
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206
-- [Peter Wu brought this change]
+- openssl: enable SSLKEYLOGFILE support by default
+
+ Fixes #2210
+ Closes #2236
- sws: add UNIX domain socket support
+Patrick Monnerat (14 Jan 2018)
+- mime: clone mime tree upon easy handle duplication.
- This extends sws with a --unix-socket option which causes the port to
- be ignored (as the server now listens on the path specified by
- --unix-socket). This feature will be available in the following patch
- that enables checking for UNIX domain socket support.
+ A mime tree attached to an easy handle using CURLOPT_MIMEPOST is
+ strongly bound to the handle: there is a pointer to the easy handle in
+ each item of the mime tree and following the parent pointer list
+ of mime items ends in a dummy part stored within the handle.
- Proxy support (CONNECT) is not considered nor tested. It does not make
- sense anyway, first connecting through a TCP proxy, then let that TCP
- proxy connect to a UNIX socket.
+ Because of this binding, a mime tree cannot be shared between different
+ easy handles, thus it needs to be cloned upon easy handle duplication.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
-
- sws: restrict TCP_NODELAY to IP sockets
+ There is no way for the caller to get the duplicated mime tree
+ handle: it is then set to be automatically destroyed upon freeing the
+ new easy handle.
+
+ New test 654 checks proper mime structure duplication/release.
- TCP_NODELAY does not make sense for Unix sockets, so enable it only if
- the socket is using IP.
+ Add a warning note in curl_mime_data_cb() documentation about sharing
+ user data between duplicated handles.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #2235
-Dan Fandrich (3 Dec 2014)
-- [Dave Reisner brought this change]
+- docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
- curl.1: fix trivial typo
+Daniel Stenberg (13 Jan 2018)
+- test395: HTTP with overflow Content-Length value
-Steve Holme (3 Dec 2014)
-- sasl_gssapi: Added body to Curl_sasl_create_gssapi_user_message()
+- test394: verify abort of rubbish in Content-Length: value
-- sasl_gssapi: Added body to Curl_sasl_gssapi_cleanup()
+- test393: verify --max-filesize with excessive Content-Length
-- sasl_gssapi: Added Curl_sasl_build_gssapi_spn() function
+- HTTP: bail out on negative Content-Length: values
- Added helper function for returning a GSS-API compatible SPN.
-
-Daniel Stenberg (3 Dec 2014)
-- NSS: enable the CAPATH option
+ ... and make the max filesize check trigger if the value is too big.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1457
- Patch-by: Tomasz Kojm
-
-Steve Holme (3 Dec 2014)
-- sasl_gssapi: Enable USE_KERBEROS5 for GSS-API based builds
+ Updates test 178.
+
+ Reported-by: Brad Spencer
+ Fixes #2212
+ Closes #2223
-- sasl_gssapi: Added GSS-API based Kerberos V5 variables
+Marcel Raad (13 Jan 2018)
+- [Dan Johnson brought this change]
-- sws.c: Fixed compilation warning when IPv6 is disabled
+ configure.ac: append extra linker flags instead of prepending them.
- sws.c:69: warning: comma at end of enumerator list
-
-- sasl_gssapi: Made log_gss_error() a common GSS-API function
+ Link order should list libraries after the libraries that use them,
+ so when we're guessing that we might also need to add -ldl in order
+ to use -lssl, we should add -ldl after -lssl.
- Made log_gss_error() a common function so that it can be used in both
- the http_negotiate code as well as the curl_sasl_gssapi code.
+ Closes https://github.com/curl/curl/pull/2234
-- sasl_gssapi: Introduced GSS-API based SASL module
-
- Added the initial version of curl_sasl_gssapi.c and updated the project
- files in preparation for adding GSS-API based Kerberos V5 support.
+Daniel Stenberg (13 Jan 2018)
+- RELEASE-NOTES: synced with 6fa10c8fa
-- smb: Don't try to connect with empty credentials
+Jay Satiro (13 Jan 2018)
+- setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
- On some platforms curl would crash if no credentials were used. As such
- added detection of such a use case to prevent this from happening.
+ Broken since f121575 (precedes 7.56.1).
- Reported-by: Gisle Vanem
-
-- smb.c: Coding policing of pointer usage
-
-- configure: Fixed inclusion of SMB when no crypto engines available
-
-Guenter Knauf (1 Dec 2014)
-- build: in Makefile.m32 simplified autodetection.
-
-Daniel Stenberg (30 Nov 2014)
-- [Peter Wu brought this change]
-
- sws: move away from IPv4/IPv4-only assumption
+ Bug: https://github.com/curl/curl/issues/2225
+ Reported-by: cmfrolick@users.noreply.github.com
- Instead of depending the socket domain type on use_ipv6, specify the
- domain type (AF_INET / AF_INET6) as variable. An enum is used here with
- switch to avoid compiler warnings in connect_to, complaining that rc
- is possibly undefined (which is not possible as socket_domain is
- always set).
+ Closes https://github.com/curl/curl/pull/2227
+
+Patrick Monnerat (13 Jan 2018)
+- setopt: reintroduce non-static Curl_vsetopt() for OS400 support
- Besides abstracting the socket type, make the debugging messages be
- independent on IP (introduce location_str which points to "port XXXXX").
- Rename "ipv_inuse" to "socket_type" and tighten the scope (main).
+ This also upgrades ILE/RPG bindings with latest setopt options.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reported-By: jonrumsey on github
+ Fixes #2230
+ Closes #2233
-- [Peter Wu brought this change]
+Jay Satiro (11 Jan 2018)
+- [Zhouyihai Ding brought this change]
- lib/connect: restrict IP/TCP options to said sockets
+ http2: fix incorrect trailer buffer size
- This patch prepares for adding UNIX domain sockets support.
+ Prior to this change the stored byte count of each trailer was
+ miscalculated and 1 less than required. It appears any trailer
+ after the first that was passed to Curl_client_write would be truncated
+ or corrupted as well as the size. Potentially the size of some
+ subsequent trailer could be erroneously extracted from the contents of
+ that trailer, and since that size is used by client write an
+ out-of-bounds read could occur and cause a crash or be otherwise
+ processed by client write.
- TCP_NODELAY and TCP_KEEPALIVE are specific to TCP/IP sockets, so do not
- apply these to other socket types. bindlocal only works for IP sockets
- (independent of TCP/UDP), so filter that out too for other types.
+ The bug appears to have been born in 0761a51 (precedes 7.49.0).
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes https://github.com/curl/curl/pull/2231
-- smb.c: use size_t as input argument types for msg sizes
-
- This fixes warnings about conversions to int
+- [Basuke Suzuki brought this change]
-Steve Holme (30 Nov 2014)
-- version: The next release will become 7.40.0
+ easy: fix connection ownership in curl_easy_pause
+
+ Before calling Curl_client_chop_write(), change the owner of connection
+ to the current Curl_easy handle. This will fix the issue #2217.
+
+ Fixes https://github.com/curl/curl/issues/2217
+ Closes https://github.com/curl/curl/pull/2221
-- [Bill Nagel brought this change]
+Daniel Stenberg (9 Jan 2018)
+- [Dimitrios Apostolou brought this change]
- docs: Updated for the SMB protocol
+ system.h: Additionally check __LONG_MAX__ for defining curl_off_t
- This patch updates the documentation for the SMB/CIFS protocol.
-
-- curl tool: Exclude SMB from the protocol redirect
+ __SIZEOF_LONG__ was introduced in GCC 4.4, __LONG_MAX__ was introduced
+ in GCC 3.3.
- As local files could be accessed through \\localhost\c$.
+ Closes #2216
-- [Bill Nagel brought this change]
+- COPYING: it's 2018!
- curl tool: Enable support for the SMB protocol
+- progress: calculate transfer speed on milliseconds if possible
- This patch enables SMB/CIFS support in the curl command-line tool.
-
-- smb.c: Fixed compilation warnings
+ to increase accuracy for quick transfers
- smb.c:398: warning: comparison of integers of different signs:
- 'ssize_t' (aka 'long') and 'unsigned long'
- smb.c:443: warning: comparison of integers of different signs:
- 'ssize_t' (aka 'long') and 'unsigned long'
+ Fixes #2200
+ Closes #2206
-- libcurl: Exclude SMB from the protocol redirect
+Jay Satiro (7 Jan 2018)
+- scripts: allow all perl scripts to be run directly
+
+ - Enable execute permission (chmod +x)
- As local files could be accessed through \\localhost\c$.
+ - Change interpreter to /usr/bin/env perl
+
+ Closes https://github.com/curl/curl/pull/2222
-- [Bill Nagel brought this change]
+- mail-rcpt.d: fix short-text description
- libcurl: Enable support for the SMB protocol
+- build: remove HAVE_LIMITS_H check
- This patch enables SMB/CIFS support in libcurl.
-
-- smb.c: Fixed compilation warnings
+ .. because limits.h presence isn't optional, it's required by C89.
- smb.c:322: warning: conversion to 'short unsigned int' from 'unsigned
- int' may alter its value
- smb.c:323: warning: conversion to 'short unsigned int' from 'unsigned
- int' may alter its value
- smb.c:482: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
- smb.c:521: warning: conversion to 'unsigned int' from 'curl_off_t' may
- alter its value
- smb.c:549: warning: conversion to 'unsigned int' from 'curl_off_t' may
- alter its value
- smb.c:550: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
-
-- smb.c: Renamed SMB command message variables to avoid compiler warnings
+ Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2
- smb.c:489: warning: declaration of 'close' shadows a global declaration
- smb.c:511: warning: declaration of 'read' shadows a global declaration
- smb.c:528: warning: declaration of 'write' shadows a global declaration
+ Closes https://github.com/curl/curl/pull/2215
-- smb.c: Fixed compilation warnings
+- openssl: fix memory leak of SSLKEYLOGFILE filename
- smb.c:212: warning: unused parameter 'done'
- smb.c:380: warning: ISO C does not allow extra ';' outside of a function
- smb.c:812: warning: unused parameter 'premature'
- smb.c:822: warning: unused parameter 'dead'
-
-- smb.c: Fixed compilation warnings
+ - Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl
+ initialization.
- smb.c:311: warning: conversion from 'unsigned __int64' to 'u_short',
- possible loss of data
- smb.c:425: warning: conversion from '__int64' to 'unsigned short',
- possible loss of data
- smb.c:452: warning: conversion from '__int64' to 'unsigned short',
- possible loss of data
+ Caught by ASAN.
-- smb.c: Fixed compilation warnings
+- Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX"
+
+ This reverts commit c97648b55080343bb371522bf4233e94a2a13a99.
+
+ SIZEOF_LONG should not be checked in system.h since that macro is only
+ defined when building libcurl.
- smb.c:162: error: comma at end of enumerator list
- smb.c:469: warning: conversion from 'size_t' to 'unsigned short',
- possible loss of data
- smb.c:517: warning: conversion from 'curl_off_t' to 'unsigned int',
- possible loss of data
- smb.c:545: warning: conversion from 'curl_off_t' to 'unsigned int',
- possible loss of data
+ Ref: https://github.com/curl/curl/pull/2186#issuecomment-354767080
+ Ref: https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html
-- [Bill Nagel brought this change]
+Michael Kaufmann (30 Dec 2017)
+- test1554: improve the error handling
- smb: Added initial SMB functionality
+- test1554: add global initialization and cleanup
+
+Daniel Stenberg (29 Dec 2017)
+- curl_version_info.3: call the argument 'age'
- Initial implementation of the SMB/CIFS protocol.
+ Reported-by: Pete Lomax
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0074.html
-- [Bill Nagel brought this change]
+Patrick Monnerat (27 Dec 2017)
+- [Mikalai Ananenka brought this change]
- smb: Added SMB handler interfaces
+ brotli: data at the end of content can be lost
- Added the SMB and SMBS handler interface structures and associated
- functions required for SMB/CIFS operation.
-
-- transfer: Code style policing
+ Decoding loop implementation did not concern the case when all
+ received data is consumed by Brotli decoder and the size of decoded
+ data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE.
+ For content with unencoded length greater than CURL_MAX_WRITE_SIZE this
+ can result in the loss of data at the end of content.
- Prefer ! rather than NULL in if statements, added comments and updated
- function spacing, argument spacing and line spacing to be more readble.
+ Closes #2194
-- transfer: Fixed existing scratch buffer being checked for NULL twice
+Jay Satiro (26 Dec 2017)
+- examples/cacertinmem: ignore cert-already-exists error
- If the scratch buffer already existed when the CRLF conversion was
- performed then the buffer pointer would be checked twice for NULL. This
- second check is only necessary if the call to malloc() was performed by
- the first check.
-
-- smtp: Fixed dot stuffing being performed when no new data read
+ - Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback
+ since it's possible the cert may have already been loaded by libcurl.
- Whilst I had moved the dot stuffing code from being performed before
- CRLF conversion takes place to after it, in commit 4bd860a001, I had
- moved it outside the 'when something read' block of code when meant
- it could perform the dot stuffing twice on partial send if nread
- happened to contain the right values. It also meant the function could
- potentially read past the end of buffer. This was highlighted by the
- following warning:
+ - Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc.
+ Instead have it direct the reader to this cacertinmem.c example.
- warning: `nread' might be used uninitialized in this function
-
-Daniel Stenberg (29 Nov 2014)
-- smb.h: fixed picky compiler warning
+ - Fix the CA certificate to use the right CA for example.com, Digicert.
- smb.h:30:16: error: comma at end of enumerator list [-Werror=pedantic]
-
-Steve Holme (29 Nov 2014)
-- tests: Disable test 1013 until SMB is fully added
-
-- [Bill Nagel brought this change]
-
- smb: Added SMB protocol and port definitions
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html
+ Reported-by: Thomas van Hesteren
- Added the necessary protocol and port definitions in order to support
- SMB/CIFS.
+ Closes https://github.com/curl/curl/pull/2182
-- [Bill Nagel brought this change]
+- [Gisle Vanem brought this change]
- smb: Added internal SMB definitions and structures
+ tool_getparam: Support size modifiers for --max-filesize
- Added the internal definitions and structures necessary for SMB/CIFS
- support.
+ - Move the size modifier detection code from limit-rate to its own
+ function so that it can also be used with max-filesize.
+
+ Size modifiers are the suffixes such as G (gigabyte), M (megabyte) etc.
+
+ For example --max-filesize 1G
+
+ Ref: https://curl.haxx.se/mail/archive-2017-12/0000.html
+
+ Closes https://github.com/curl/curl/pull/2179
-- [Bill Nagel brought this change]
+Steve Holme (22 Dec 2017)
+- build: Fixed incorrect script termination from commit ad1dc10e61
- smb: Added SMB connection structure
-
- Added the connection structure that will be required in urldata.h for
- SMB/CIFS based connections.
+- Makefile.vc: Added our standard copyright header
-- [Bill Nagel brought this change]
+- winbuild: Added support for VC15
- smb: Added initial source files for SMB
-
- Added the initial source files and updated the relevant project files in
- order to support SMB/CIFS.
+- build: Added Visual Studio 2017 project files
-- [Bill Nagel brought this change]
+- build-wolfssl.bat: Added support for VC15
- smb: Added configuration options for SMB
-
- Added --enable-smb and --disable-smb configuration options for the
- upcoming SMB/CIFS protocol support.
+- build-openssl.bat: Added support for VC15
-Daniel Stenberg (28 Nov 2014)
-- [Peter Wu brought this change]
+Jay Satiro (22 Dec 2017)
+- [Dimitrios Apostolou brought this change]
- runtests.pl: fix startup of IPv6 servers
+ curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX
- Commit curl-7_23_1-143-g8218064 changed the parameter of
- responsive_http_server to accept types other than IPv6 (converting
- from a boolean to a string), but only considered the lower-case "ipv6"
- and not the "IPv6" variant. This caused all servers to start in IPv4
- mode instead.
-
- This patch converts the remaining cases to "ipv6". While not strictly
- necessary for the run*server variants, these got also converted for
- consistency and to prevent future errors.
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes https://github.com/curl/curl/pull/2186
-- [Peter Wu brought this change]
+- [Mattias Fornander brought this change]
- runtests.pl: fix warning message, remove duplicate value
+ examples/rtsp: fix error handling macros
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes https://github.com/curl/curl/pull/2185
-Steve Holme (27 Nov 2014)
-- http.c: Fixed compilation warnings from features being disabled
+Patrick Monnerat (20 Dec 2017)
+- curl_easy_reset: release mime-related data.
- warning: unused variable 'data'
- warning: variable 'addcookies' set but not used
+ Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level
+ functions dealing with UserDefined structure contents.
+ This avoids memory leakages on curl-generated part mime headers.
+ New test 2073 checks this using the cli tool --next option: it
+ triggers a valgrind error if bug is present.
- ...and some very minor coding style policing.
-
-- RELEASE-NOTES: Synced with c5399c827d
-
-- tests: Added SMTP with --crlf test case
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html
+ Reported-by: Martin Galvan
-- docs: Updated for commit 4bd860a001 and SMTP Unix line ending conversion
+- content_encoding: rework zlib_inflate
+
+ - When zlib version is < 1.2.0.4, process gzip trailer before considering
+ extra data as an error.
+ - Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data
+ and minimize corrupt data output.
+ - Do not try to restart deflate decompression in raw mode if output has
+ started or if the leading data is not available anymore.
+ - New test 232 checks inflating raw-deflated content.
+
+ Closes #2068
-- smtp: Fixed const'ness of nread parameter in Curl_smtp_escape_eob()
+- brotli: allow compiling with version 0.6.0.
- ...and some comment typos!
+ Some error codes were not yet defined in brotli 0.6.0: do not issue code
+ for them in this case.
-- smtp: Added support for the conversion of Unix newlines during mail send
+Daniel Stenberg (13 Dec 2017)
+- CURLOPT_READFUNCTION.3: refer to argument with correct name
- Added support for the automatic conversion of Unix newlines to CRLF
- during mail uploads.
+ Bug: #2175
- Feature: http://curl.haxx.se/bug/view.cgi?id=1456
+ [ci skip]
-- CURLOPT_CRLF.3: Fixed inclusion of SMTP in listed protocols
-
-Daniel Stenberg (25 Nov 2014)
-- curl*3: added small examples
+- rand: add a clang-analyzer work-around
- and some minor edits
+ scan-build would warn on a potential access of an uninitialized
+ buffer. I deem it a false positive and had to add this somewhat ugly
+ work-around to silence it.
-- libcurl.3: fix formatting
+- krb5: fix a potential access of uninitialized memory
- refer to functions with the man page section properly
-
-- man pages: SEE ALSO curl_multi_wait
+ A scan-build warning.
-- curl_multi_wait.3: clarify numfds being used if not NULL
-
-- multi-single.c: switch to use curl_multi_wait
+- conncache: fix a return code [regression]
- Makes the example much easier and straight-forward!
+ This broke in 07cb27c98e. Make sure to return 'result' properly. Pointed
+ out by scan-build!
-- testcurl: bump the version of this script!
+- curl: support >256 bytes warning messsages
+
+ Bug: #2174
-- testcurl: skip reading the setup file if given enough cmdline info
+Michael Kaufmann (12 Dec 2017)
+- libssh: fix a syntax error in configure.ac
- This makes it much easier to run multiple tests in the same directory,
- just altering the command lines used.
+ Follow-up to c92d2e1
+
+ Closes #2172
-- select.c: fix compilation for VxWorks
+Daniel Stenberg (12 Dec 2017)
+- examples/smtp-mail.c: use separate defines for options and mail
+
+ ... to make it clearer that the options want address-only, while the
+ headers in an email can also have the real name.
- Reported-by: Brian
- Bug: http://curl.haxx.se/bug/view.cgi?id=1455
+ Assisted-by: Sean MacLennan
-Patrick Monnerat (24 Nov 2014)
-- [moparisthebest brought this change]
+- THANKS: added missing names
+
+ ... as I reran the contrithanks script after the mailmap name fixups.
- SSL: Add PEM format support for public key pinning
+- mailmap: added/clarified several names
-Kamil Dudka (24 Nov 2014)
-- Revert "repository: ignore patch files generated by git"
+- setopt: less *or equal* than INT_MAX/1000 should be fine
- This reverts commit 217024a687ce86eb6d2317822ed81c7e5abc4b61.
+ ... for the CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT and
+ CURLOPT_SERVER_RESPONSE_TIMEOUT range checks.
- Bug: https://github.com/bagder/curl/commit/217024a6#commitcomment-8693738
-
-Steve Holme (23 Nov 2014)
-- multi.c: Fixed compilation warnings when no verbose string support
+ Reported-by: Dominik Hölzl
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0037.html
- warning: variable 'connection_id' set but not used
- warning: unused parameter 'lineno'
+ Closes #2173
-- RELEASE-NOTES: Synced with 1450712e76
+- [Dmitry Kostjuchenko brought this change]
-- sasl: Tidied up some parameter comments
-
-- sasl: Reduced the need for two sets of NTLM functions
+ vtls: replaced getenv() with curl_getenv()
+
+ Fixed undefined symbol of getenv() which does not exist when compiling
+ for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with
+ curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP
+ is defined.
+
+ Closes #2171
-- ntlm: Moved NSS initialisation to base decode function
+- RELEASE-NOTES: synced with 3b9ea70ee
-- http_ntlm: Fixed additional NSS initialisation call when decoding type-2
+- TODO: Expose tried IP addresses that failed
+
+ Suggested-by: Rainer Canavan
- After commit 48d19acb7c the HTTP code would call Curl_nss_force_init()
- twice when decoding a NTLM type-2 message, once directly and the other
- through the call to Curl_sasl_decode_ntlm_type2_message().
+ Closes #2126
-- ntlm: Fixed static'ness of local decode function
+- curl.1: mention http:// and https:// as valid proxy prefixes
-- ntlm: Corrected some parameter names and comments
+- curl.1: documented two missing valid exit codes
-- runtests.pl: Re-aligned feature support comments
+- CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference
-- runtests.pl: Use Kerberos and SPNEGO as proxies for the crypto feature
+- Revert "curl: don't set CURLOPT_INTERLEAVEDATA"
- In addition to NTLM, use Kerberos and SPNEGO as proxies to the crypto
- feature.
+ This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955.
- ...and converted tab characters, from commit 4b4e8a5853, to spaces.
+ It was actually added rather recently in 8e8afa82cbb629 due to a crash
+ that would otherwise happen in the RTSP code. As I don't think we've
+ fixed that behavior yet, we better keep this work-around until we have
+ fixed it better.
-- runtests.pl: Added support for SPNEGO
+Michael Kaufmann (10 Dec 2017)
+- tests: mark data files as non-executable in git
-- runtests.pl: Added Kerberos detection
+- tests: update .gitignore for libtests
-- runtests.pl: Added GSS-API detection
+Daniel Stenberg (10 Dec 2017)
+- multi_done: prune DNS cache
+
+ Prune the DNS cache immediately after the dns entry is unlocked in
+ multi_done. Timed out entries will then get discarded in a more orderly
+ fashion.
+
+ Test506 is updated
+
+ Reported-by: Oleg Pudeyev
+
+ Fixes #2169
+ Closes #2170
-- FILEFORMAT: Added SSPI, GSS-API and Kerberos to the features list
+- mailmap: fixup two old git Author "aliases"
-- FILEFORMAT: Added test requires feature not present information
+Jay Satiro (10 Dec 2017)
+- openssl: Disable file buffering for Win32 SSLKEYLOGFILE
- Such as !SSPI as we do for the NTLM and Digest tests.
-
-Daniel Stenberg (20 Nov 2014)
-- http.c: log if it notices HTTP 1.1 after a upgrade to http2
+ Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just
+ like it does for other platforms. However, the Windows CRT does not
+ actually support line buffering (_IOLBF) and will use full buffering
+ (_IOFBF) instead. We can't use full buffering because multiple processes
+ may be writing to the file and that could lead to corruption, and since
+ full buffering is the only buffering available this commit disables
+ buffering for Windows SSLKEYLOGFILE entirely (_IONBF).
+
+ Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901
-- test1801: first real http2 test case
+Daniel Stenberg (10 Dec 2017)
+- RESOLVE: output verbose text when trying to set a duplicate name
+
+ ... to help users understand what is or isn't done!
-- sws: initial tiny steps toward http2 support
+- CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
-- FILEFORMAT: mention the new upgrade support
+- [John DeHelian brought this change]
-- test1800: first plain-text http2 test case
+ sftp: allow quoted commands to use relative paths
- Verifies the upgrade request, but gets a plain 1.1 response
+ Closes #1900
-- [Tatsuhiro Tsujikawa brought this change]
+Jay Satiro (8 Dec 2017)
+- [Richard Alcock brought this change]
- http: Disable pipelining for HTTP/2 and upgraded connections
+ CURLOPT_PRIVATE.3: fix grammar
+
+ - Change "never does nothing" double-negative to "never does anything".
- This commit disables pipelining for HTTP/2 or upgraded connections. For
- HTTP/2, we do not support multiplexing. In general, requests cannot be
- pipelined in an upgraded connection, since it is now different protocol.
+ Closes https://github.com/curl/curl/pull/2168
-- [Brad Harder brought this change]
+Daniel Stenberg (8 Dec 2017)
+- curl: remove __EMX__ #ifdefs
+
+ These are OS/2-specific things added to the code in the year 2000. They
+ were always ugly. If there's any user left, they still don't need it
+ done this way.
+
+ Closes #2166
- CURLOPT_POSTFIELDS.3: mention the COPYPOSTFIELDS option
+Jay Satiro (8 Dec 2017)
+- openssl: improve data-pending check for https proxy
+
+ - Allow proxy_ssl to be checked for pending data even when connssl does
+ not yet have an SSL handle.
+
+ This change is for posterity. Currently there doesn't seem to be a code
+ path that will cause a pending data check when proxyssl could have
+ pending data and the connssl handle doesn't yet exist [1].
+
+ [1]: Recall that an https proxy connection starts out in connssl but if
+ the destination is also https then the proxy SSL backend data is moved
+ from connssl to proxyssl, which means connssl handle is temporarily
+ empty until an SSL handle for the destination can be created.
+
+ Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542
+
+ Closes https://github.com/curl/curl/pull/1916
+
+Daniel Stenberg (8 Dec 2017)
+- curl: don't set CURLOPT_INTERLEAVEDATA
+
+ That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback
+ and that option isn't set or used by the curl tool!
+
+ Updates the 9 tests that verify --libcurl
+
+ Closes #2167
-Steve Holme (19 Nov 2014)
-- multi-uv.c: Updated for curl coding standards
+- curl.h: remove incorrect comment about ERRORBUFFER
+
+ ... error messages are _not_ sent to stderr if this is not set.
-- conncache: Fixed specifiers in infof() for long and size_t variables
+- [Michael Felt brought this change]
-- [Peter Wu brought this change]
+ configure: add AX_CODE_COVERAGE only if using gcc
+
+ Fixes #2076
+ Closes #2125
- cmake: add Kerberos to the supported features
+- curl: limit -# update frequency for unknown total size
- Updated following commit eda919f and a4b7f71.
+ Make it use a max 10Hz update frequency for this case as well. Return
+ early if the "point" hasn't moved since last invoke.
- Acked-by: Brad King <brad.king@kitware.com>
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
+ Reported-by: Elliot Saba
+
+ Fixes #2158
+ Closes #2163
- cmake: fix NTLM detection when CURL_DISABLE_HTTP defined
+- BINDINGS: another PostgreSQL client
- Updated following changes in commit f0d860d.
+ ...the former link is dead.
- Acked-by: Brad King <brad.king@kitware.com>
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reported-by: Frank Gevaerts
-Daniel Stenberg (19 Nov 2014)
-- RELEASE-NOTES: synced with cb13fad733e
+- [Zachary Seguin brought this change]
-- [Jay Satiro brought this change]
+ CONNECT: keep close connection flag in http_connect_state struct
+
+ Fixes #2088
+ Closes #2157
- examples: Wait recommended 100ms when no file descriptors are ready
+- [Per Malmberg brought this change]
+
+ include: get netinet/in.h before linux/tcp.h
- Prior to this change when no file descriptors were ready on platforms
- other than Windows the multi examples would sleep whatever was in
- timeout, which may or may not have been less than the minimum
- recommended value [1] of 100ms.
+ ... to allow build on older Linux dists (specifically CentOS 4.8 on gcc
+ 4.8.5)
- [1]: http://curl.haxx.se/libcurl/c/curl_multi_fdset.html
-
-- [Waldek Kozba brought this change]
+ Closes #2160
- multi-uv.c: close the file handle after download
+- openldap: fix checksrc nits
-- [Jon Spencer brought this change]
+- [Stepan Broz brought this change]
- multi: inform about closed sockets before they are closed
+ openldap: add commented out debug possibilities
- When the connection code decides to close a socket it informs the multi
- system via the Curl_multi_closed function. The multi system may, in
- turn, invoke the CURLMOPT_SOCKETFUNCTION function with
- CURL_POLL_REMOVE. This happens after the socket has already been
- closed. Reorder the code so that CURL_POLL_REMOVE is called before the
- socket is closed.
-
-Guenter Knauf (19 Nov 2014)
-- build: in Makefile.m32 moved target autodetection.
+ ... to aid debugging openldap library using its built-in debug messages.
- Moved target autodetection block after defining CC macro.
+ Closes #2159
-- build: in Makefile.m32 simplify platform flags.
+- examples: move threaded-shared-conn.c to the "complicated" ones
+
+ ... due it relying on pthreads to link.
-- build: in Makefile.m32 try to detect 64bit target.
+- RELEASE-NOTES: synced with b261c44e8
+
+ ... and bump next release version to 7.58.0
-Daniel Stenberg (19 Nov 2014)
-- [Brad King brought this change]
+- [Jan Ehrhardt brought this change]
- CMake: Simplify if() conditions on check result variables
-
- Remove use of an old hack that takes advantage of the auto-dereference
- behavior of the if() command to detect if a variable is defined. The
- hack has the form:
+ URL: tolerate backslash after drive letter for FILE:
- if("${VAR} MATCHES "^${VAR}$")
+ ... as in "file://c:\some\path\curl.out"
- where "${VAR}" is a macro argument reference. Use if(DEFINED) instead.
- This also avoids warnings for CMake Policy CMP0054 in CMake 3.1.
+ Reviewed-by: Matthew Kerwin
+ Closes #2154
-- TODO-RELEASE: removed
+- [Randall S. Becker brought this change]
-- [Carlo Wood brought this change]
+ tests: added netinet/in6.h includes in test servers
- debug: added new connection cache output, plus fixups
+- [Randall S. Becker brought this change]
+
+ configure: check for netinet/in6.h
- Debug output 'typo' fix.
+ Needed by HPE NonStop NSE and NSX systems
- Don't print an extra "0x" in
- * Pipe broke: handle 0x0x2546d88, url = /
+ Fixes #2146
+ Closes #2155
+
+- curl-config: add --ssl-backends
- Add debug output.
- Print the number of connections in the connection cache when
- adding one, and not only when one is removed.
+ Lists all SSL backends that were enabled at build-time.
- Fix typos in comments.
+ Suggested-by: Oleg Pudeyev
+ Fixes #2128
-- multi: move the ending condition into the loop as well
+- conncache: only allow multiplexing within same multi handle
- ... as it was before I changed the loop in commit e04ccbd50. It caused
- test 2030 and 2032 to fail.
+ Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing
+ only get additional transfers added to them if the existing connection
+ is held by the same multi or easy handle. libcurl does not support doing
+ HTTP/2 streams in different threads using a shared connection.
+
+ Closes #2152
-Steve Holme (18 Nov 2014)
-- multi: Prefer we don't use CURLE_OK and NULL in comparisons
+- threaded-shared-conn.c: fixed typo in commenta
-Daniel Stenberg (18 Nov 2014)
-- multi_runsingle: use 'result' for local CURLcode storage
-
- ... and assign data->result only at the end. Makes the code more compact
- (easier to read) and more similar to other code.
+- threaded-shared-conn.c: new example
-- multi_runsingle: rename result to rc
+- conncache: fix several lock issues
- save 'result' for CURLcode types
-
-- multi: make multi_runsingle loop internally
+ If the lock is released before the dealings with the bundle is over, it may
+ have changed by another thread in the mean time.
- simplifies the use of this function at little cost.
-
-- [Carlo Wood brought this change]
+ Fixes #2132
+ Fixes #2151
+ Closes #2139
- multi: when leaving for timeout, close accordingly
+- libssh: remove dead code in sftp_qoute
- Fixes the problem when a transfer in a pipeline times out.
+ ... by removing a superfluous NULL pointer check that also confuses
+ Coverity.
+
+ Fixes #2143
+ Closes #2153
-Guenter Knauf (18 Nov 2014)
-- build: in Makefile.m32 add -m32 flag for 32bit.
+- sasl_getmesssage: make sure we have a long enough string to pass
+
+ For pop3/imap/smtp, added test 891 to somewhat verify the pop3
+ case.
+
+ For this, I enhanced the pingpong test server to be able to send back
+ responses with LF-only instead of always using CRLF.
+
+ Closes #2150
-- mk-ca-bundle.vbs: update copyright year.
+- libssh2: remove dead code from SSH_SFTP_QUOTE
+
+ Figured out while reviewing code in the libssh backend. The pointer was
+ checked for NULL after having been dereferenced, so we know it would
+ always equal true or it would've crashed.
+
+ Pointed-out-by: Nikos Mavrogiannopoulos
+
+ Bug #2143
+ Closes #2148
-- build: in Makefile.m32 pass -F flag to windres.
+- ssh-libssh.c: please checksrc
-Steve Holme (17 Nov 2014)
-- config-win32: Fixed build targets for the VS2012+ Windows XP toolset
+Nikos Mavrogiannopoulos (4 Dec 2017)
+- libssh: fixed dereference in statvfs access
+
+ The behavior is now equivalent to ssh.c when SSH_SFTP_QUOTE_STATVFS
+ handling fails.
- Even though commit 23e70e1cc6 mentioned the v110_xp toolset, I had
- forgotten to include the relevant pre-processor definitions.
+ Fixes #2142
-- sasl_sspi: Removed note about the NTLM functions being a wrapper
+Daniel Stenberg (4 Dec 2017)
+- [Guitared brought this change]
-- connect.c: Fixed compilation warning when no verbose string support
+ RESOURCES: update spec names
- warning: unused parameter 'reason'
+ Closes #2145
-- easy.c: Fixed compilation warning when no verbose string support
+Nikos Mavrogiannopoulos (3 Dec 2017)
+- libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS
- warning: unused parameter 'easy'
-
-- win32: Updated some legacy APIs to use the newer extended versions
+ The previous code was incorrectly following the libssh2 error detection
+ for libssh2_sftp_statvfs, which is not correct for libssh's sftp_statvfs.
- Updated the usage of some legacy APIs, that are preventing curl from
- compiling for Windows Store and Windows Phone build targets.
+ Fixes #2142
- Suggested-by: Stefan Neis
- Feature: http://sourceforge.net/p/curl/feature-requests/82/
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- config-win32: Introduce build targets for VS2012+
+- libssh: no need to call sftp_get_error as ssh_get_error is sufficient
- Visual Studio 2012 introduced support for Windows Store apps as well as
- supporting Windows Phone 8. Introduced build targets that allow more
- modern APIs to be used as certain legacy ones are not available on these
- new platforms.
-
-- sasl_sspi: Fixed compilation warnings when no verbose string support
+ Fixes #2141
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- sasl_sspi: Added base64 decoding debug failure messages
+Daniel Stenberg (2 Dec 2017)
+- libssh: fix minor static code analyzer nits
+
+ - remove superfluous NULL check which otherwise tricks the static code
+ analyzers to assume NULL pointer dereferences.
- Just like in the NTLM code, added infof() failure messages for
- DIGEST-MD5 and GSSAPI authentication when base64 decoding fails.
+ - fix fallthrough in switch()
+
+ - indent mistake
-- ntlm: Moved the SSPI based Type-3 message generation into the SASL module
+- openssl: pkcs12 is supported by boringssl
+
+ Removes another #ifdef for BoringSSL
+
+ Pointed-out-by: David Benjamin
+
+ Closes #2134
-- ntlm: Moved the SSPI based Type-2 message decoding into the SASL module
+- [Jay Satiro brought this change]
-- ntlm: Moved the SSPI based Type-1 message generation into the SASL module
+ travis: use pip2 instead of pip
+
+ .. since now mac osx image expects pip2 or pip3, and doesn't know pip:
+
+ 0.01s$ pip install --user cpp-coveralls
+ /Users/travis/.travis/job_stages: line 57: pip: command not found
+
+ Ref: https://github.com/travis-ci/travis-ci/issues/8829
+
+ Closes https://github.com/curl/curl/pull/2133
-- [Michael Osipov brought this change]
+- [Nikos Mavrogiannopoulos brought this change]
- kerberos: Use symbol qualified with _KERBEROS5
+ lib582: do not verify host for SFTP
+
+ This SFTP test fails with libssh back-end due to failure to verify
+ the peer. Disable peer verification in the test as there seems to
+ be the intention of the test.
- For consistency renamed USE_KRB5 to USE_KERBEROS5.
+ Note that the libssh back-end automatically verifies the peer's
+ host using the default known_hosts file.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-Daniel Stenberg (15 Nov 2014)
-- [Jay Satiro brought this change]
+- [Nikos Mavrogiannopoulos brought this change]
- examples: Don't call select() to sleep on windows
+ libssh: added SFTP support
- Windows does not support using select() for sleeping without a dummy
- socket. Instead use Windows' Sleep() and sleep for 100ms which is the
- minimum suggested value in the curl_multi_fdset() doc.
+ The SFTP back-end supports asynchronous reading only, limited
+ to 32-bit file length. Writing is synchronous with no other
+ limitations.
- Prior to this change the multi examples would exit prematurely since
- select() would error instead of sleeping when called without an fd.
+ This also brings keyboard-interactive authentication.
- Reported-by: Johan Lantz
- Bug: http://curl.haxx.se/mail/lib-2014-11/0221.html
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- [Tatsuhiro Tsujikawa brought this change]
+- [Nikos Mavrogiannopoulos brought this change]
- http2: Don't send Upgrade headers when we already do HTTP/2
-
-Steve Holme (15 Nov 2014)
-- sasl: Corrected Curl_sasl_build_spn() function description
+ symbols-in-versions: added new symbols with 7.56.3 version
- There was a mismatch in function parameter names.
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- tool: Removed krb4 from the supported features
-
- Although libcurl would never return CURL_VERSION_KERBEROS4 after 7.33,
- so would not be output with --version, removed krb4 from the supported
- features output.
+- [Nikos Mavrogiannopoulos brought this change]
-- [Michael Osipov brought this change]
+ .travis.yml: added build --with-libssh
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
- tool: Use Kerberos for supported features
+- [Nikos Mavrogiannopoulos brought this change]
-- urldata: Don't define sec_complete when no GSS-API support present
+ libssh2: return CURLE_UPLOAD_FAILED on failure to upload
- This variable is only used with HAVE_GSSAPI is defined by the FTP code
- so let's place the definition with the other GSS-API based variables.
-
-- [Michael Osipov brought this change]
+ This brings its in sync with the error code returned by the
+ libssh backend.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
- docs: Use consistent naming for Kerberos
+- [Nikos Mavrogiannopoulos brought this change]
-- TODO: Lets support QOP options in GSSAPI authentication
+ libssh2: send the correct CURLE error code on scp file not found
+
+ That also updates tests to expect the right error code
+
+ libssh2 back-end returns CURLE_SSH error if the remote file
+ is not found. Expect instead CURLE_REMOTE_FILE_NOT_FOUND
+ which is sent by the libssh backend.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-- sasl_sspi: Corrected a couple of comment typos
+- [Nikos Mavrogiannopoulos brought this change]
-- sasl: Moved Curl_sasl_gssapi_cleanup() definition into header file
+ Added support for libssh SSH SCP back-end
- Rather than define the function as extern in the source files that use
- it, moved the function declaration into the SASL header file just like
- the Digest and NTLM clean-up functions.
+ libssh is an alternative library to libssh2.
+ https://www.libssh.org/
- Additionally, added a function description comment block.
-
-- sasl_sspi: Added missing RFC reference for HTTP Digest authentication
+ That patch set also introduces support for ECDSA
+ ed25519 keys, as well as gssapi authentication.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-- ntlm: Clean-up and standardisation of base64 decoding
+- RELEASE-NOTES: synced with af8cc7a69
-- ntlm: We prefer 'CURLcode result'
+- curlver: towards 7.57.1
-Daniel Stenberg (13 Nov 2014)
-- [Brad King brought this change]
+- [W. Mark Kubacki brought this change]
- CMake: Restore order-dependent library checks
+ lib: don't export all symbols, just everything curl_*
+
+ Absent any 'symbol map' or script to limit what gets exported, static
+ linking of libraries previously resulted in a libcurl with curl's and
+ those other symbols being (re-)exported.
+
+ This did not happen if 'versioned symbols' were enabled (which is not
+ the default) because then a version script is employed.
- Revert commit 2257deb502 (Cmake: Avoid cycle directory dependencies,
- 2014-08-22) and add a comment explaining the purpose of the original
- code.
+ This limits exports to everything starting in 'curl_*'., which is
+ what "libcurl.vers" exports.
- The check_library_exists_concat macro is intended to be called multiple
- times on a sequence of possibly dependent libraries. Later libraries
- may depend on earlier libraries when they are static. They cannot be
- safely linked in reverse order on some platforms.
+ This avoids strange side-effects such as with mixing methods
+ from system libraries and those erroneously offered by libcurl.
- Signed-off-by: Brad King <brad.king@kitware.com>
+ Closes #2127
-- [Brad King brought this change]
+- [Johannes Schindelin brought this change]
- CMake: Restore order-dependent header checks
+ SSL: Avoid magic allocation of SSL backend specific data
- Revert commit 1269df2e3b (Cmake: Don't check for all headers each
- time, 2014-08-15) and add a comment explaining the purpose of the
- original code.
+ Originally, my idea was to allocate the two structures (or more
+ precisely, the connectdata structure and the four SSL backend-specific
+ strucutres required for ssl[0..1] and proxy_ssl[0..1]) in one go, so
+ that they all could be free()d together.
- The check_include_file_concat macro is intended to be called multiple
- times on a sequence of possibly dependent headers. Later headers
- may depend on earlier headers to provide declarations. They cannot
- be safely included independently on some platforms.
+ However, getting the alignment right is tricky. Too tricky.
- For example, many POSIX APIs document including sys/types.h before some
- other headers. Also on some OS X versions sys/socket.h must be included
- before net/if.h or the check for the latter will fail.
+ So let's just bite the bullet and allocate the SSL backend-specific
+ data separately.
- Signed-off-by: Brad King <brad.king@kitware.com>
+ As a consequence, we now have to be very careful to release the memory
+ allocated for the SSL backend-specific data whenever we release any
+ connectdata.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+ Closes #2119
-- [Peter Wu brought this change]
+- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
+
+ Reported-by: Dima Tisnek
- test22: expand a backtick command
+- travis: add boringssl build
+
+ Uses a separate build without --enable-debug and no valgrind.
- This is the only user of the backtick operator in the command. As the
- commands will soon not be executed by a shell anymore (but by perl),
- replace the command with its output.
+ The debug option causes far too many warnings in boringssl's headers
+ (C++ comments, trailing commas etc). Valgrind triggers some false
+ positive errors in thread-local data used by boringssl.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #2118
-- RELEASE-NOTES: synced with 2ee3c63b13
+Version 7.57.0 (29 Nov 2017)
-- http2: fix switched macro when http2 is not enabled
+Daniel Stenberg (29 Nov 2017)
+- RELEASE-NOTES: curl 7.57.0
-- [Tatsuhiro Tsujikawa brought this change]
+- THANKS: added contributors from 7.57.0 release
- http2: Deal with HTTP/2 data inside response header buffer
+- openssl: fix boringssl build again
- Previously if HTTP/2 traffic is appended to HTTP Upgrade response header
- (thus they are in the same buffer), the trailing HTTP/2 traffic is not
- processed and lost. The appended data is most likely SETTINGS frame.
- If it is lost, nghttp2 library complains server does not obey the HTTP/2
- protocol and issues GOAWAY frame and curl eventually drops connection.
- This commit fixes this problem and now trailing data is processed.
-
-Steve Holme (11 Nov 2014)
-- configure: Fixed inclusion of krb5 when CURL_DISABLE_CRYPTO_AUTH is defined
+ commit d3ab7c5a21e broke the boringssl build since it doesn't have
+ RSA_flags(), so we disable that code block for boringssl builds.
- Commit fe0f8967bf fixed a problem with krb5 not being defined as a
- supported feature when HAVE_GSSAPI is defined, however, it should
- only be included if CURL_DISABLE_CRYPTO_AUTH is not set, like when
- SPNEGO is listed as a feature.
+ Reported-by: W. Mark Kubacki
+ Fixes #2117
-Daniel Stenberg (10 Nov 2014)
-- multi: removed Curl_multi_set_easy_connection
-
- It isn't used anywhere!
-
- Reported-by: Carlo Wood
+- curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided
-- [Peter Wu brought this change]
+- libcurl-share.3: the connection cache is shareable now
- symbol-scan.pl: do not require autotools
+- global_init: ignore CURL_GLOBAL_SSL's absense
+
+ This bit is no longer used. It is not clear what it meant for users to
+ "init the TLS" in a world with different TLS backends and since the
+ introduction of multissl, libcurl didn't properly work if inited without
+ this bit set.
- Makes test1119 pass when building with cmake.
+ Not a single user responded to the call for users of it:
+ https://curl.haxx.se/mail/lib-2017-11/0072.html
- configurehelp.pm is generated by configure (autotools). As cmake does
- not provide a separate variable for the C preprocessor, default to cpp.
- Before commit ef24ecde68a5f577a7f0f423a767620f09a0ab16 ("symbol-scan:
- use configure script knowledge about how to run the C preprocessor"),
- this tool would also use 'cpp'.
+ Reported-by: Evgeny Grin
+ Assisted-by: Jay Satiro
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Fixes #2089
+ Fixes #2083
+ Closes #2107
-- [Peter Wu brought this change]
+- ntlm: avoid integer overflow for malloc size
+
+ Reported-by: Alex Nichols
+ Assisted-by: Kamil Dudka and Max Dymond
+
+ CVE-2017-8816
+
+ Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
- cmake: add ENABLE_THREADED_RESOLVER, rename ARES
+- wildcardmatch: fix heap buffer overflow in setcharset
- Fix detection of the AsynchDNS feature which not just depends on
- pthreads support, but also on whether USE_POSIX_THREADS is set or not.
- Caught by test 1014.
+ The code would previous read beyond the end of the pattern string if the
+ match pattern ends with an open bracket when the default pattern
+ matching function is used.
- This patch adds a new ENABLE_THREADED_RESOLVER option (corresponding to
- --enable-threaded-resolver of autotools) which also needs a check for
- HAVE_PTHREAD_H.
+ Detected by OSS-Fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
- For symmetry with autotools, CURL_USE_ARES is renamed to ENABLE_ARES
- (--enable-ares). Checks that test for the availability actually use
- USE_ARES instead as that is the result of whether a-res is available or
- not (in practice this does not matter as CARES is marked as required
- package, but nevertheless it is better to write the intent).
+ CVE-2017-8817
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
-- [Peter Wu brought this change]
+- [Jay Satiro brought this change]
- cmake: build libhostname for test suite
+ url: fix alignment of ssl_backend_data struct
- Used by some test cases via LD_PRELOAD in order to fake the host name.
+ - Align the array of ssl_backend_data on a max 32 byte boundary.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
-
- cmake: fix HAVE_GETHOSTNAME definition
+ 8 is likely to be ok but I went with 32 for posterity should one of
+ the ssl_backend_data structs change to contain a larger sized variable
+ in the future.
- Otherwise Curl_gethostname always fails. Windows has gethostname
- since Vista according to
- http://msdn.microsoft.com/en-us/library/ms738527%28VS.85%29.aspx, but
- accordings to byte_bucket's VC 2005 documentation, it is available even
- in Windows 95. (possibly after installing a Platform SDK, the
- Windows Server 2003 SP1 Platform SDK should be sufficient).
+ Prior to this change (since dev 70f1db3, release 7.56) the connectdata
+ structure was undersized by 4 bytes in 32-bit builds with ssl enabled
+ because long long * was mistakenly used for alignment instead of
+ long long, with the intention being an 8 byte boundary. Also long long
+ may not be an available type.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- [Peter Wu brought this change]
-
- tests: fix libhostname visibility
+ The undersized connectdata could lead to oob read/write past the end in
+ what was expected to be the last 4 bytes of the connection's secondary
+ socket https proxy ssl_backend_data struct (the secondary socket in a
+ connection is used by ftp, others?).
- I noticed that a patched cmake build would pass tests with a fake local
- hostname, but the autotools build skips them:
+ Closes https://github.com/curl/curl/issues/2093
- got unexpected host name back, LD_PRELOAD failed
+ CVE-2017-8818
- It turns out that -fvisibility=hidden hides the symbol, and since the
- tests are not part of libcurl, it fails too. Just remove the LIBCURL
- guard.
+ Bug: https://curl.haxx.se/docs/adv_2017-af0a.html
+
+- ssh: remove check for a NULL pointer (!)
- Broken since cURL 7.30 (commit 83a42ee20ea7fc25abb61c0b7ef56ebe712d7093,
- "curl.h: stricter CURL_EXTERN linkage decorations logic").
+ With this check present, scan-build warns that we might dereference this
+ point in other places where it isn't first checked for NULL. Thus, if it
+ *can* be NULL we have a problem on a few places. However, this pointer
+ should not be possible to be NULL here so I remove the check and thus
+ also three different scan-build warnings.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #2111
+
+- [Matthew Kerwin brought this change]
+
+ test: add test for bad UNC/SMB path in file: URL
+
+- [Matthew Kerwin brought this change]
-- [Peter Wu brought this change]
+ test: add tests to ensure basic file: URLs
- tests: fix memleak in server/resolve.c
+- [Matthew Kerwin brought this change]
+
+ URL: update "file:" URL handling
- This makes LeakSanitizer happy.
+ * LOTS of comment updates
+ * explicit error for SMB shares (e.g. "file:////share/path/file")
+ * more strict handling of authority (i.e. "//localhost/")
+ * now accepts dodgy old "C:|" drive letters
+ * more precise handling of drive letters in and out of Windows
+ (especially recognising both "file:c:/" and "file:/c:/")
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #2110
-- configure: assume krb5 when gss-api works
+- metalink: fix memory-leak and NULL pointer dereference
- To please test 1014 while we work out if this is truly the a correct
- assumption.
-
-Steve Holme (9 Nov 2014)
-- vtls.h: Fixed compiler warning when compiled without SSL
+ Reported by scan-build
- vtls.c:185:46: warning: unused parameter 'data'
+ Closes #2109
-- RELEASE-NOTES: Synced with 2fbf23875f
+- [Alessandro Ghedini brought this change]
-- ntlm: Added separate SSPI based functions
+ connect: add support for new TCP Fast Open API on Linux
- In preparation for moving the NTLM message code into the SASL module,
- and separating the native code from the SSPI code, added functions that
- simply call the functions in curl_ntlm_msg.c.
-
-- http_ntlm: Use the SASL functions instead
+ The new API added in Linux 4.11 only requires setting a socket option
+ before connecting, without the whole sento() machinery.
- In preparation for moving the NTLM message code into the SASL module
- use the SASL functions in the HTTP code instead.
+ Notably, this makes it possible to use TFO with SSL connections on Linux
+ as well, without the need to mess around with OpenSSL (or whatever other
+ SSL library) internals.
+
+ Closes #2056
-Daniel Stenberg (9 Nov 2014)
-- libssh2: detect features based on version, not configure checks
+- make: fix "make distclean"
- ... so that non-configure builds get the correct functions too based on
- the libssh2 version used.
+ Fixes #2097
+ Closes #2108
-- [Nobuhiro Ban brought this change]
+- RELEASE-NOTES: synced with 31f18d272
- SSH: use the port number as well for known_known checks
+Jay Satiro (23 Nov 2017)
+- connect: improve the bind error message
+
+ eg consider a non-existent interface eth8, curl --interface eth8
- ... if the libssh2 version is new enough.
+ Before: curl: (45) Could not resolve host: eth8
+ After: curl: (45) Couldn't bind to 'eth8'
- Bug: http://curl.haxx.se/bug/view.cgi?id=1448
+ Bug: https://github.com/curl/curl/issues/2104
+ Reported-by: Alfonso Martone
-Steve Holme (9 Nov 2014)
-- INSTALL: Updated pre-processor references to the old VC6 project files
+Daniel Stenberg (23 Nov 2017)
+- examples/rtsp: clear RANGE again after use
- Reworked the two sections that discuss modifying the Visual Studio pre-
- processor settings, and vc6libcurl.dsw/vc6libcurl.dsp, to remove the
- project files references as they have been superseded by a more thorough
- set of project files for VC6 through VC12, but to also give the correct
- reference to this setting in later versions of Visual Studio.
+ Fixes #2106
+ Reported-by: youngchopin on github
-- INSTALL: Added email protocols to the "Disabling in Win32 builds" section
+- [Michael Kaufmann brought this change]
-- configure: Fixed NTLM missing from features when CURL_DISABLE_HTTP defined
+ test1264: verify URL with space in host name being rejected
-- build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined
+- url: reject ASCII control characters and space in host names
- USE_NTLM would only be defined if: HTTP support was enabled, NTLM and
- cryptography weren't disabled, and either a supporting cryptography
- library or Windows SSPI was being compiled against.
+ Host names like "127.0.0.1 moo" would otherwise be accepted by some
+ getaddrinfo() implementations.
- This means it was not possible to build libcurl without HTTP support
- and use NTLM for other protocols such as IMAP, POP3 and SMTP. Rather
- than introduce a new SASL pre-processor definition, removed the HTTP
- prerequisite just like USE_SPNEGO and USE_KRB5.
+ Updated test 1034 and 1035 accordingly.
- Note: Winbind support still needs to be dependent on CURL_DISABLE_HTTP
- as it is only available to HTTP at present.
-
- This bug dates back to August 2011 when I started to add support for
- NTLM to SMTP.
+ Fixes #2073
+ Closes #2092
-- ntlm: Removed an unnecessary free of native Target Info
+- Curl_open: fix OOM return error correctly
- Due to commit 40ee1ba0dc the free in Curl_ntlm_decode_type2_target() is
- longer required.
-
-- ntlm: Moved the native Target Info clean-up from HTTP specific function
+ Closes #2098
-- ntlm: Moved SSPI clean-up code into SASL module
+- http2: fix "Value stored to 'end' is never read" scan-build error
-- Makefile.dist: Added support for WinIDN
+- http2: fix "Value stored to 'hdbuf' is never read" scan-build error
-- Makefile.vc6: Added support for WinIDN
+- openssl: fix "Value stored to 'rc' is never read" scan-build error
-- Makefile.dist: Added some missing SSPI configurations
+- mime: fix "Value stored to 'sz' is never read" scan-build error
-- Makefile.dist: Separated the groups of SSL configurations from each other
-
-- Makefile.dist: Grouped the x64 configurations next to their x86 counterparts
-
-- curl.h: Tidy up of CURL_VERSION_* flags
+- Curl_llist_remove: fix potential NULL pointer deref
- As the list has gotten a little messy and hard to read, especially with
- the introduction of deprecated items, aligned the values and comments
- into clean columns and reworked some of the comments in the process.
+ Fixes a scan-build warning.
-- curl_tool: Added krb5 to the supported features
+- ntlm: remove unnecessary NULL-check to please scan-build
-- configure: Added krb5 to the supported features
+- BUGS: spellchecked
-- version info: Added Kerberos V5 to the supported features
+Jay Satiro (18 Nov 2017)
+- [fmmedeiros brought this change]
-Guenter Knauf (7 Nov 2014)
-- mk-ca-bundle.vbs: switch to new certdata.txt url.
-
-Steve Holme (7 Nov 2014)
-- RELEASE-NOTES: Synced with dcad09e125
+ examples/curlx: Fix code style
+
+ - Add braces around multi-line if statement.
+
+ Closes https://github.com/curl/curl/pull/2096
-- http_digest: Fixed some memory leaks introduced in commit 6f8d8131b1
+Daniel Stenberg (17 Nov 2017)
+- resolve: allow IP address within [] brackets
+
+ ... so that IPv6 addresses can be passed like they can for connect-to
+ and how they're used in URLs.
- Fixed a couple of memory leaks as a result of moving code that used to
- populate allocuserpwd and relied on it's clean up.
+ Added test 1324 to verify
+ Reported-by: Alex Malinovich
+
+ Fixes #2087
+ Closes #2091
-- docs: Updated following the addition of SSPI based HTTP digest auth
+- [Pavol Markovic brought this change]
-- sasl_sspi: Tidy up of the existing digest code
+ macOS: Fix missing connectx function with Xcode version older than 9.0
- Following the addition of SSPI support for HTTP digest, synchronised
- elements of the email digest code with that of the new HTTP code.
-
-- http_digest: Post SSPI support tidy up
+ The previous fix https://github.com/curl/curl/pull/1788 worked just for
+ Xcode 9. This commit extends the fix to older Xcode versions effectively
+ by not using connectx function.
- Post tidy up to ensure commonality of code style and variable names.
+ Fixes https://github.com/curl/curl/issues/1330
+ Fixes https://github.com/curl/curl/issues/2080
+ Closes https://github.com/curl/curl/pull/1336
+ Closes #2082
-Dan Fandrich (6 Nov 2014)
-- test552: Don't run HTTP digest tests for SSPI based builds
-
- Technical difficulties prevented this from going into the
- previous commit.
+- [Dirk Feytons brought this change]
-Steve Holme (6 Nov 2014)
-- tests: Don't run HTTP digest tests for SSPI based builds
+ openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
- Added !SSPI to the features list of the HTTP digest tests, as SSPI
- based builds now use the Windows SSPI messaging API rather than the
- internal functions, and we can't control the random numbers that get
- used as part of the digest.
+ Fixes #2079
+ Closes #2081
-Daniel Stenberg (6 Nov 2014)
-- curl.1: show zone index use in a URL
+- TODO: ignore private IP addresses in PASV response
+
+ Closes #1455
-Steve Holme (6 Nov 2014)
-- http_digest: Fixed auth retry loop when SSPI based authentication fails
+- RELEASE-NOTES: synced with ae7369b6d
-- http_digest: Reworked the SSPI based input token storage
+Michael Kaufmann (14 Nov 2017)
+- URL: return error on malformed URLs with junk after IPv6 bracket
- Reworked the input token (challenge message) storage as what is passed
- to the buf and desc in the response generation are typically blobs of
- data rather than strings, so this is more in keeping with other areas
- of the SSPI code, such as the NTLM message functions.
-
-- sasl_sspi: Fixed compilation warning from commit 2d2a62e3d9
+ Follow-up to aadb7c7. Verified by new test 1263.
- Added void reference to unused 'data' parameter back to fix compilation
- warning.
+ Closes #2072
-- sspi: Align definition values to even columns as we use 2 char spacing
+Daniel Stenberg (14 Nov 2017)
+- INTERNALS: we may use libidn2 now, not libidn
-- sspi: Fixed missing definition of ISC_REQ_USE_HTTP_STYLE
+Patrick Monnerat (13 Nov 2017)
+- zlib/brotli: only include header files in modules needing them
- Some versions of Microsoft's sspi.h don't define this.
-
-- sasl: Removed non-SSPI Digest functions and defines from SSPI based builds
+ There is a conflict on symbol 'free_func' between openssl/crypto.h and
+ zlib.h on AIX. This is an attempt to resolve it.
- Introduced in commit 7e6d51a73c these functions and definitions are only
- required by the internal challenge-response functions now.
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html
+ Reported-By: Michael Felt
-- sasl_sspi: Added HTTP digest response generation code
-
-- http_digest: Added SSPI based challenge decoding code
+Daniel Stenberg (13 Nov 2017)
+- SMB: fix uninitialized local variable
+
+ Reported-by: Brian Carpenter
-- http_digest: Added SSPI based clean-up code
+- [Orgad Shaneh brought this change]
-- http_digest: Added SSPI based authentication functions
+ connect.c: remove executable bit on file
- This temporarily breaks HTTP digest authentication in SSPI based builds,
- causing CURLE_NOT_BUILT_IN to be returned. A follow up commit will
- resume normal operation.
+ Closes #2071
-- http_digest: Added required SSPI based variables to digest structure
+- [hsiao yi brought this change]
-Daniel Stenberg (6 Nov 2014)
-- [Frank Gevaerts brought this change]
+ README.md: fixed layout
+
+ Closes #2069
- contributors.sh: --releasenotes reads in names from RELEASE-NOTES
+- setopt: split out curl_easy_setopt() to its own file
+
+ ... to make url.c smaller.
- This is very handy when updating the RELEASE-NOTES as then we sometimes
- have names added manually in the existing list and we use this script to
- update the set.
+ Closes #1944
-- RELEASE-NOTES: synced with 68542e72a9
+Jay Satiro (10 Nov 2017)
+- [John Starks brought this change]
-- curl_easy_setopt.3: add CURLOPT_PINNEDPUBLICKEY
+ cmake: Add missing setmode check
- Reported-by: Christian Hägele
- Bug: http://curl.haxx.se/mail/lib-2014-11/0078.html
-
-Steve Holme (5 Nov 2014)
-- build: Fixed Visual Studio project file generation of strdup.[c|h]
+ Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this,
+ curl will corrupt binary files when writing them to stdout on Windows.
- As the curl command-line tool now includes it's own version of strdup(),
- for platforms that don't have it, fixed up the git respository Visual
- Studio project file generator to not include the version from lib in the
- tool project files, rather than having both lib\strdup.[c|h] and
- src\tool_strdup.[c|h] present.
+ Closes https://github.com/curl/curl/pull/2067
-Daniel Stenberg (5 Nov 2014)
-- tool_strdup.c: include the tool strdup.h
+Daniel Stenberg (10 Nov 2017)
+- curl_share_setopt: va_end was not called if conncache errors
- ... not the lib/ one that the tool no longer uses!
+ CID 984459, detected by Coverity
-- THANKS-filter: added another Michał Górny version we've used
+Sergei Nikulov (10 Nov 2017)
+- [John Starks brought this change]
-- contributors.sh: split lists using " and "
+ cmake: Correctly include curl.rc in Windows builds (#2064)
- ... and require the space after the filtering to make the filter able to
- remove names.
+ Update CMakeLists.txt to add curl.rc to the correct list.
-Steve Holme (5 Nov 2014)
-- http_digest: Fixed memory leaks from commit 6f8d8131b1
+Daniel Stenberg (9 Nov 2017)
+- RELEASE-NOTES: synced with 32828cc4f
-- sasl: Fixed compilation warning from commit 25264131e2
-
- Added forward declaration of digestdata to overcome the following
- compilation warning:
+- [Luca Boccassi brought this change]
+
+ --interface: add support for Linux VRF
- warning: 'struct digestdata' declared inside parameter list
+ The --interface command (CURLOPT_INTERFACE option) already uses
+ SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP
+ address first, which fails in case the user passes a VRF.
- Additionally made the ntlmdata forward declaration dependent on
- USE_NTLM similar to how digestdata and kerberosdata are.
-
-- sasl: Fixed HTTP digest challenges with spaces between auth parameters
+ Try to use the socket option immediately and parse it as a fallback
+ instead. Update the documentation to mention this feature, and that it
+ requires the binary to be ran by root or with CAP_NET_RAW capabilities
+ for this to work.
- Broken as part of the rework, in commit 7e6d51a73c, to assist with the
- addition of HTTP digest via Windows SSPI.
+ Closes #2024
-- http_digest: Fixed compilation errors from commit 6f8d8131b1
+- curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT
- error: invalid operands to binary
- warning: pointer targets in assignment differ in signedness
+ Closes #2043
-- http_digest: Moved response generation into SASL module
+- examples: add shared-connection-cache
-- http_digest: Moved challenge decoding into SASL module
+- test1554: verify connection cache sharing
-- http_digest: Moved clean-up function into SASL module
+- share: add support for sharing the connection cache
-- http_digest: Moved algorithm definitions to SASL module
-
-- [Gisle Vanem brought this change]
-
- ssh: Fixed build on platforms where R_OK is not defined
+- imap: deal with commands case insensitively
- Bug: http://curl.haxx.se/mail/lib-2014-11/0035.html
- Reported-by: Jan Ehrhardt
-
-- strdup: Removed irrelevant comment
+ As documented in RFC 3501 section 9:
+ https://tools.ietf.org/html/rfc3501#section-9
- ...as Curl_memdup() duplicates an area of fix size memory, that may be
- binary, and not a null terminated string.
+ Closes #2061
-- url.c: Fixed compilation warning
+- connect: store IPv6 connection status after valid connection
- conversion from 'curl_off_t' to 'size_t', possible loss of data
-
-- http_digest: Use CURLcode instead of CURLdigest
+ ... previously it would store it already in the happy eyeballs stage
+ which could lead to the IPv6 bit being set for an IPv4 connection,
+ leading to curl not wanting to do EPSV=>PASV for FTP transfers.
- To provide consistent behaviour between the various HTTP authentication
- functions use CURLcode based error codes for Curl_input_digest()
- especially as the calling code doesn't use the specific error code just
- that it failed.
+ Closes #2053
-Daniel Stenberg (5 Nov 2014)
-- contributors.sh: filter common alternative name spellings
+- curl_multi_fdset.3: emphasize curl_multi_timeout
- docs/THANKS-filter is a new filter file for converting contributor names
- we get or have recorded in alternative formats to the one we already use
- in THANKS. To help us show individual contributors using a single
- presentation of their names.
+ ... even when there's no socket to wait for, the timeout can still be
+ very short.
-- THANKS: added missing contributor from 2012
+Jay Satiro (9 Nov 2017)
+- content_encoding: fix inflate_stream for no bytes available
+
+ - Don't call zlib's inflate() when avail_in stream bytes is 0.
+
+ This is a follow up to the parent commit 19e66e5. Prior to that change
+ libcurl's inflate_stream could call zlib's inflate even when no bytes
+ were available, causing inflate to return Z_BUF_ERROR, and then
+ inflate_stream would treat that as a hard error and return
+ CURLE_BAD_CONTENT_ENCODING.
+
+ According to the zlib FAQ, Z_BUF_ERROR is not fatal.
+
+ This bug would happen randomly since packet sizes are arbitrary. A test
+ of 10,000 transfers had 55 fail (ie 0.55%).
+
+ Ref: https://zlib.net/zlib_faq.html#faq05
+
+ Closes https://github.com/curl/curl/pull/2060
-- [Frank Gevaerts brought this change]
+Patrick Monnerat (7 Nov 2017)
+- content_encoding: do not write 0 length data
- Remove duplicate names.
+Daniel Stenberg (6 Nov 2017)
+- fnmatch: remove dead code
+
+ There was a duplicate check for backslashes in the setcharset()
+ function.
- The removed names also appear as:
- Andrés García, François Charlier, Gökhan Şengün, Michał Górny, Sébastien
- Willemijns, Christopher Conroy, John E. Malmberg, Luca Altea, Peter Su,
- S. Moonesamy, Samuel Listopad, Yasuharu Yamada, Karl Moerder
+ Coverity CID 1420611
-Steve Holme (5 Nov 2014)
-- sspi: Define authentication package name constants
+- url: remove unncessary NULL-check
- These were previously hard coded, and whilst defined in security.h,
- they may or may not be present in old header files given that these
- defines were never used in the original code.
+ Since 'conn' won't be NULL in there and we also access the pointer in
+ there without the check.
- Not only that, but there appears to be some ambiguity between the ANSI
- and UNICODE NTLM definition name in security.h.
+ Coverity CID 1420610
-Patrick Monnerat (5 Nov 2014)
-- Adjust OS400-specific support to last release
+Viktor Szakats (6 Nov 2017)
+- src/Makefile.m32: fix typo in brotli lib customization
+
+ Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31
-Daniel Stenberg (5 Nov 2014)
-- THANKS: added two missing names and removed a duplicate
+- Makefile.m32: allow to customize brotli libs
- ./contributors.sh found these extra ones that somehow had fallen
- through the cracks and never gotten added here.
+ It adds the ability to link against static brotli libs.
- Reported-by: Frank Gevaerts
-
-- bump: towards next release
+ Also fix brotli include path.
-- THANKS: added names from 7.39.0 release notes
+Patrick Monnerat (5 Nov 2017)
+- travis: add a job with brotli enabled
-Version 7.39.0 (5 Nov 2014)
+- [Viktor Szakats brought this change]
-Daniel Stenberg (5 Nov 2014)
-- RELEASE-NOTES: 7.39.0 release (commit b3875606925)
+ Makefile.m32: add brotli support
-- curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
+- HTTP: implement Brotli content encoding
- When duplicating a handle, the data to post was duplicated using
- strdup() when it could be binary and contain zeroes and it was not even
- zero terminated! This caused read out of bounds crashes/segfaults.
+ This uses the brotli external library (https://github.com/google/brotli).
+ Brotli becomes a feature: additional curl_version_info() bit and
+ structure fields are provided for it and CURLVERSION_NOW bumped.
- Since the lib/strdup.c file no longer is easily shared with the curl
- tool with this change, it now uses its own version instead.
+ Tests 314 and 315 check Brotli content unencoding with correct and
+ erroneous data.
- Bug: http://curl.haxx.se/docs/adv_20141105.html
- CVE: CVE-2014-3707
- Reported-By: Symeon Paraschoudis
+ Some tests are updated to accomodate with the now configuration dependent
+ parameters of the Accept-Encoding header.
-- lib544.c: use duphandle for test 545
+- HTTP: support multiple Content-Encodings
- To verify that curl_easy_duphandle() works fine on a handle that has
- gotten data stored with *_COPYPOSTFIELDS.
-
-- tests: add new feature 'SSLpinning'
+ This is implemented as an output streaming stack of unencoders, the last
+ calling the client write procedure.
- ... and make test 2034 and 2035 require it, and have it set when built
- with OpenSSL or GnuTLS.
-
-- buildconf: update copyright year
-
-Steve Holme (4 Nov 2014)
-- INSTALL: Consistent spacing in section headings, paragraphs and examples
-
-Daniel Stenberg (4 Nov 2014)
-- buildconf: stop checking for libtool
+ New test 230 checks this feature.
- As we only use libtoolize, only check for that!
+ Bug: https://github.com/curl/curl/pull/2002
+ Reported-By: Daniel Bankhead
-Steve Holme (4 Nov 2014)
-- INSTALL: Corrected MIT Kerberos and Heimdal package names
-
-- README: Corrected inconsistent use of --help
-
-- INSTALL: Use GSS-API rather than GSSAPI
+Jay Satiro (4 Nov 2017)
+- url: remove arg value check from CURLOPT_SSH_AUTH_TYPES
- As implementations are refereed to GSS-API libraries as per the RFC and
- GSSAPI typically refers to the SASL authentication mechanism.
+ Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value
+ check on this option is incorrect; we have to accept any value.
- ...and minor rewording on the same paragraph.
-
-- README: Added note about using Visual Studio projects out of git repository
-
-Daniel Stenberg (4 Nov 2014)
-- [K. R. Walker brought this change]
+ Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES
+ erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT.
+
+ Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120
- cmake: fix ZLIB_INCLUDE_DIRS use
+Daniel Stenberg (4 Nov 2017)
+- ntlm: avoid malloc(0) for zero length passwords
- CMake 2.8's FindZLIB.cmake documents ZLIB_INCLUDE_DIRS, see
- http://www.cmake.org/cmake/help/v2.8.0/cmake.html#module:FindZLIB
+ It triggers an assert() when built with memdebug since malloc(0) may
+ return NULL *or* a valid pointer.
- Bug: https://github.com/bagder/curl/pull/123
-
-- [Jay Satiro brought this change]
-
- SSL: PolarSSL default min SSL version TLS 1.0
+ Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054
- - Prior to this change no SSL minimum version was set by default at
- runtime for PolarSSL. Therefore in most cases PolarSSL would probably
- have defaulted to a minimum version of SSLv3 which is no longer secure.
+ Assisted-by: Max Dymond
+ Closes #2054
-- opts-Makefile: put more man pages into dist and make hmtl+pdf
+- RELEASE-NOTES: synced with ee8016b3d
-- curl_multi_setopt.3: refer to stand-alone pages
+- curl: speed up handling of many URLs
- ... instead of duplicating info.
-
-- opts: more multi options as stand-alone man pages
-
-- Makefile.am: two cmake files are gone
+ By properly keeping track of the last entry in the list of URLs/uploads
+ to handle, curl now avoids many meaningless traverses of the list which
+ speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K
+ URLs).
- 8cb010144 removed the CurlCheckCSourceCompiles.cmake and
- CurlCheckCSourceRuns.cmake files
+ Added test 1291, to verify that it doesn't take ages - but we don't have
+ any detection of "too slow" command in the test suite.
+
+ Reported-by: arainchik on github
+ Fixes #1959
+ Closes #2052
-- opts: made stand-alone man-pages for several multi options
+- curl: pass through [] in URLs instead of calling globbing error
+
+ Assisted-by: Per Lundberg
+ Fixes #2044
+ Closes #2046
+ Closes #2048
-- [Carlo Wood brought this change]
+- CURLOPT_INFILESIZE: accept -1
+
+ Regression since f121575
+
+ Reported-by: Petr Voytsik
+ Fixes #2047
- Curl_single_getsock: fix hold/pause sock handling
+Jay Satiro (2 Nov 2017)
+- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
- The previous condition that checked if the socket was marked as readable
- when also adding a writable one, was incorrect and didn't take the pause
- bits properly into account.
+ Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT
+ erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT.
-- [Peter Wu brought this change]
+Dan Fandrich (1 Nov 2017)
+- http2: Fixed OOM handling in upgrade request
+
+ This caused the torture tests on test 1800 to fail.
- cmake: fix struct sockaddr_storage check
+- tests: Fixed torture tests on tests 556 and 650
- CHECK_TYPE_SIZE_PREINCLUDE is an internal, undocumented variable which
- was removed in cmake 2.8.1. According to the MSDN docs[1], inclusion
- of winsock2.h is sufficient. WIN32_LEAN_AND_MEAN does not really seem
- to affect the tests, so remove it too[2].
+ Test cleanup after OOM wasn't being consistently performed.
+
+Daniel Stenberg (1 Nov 2017)
+- CURLOPT_MAXREDIRS: allow -1 as a value
- For the non-windows case, remove inet headers as POSIX only requires
- sys/socket.h.
+ ... which is valid according to documentation. Regression since
+ f121575c0b5f.
- [1]: http://msdn.microsoft.com/en-us/library/windows/desktop/ms740504%28v=vs.85%29.aspx
- [2]: http://stackoverflow.com/questions/11040133/what-does-defining-win32-lean-and-mean-exclude-exactly
+ Verified now in test 501.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Reported-by: cbartl on github
+ Fixes #2038
+ Closes #2039
-- [Peter Wu brought this change]
+- include: remove conncache.h inclusion from where its not needed
- cmake: clean OtherTests, fixing -Werror
+Jay Satiro (1 Nov 2017)
+- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
- There were several -Wunused warnings and one duplicate macro definition.
- The EXTRA_DEFINES variable of the CurlCheckCSources macro was being
- abused ("__unused1\n#undef inline\n#define __unused2", seriously?) to
- insert extra C code. Avoid this broken abstraction and use cmake's
- check_c_source_compiles directly (works fine with CMake 2.8, maybe
- even cmake 2.6).
+ .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE.
- After cleaning up all related variables (EXTRA_DEFINES,
- HEADER_INCLUDES, auxiliary headers_hack), also remove a duplicate
- add_headers_include macro and remove duplicate header additions before
- the struct timeval check.
+ Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE
+ erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT.
- Oh, and now the code is converted to use CheckCSourceRuns and
- CheckCSourceCompiles, the two curl-specific helpers can be removed.
- Unfortunately, the cmake output is now slightly more verbose. Before:
-
- Performing Test int send(int, const void *, size_t, int) (curl_cv_func_send_test)
- Performing Test int send(int, const void *, size_t, int) (curl_cv_func_send_test) - Failed
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html
+ Reported-by: Andrew Lambert
+
+Daniel Stenberg (31 Oct 2017)
+- cookie: avoid NULL dereference
- Since check_c_source_compiles prints the varname, now you see:
+ ... when expiring old cookies.
- Performing Test curl_cv_func_send_test
- Performing Test curl_cv_func_send_test - Failed
- Tested: int send(int, const void *, size_t, int)
+ Reported-by: Pavel Gushchin
+ Fixes #2032
+ Closes #2035
+
+Marcel Raad (30 Oct 2017)
+- memdebug: use send/recv signature for curl_dosend/curl_dorecv
- Compared cmake output with each other using vimdiff, no functional
- differences were found. Tested with GCC 4.9.1 and Clang 3.5.0.
+ This avoids build errors and warnings caused by implicit casts.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes https://github.com/curl/curl/pull/2031
-- [Peter Wu brought this change]
+Daniel Stenberg (30 Oct 2017)
+- [Juro Bystricky brought this change]
- cmake: fix gethostby{addr,name}_r in CurlTests
-
- This patch cleans up the automatically-generated (?) code and fixes one
- case that will always fail due to syntax error.
+ mkhelp.pl: support reproducible build
- HAVE_GETHOSTBYADDR_R_5_REENTRANT always failed because of a trailing
- character ("int length;q"). Several parameter type and unused variable
- warnings popped up. This causes a detection failure with -Werror.
+ Do not generate line with the current date, such as:
- Observe that the REENTRANT cases are exactly the same as their
- non-REENTRANT cases except for a `_REENTRANT` macro definition.
- Merge all these pieces and build one big main function with different
- cases, but reusing variables where logical.
+ * Generation time: Tue Oct-24 18:01:41 2017
- For the cases where the parameters where NULL, I looked at
- lib/hostip4.c to get an idea of the parameters types.
+ This will improve reproducibility. The generated string is only
+ part of a comment, so there should be no adverse consequences.
- void-cast variables such as 'rc' to avoid -Wuninitialized errors.
+ Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ closes #2026
-- [Peter Wu brought this change]
+Dan Fandrich (30 Oct 2017)
+- runtests.pl: Fixed typo in message
- cmake: drop _BSD_SOURCE macro usage
+Daniel Stenberg (30 Oct 2017)
+- curlx: the timeval functions are no longer provided as curlx_*
- autotools does not use features.h nor _BSD_SOURCE. As this macro
- triggers warnings since glibc 2.20, remove it. It should not have
- functional differences.
-
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Pointed-out-by: Dmitri Tikhonov
+ Bug: #2034
-Steve Holme (2 Nov 2014)
-- RELEASE-NOTES: Synced with d71ea7c01e
+- select: update comments
- Additionally, updated "GSSAPI" to "GSS-API" for a Cmake related change
- as GSSAPI can be confused with the authentication mechanism rather than
- a GSS-API implementation library such as MIT or Heimdal.
+ s/curlx_tvnow/Curl_now
-- build: Added WinIDN build configuration options
-
- Added support for WinIDN build configurations to the VC6 project files.
+- INTERNALS: remove curlx_tv* functions no longer provided
-- build: Added WinIDN build configuration options
-
- Added support for WinIDN build configurations to the VC7 and VC7.1
- project files.
+- [Dmitri Tikhonov brought this change]
-- build: Fixed the pre-processor separator in Visual Studio project files
-
- A left over from the VC6 project files, so mainly cosmetic in Visual
- Studio .NET as it can handle both comma and semi-colon characters for
- separating multiple pre-processor definitions.
+ timeval: use mach time on MacOS
- However, the IDE uses semi-colons if the value is edited, and as such,
- this may cause problems in future for anyone updating the files or
- merging patches.
+ If clock_gettime() is not supported, use mach_absolute_time() on MacOS.
- Used the Visual Studio IDE to correct the separator character.
+ closes #2033
-- build: Added optional specific version generation of VC project files
-
- ..when working from the git repository. This is particularly useful
- for single development environments where the project files for all
- supported versions of Visual Studio may not be required.
+monnerat (29 Oct 2017)
+- [Patrick Monnerat brought this change]
-- [Jay Satiro brought this change]
+ cli tool: improve ";type=" handling in -F option arguments
- build-openssl.bat: Fix x64 release build
+- [Patrick Monnerat brought this change]
+
+ cli tool: in -F option arg, comma is a delimiter for files only
+
+ Also upgrade test 1133 to cover this case and clarify man page about
+ form data quoting.
- Prior to this change if x64 release was specified a failed attempt was
- made to build x86 release instead.
+ Bug: https://github.com/curl/curl/issues/2022
+ Reported-By: omau on github
-- CURLOPT_XOAUTH2_BEARER.3: Corrected the OAuth version number
+Daniel Stenberg (29 Oct 2017)
+- timeleft: made two more users of Curl_timeleft use timediff_t
-- CURLOPT_SASL_IR.3: Added supported mechanism information
+Jakub Zakrzewski (28 Oct 2017)
+- cmake: Export libcurl and curl targets to use by other cmake projects
- ...and removed duplication of what protocols are supported from the
- description text.
+ The config files define curl and libcurl targets as imported targets
+ CURL::curl and CURL::libcurl. For backward compatibility with CMake-
+ provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are
+ also set.
+
+ Closes #1879
+
+Daniel Stenberg (28 Oct 2017)
+- RELEASE-NOTES: synced with f20cbac97
-- opts: Use common wording for MAIL related names
+- [Florin Petriuc brought this change]
-- opts: Use common wording for TLS user/password option names
+ auth: Added test cases for RFC7616
+
+ Updated docs to include support for RFC7616
+
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
- ...and revised the proxy wording a little as well.
+ Closes #1934
-- CURLOPT_MAXCONNECTS.3: Reworked the description to be less confusing
+- [Florin Petriuc brought this change]
+
+ auth: add support for RFC7616 - HTTP Digest access authentication
- ...and corrected a related typo in curl_easy_setopt.3.
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
-Guenter Knauf (2 Nov 2014)
-- RELEASE-NOTES: removed obsolete entry; fixed entry.
+- [Daniel Bankhead brought this change]
-Steve Holme (2 Nov 2014)
-- RELEASE-NOTES: Synced with e7da67f5d3
+ TODO: support multiple Content-Encodings
+
+ Closes #2002
-- docs: Added mention of Kerberos for CURL_VERSION_SSPI
+- ROADMAP: cleanup
- As this has been present for SOCKSv5 proxy since v7.19.4 and for IMAP,
- POP3 and SMTP authentication since v7.38.0.
+ Removed done stuff. Removed entries no longer considered for the near
+ term.
-- CURL_VERSION_KERBEROS4: Mark as deprecated
+- [Magicansk brought this change]
+
+ ROADMAP.md: spelling fixes
- Support for Kerberos V4 was removed in v7.33.0.
+ Closes #2028
-- sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
+- Curl_timeleft: change return type to timediff_t
- Typically the USE_WINDOWS_SSPI definition would not be used when the
- CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build
- configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication
- data structures and functions would incorrectly be used when they
- shouldn't be.
+ returning 'time_t' is problematic when that type is unsigned and we
+ return values less than zero to signal "already expired", used in
+ several places in the code.
- Introduced a new USE_KRB5 definition that takes into account the use of
- CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do.
+ Closes #2021
-- openssl: Use 'CURLcode result'
-
- More CURLcode fixes.
+- appveyor: add a win32 build
-Daniel Stenberg (1 Nov 2014)
-- resume: consider a resume from [content-length] to be OK
+- setopt: fix CURLOPT_SSH_AUTH_TYPES option read
- Basically since servers often then don't respond well to this and
- instead send the full contents and then libcurl would instead error out
- with the assumption that the server doesn't support resume. As the data
- is then already transfered, this is now considered fine.
+ Regression since f121575c0b5f
- Test case 1434 added to verify this. Test case 1042 slightly modified.
-
- Reported-by: hugo
- Bug: http://curl.haxx.se/bug/view.cgi?id=1443
+ Reported-by: Rob Cotrone
-Steve Holme (1 Nov 2014)
-- openssl: Use 'CURLcode result'
+Marcel Raad (27 Oct 2017)
+- resolvers: only include anything if needed
+
+ This avoids warnings about unused stuff.
- More standardisation of CURLcode usage and coding style.
+ Closes https://github.com/curl/curl/pull/2023
-- openssl: Use 'CURLcode result'
+Daniel Stenberg (27 Oct 2017)
+- HELP-US: rename the subtitle too since the label is changed
- ...and some minor code style changes.
+ "PR-welcome" was the former name.
-- ftplistparser: We prefer 'CURLcode result'
+- curl_setup.h: oops, shorten the too long line
-- opts: Use common wording for user/password option names
+- [Martin Storsjo brought this change]
-- CURLOPT_CONNECT_ONLY.3: Removed "This option is implemented for..." text
+ curl_setup: Improve detection of CURL_WINDOWS_APP
- As this is covered by the PROTOCOLS section and saves having to update
- two parts of the document with the same information in future.
-
-- CURLOPT_GSSAPI_DELEGATION.3: Use GSS-API rather than GSSAPI
+ If WINAPI_FAMILY is defined, it should be safe to try to include
+ winapifamily.h to check what the define evaluates to.
- As implementations are refereed to GSS-API libraries as per the RFC and
- GSSAPI typically refers to an authentication mechanism.
-
-- CURLOPT_CONNECT_ONLY.3: Fixed incomplete protocol list
+ This should fix detection of CURL_WINDOWS_APP if building with
+ _WIN32_WINNT set to 0x0600.
- Added missing IMAP to the protocol list.
+ Closes #2025
-- code cleanup: Use 'CURLcode result'
-
-- curl_easy_setopt.3: Fixed lots of typos
+Jay Satiro (26 Oct 2017)
+- transfer: Fix chunked-encoding upload bug
+
+ - When uploading via chunked-encoding don't compare file size to bytes
+ sent to determine whether the upload has finished.
+
+ Chunked-encoding adds its own overhead which why the bytes sent is not
+ equal to the file size. Prior to this change if a file was uploaded in
+ chunked-encoding and its size was known it was possible that the upload
+ could end prematurely without sending the final few chunks. That would
+ result in a server hang waiting for the remaining data, likely followed
+ by a disconnect.
+
+ The scope of this bug is limited to some arbitrary file sizes which have
+ not been determined. One size that triggers the bug is 475020.
+
+ Bug: https://github.com/curl/curl/issues/2001
+ Reported-by: moohoorama@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/2010
-- curl_easy_setopt.3: Moved CURLOPT_DIRLISTONLY into PROTOCOL OPTIONS
+Daniel Stenberg (26 Oct 2017)
+- timeval: make timediff_t also work on 32bit windows
- ...as this option affects more that just FTP.
+ ... by using curl_off_t for the typedef if time_t is larger than 4
+ bytes.
+
+ Reported-by: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co
+ mmitcomment-25205058
+ Closes #2019
-Guenter Knauf (30 Oct 2014)
-- build: added Watcom support to build with WinSSL.
+- curl_fnmatch: return error on illegal wildcard pattern
+
+ ... instead of doing an infinite loop!
+
+ Added test 1162 to verify.
+
+ Reported-by: Max Dymond
+ Fixes #2015
+ Closes #2017
-Daniel Stenberg (30 Oct 2014)
-- CURLOPT_PINNEDPUBLICKEY.3: added details
+- [Max Dymond brought this change]
-Steve Holme (30 Oct 2014)
-- CURLOPT_CUSTOMREQUEST.3: Fixed incomplete protocol list
+ wildcards: don't use with non-supported protocols
+
+ Fixes timeouts in the fuzzing tests for non-FTP protocols.
- Whilst the description included information about SMTP, the protocol
- list only showed "TTP, FTP, IMAP, POP3".
+ Closes #2016
-- CURLOPT_DIRLISTONLY.3: Added information about the usage in POP3
+- [Max Dymond brought this change]
-Daniel Stenberg (29 Oct 2014)
-- openssl: enable NPN separately from ALPN
+ multi: allow table handle sizes to be overridden
- ... and allow building with nghttp2 but completely without NPN and ALPN,
- as nghttp2 can still be used for plain-text HTTP.
+ Allow users to specify their own hash define for
+ CURL_CONNECTION_HASH_SIZE so that both values can be overridden.
- Reported-by: Lucas Pardue
+ Closes #1982
-- configure.ac: remove checks for OpenSSL NPN/ALPN funcs again
+- time: rename Curl_tvnow to Curl_now
- ... since the conditional in the code are now based on OpenSSL versions
- instead to better support non-configure builds.
+ ... since the 'tv' stood for timeval and this function does not return a
+ timeval struct anymore.
+
+ Also, cleaned up the Curl_timediff*() functions to avoid typecasts and
+ clean up the descriptive comments.
+
+ Closes #2011
-- opts: added some "SEE ALSO" references
+- ftplistparser: follow-up cleanup to remove PL_ERROR()
-Steve Holme (29 Oct 2014)
-- RELEASE-NOTES: Synced with 32913182dc
+- [Max Dymond brought this change]
-- vtls.c: Fixed compilation warning
+ ftplistparser: free off temporary memory always
- conversion from 'size_t' to 'unsigned int', possible loss of data
-
-- sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure
+ When using the FTP list parser, ensure that the memory that's
+ allocated is always freed.
- Return a more appropriate error, rather than CURLE_OUT_OF_MEMORY when
- acquiring the credentials handle fails. This is then consistent with
- the code prior to commit f7e24683c4 when log-in credentials were empty.
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682
+ Closes #2013
-- sasl_sspi: Allow DIGEST-MD5 to use current windows credentials
+- timediff: return timediff_t from the time diff functions
- Fixed the ability to use the current log-in credentials with DIGEST-MD5.
- I had previously disabled this functionality in commit 607883f13c as I
- couldn't get this to work under Windows 8, however, from testing HTTP
- Digest authentication through Windows SSPI and then further testing of
- this code I have found it works in Windows 7.
+ ... to cater for systems with unsigned time_t variables.
- Some further investigation is required to see what the differences are
- between Windows 7 and 8, but for now enable this functionality as the
- code will return an error when AcquireCredentialsHandle() fails.
-
-Kamil Dudka (29 Oct 2014)
-- transfer: drop the code handling the ssl_connect_retry flag
+ - Renamed the functions to curlx_timediff and Curl_timediff_us.
- Its last use has been removed by the previous commit.
-
-- nss: drop the code for libcurl-level downgrade to SSLv3
+ - Added overflow protection for both of them in either direction for
+ both 32 bit and 64 bit time_ts
+
+ - Reprefixed the curlx_time functions to use Curl_*
- This code was already deactivated by commit
- ec783dc142129d3860e542b443caaa78a6172d56.
+ Reported-by: Peter Piekarski
+ Fixes #2004
+ Closes #2005
-- openssl: fix a line length warning
+- [Paul Howarth brought this change]
-Guenter Knauf (29 Oct 2014)
-- Added NetWare support to build with nghttp2.
+ libtest: Add required test libraries for lib1552 and lib1553
+
+ They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too.
+
+ This fixes build failures on Fedora 13.
+
+ Closes #2006
-- Fixed error message since we require ALPN support.
+- [Alessandro Ghedini brought this change]
-- Check for ALPN via OpenSSL version number.
+ libcurl-tutorial.3: fix typo
- This check works also with to non-configure platforms.
-
-Steve Holme (28 Oct 2014)
-- sasl_sspi: Fixed typo in comment
+ closes #2008
-- code cleanup: We prefer 'CURLcode result'
+Alessandro Ghedini (23 Oct 2017)
+- curl_mime_filedata.3: fix typos
-Daniel Stenberg (28 Oct 2014)
-- TODO: consider supporting STAT
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: clean slate towards 7.57.0
-- mk-ca-bundle: spell fix "version"
+- [Max Dymond brought this change]
-- HTTP: return larger than 3 digit response codes too
+ travis: exit if any steps fail
- HTTP 1.1 is clearly specified to only allow three digit response codes,
- and libcurl used sscanf("%3d") for that purpose. This made libcurl
- support smaller numbers but not larger. It does now, but we will not
- make any specific promises nor document this further since it is going
- outside of what HTTP is.
+ We don't expect any steps to fail in travis. Exit the script if they do.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1441
- Reported-by: Balaji
+ Closes #1966
-- src/: remove version.h.dist from gitignore
-
- It has not been used since commit f7bfdbab in 2011
+Version 7.56.1 (23 Oct 2017)
-Steve Holme (26 Oct 2014)
-- ntlm: We prefer 'CURLcode result'
-
- Continuing commit 0eb3d15ccb more return code variable name changes.
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: 7.56.1
-Guenter Knauf (26 Oct 2014)
-- Cosmetics: lowercase non-special subroutine names.
+- THANKS: update at 7.56.1 release time
-Steve Holme (26 Oct 2014)
-- RELEASE-NOTES: Synced with 07ac29a058
+- [Jon DeVree brought this change]
-- http_negotiate: We prefer 'CURLcode result'
+ mk-ca-bundle: Remove URL for aurora
- Continuing commit 0eb3d15ccb more return code variable name changes.
+ Aurora is no longer used by Mozilla
+ https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/
-- http_negotiate: Fixed missing check for USE_SPNEGO
+- [Jon DeVree brought this change]
-- sspi: Synchronization of cleanup code between auth mechanisms
-
-- sspi: Renamed max token length variables
+ mk-ca-bundle: Fix URL for NSS
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
-
-- sspi: Renamed expiry time stamp variables
+ The 'tip' is the most recent branch committed to, this should be
+ 'default' like the URLs for the browser are.
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
+ Closes #1998
-- sspi: Only call CompleteAuthToken() when complete is needed
+- imap: if a FETCH response has no size, don't call write callback
- Don't call CompleteAuthToken() after InitializeSecurityContext() has
- returned SEC_I_CONTINUE_NEEDED as this return code only indicates the
- function should be called again after receiving a response back from
- the server.
+ CVE-2017-1000257
- This only affected the Digest and NTLM authentication code.
+ Reported-by: Brian Carpenter and 0xd34db347
+ Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
-Dan Fandrich (26 Oct 2014)
-- Added the "flaky" keyword to a number of tests
+- ftp: reject illegal IP/port in PASV 227 response
- Each shows evidence of flakiness on at least one platform on
- the autobuilds. Users can use this keyword to skip these tests
- if desired.
-
-Steve Holme (26 Oct 2014)
-- ntlm: Return all errors from Curl_ntlm_core_mk_nt_hash()
+ ... by using range checks. Among other things, this avoids an undefined
+ behavior for a left shift that could happen on negative or very large
+ values.
- For consistency with other areas of the NTLM code propagate all errors
- from Curl_ntlm_core_mk_nt_hash() up the call stack rather than just
- CURLE_OUT_OF_MEMORY.
-
-- ntlm: Return CURLcode from Curl_ntlm_core_mk_lm_hash()
-
-- ntlm: Use 'CURLcode result'
+ Closes #1997
- Continuing commit 0eb3d15ccb more return code variable name changes.
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
-- ntlm: Only define ntlm data structure when USE_NTLM is defined
-
-- ntlm: Changed handles to be dynamic like other SSPI handles
+Patrick Monnerat (20 Oct 2017)
+- test653: check reuse of easy handle after mime data change
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
+ See issue #1999
-- ntlm: Renamed handle variables to match other SSPI structures
+- mime: do not reuse previously computed multipart size
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
-
-- ntlm: Renamed SSPI based input token variables
+ The contents might have changed: size must be recomputed.
- Code cleanup to try and synchronise code between the different SSPI
- based authentication mechanisms.
+ Reported-by: moteus on github
+ Fixes #1999
-- ntlm: We prefer 'CURLcode result'
+- test308: disable if MultiSSL feature enabled
- Continuing commit 0eb3d15ccb more return code variable name changes.
+ Even if OpenSSL is enabled, it might not be the default backend when
+ multi-ssl is enabled, causing the test to fail.
-- build: Added WinIDN build configuration options
-
- Added support for WinIDN build configurations to the VC8 and VC9
- project files.
+- runtests: support MultiSSL client feature
-Nick Zitzmann (24 Oct 2014)
-- darwinssl: detect possible future removal of SSLv3 from the framework
+- vtls: change struct Curl_ssl `close' field name to `close_one'.
- If Apple ever drops SSLv3 support from the Security framework, we'll fail with an error if the user insists on using SSLv3.
-
-Patrick Monnerat (24 Oct 2014)
-- gskit.c: remove SSLv3 from SSL default.
+ On OS/400, `close' is an ASCII system macro that corrupts the code if
+ not used in a context not targetting the close() system API.
-- gskit.c: use 'CURLcode result'
-
-Daniel Stenberg (24 Oct 2014)
-- [Jay Satiro brought this change]
-
- SSL: Remove SSLv3 from SSL default due to POODLE attack
-
- - Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss,
- openssl effectively making the default TLS 1.x. axTLS is not affected
- since it supports only TLS, and gnutls is not affected since it already
- defaults to TLS 1.x.
+- os400: add missing symbols in config file.
- - Update CURLOPT_SSLVERSION doc
+ Also adjust makefile to renamed files and warn about installation dirs mix-up.
-- pipelining: only output "is not blacklisted" in debug builds
+- test652: curl_mime_data + base64 encoder with large contents
-- *.3: add/extend "SEE ALSO" sections
+- mime: limit bas64-encoded lines length to 76 characters
-- curl_easy_pause.3: minor wording edit
+Daniel Stenberg (16 Oct 2017)
+- RELEASE-NOTES: synced with f121575c0
-- curl_getdate.3: provide a "SEE ALSO" section
-
-- curl_global_init.3: minor formatting fix, add version info
-
-- url.c: use 'CURLcode result'
+- setopt: range check most long options
+
+ ... filter early instead of risking "funny values" having to be dealt
+ with elsewhere.
-- code cleanup: we prefer 'CURLcode result'
+- setopt: avoid integer overflows when setting millsecond values
+
+ ... that are multiplied by 1000 when stored.
- ... for the local variable name in functions holding the return
- code. Using the same name universally makes code easier to read and
- follow.
+ For 32 bit long systems, the max value accepted (2147483 seconds) is >
+ 596 hours which is unlikely to ever be set by a legitimate application -
+ and previously it didn't work either, it just caused undefined behavior.
- Also, unify code for checking for CURLcode errors with:
+ Also updated the man pages for these timeout options to mention the
+ return code.
- if(result) or if(!result)
+ Closes #1938
+
+Viktor Szakats (15 Oct 2017)
+- makefile.m32: allow to override gcc, ar and ranlib
+
+ Allow to ovverride certain build tools, making it possible to
+ use LLVM/Clang to build curl. The default behavior is unchanged.
+ To build with clang (as offered by MSYS2), these settings can
+ be used:
- instead of
+ CURL_CC=clang
+ CURL_AR=llvm-ar
+ CURL_RANLIB=llvm-ranlib
- if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
+ Closes https://github.com/curl/curl/pull/1993
-- Curl_add_timecondition: skip superfluous varible assignment
+- ldap: silence clang warning
- Detected by cppcheck.
+ Use memset() to initialize a structure to avoid LLVM/Clang warning:
+ ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]
+
+ Closes https://github.com/curl/curl/pull/1992
-- Curl_pp_flushsend: skip superfluous assignment
+Daniel Stenberg (14 Oct 2017)
+- runtests: use valgrind for torture as well
- Detected by cppcheck.
+ NOTE: it makes them terribly slow. I recommend only using valgrind for
+ specific torture tests or using lots of patience.
-- Curl_pp_readresp: remove superfluous assignment
+- memdebug: trace send, recv and socket
- Variable already assigned a few lines up.
+ ... to allow them to be included in torture tests too.
- Detected by cppcheck.
+ closes #1980
-- Curl_proxyCONNECT: remove superfluous statement
+- configure: remove the C++ compiler check
- The variable is already assigned, skip the duplicate assignment.
+ ... we used it only for the fuzzer, which we now have in a separate git
+ repo.
- Pointed out by cppcheck.
-
-Guenter Knauf (24 Oct 2014)
-- Added MinGW support to build with nghttp2.
+ Closes #1990
-- Added VC ssh2 target to main Makefile.
+Patrick Monnerat (13 Oct 2017)
+- mime: do not call failf() if easy handle is NULL.
-- Some cosmetics and simplifies.
+Daniel Stenberg (13 Oct 2017)
+- test651: curl_formadd with huge COPYCONTENTS
-- Remove dependency on openssl and cut.
+- mime: fix the content reader to handle >16K data properly
- Prefer usage of Perl modules for sha1 calculation since there
- might be systems where openssl is not installed or not in path.
- If openssl is used for sha1 calculation then dont rely on cut
- since it is usually not available on other systems than Linux.
+ Reported-by: Jeroen Ooms
+ Closes #1988
-Daniel Stenberg (23 Oct 2014)
-- RELEASE-NOTES: synced with e116d0a62
-
-- CURLOPT_RESOLVE.3: add an example
+Patrick Monnerat (12 Oct 2017)
+- mime: keep "text/plain" content type if user-specified.
+
+ Include test cases in 554, 587, 650.
+
+ Fixes https://github.com/curl/curl/issues/1986
-- gnutls: removed dead code
+- cli tool: use file2memory() to buffer stdin in -F option.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1437
- Reported-by: Julien
+ Closes PR https://github.com/curl/curl/pull/1985
-- Curl_rand: Uninitialized variable: r
+- cli tool: reimplement stdin buffering in -F option.
- This is not actually used uninitialized but we silence warnings.
+ If stdin is not a regular file, its content is memory-buffered to enable
+ a possible data "rewind".
+ In all cases, stdin data size is determined before real use to avoid
+ having an unknown part's size.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1437
- Reported-by: Julien
-
-- opts: provide more and updated examples
-
-- CURLOPT_RANGE.3: works for SFTP as well
+ --libcurl generated code is left as an unbuffered stdin fread/fseek callback
+ part with unknown data size.
- ... and added a small example
-
-- curl.1: edited for clarity
-
-- CURLOPT_SSLVERSION.3: provide an example
-
-- docs/libcurl/ABI: more markdown friendly
+ Buffering is not supported in deprecated curl_formadd() API.
-- docs: edited lots of libcurl docs for clarity
+Daniel Stenberg (12 Oct 2017)
+- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
-- opts: added examples
-
-- HISTORY: two glimpses in 2014
-
-Kamil Dudka (20 Oct 2014)
-- nss: reset SSL handshake state machine
+- HELP-US: the label "PR-welcome" is now renamed to "help wanted"
- ... when the handshake succeeds
-
- This fixes a connection failure when FTPS handle is reused.
+ following the new github "standard"
+
+- RELEASE-NOTES: synced with 5505df7d2
-Daniel Stenberg (20 Oct 2014)
-- [Peter Wu brought this change]
+Jay Satiro (11 Oct 2017)
+- [Artak Galoyan brought this change]
- cmake: generate pkg-config and curl-config
+ url: Update current connection SSL verify params in setopt
- Initial work to generate a pkg-config and curl-config script. Static
- linking (`curl-config --static-libs` and `pkg-config --shared --libs
- libcurl`) is broken and therefore disabled.
+ Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
+ connection updates the current connection's (i.e.'connectdata'
+ structure) appropriate ssl_config (and ssl_proxy_config) structures
+ variables, making these options effective for ongoing connection.
- CONFIGURE_OPTIONS does not make sense for CMake, use an empty string
- for now.
+ This functionality was available before and was broken by the
+ following change:
+ "proxy: Support HTTPS proxy and SOCKS+HTTP(s)"
+ CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151.
- At least `curl-config --features` and `curl-config --protocols` work
- which is needed by runtests.pl.
+ Bug: https://github.com/curl/curl/issues/1941
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes https://github.com/curl/curl/pull/1951
-- [Peter Wu brought this change]
+Daniel Stenberg (11 Oct 2017)
+- [David Benjamin brought this change]
- cmake: use LIBCURL_VERSION from curlver.h
+ openssl: don't use old BORINGSSL_YYYYMM macros
- This matches the behavior from autotools. The auxiliary major, minor
- and patch components are not needed anymore and therefore removed.
+ Those were temporary things we'd add and remove for our own convenience
+ long ago. The last few stayed around for too long as an oversight but
+ have since been removed. These days we have a running
+ BORINGSSL_API_VERSION counter which is bumped when we find it
+ convenient, but 2015-11-19 was quite some time ago, so just check
+ OPENSSL_IS_BORINGSSL.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #1979
-- [Peter Wu brought this change]
+- test950; verify SMTP with custom request
- cmake: add SUPPORT_FEATURES and SUPPORT_PROTOCOLS
+- ftpserver: support case insensitive commands
+
+- smtp_done: free data before returning (on send failure)
- For compatibility with autoconf, it will be used later for curl-config
- and pkg-config. Not all features and or protocols can be enabled as
- these are missing additional checks (see new TODOs).
+ ... as otherwise it could leak that memory.
- SUPPORT_PROTOCOLS is partially scripted (grep for SUPPORT_PROTOCOLS=)
- and manually verified/modified. SUPPORT_FEATURES is manually added.
+ Detected by OSS-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- cmake: add CMake/Macros.cmake to the release tarball
+ Assisted-by: Max Dymond
+ Closes #1977
-- test545: make it not use a trailing zero
+- FTP: URL decode path for dir listing in nocwd mode
- CURLOPT_COPYPOSTFIELDS with a given CURLOPT_POSTFIELDSIZE does not
- require a trailing zero of the data and by making sure this test doesn't
- use one we know it works (combined with valgrind).
+ Reported-by: Zenju on github
+
+ Test 244 added to verify
+ Fixes #1974
+ Closes #1976
-Steve Holme (16 Oct 2014)
-- ntlm: Fixed empty type-2 decoded message info text
+- test298: verify --ftp-method nowcwd with URL encoded path
- Updated the info text when the base-64 decode of the type-2 message
- returns a null buffer to be more specific.
+ Ref: #1974
+
+- CURLOPT_XFERINFODATA.3: fix duplicate see also
-- ntlm: Fixed empty/bad base-64 decoded buffer return codes
+- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
-- ntlm: Avoid unnecessary buffer allocation for SSPI based type-2 token
+- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
-Daniel Stenberg (16 Oct 2014)
-- httpcustomheader.c: make use of more CURLOPT_HTTPHEADER features
+- openssl: enable PKCS12 support for !BoringSSL
- ... and only do a single request for clarity.
+ Enable PKCS12 for all non-boringssl builds without relying on configure
+ or cmake checks.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html
+ Reported-by: Christian Schmitz
+ Closes #1948
-Steve Holme (15 Oct 2014)
-- sasl_sspi: Fixed some typos
+- [Kristiyan Tsaklev brought this change]
-- sasl_sspi: Fixed Kerberos response buffer not being allocated when using SSO
+ curl: don't pass semicolons when parsing Content-Disposition
+
+ Test 1422 updated to verify.
+
+ Closes #1964
-Daniel Stenberg (15 Oct 2014)
-- [Bruno Thomsen brought this change]
+Patrick Monnerat (9 Oct 2017)
+- mime: properly unbind mime structure in curl_mime_free().
+
+ This allows freeing a mime structure bound to the easy handle before
+ curl_easy_cleanup().
+
+ Fixes #1970.
- mk-ca-bundle: added SHA-384 signature algorithm
+Daniel Stenberg (9 Oct 2017)
+- RTSP: avoid integer overflow on funny RTSP response
- Certificates based on SHA-1 are being phased out[1].
- So we should expect a rise in certificates based on SHA-2.
- Adding SHA-384 as a valid signature algorithm.
+ ... like a very large non-existing RTSP version number.
- [1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
+ Added test 577 to verify.
- Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
-
-Patrick Monnerat (14 Oct 2014)
-- OS400: fix bugs in curl_*escape_ccsid() and reduce variables scope
+ Detected by OSS-fuzz.
+ Closes #1969
-- Implement pinned public key in GSKit backend
+Patrick Monnerat (8 Oct 2017)
+- ftpserver: properly reset $ftptargetdir.
-Daniel Stenberg (14 Oct 2014)
-- CURLOPT_TLSAUTH_*.3: fix reference typos
-
-- cleanups: reduce variable scope
-
- cppcheck pointed these out.
+- test643: verify curl_mime_subparts() rejects cyclic additions.
-- singleipconnect: remove dead assignment never used
+- mime: refuse to add subparts to one of their own descendants.
- cppcheck pointed this out.
+ Reported-by: Alexey Melnichuk
+ Fixes #1962
-- pinning: minor code style policing
+- mime: avoid resetting a part's encoder when part's contents change.
-Patrick Monnerat (13 Oct 2014)
-- Factorize pinned public key code into generic file handling and backend specific
+- mime: improve unbinding top multipart from easy handle.
+
+ Also avoid dangling pointers in referencing parts.
-- vtls: remove QsoSSL
+Daniel Stenberg (8 Oct 2017)
+- RELEASE-NOTES: synced with a4c1c75da30af1
-- gskit: supply dummy randomization function
+- curlver.h: next expected release is 7.57.0
-- vtls/*: deprecate have_curlssl_md5sum and set-up default md5sum implementation
+Patrick Monnerat (8 Oct 2017)
+- mime: be tolerant about setting twice the same header list in a part.
-Daniel Stenberg (13 Oct 2014)
-- [Peter Wu brought this change]
+- docs: clarify form/mime usage of non-regular data files.
- tests: move TESTCASES to Makefile.inc, add show for cmake
+Daniel Stenberg (8 Oct 2017)
+- Revert "multi_done: wait for name resolve to finish if still ongoing"
- This change allows runtests.pl to be run from the CMake builddir:
+ This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe.
- export srcdir=/tmp/curl/tests;
- perl -I$srcdir $srcdir/runtests.pl -l
+ Caused memory leaks in the fuzzer, needs to be done differently.
- In order to make this possible, all test cases have been moved from
- Makefile.am to Makefile.inc.
+ Disable test 1553 for now too, as it causes memory leaks without this
+ commit!
+
+- remove_handle: call multi_done() first, then clear dns cache pointer
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Closes #1960
-- [Peter Wu brought this change]
+- multi_done: wait for name resolve to finish if still ongoing
+
+ ... as we must clean up memory.
- cmake: enable IPv6 by default if available
+- pingpong: return error when trying to send without connection
- ENABLE_IPV6 depends on HAVE_GETADDRINFO or you will get a
- Curl_getaddrinfo_ex error. Enable IPv6 by default, disabling it if
- struct sockaddr_in6 is not found in netinet/in.h.
+ When imap_done() got called before a connection is setup, it would try
+ to "finish up" and dereffed a NULL pointer.
- Note that HAVE_GETADDRINFO_THREADSAFE is still not set as it needs more
- platform checks even though POSIX requires a thread-safe getaddrinfo.
+ Test case 1553 managed to reproduce. I had to actually use a host name
+ to try to resolve to slow it down, as using the normal local server IP
+ will make libcurl get a connection in the first curl_multi_perform()
+ loop and then the bug doesn't trigger.
- Verified on Arch Linux x86_64 with glibc 2.20-2 and Linux 3.16-rc7.
+ Fixes #1953
+ Assisted-by: Max Dymond
+
+Dan Fandrich (6 Oct 2017)
+- tests: added flaky keyword to tests 587 and 644
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ These are around 5% flaky in my Linux x86 autobuilds.
-- [Peter Wu brought this change]
+Marcel Raad (6 Oct 2017)
+- vtls: fix warnings with --disable-crypto-auth
+
+ When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters
+ are not used.
- cmake: build tool_hugehelp (ENABLE_MANUAL)
+Daniel Stenberg (6 Oct 2017)
+- multi_cleanup: call DONE on handles that never got that
+
+ ... fixes a memory leak with at least IMAP when remove_handle is never
+ called and the transfer is abruptly just abandoned early.
- Rather than always outputting an empty manual page for the '-M' option,
- generate a full manual page as done by autotools. For simplicity in
- CMake, always generate the gzipped page as it will not be used anyway
- when zlib is not available.
+ Test 1552 added to verify
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+ Detected by OSS-fuzz
+ Assisted-by: Max Dymond
+ Closes #1954
-- [Peter Wu brought this change]
+- [Benbuck Nason brought this change]
- tests/http_pipe.py: Python 3 support
+ strtoofft: Remove extraneous null check
- The 2to3 tool converted socketserver (which I manually fixed up with an
- import fallback) and the print(e) line. The xrange option was converted
- to range, but it seems better to use the '*' operator here for
- simplicity.
+ Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str'
+ argument.
- Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-
-- SECURITY: slightly nicer markdown format
-
-- RELEASE-PROCEDURE: better markdown, more content
+ Closes #1952
-- RELEASE-NOTES: synced with 6637b237e6eb
+- openssl: fix build without HAVE_OPAQUE_EVP_PKEY
- ... and bumped the planned release version.
+ Reported-by: Javier Sixto
+ Fixes #1955
+ Closes #1956
-- vtls: have vtls.h include the backend header files
+Viktor Szakats (6 Oct 2017)
+- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
- It turned out some features were not enabled in the build since for
- example url.c #ifdefs on features that are defined on a per-backend
- basis but vtls.h didn't include the backend headers.
+ The source code is now prepared to handle the case when both
+ Win32 Crypto and OpenSSL/NSS crypto backends are enabled
+ at the same time, making it now possible to enable `USE_WIN32_CRYPTO`
+ whenever the targeted Windows version supports it. Since this
+ matches the minimum Windows version supported by curl
+ (Windows 2000), enable it unconditionally for the Win32 platform.
- CURLOPT_CERTINFO was one such feature that was accidentally disabled.
+ This in turn enables SMB (and SMBS) protocol support whenever
+ Win32 Crypto is available, regardless of what other crypto backends
+ are enabled.
+
+ Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052
+
+ Closes https://github.com/curl/curl/pull/1943
-- test2036: verify -O with no slash at all in the URL
+Daniel Stenberg (5 Oct 2017)
+- build: fix --disable-crypto-auth
- Similar to test 76 but that test's URL has a slash just no file name
- part.
+ Reported-by: Wyatt O'Day
+ Fixes #1945
+ Closes #1947
-- get_url_file_name: make no slash equal empty string
+Jay Satiro (5 Oct 2017)
+- [Nick Zitzmann brought this change]
-- get_url_file_name: never return a NULL string *and* OK
-
- Change 987a4a73 assumes that as it simplifies life in the calling
- function.
+ darwinssl: add support for TLSv1.3
- Reported-by: Fabian Keil
+ Closes https://github.com/curl/curl/pull/1794
+Daniel Stenberg (4 Oct 2017)
+- [Felix Kaiser brought this change]
+
+ docs: fix typo in curl_mime_data_cb man page
+
+ Closes #1946
+
+Viktor Szakats (4 Oct 2017)
+- lib/Makefile.m32: allow customizing dll suffixes
+
+ - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated
+ libcurl dll name. Useful to add `-x64` to 64-bit builds so that
+ it can live in the same directory as the 32-bit one. By default
+ this is empty.
+
+ - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the
+ generated import library (implib) for libcurl .dll. It defaults
+ to `dll`, and it's useful to modify that to `.dll` to have the
+ standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`.
+
+ Closes https://github.com/curl/curl/pull/1942
+
+Daniel Stenberg (4 Oct 2017)
+- [Max Dymond brought this change]
+
+ fuzzer: move to using external curl-fuzzer
+
+ Use the external curl-fuzzer repository for fuzzing.
+
+ Closes #1923
+
+- failf: skip the sprintf() if there are no consumers
+
+ Closes #1936
+
+- ftp: UBsan fixup 'pointer index expression overflowed'
+
+ Closes #1939
+
+- RELEASE-PROCEDURE: update the release schedule
+
+Version 7.56.0 (4 Oct 2017)
+
+Daniel Stenberg (4 Oct 2017)
+- RELEASE-NOTES: curl 7.56.0
+
+- THANKS: added new 7.56.0 contributors
+
+Jay Satiro (4 Oct 2017)
+- build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported
+
+ Ref: https://github.com/curl/curl/issues/1002
+
+Michael Kaufmann (3 Oct 2017)
+- idn: fix source code comment
+
+- vtls: compare and clone ssl configs properly
+
+ Compare these settings in Curl_ssl_config_matches():
+ - verifystatus (CURLOPT_SSL_VERIFYSTATUS)
+ - random_file (CURLOPT_RANDOM_FILE)
+ - egdsocket (CURLOPT_EGDSOCKET)
+
+ Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
+ and copy the setting "sessionid" unconditionally.
+
+ This means that reusing connections that are secured with a client
+ certificate is now possible, and the statement "TLS session resumption
+ is disabled when a client certificate is used" in the old advisory at
+ https://curl.haxx.se/docs/adv_20170419.html is obsolete.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #1917
+
+- proxy: read the "no_proxy" variable only if necessary
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #1919
+
+Patrick Monnerat (3 Oct 2017)
+- libcurl-tutorial: add casts in example to avoid compilation warnings.
+
+Daniel Stenberg (3 Oct 2017)
+- examples: bring back curl_formadd-using examples
+
+ ... now with a -formadd suffix. While the new mime API is introduced in
+ 7.56.0 we must acknowledge that lots of users can't upgrade their curl
+ versions immediately.
+
+- test1153: verify quoted double-qoutes in PWD response
+
+- FTP: zero terminate the entry path even on bad input
+
+ ... a single double quote could leave the entry path buffer without a zero
+ terminating byte. CVE-2017-1000254
+
+ Test 1152 added to verify.
+
+ Reported-by: Max Dymond
+ Bug: https://curl.haxx.se/docs/adv_20171004.html
+
+Jay Satiro (2 Oct 2017)
+- [Sergei Nikulov brought this change]
+
+ cmake: disable tests and man generation if perl/nroff not found
+
+ Fixes https://github.com/curl/curl/issues/1500
+ Reported-by: Jay Satiro
+
+ Fixes https://github.com/curl/curl/pull/1662
+ Assisted-by: Tom Seddon
+ Assisted-by: dpull@users.noreply.github.com
+ Assisted-by: elelel@users.noreply.github.com
+
+ Closes https://github.com/curl/curl/pull/1924
+
+Patrick Monnerat (2 Oct 2017)
+- libcurl-tutorial: fix two typos.
+
+- TODO: remove deprecated form API items.
+
+- libcurl-tutorial: describe MIME API and deprecate form API.
+
+ Include a guide to form/mime API conversion.
+
+Daniel Stenberg (30 Sep 2017)
+- cookie: fix memory leak if path was set twice in header
+
+ ... this will let the second occurance override the first.
+
+ Added test 1161 to verify.
+
+ Reported-by: Max Dymond
+ Fixes #1932
+ Closes #1933
+
+Dan Fandrich (30 Sep 2017)
+- test650: Use variable replacement to set the host address and port
+
+ Otherwise, the test fails when the -b test option is used to set a
+ different test port range.
+
+- Set and use more necessary options when some protocols are disabled
+
+ When curl and libcurl are built with some protocols disabled, they stop
+ setting and receiving some options that don't make sense with those
+ protocols. In particular, when HTTP is disabled many options aren't set
+ that are used only by HTTP. However, some options that appear to be
+ HTTP-only are actually used by other protocols as well (some despite
+ having HTTP in the name) and should be set, but weren't. This change now
+ causes some of these options to be set and used for more (or for all)
+ protocols. In particular, this fixes tests 646 through 649 in an
+ HTTP-disabled build, which use the MIME API in the mail protocols.
+
+Daniel Stenberg (29 Sep 2017)
+- test1160: verifies cookie leak for large cookies
+
+ The fix done in 20ea22ff735
+
+- cookie: fix memory leak on oversized rejection
+
+ Regression brought by 2bc230de63b
+
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513
+ Assisted-by: Max Dymond
+
+ Closes #1930
+
+- [Anders Bakken brought this change]
+
+ connect: fix race condition with happy eyeballs timeout
+
+ The timer should be started after conn->connecttime is set. Otherwise
+ the timer could expire without this condition being true:
+
+ /* should we try another protocol family? */
+ if(i == 0 && conn->tempaddr[1] == NULL &&
+ curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) {
+
+ Ref: #1928
+
+Michael Kaufmann (28 Sep 2017)
+- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS
+
+ Closes #1922
+
+- docs: clarify the use of environment variables for proxy
+
+ Closes #1921
+
+- http: add custom empty headers to repeated requests
+
+ Closes #1920
+
+- reuse_conn: don't copy flags that are known to be equal
+
+ A connection can only be reused if the flags "conn_to_host" and
+ "conn_to_port" match. Therefore it is not necessary to copy these flags
+ in reuse_conn().
+
+ Closes #1918
+
+Daniel Stenberg (27 Sep 2017)
+- curl.h: include <sys/select.h> on cygwin too
+
+ When building with -std=c++14 on cygwin, this header won't be
+ automatically included as it otherwise is.
+
+ The <sys/select.h> include decision should ideally be reversed and be
+ avoided where that header file doesn't exist.
+
+ Reported-by: Ian Fette
+ Fixes #1925
+
+- RELEASE-NOTES: synced with d8ab5dc50
+
+Michael Kaufmann (24 Sep 2017)
+- tests: adjust .gitignore for new tests
+
+Jay Satiro (23 Sep 2017)
+- ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
+
+ .. and include the core NTLM header in all NTLM-related source files.
+
+ Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
+ but did not include vtls.h where it was defined.
+
+ Closes https://github.com/curl/curl/pull/1911
+
+Daniel Stenberg (23 Sep 2017)
+- file_range: avoid integer overflow when figuring out byte range
+
+ When trying to bump the value with one and the value is already at max,
+ it causes an integer overflow.
+
+ Closes #1908
+ Detected by oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465
+
+ Assisted-by: Max Dymond
+
+Michael Kaufmann (23 Sep 2017)
+- tests: fix a compiler warning in test 643
+
+Jay Satiro (23 Sep 2017)
+- symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry
+
+ - Use spaces instead of tabs as the delimiter.
+
+ Follow up to 7c52b12 which added the entry. The entry had used tabs but
+ the symbol-scan parser doesn't recognize tabs and would fail the symbol.
+
+Viktor Szakats (22 Sep 2017)
+- metalink: fix NSS issue in MultiSSL builds
+
+ In MultiSSL mode (i.e. when more than one SSL backend is compiled
+ in), we cannot use the compile time flag `USE_NSS` as indicator that
+ the NSS backend is in use. As far as Metalink is concerned, the SSL
+ backend is only used for MD5, SHA-1 and SHA-256 calculations,
+ therefore one of the available SSL backends is selected at compile
+ time, in a strict order of preference.
+
+ Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
+ to determine whether the SSL backend used for Metalink is the NSS
+ backend, and use that to guard the code that wants to de-initialize
+ the NSS-specific data structure.
+
+ Ref: https://github.com/curl/curl/pull/1848
+
+- ntlm: use strict order for SSL backend #if branches
+
+ With the recently introduced MultiSSL support multiple SSL backends
+ can be compiled into cURL That means that now the order of the SSL
+
+ One option would be to use the same SSL backend as was configured
+ via `curl_global_sslset()`, however, NTLMv2 support would appear
+ to be available only with some SSL backends. For example, when
+ eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
+ support for NTLMv1 using Windows' Crypt API, it specifically did
+ *not* introduce NTLMv2 support using Crypt API at the same time.
+
+ So let's select one specific SSL backend for NTLM support when
+ compiled with multiple SSL backends, using a priority order such
+ that we support NTLMv2 even if only one compiled-in SSL backend can
+ be used for that.
+
+ Ref: https://github.com/curl/curl/pull/1848
+
+Daniel Stenberg (22 Sep 2017)
+- symbols-in-versions: add CURLSSLSET_NO_BACKENDS
+
+ ...fixup from b8e0fe19ec
+
+- imap: quote atoms properly when escaping characters
+
+ Updates test 800 to verify
+
+ Fixes #1902
+ Closes #1903
+
+- tests: make the imap server not verify user+password
+
+ ... as the test cases themselves do that and it makes it easier to add
+ crazy test cases.
+
+ Test 800 updated to use user name + password that need quoting.
+
+ Test 856 updated to trigger an auth fail differently.
+
+ Ref: #1902
+
+- vtls: provide curl_global_sslset() even in non-SSL builds
+
+ ... it just returns error:
+
+ Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367
+ Reported-by: Marcel Raad
+
+ Closes #1906
+
+Patrick Monnerat (22 Sep 2017)
+- form/mime: field names are not allowed to contain zero-valued bytes.
+
+ Also suppress length argument of curl_mime_name() (names are always
+ zero-terminated).
+
+Daniel Stenberg (21 Sep 2017)
+- [Dirk Feytons brought this change]
+
+ openssl: only verify RSA private key if supported
+
+ In some cases the RSA key does not support verifying it because it's
+ located on a smart card, an engine wants to hide it, ...
+ Check the flags on the key before trying to verify it.
+ OpenSSL does the same thing internally; see ssl/ssl_rsa.c
+
+ Closes #1904
+
+Marcel Raad (21 Sep 2017)
+- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
+
+ Otherwise, typecheck-gcc.h warns on MinGW-w64.
+
+Patrick Monnerat (20 Sep 2017)
+- mime: rephrase the multipart output state machine (#1898) ...
+
+ ... in hope coverity will like it much.
+
+- mime: fix an explicit null dereference (#1899)
+
+Daniel Stenberg (20 Sep 2017)
+- curl: check fseek() return code and bail on error
+
+ Detected by coverity. CID 1418137.
+
+- smtp: fix memory leak in OOM
+
+ Regression since ce0881edee
+
+ Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
+ torture testing.
+
+- RELEASE-NOTES: synced with 5fe85587c
+
+- [Pavel Pavlov brought this change]
+
+ cookies: use lock when using CURLINFO_COOKIELIST
+
+ Closes #1896
+
+- [Max Dymond brought this change]
+
+ ossfuzz: changes before merging the generated corpora
+
+ Before merging in the oss-fuzz corpora from Google, there are some changes
+ to the fuzzer.
+ - Add a read corpus script, to display corpus files nicely.
+ - Change the behaviour of the fuzzer so that TLV parse failures all now
+ go down the same execution paths, which should reduce the size of the
+ corpora.
+ - Make unknown TLVs a failure to parse, which should decrease the size
+ of the corpora as well.
+
+ Closes #1881
+
+- mime:escape_string minor clarification change
+
+ ... as it also removes a warning with old gcc versions.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html
+ Reported-by: Ben Greear
+
+- [Max Dymond brought this change]
+
+ ossfuzz: don't write out to stdout
+
+ Don't make the fuzzer write out to stdout - instead write some of the
+ contents to a memory block so we exercise the data output code but
+ quietly.
+
+ Closes #1885
+
+- cookies: reject oversized cookies
+
+ ... instead of truncating them.
+
+ There's no fixed limit for acceptable cookie names in RFC 6265, but the
+ entire cookie is said to be less than 4096 bytes (section 6.1). This is
+ also what browsers seem to implement.
+
+ We now allow max 5000 bytes cookie header. Max 4095 bytes length per
+ cookie name and value. Name + value together may not exceed 4096 bytes.
+
+ Added test 1151 to verify
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
+ Reported-by: Kevin Smith
+
+ Closes #1894
+
+- travis: on mac, don't install openssl or libidn
+
+ - openssl is already installed and causes warnings when trying to
+ install again
+
+ - libidn isn't used these days, and homebrew doesn't seem to have a
+ libidn2 package to replace with easily
+
+ Closes #1895
+
+- curl: make str2udouble not return values on error
+
+ ... previously it would store a return value even when it returned
+ error, which could make the value get used anyway!
+
+ Reported-by: Brian Carpenter
+ Closes #1893
+
+Jay Satiro (18 Sep 2017)
+- socks: fix incorrect port number in SOCKS4 error message
+
+ Prior to this change it appears the SOCKS5 port parsing was erroneously
+ used for the SOCKS4 error message, and as a result an incorrect port
+ would be shown in the error message.
+
+ Bug: https://github.com/curl/curl/issues/1892
+ Reported-by: Jackarain@users.noreply.github.com
+
+- [Marc Aldorasi brought this change]
+
+ schannel: Support partial send for when data is too large
+
+ Schannel can only encrypt a certain amount of data at once. Instead of
+ failing when too much data is to be sent at once, send as much data as
+ we can and let the caller send the remaining data by calling send again.
+
+ Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html
+
+ Closes https://github.com/curl/curl/pull/1890
+
+- [David Benjamin brought this change]
+
+ openssl: add missing includes
+
+ lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
+ their headers directly rather than relying on other OpenSSL headers
+ including things.
+
+ Closes https://github.com/curl/curl/pull/1891
+
+Daniel Stenberg (15 Sep 2017)
+- conversions: fix several compiler warnings
+
+- server/getpart: provide dummy function to build conversion enabled
+
+- non-ascii: use iconv() with 'char **' argument
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html
+
+- escape.c: error: pointer targets differ in signedness
+
+- docs: clarify the CURLOPT_INTERLEAVE* options behavior
+
+- [Max Dymond brought this change]
+
+ rtsp: Segfault in rtsp.c when using WRITEDATA
+
+ If the INTERLEAVEFUNCTION is defined, then use that plus the
+ INTERLEAVEDATA information when writing RTP. Otherwise, use
+ WRITEFUNCTION and WRITEDATA.
+
+ Fixes #1880
+ Closes #1884
+
+Marcel Raad (15 Sep 2017)
+- [Isaac Boukris brought this change]
+
+ tests: enable gssapi in travis-ci linux build
+
+ Closes https://github.com/curl/curl/pull/1687
+
+- [Isaac Boukris brought this change]
+
+ tests: add initial gssapi test using stub implementation
+
+ The stub implementation is pre-loaded using LD_PRELOAD
+ and emulates common gssapi uses (only builds if curl is
+ initially built with gssapi support).
+
+ The initial tests are currently disabled for debug builds
+ as LD_PRELOAD is not used then.
+
+ Ref: https://github.com/curl/curl/pull/1687
+
+Daniel Stenberg (15 Sep 2017)
+- test1150: verify same host fetch using different ports over proxy
+
+ Closes #1889
+
+- URL: on connection re-use, still pick the new remote port
+
+ ... as when a proxy connection is being re-used, it can still get a
+ different remote port.
+
+ Fixes #1887
+ Reported-by: Oli Kingshott
+
+- RELEASE-NOTES: synced with 87501e57f
+
+- code style: remove wrong uses of multiple spaces
+
+ Closes #1878
+
+- checksrc: detect and warn for multiple spaces
+
+- code style: use space after semicolon
+
+- checksrc: verify space after semicolons
+
+- code style: use spaces around pluses
+
+- checksrc: detect and warn for lack of spaces next to plus signs
+
+- code style: use spaces around equals signs
+
+- checksrc: verify spaces around equals signs
+
+ ... as the code style mandates.
+
+- Curl_checkheaders: make it available for IMAP and SMTP too
+
+ ... not only HTTP uses this now.
+
+ Closes #1875
+
+- travis: add build without HTTP/SMTP/IMAP
+
+Jay Satiro (10 Sep 2017)
+- mbedtls: enable CA path processing
+
+ CA path processing was implemented when mbedtls.c was added to libcurl
+ in fe7590f, but it was never enabled.
+
+ Bug: https://github.com/curl/curl/issues/1877
+ Reported-by: SBKarr@users.noreply.github.com
+
+Daniel Stenberg (8 Sep 2017)
+- rtsp: do not call fwrite() with NULL pointer FILE *
+
+ If the default write callback is used and no destination has been set, a
+ NULL pointer would be passed to fwrite()'s 4th argument.
+
+ OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
+ (not publicly open yet)
+
+ Detected by OSS-fuzz
+ Closes #1874
+
+- configure: use -Wno-varargs on clang 3.9[.X] debug builds
+
+ ... to avoid a clang bug
+
+- [Max Dymond brought this change]
+
+ ossfuzz: add some more handled CURL options
+
+ Add support for HEADER, COOKIE, RANGE, CUSTOMREQUEST, MAIL_RECIPIENT,
+ MAIL_FROM and uploading data.
+
+- configure: check for C++ compiler after C, to make it non-fatal
+
+ The tests for object file/executable file extensions are presumably only
+ done for the first of these macros in the configure file.
+
+ Bug: https://github.com/curl/curl/pull/1851#issuecomment-327597515
+ Reported-by: Marcel Raad
+ Closes #1873
+
+Patrick Monnerat (7 Sep 2017)
+- form API: add new test 650.
+
+ Now that the form API is deprecated and not used anymore in curl tool,
+ a lot of its features left untested. Test 650 attempts to check all these
+ features not tested elsewhere.
+
+Jay Satiro (7 Sep 2017)
+- configure: fix curl_off_t check's include order
+
+ - Prepend srcdir include path instead of append.
+
+ Prior to this change it was possible that during the check for the size
+ of curl_off_t the include path of a user's already installed curl could
+ come before the include path of the to-be-built curl, resulting in the
+ system.h of the former being incorrectly included for that check.
+
+ Closes https://github.com/curl/curl/pull/1870
+
+Daniel Stenberg (7 Sep 2017)
- [Jakub Zakrzewski brought this change]
- Cmake: Build with GSSAPI (MIT or Heimdal)
+ KNOWN_BUGS: Remove CMake symbol hiding issue
+
+ It has already been fixed in 6140dfc
+
+- http-proxy: when not doing CONNECT, that phase is done immediately
+
+ `conn->connect_state` is NULL when doing a regular non-CONNECT request
+ over the proxy and should therefor be considered complete at once.
+
+ Fixes #1853
+ Closes #1862
+ Reported-by: Lawrence Wagerfield
+
+- [Johannes Schindelin brought this change]
+
+ OpenSSL: fix yet another mistake while encapsulating SSL backend data
+
+ Another mistake in my manual fixups of the largely mechanical
+ search-and-replace ("connssl->" -> "BACKEND->"), just like the previous
+ commit concerning HTTPS proxies (and hence not caught during my
+ earlier testing).
+
+ Fixes #1855
+ Closes #1871
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ OpenSSL: fix erroneous SSL backend encapsulation
+
+ In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private
+ data, 2017-06-21), this developer prepared for a separation of the
+ private data of the SSL backends from the general connection data.
+
+ This conversion was partially automated (search-and-replace) and
+ partially manual (e.g. proxy_ssl's backend data).
+
+ Sadly, there was a crucial error in the manual part, where the wrong
+ handle was used: rather than connecting ssl[sockindex]' BIO to the
+ proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason
+ was an incorrect location to paste "BACKEND->"... d'oh.
+
+ Reported by Jay Satiro in https://github.com/curl/curl/issues/1855.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Jay Satiro brought this change]
+
+ vtls: fix memory corruption
+
+ Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data,
+ 2017-07-28), the code handling HTTPS proxies was broken because the
+ pointer to the SSL backend data was not swapped between
+ conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but
+ instead set to NULL (causing segmentation faults).
+
+ [jes: provided the commit message, tested and verified the patch]
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- vtls: switch to CURL_SHA256_DIGEST_LENGTH define
+
+ ... instead of the prefix-less version since WolfSSL 3.12 now uses an
+ enum with that name that causes build failures for us.
+
+ Fixes #1865
+ Closes #1867
+ Reported-by: Gisle Vanem
+
+- travis: add c-ares enabled builds linux + osx
+
+ Closes #1868
+
+- HISTORY: added some recent items
+
+Jay Satiro (6 Sep 2017)
+- SSL: fix unused parameter warnings
+
+Patrick Monnerat (6 Sep 2017)
+- mime: drop internal FILE * support.
+
+ - The part kind MIMEKIND_FILE and associated code are suppressed.
+ - Seek data origin offset not used anymore: suppressed.
+ - MIMEKIND_NAMEDFILE renamed MIMEKIND_FILE; associated fields/functions
+ renamed accordingly.
+ - Curl_getformdata() processes stdin via a callback.
+
+Daniel Stenberg (6 Sep 2017)
+- configure: remove --enable-soname-bump and SONAME_BUMP
+
+ Back in 2008, (and commit 3f3d6ebe665f3) we changed the logic in how we
+ determine the native type for `curl_off_t`. To really make sure we
+ didn't break ABI without bumping SONAME, we introduced logic that
+ attempted to detect that it would use a different size and thus not be
+ compatible. We also provided a manual switch that allowed users to tell
+ configure to bump SONAME by force.
+
+ Today, we know of no one who ever got a SONAME bump auto-detected and we
+ don't know of anyone who's using the manual bump feature. The auto-
+ detection is also no longer working since we introduced defining
+ curl_off_t in system.h (7.55.0).
+
+ Finally, this bumping logic is not present in the cmake build.
+
+ Closes #1861
+
+Jay Satiro (6 Sep 2017)
+- [Gisle Vanem brought this change]
+
+ vtls: select ssl backend case-insensitive (follow-up)
+
+ - Do a case-insensitive comparison of CURL_SSL_BACKEND env as well.
+
+ - Change Curl_strcasecompare calls to strcasecompare
+ (maps to the former but shorter).
+
+ Follow-up to c290b8f.
+
+ Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313
+
+ Co-authored-by: Jay Satiro
+
+- openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation
+
+ This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations.
+
+ The first one, written for old OpenSSL versions:
+ https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
+
+ The second one, written for BoringSSL and new OpenSSL versions:
+ https://github.com/curl/curl/pull/1346
+
+ Note the first one is GPL licensed but the author gave permission to
+ waive that license for libcurl.
+
+ As of right now this feature is disabled by default, and does not have
+ a configure option to enable it. To enable this feature define
+ ENABLE_SSLKEYLOGFILE when building libcurl and set environment
+ variable SSLKEYLOGFILE to a pathname that will receive the keys.
+
+ And in Wireshark change your preferences to point to that key file:
+ Edit > Preferences > Protocols > SSL > Master-Secret
+
+ Co-authored-by: Peter Wu
+
+ Ref: https://github.com/curl/curl/pull/1030
+ Ref: https://github.com/curl/curl/pull/1346
+
+ Closes https://github.com/curl/curl/pull/1866
+
+Patrick Monnerat (5 Sep 2017)
+- mime: fix a trivial warning.
+
+- mime: replace 'struct Curl_mimepart' by 'curl_mimepart' in encoder code.
+
+ mime_state is now a typedef.
+
+- mime: implement encoders.
+
+ curl_mime_encoder() is operational and documented.
+ curl tool -F option is extended with ";encoder=".
+ curl tool --libcurl option generates calls to curl_mime_encoder().
+ New encoder tests 648 & 649.
+ Test 1404 extended with an encoder specification.
+
+- runtests.pl: support attribute "nonewline" in part verify/upload.
+
+- [Daniel Stenberg brought this change]
+
+ fixup data/test1135
+
+- [Daniel Stenberg brought this change]
+
+ mime: unified to use the typedef'd mime structs everywhere
- It tries hard to recognise SDK's on different platforms. On windows MIT
- Kerberos installs SDK with other things and puts path into registry.
- Heimdal have separate zip archive. On linux pkg-config is tried, then
- krb5-config script and finally old-style libs and headers detection.
-
- Command line args:
- * CMAKE_USE_GSSAPI - enables GSSAPI detection
- * GSS_ROOT_DIR - if set, should point to the root of GSSAPI installation
- (the one with include and lib directories)
+ ... and slightly edited to follow our code style better.
-- [Jakub Zakrzewski brought this change]
+- [Daniel Stenberg brought this change]
- Cmake: Got rid of setup_curl_dependencies
-
- There is no need for such function. Include_directories propagate by
- themselves and having a function with one simple link statement makes
- little sense.
+ curl.h: use lower case curl_mime* as for all public symbols
-- [Jakub Zakrzewski brought this change]
+- [Daniel Stenberg brought this change]
- Cmake: Avoid cycle directory dependencies.
+ docs/curl_mime_*.3: use correct variable types in examples
+
+Kamil Dudka (5 Sep 2017)
+- openssl: use OpenSSL's default ciphers by default
+
+ Up2date versions of OpenSSL maintain the default reasonably secure
+ without breaking compatibility, so it is better not to override the
+ default by curl. Suggested at https://bugzilla.redhat.com/1483972
- Because we prepended libraries to list, CMake had troubles resolving
- link directory order as it detected some cycles. Appending to list ensures
- that dependencies will preceed dependees.
+ Closes #1846
-- [Jakub Zakrzewski brought this change]
+Viktor Szakats (5 Sep 2017)
+- examples/mime: minor example code fixes
+
+Daniel Stenberg (5 Sep 2017)
+- docs/curl_mime_*.3: added examples
- Cmake: Fix library list provided to cURL tests.
+- configure: add MultiSSL to FEATURES when enabled
- The list must be set after those nice CMake tests as we mess with
- CMAKE_REQUIRED_LIBRARIES there.
+ ...for curl-config and its corresponding test 1014
-- [Jakub Zakrzewski brought this change]
+- http-proxy: treat all 2xx as CONNECT success
+
+ Added test 1904 to verify.
+
+ Reported-by: Lawrence Wagerfield
+ Fixes #1859
+ Closes #1860
+
+- MAIL-ETIQUETTE: added "1.9 Your emails are public"
- Cmake: Check for OpenSSL before OpenLDAP.
+- curl.h: fix "unused checksrc ignore", remove dangling reference
- OpenLDAP might have been build with OpenSSL. Checking for OpenLDAP first
- may result in undefined symbols. Of course, the found OpenSSL libraries
- must also be linked whenever OpenLDAP is.
+ ... to a README file that doesn't exist anymore
-- curl_multi_fdset.3: improved the formatting slightly
+Viktor Szakats (4 Sep 2017)
+- docs: Update to secure URL versions
-- curl_multi_fdset: explain the fd_set arguments
+- mime: use CURL_ZERO_TERMINATED in examples
+
+ and some minor whitespace fixes
-Kamil Dudka (8 Oct 2014)
-- nss: do not fail if a CRL is already cached
+Daniel Stenberg (4 Sep 2017)
+- schannel: return CURLE_SSL_CACERT on failed verification
+
+ ... not *CACERT_BADFILE as it isn't really because of a bad file.
- This fixes a copy-paste mistake from commit 2968f957.
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0002.html
+ Closes #1858
-Patrick Monnerat (8 Oct 2014)
-- OS400: upgrade interface for pinned public key (no implementation yet)
+- test1135: fixed after bd8070085f9
-Daniel Stenberg (8 Oct 2014)
-- FormAdd: precaution against memdup() of NULL pointer
+- examples/post-callback: stop returning one byte at a time
- Coverity CID 252518. This function is in general far too complicated for
- its own good and really should be broken down into several smaller
- funcitons instead - but I'm adding this protection here now since it
- seems there's a risk the code flow can end up here and dereference a
- NULL pointer.
+ ... since people copy and paste code from this example and thus they get
+ an inefficient POST operation without a good reason and sometimes
+ without understanding why.
+
+ Instead this now returns as much data as possible.
+
+- RELEASE-NOTES: fixed the function counter script
-- operate: avoid NULL dereference
+- curl.h: make the curl_strequal() protos use the same style
- Coverity CID 1241948. dumpeasysrc() would get called with
- config->current set to NULL which could be dereferenced by a warnf()
- call.
+ ... as the other functions. Makes it easier to machine-parse!
-- do_sec_send: remove dead code
+- docs: curl_mime_*.3 man page formatting edits
+
+- RELEASE-NOTES: synced with 1ab9e9b50
+
+Patrick Monnerat (4 Sep 2017)
+- lib: bump version info (soname). Adapt and reenable test 1135.
+
+Daniel Stenberg (3 Sep 2017)
+- headers: move the global_sslset() proto from multi.h to curl.h
- Coverity CID 1241951. The condition 'len >= 0' would always be true at
- that point and thus not necessary to check for.
+ As it was added to multi.h simply to not break test 1135, which now has
+ been disabled due to the mime API addition anyway and su we can now move
+ the sslset stuff to where the other curl_global_* prototypes are.
-- krb5_encode: remove unused argument
+Patrick Monnerat (3 Sep 2017)
+- mime: fix signed/unsigned conversions.
- Coverity CID 1241957. Removed the unused argument. As this struct and
- pointer now are used only for krb5, there's no need to keep unused
- function arguments around.
+ Use and generate CURL_ZERO_TERMINATED in curl tool and tests.
+
+Jay Satiro (3 Sep 2017)
+- tool_formparse: fix some trivial warnings
-- operate_do: skip superfluous check for NULL pointer
+Patrick Monnerat (3 Sep 2017)
+- mime: use size_t instead of ssize_t in public API interface.
- Coverity CID 1243583. get_url_file_name() cannot fail and return a NULL
- file name pointer so skip the check for that - it tricks coverity into
- believing it can happen and it then warns later on when we use 'outfile'
- without checking for NULL.
+ To support telling a string is nul-terminated, symbol CURL_ZERO_TERMINATED
+ has been introduced.
+
+ Documentation updated accordingly.
+
+ symbols in versions updated. Added form API symbols deprecation info.
-- curl_easy_getinfo.3: spell-fix
+- mime: remove support "-" stdin pseudo-file name in curl_mime_filedata().
+
+ This feature is badly supported in Windows: as a replacement, a caller has
+ to use curl_mime_data_cb() with fread, fseek and possibly fclose
+ callbacks to process opened files.
+
+ The cli tool and documentation are updated accordingly.
- Reported-By: Luan Cestari
+ The feature is however kept internally for form API compatibility, with
+ the known caveats it always had.
+
+ As a side effect, stdin size is not determined by the cli tool even if
+ possible and this results in a chunked transfer encoding. Test 173 is
+ updated accordingly.
-- [moparisthebest brought this change]
+- mime: fix some implicit curl_off_t --> size_t conversion warnings.
- GnuTLS: Implement public key pinning
+- mime: tests and examples.
+
+ Additional mime-specific tests.
+ Existing tests updated to reflect small differences (Expect: 100-continue,
+ data size change due to empty lines, etc).
+ Option -F headers= keyword added to tests.
+ test1135 disabled until the entry point order change is resolved.
+ New example smtp-mime.
+ Examples postit2 and multi-post converted from form API to mime API.
-- [moparisthebest brought this change]
+- mime: use in curl cli tool instead of form API.
+
+ Extended -F option syntax to support multipart mail messages.
+ -F keyword headers= added to include custom headers in parts.
+ Documentation upgraded.
- SSL: implement public key pinning
+- mime: new MIME API.
- Option --pinnedpubkey takes a path to a public key in DER format and
- only connect if it matches (currently only implemented with OpenSSL).
+ Available in HTTP, SMTP and IMAP.
+ Deprecates the FORM API.
+ See CURLOPT_MIMEPOST.
+ Lib code and associated documentation.
+
+- test564: Add a warning comment about shell profile output.
- Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().
+ Shell profile output makes the SSH server failing and this problem reason
+ is not easy to find when no hint is given.
+
+- checksrc: disable SPACEBEFOREPAREN for case statement.
- Extract a public RSA key from a website like so:
- openssl s_client -connect google.com:443 2>&1 < /dev/null | \
- sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
- | openssl rsa -pubin -outform DER > google.com.der
+ The case keyword may be followed by a constant expression and thus should
+ allow it to start with an open parenthesis.
-- multi_runsingle: fix possible memory leak
+- runtests.pl: allow <file[1-4]> tags in client section.
- Coverity CID 1202837. 'newurl' can in fact be allocated even when
- Curl_retry_request() returns failure so free it if need be.
+ This enables tests to create more than one file on the client side.
-- ares::Curl_resolver_cancel: skip checking for NULL conn
+- runtests.pl: Apply strippart to upload too.
- Coverity CID 1243581. 'conn' will never be NULL here, and if it would be
- the subsequent statement would dereference it!
+ This will allow substitution of boundaries in mail messages.
-- parseconfig: skip a NULL check
+- Curl_base64_encode: always call with a real data handle.
- Coverity CID 1154198. This NULL check implies that the pointer _can_ be
- NULL at this point, which it can't. Thus it is dead code. It tricks
- static analyzers to warn about dereferencing the pointer since the code
- seems to imply it can be NULL.
+ Some calls in different modules were setting the data handle to NULL, causing
+ segmentation faults when using builds that enable character code conversions.
+
+- non-ascii: allow conversion functions to be called with a NULL data handle.
+
+- http: fix a memory leakage in checkrtspprefix().
+
+Daniel Stenberg (2 Sep 2017)
+- [Max Dymond brought this change]
-- [Waldek Kozba brought this change]
+ ossfuzz: Move to C++ for curl_fuzzer.
+
+ Automake gets confused if you want to use C++ static libraries with C
+ code - basically we need to involve the clang++ linker. The easiest way
+ of achieving this is to rename the C code as C++ code. This gets us a
+ bit further along the path and ought to be compatible with Google's
+ version of clang.
- multi-uv.c: call curl_multi_info_read() better
+- curl_global_sslset: select backend by name case insensitively
- Improves it for low-latency cases (like the communication with
- localhost)
+ Closes #1849
+
+- [Max Dymond brought this change]
-- tool_go_sleep: use (void) to spell out we ignore the return value
+ ossfuzz: additional seed corpora
+
+ Create simple seed corpora for:
+ - FTP
+ - telnet
+ - dict
+ - tftp
+ - imap
+ - pop3
+
+ based off the tests of the same number.
- Coverity CID 1222080.
+ Closes #1842
-- ssh_statemach_act: split out assignment from check
+- [Max Dymond brought this change]
+
+ ossfuzz: moving towards the ideal integration
- just a minor code style thing to make the code clearer
+ - Start with the basic code from the ossfuzz project.
+ - Rewrite fuzz corpora to be binary files full of Type-Length-Value
+ data, and write a glue layer in the fuzzing function to convert
+ corpora into CURL options.
+ - Have supporting functions to generate corpora from existing tests
+ - Integrate with Makefile.am
+
+- strcase: corrected comment header for Curl_strcasecompare()
-Marc Hoersken (4 Oct 2014)
-- curl_schannel.c: Fixed possible memory or handle leak
+- unit1301: fix error message on first test
+
+- curl_global_sslset.3: show the struct and enum too
- First try to fix possible memory leaks, in this case:
- Only connssl->ctxt xor onnssl->cred being initialized.
+ ... so that users can actually write code based on the man page alone,
+ not having to read the header file.
-Daniel Stenberg (4 Oct 2014)
-- getparameter: remove dead code
+Jay Satiro (31 Aug 2017)
+- darwinssl: handle long strings in TLS certs (follow-up)
+
+ - Fix handling certificate subjects that are already UTF-8 encoded.
- Coverity CID 1061126. 'parse' will always be non-NULL here.
+ Follow-up to b3b75d1 from two days ago. Since then a copy would be
+ skipped if the subject was already UTF-8, possibly resulting in a NULL
+ deref later on.
+
+ Ref: https://github.com/curl/curl/issues/1823
+ Ref: https://github.com/curl/curl/pull/1831
+
+ Closes https://github.com/curl/curl/pull/1836
-- getparameter: comment a switch FALLTHROUGH
+Daniel Stenberg (31 Aug 2017)
+- cyassl: call it the "WolfSSL" backend
- Coverity CID 1061118. Point out that it is on purpose.
+ ... instead of cyassl, as this is the current name for it.
+
+ Closes #1844
-- choose_mech: fix return code
+- polarssl: fix multissl breakage
- Coverity CID 1241950. The pointer is never NULL but it might point to
- NULL.
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html
+ Closes #1843
-- Curl_sec_read_msg: spell out that we ignore return code
+- configure: remove the leading comma from the backends list
+
+ ... when darwinssl is used.
- Coverity CID 1241947. Since if sscanf() fails, the previously set value
- remains set.
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/commit/b0989cd3abaff4f9a0717b4875022fa79e33b481#commitcomment-23943493
+
+ Closes #1845
-- nonblock: call with (void) to show we ignore the return code
+Kamil Dudka (30 Aug 2017)
+- examples/sslbackend.c: fix failure of 'make checksrc'
- Coverity pointed out several of these.
+ ./sslbackend.c:58:3: warning: else after closing brace on same line (BRACEELSE)
+ } else if(isdigit(*name)) {
+ ^
+ ./sslbackend.c:62:3: warning: else after closing brace on same line (BRACEELSE)
+ } else
+ ^
-- parse_proxy: remove dead code.
+Viktor Szakats (30 Aug 2017)
+- makefile.m32: add multissl support
- Coverity CID 982331.
+ Closes https://github.com/curl/curl/pull/1840
-- Curl_debug: document switch fallthroughs
+Daniel Stenberg (30 Aug 2017)
+- curl.h: CURLSSLBACKEND_WOLFSSL used wrong value
+
+ The CURLSSLBACKEND_WOLFSSL is supposed to be an alias for
+ CURLSSLBACKEND_CYASSL, but used an erronous value. To reduce the risk
+ for a similar mistake, define the backend aliases to use the enum values
+ instead.
+
+ Reported-by: Gisle Vanem
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0120.html
-- curl_multi_remove_handle: remove dead code
+- curl_global_sslset.3: clarify
- Coverify CID 1157776. Removed a superfluous if() that always evaluated
- true (and an else clause that never ran), and then re-indented the
- function accordingly.
+ it is a one time *set*, not necessarily a one time use... it can be
+ called again if the first call failed or just listed the alternatives.
+
+ clarify that the available backends are the ones this build supports
+
+ plus add some formatting
+
+ Reported-by: Rich Gray
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0119.html
-- Curl_pipeline_server_blacklisted: handle a NULL server name
+- curl/multi.h: remove duplicated closing c++ brace
+
+ Regression since 1328f69d53f2f2e93
- Coverity CID 1215284. The server name is extracted with
- Curl_copy_header_value() and passed in to this function, and
- copy_header_value can actually can fail and return NULL.
+ Fixes #1841
+ Reported-by: Andrei Karas
-- ssh: comment "fallthrough" in switch statement
+- RELEASE-NOTES: synced with 8c33c963a
-- [Jeremy Lin brought this change]
+- HELP-US.md: spelling
- ssh: improve key file search
+- HELP-US.md: "How to get started helping out in the curl project"
- For private keys, use the first match from: user-specified key file
- (if provided), ~/.ssh/id_rsa, ~/.ssh/id_dsa, ./id_rsa, ./id_dsa
-
- Note that the previous code only looked for id_dsa files. id_rsa is
- now generally preferred, as it supports larger key sizes.
+ Closes #1837
+
+Dan Fandrich (29 Aug 2017)
+- asyn-thread: Fixed cleanup after OOM
- For public keys, use the user-specified key file, if provided.
- Otherwise, try to extract the public key from the private key file.
- This means that passing --pubkey is typically no longer required,
- and makes the key-handling behavior more like OpenSSH.
+ destroy_async_data() assumes that if the flag "done" is not set yet, the
+ thread itself will clean up once the request is complete. But if an
+ error (generally OOM) occurs before the thread even has a chance to
+ start, it will never get a chance to clean up and memory will be leaked.
+ By clearing "done" only just before starting the thread, the correct
+ cleanup sequence will happen in all cases.
+
+Daniel Stenberg (28 Aug 2017)
+- curl_global_init.3: mention curl_global_sslset(3)
+
+Dan Fandrich (28 Aug 2017)
+- unit1606: Fixed shadowed variable warning
-- CURLOPT_HTTPHEADER.3: libcurl doesn't copy the whole list
+- asyn-thread: Improved cleanup after OOM situations
-- detect_proxy: fix possible single-byte memory leak
+- asyn-thread: Set errno to the proper value ENOMEM in OOM situation
- Coverity CID 1202836. If the proxy environment variable returned an empty
- string, it would be leaked. While an empty string is not really a proxy, other
- logic in this function already allows a blank string to be returned so allow
- that here to avoid the leak.
+ This used to be set in some configurations to EAI_MEMORY which is not a
+ valid value for errno and caused Curl_strerror to fail an assertion.
-- multi_runsingle: fix memory leak
+Daniel Stenberg (28 Aug 2017)
+- [Johannes Schindelin brought this change]
+
+ configure: Handle "MultiSSL" specially When versioning symbols
+
+ There is a mode in which libcurl is compiled with versioned symbols,
+ depending on the active SSL backend.
- Coverity CID 1202837. There's a potential risk that 'newurl' gets
- overwritten when it was already pointing to allocated memory.
+ When multiple SSL backends are active, it does not make sense to favor
+ one over the others, so let's not: introduce a new prefix for the case
+ where multiple SSL backends are compiled into cURL.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-- pop3_perform_authentication: fix memory leak
+ configure: allow setting the default SSL backend
- Coverity CID 1215287. There's a potential risk for a memory leak in
- here, and moving the free call to be unconditional seems like a cheap
- price to remove the risk.
+ Previously, we used as default SSL backend whatever was first in the
+ `available_backends` array.
+
+ However, some users may want to override that default without patching
+ the source code.
+
+ Now they can: with the --with-default-ssl-backend=<backend> option of
+ the ./configure script.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-- imap_perform_authentication: fix memory leak
+ vtls: use Curl_ssl_multi pseudo backend only when needed
- Coverity CID 1215296. There's a potential risk for a memory leak in
- here, and moving the free call to be unconditional seems like a cheap
- price to remove the risk.
+ When only one SSL backend is configured, it is totally unnecessary to
+ let multissl_init() configure the backend at runtime, we can select the
+ correct backend at build time already.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-- wait_or_timeout: return failure when Curl_poll() fails
+ version: if built with more than one SSL backend, report all of them
- Coverity detected this. CID 1241954. When Curl_poll() returns a negative value
- 'mcode' was uninitialized. Pretty harmless since this is debug code only and
- would at worst cause an error to _not_ be returned...
+ To discern the active one from the inactive ones, put the latter into
+ parentheses.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-- curl.1: mention quoting in the URL section
+ version: add the CURL_VERSION_MULTI_SSL feature flag
- and separate the example URLs with newlines
+ This new feature flag reports When cURL was built with multiple SSL
+ backends.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Steve Holme (30 Sep 2014)
-- [Bill Nagel brought this change]
+- [Johannes Schindelin brought this change]
- smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
+ metalink: allow compiling with multiple SSL backends
+
+ Previously, the code assumed that at most one of the SSL backends would
+ be compiled in, emulating OpenSSL's functions if the configured backend
+ was not OpenSSL itself.
- This patch fixes the "SSL3_WRITE_PENDING: bad write retry" error that
- sometimes occurs when sending an email over SMTPS with OpenSSL. OpenSSL
- appears to require the same pointer on a write that follows a retry
- (CURLE_AGAIN) as discussed here:
+ However, now we allow building with multiple SSL backends and choosing
+ one at runtime. Therefore, metalink needs to be adjusted to handle this
+ scenario, too.
- http://stackoverflow.com/questions/2997218/why-am-i-getting-error1409f07fssl-routinesssl3-write-pending-bad-write-retr
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (30 Sep 2014)
-- RELEASE-NOTES: synced with 53cbea22310f15
+- [Johannes Schindelin brought this change]
-- file: reject paths using embedded %00
+ docs/examples: demonstrate how to select SSL backends
- Mostly because we use C strings and they end at a binary zero so we know
- we can't open a file name using an embedded binary zero.
+ The newly-introduced curl_global_sslset() function deserves to be
+ show-cased.
- Reported-by: research@g0blin.co.uk
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Dan Fandrich (26 Sep 2014)
-- test506: Fixed a couple of memory leaks in test
+- [Johannes Schindelin brought this change]
-Daniel Stenberg (25 Sep 2014)
-- [Yousuke Kimoto brought this change]
+ Add a man page for curl_global_sslset()
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
- CURLOPT_COOKIELIST: Added "RELOAD" command
+- [Johannes Schindelin brought this change]
-- [Michael Wallner brought this change]
+ vtls: introduce curl_global_sslset()
+
+ Let's add a compile time safe API to select an SSL backend. This
+ function needs to be called *before* curl_global_init(), and can be
+ called only once.
+
+ Side note: we do not explicitly test that it is called before
+ curl_global_init(), but we do verify that it is not called multiple times
+ (even implicitly).
+
+ If SSL is used before the function was called, it will use whatever the
+ CURL_SSL_BACKEND environment variable says (or default to the first
+ available SSL backend), and if a subsequent call to
+ curl_global_sslset() disagrees with the previous choice, it will fail
+ with CURLSSLSET_TOO_LATE.
+
+ The function also accepts an "avail" parameter to point to a (read-only)
+ NULL-terminated list of available backends. This comes in real handy if
+ an application wants to let the user choose between whatever SSL backends
+ the currently available libcurl has to offer: simply call
+
+ curl_global_sslset(-1, NULL, &avail);
+
+ which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail
+ variable to point to the relevant information to present to the user.
+
+ Just like with the HTTP/2 push functions, we have to add the function
+ declaration of curl_global_sslset() function to the header file
+ *multi.h* because VMS and OS/400 require a stable order of functions
+ declared in include/curl/*.h (where the header files are sorted
+ alphabetically). This looks a bit funny, but it cannot be helped.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
- CURLOPT_POSTREDIR.3: Added availability for CURL_REDIR_POST_303
+- [Johannes Schindelin brought this change]
-- threaded-resolver: revert Curl_expire_latest() switch
+ vtls: refactor out essential information about the SSL backends
+
+ There is information about the compiled-in SSL backends that is really
+ no concern of any code other than the SSL backend itself, such as which
+ function (if any) implements SHA-256 summing.
- The switch to using Curl_expire_latest() in commit cacdc27f52b was a
- mistake and was against the advice even mentioned in that commit. The
- comparison in asyn-thread.c:Curl_resolver_is_resolved() makes
- Curl_expire() the suitable function to use.
+ And there is information that is really interesting to the user, such as
+ the name, or the curl_sslbackend value.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1426
- Reported-By: graysky
+ Let's factor out the latter into a publicly visible struct. This
+ information will be used in the upcoming API to set the SSL backend
+ globally.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- libcurl docs: improvements all over
+- [Johannes Schindelin brought this change]
-Steve Holme (19 Sep 2014)
-- build: Added WinIDN build configuration options
+ vtls: allow selecting which SSL backend to use at runtime
+
+ When building software for the masses, it is sometimes not possible to
+ decide for all users which SSL backend is appropriate.
+
+ Git for Windows, for example, uses cURL to perform clones, fetches and
+ pushes via HTTPS, and some users strongly prefer OpenSSL, while other
+ users really need to use Secure Channel because it offers
+ enterprise-ready tools to manage credentials via Windows' Credential
+ Store.
+
+ The current Git for Windows versions use the ugly work-around of
+ building libcurl once with OpenSSL support and once with Secure Channel
+ support, and switching out the binaries in the installer depending on
+ the user's choice.
+
+ Needless to say, this is a super ugly workaround that actually only
+ works in some cases: Git for Windows also comes in a portable form, and
+ in a form intended for third-party applications requiring Git
+ functionality, in which cases this "swap out libcurl-4.dll" simply is
+ not an option.
+
+ Therefore, the Git for Windows project has a vested interest in teaching
+ cURL to make the SSL backend a *runtime* option.
+
+ This patch makes that possible.
+
+ By running ./configure with multiple --with-<backend> options, cURL will
+ be built with multiple backends.
- Added initial support for WinIDN build configurations to the VC10+
- project files.
+ For the moment, the backend can be configured using the environment
+ variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
+ "schannel").
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (19 Sep 2014)
-- tutorial: signals aren't used for the threaded resolver
+- [Johannes Schindelin brought this change]
-- FAQ: update the pronunciation section
+ vtls: fold the backend ID into the Curl_ssl structure
- As we weren't using the correct phonetic description and doing it correctly
- involves funny letters that I'm sure will cause problems for people in a text
- document so I instead rephrased it and link to a WAV file with a person
- actually saying 'curl'.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ curl_ntlm_core: don't complain but #include OpenSSL header if needed
- Reported-By: Dimitar Boevski
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- CURLOPT_COOKIE*: added more cross-references
+- [Johannes Schindelin brought this change]
-- BINDINGS: add node-libcurl
+ vtls: encapsulate SSL backend-specific data
+
+ So far, all of the SSL backends' private data has been declared as
+ part of the ssl_connect_data struct, in one big #if .. #elif .. #endif
+ block.
+
+ This can only work as long as the SSL backend is a compile-time option,
+ something we want to change in the next commits.
+
+ Therefore, let's encapsulate the exact data needed by each SSL backend
+ into a private struct, and let's avoid bleeding any SSL backend-specific
+ information into urldata.h. This is also necessary to allow multiple SSL
+ backends to be compiled in at the same time, as e.g. OpenSSL's and
+ CyaSSL's headers cannot be included in the same .c file.
+
+ To avoid too many malloc() calls, we simply append the private structs
+ to the connectdata struct in allocate_conn().
+
+ This requires us to take extra care of alignment issues: struct fields
+ often need to be aligned on certain boundaries e.g. 32-bit values need to
+ be stored at addresses that divide evenly by 4 (= 32 bit / 8
+ bit-per-byte).
- Reported-By: Jonathan Cardoso Machado
- URL: http://curl.haxx.se/mail/lib-2014-09/0102.html
+ We do that by assuming that no SSL backend's private data contains any
+ fields that need to be aligned on boundaries larger than `long long`
+ (typically 64-bit) would need. Under this assumption, we simply add a
+ dummy field of type `long long` to the `struct connectdata` struct. This
+ field will never be accessed but acts as a placeholder for the four
+ instances of ssl_backend_data instead. the size of each ssl_backend_data
+ struct is stored in the SSL backend-specific metadata, to allow
+ allocate_conn() to know how much extra space to allocate, and how to
+ initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend
+ pointers.
+
+ This would appear to be a little complicated at first, but is really
+ necessary to encapsulate the private data of each SSL backend correctly.
+ And we need to encapsulate thusly if we ever want to allow selecting
+ CyaSSL and OpenSSL at runtime, as their headers cannot be included within
+ the same .c file (there are just too many conflicting definitions and
+ declarations for that).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- README.http2: updated to reflect current status
+- [Johannes Schindelin brought this change]
-- formdata: removed unnecessary USE_SSLEAY use
+ vtls: prepare the SSL backends for encapsulated private data
+
+ At the moment, cURL's SSL backend needs to be configured at build time.
+ As such, it is totally okay for them to hard-code their backend-specific
+ data in the ssl_connect_data struct.
+
+ In preparation for making the SSL backend a runtime option, let's make
+ the access of said private data a bit more abstract so that it can be
+ adjusted later in an easy manner.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- curlssl: make tls backend symbols use curlssl in the name
+- [Johannes Schindelin brought this change]
-- url: let the backend decide CURLOPT_SSL_CTX_ support
+ urldata.h: move SSPI-specific #include to correct location
+
+ In 86b889485 (sasl_gssapi: Added GSS-API based Kerberos V5 variables,
+ 2014-12-03), an SSPI-specific field was added to the kerberos5data
+ struct without moving the #include "curl_sspi.h" later in the same file.
+
+ This broke the build when SSPI was enabled, unless Secure Channel was
+ used as SSL backend, because it just so happens that Secure Channel also
+ requires "curl_sspi.h" to be #included.
+
+ In f4739f639 (urldata: include curl_sspi.h when Windows SSPI is enabled,
+ 2017-02-21), this bug was fixed incorrectly: Instead of moving the
+ appropriate conditional #include, the Secure Channel-conditional part
+ was now also SSPI-conditional.
- ... to further remove specific TLS backend knowledge from url.c
+ Fix this problem by moving the correct #include instead.
+
+ This is also required for an upcoming patch that moves all the Secure
+ Channel-specific stuff out of urldata.h and encapsulates it properly in
+ vtls/schannel.c instead.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- vtls: have the backend tell if it supports CERTINFO
+- [Johannes Schindelin brought this change]
+
+ urldata.h: remove support for obsolete PolarSSL version
+
+ Since 5017d5ada (polarssl: now require 1.3.0+, 2014-03-17), we require
+ a newer PolarSSL version. No need to keep code trying to support any
+ older version.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Catalin Patulea brought this change]
+- [Johannes Schindelin brought this change]
- configure: allow --with-ca-path with PolarSSL too
+ getinfo: access SSL internals via Curl_ssl
+
+ In the ongoing endeavor to abstract out all SSL backend-specific
+ functionality, this is the next step: Instead of hard-coding how the
+ different SSL backends access their internal data in getinfo.c, let's
+ implement backend-specific functions to do that task.
- Missed this in af45542c.
+ This will also allow for switching SSL backends as a runtime option.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: move SSL backends' private constants out of their header files
- Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-- CURLOPT_CAPATH: return failure if set without backend support
+ axtls: use Curl_none_* versions of init() and cleanup()
+
+ There are convenient no-op versions of the init/cleanup functions now,
+ no need to define private ones for axTLS.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Tatsuhiro Tsujikawa brought this change]
+- [Johannes Schindelin brought this change]
- http2: Fix busy loop when EOF is encountered
+ vtls: remove obsolete declarations of SSL backend functionality
- Previously we did not handle EOF from underlying transport socket and
- wrongly just returned error code CURL_AGAIN from http2_recv, which
- caused busy loop since socket has been closed. This patch adds the
- code to handle EOF situation and tells the upper layer that we got
- EOF.
+ These functions are all available via the Curl_ssl struct now, no need
+ to declare them separately anymore.
+
+ As the global declarations are removed, the corresponding function
+ definitions are marked as file-local. The only two exceptions here are
+ Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the
+ declarations were removed, there are no function definitions to mark
+ file-local.
+
+ Please note that Curl_nss_force_init() is *still* declared globally, as
+ the only SSL backend-specific function, because it was introduced
+ specifically for the use case where cURL was compiled with
+ `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add
+ support for NSS, 2010-06-27).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Steve Holme (13 Sep 2014)
-- build: Added batch wrapper to checksrc.pl
+- [Johannes Schindelin brought this change]
-- RELEASE-NOTES: Synced with bd3df5ec6d
+ schannel: reorder functions topologically
+
+ The _shutdown() function calls the _session_free() function; While this
+ is not a problem now (because schannel.h declares both functions), a
+ patch looming in the immediate future with make all of these functions
+ file-local.
+
+ So let's just move the _session_free() function's definition before it
+ is called.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- [Marcel Raad brought this change]
+- [Johannes Schindelin brought this change]
- sasl_sspi: Fixed Unicode build
+ axtls: reorder functions topologically
+
+ The connect_finish() function (like many other functions after it) calls
+ the Curl_axtls_close() function; While this is not a problem now
+ (because axtls.h declares the latter function), a patch looming in the
+ immediate future with make all of these functions file-local.
+
+ So let's just move the Curl_axtls_close() function's definition before
+ it is called.
- Bug: http://curl.haxx.se/bug/view.cgi?id=1422
- Verified-by: Steve Holme
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (12 Sep 2014)
-- libcurl-tutorial.3: fix GnuTLS link to thread-safety guidelines
+- [Johannes Schindelin brought this change]
+
+ vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct
- The former link was turned into a 404 at some point.
+ That will allow us to choose the SSL backend at runtime.
- Reported-By: Askar Safin
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-- contributors.sh: split list of names at comma
+ vtls: convert the have_curlssl_* constants to runtime flags
+
+ The entire idea of introducing the Curl_ssl struct to describe SSL
+ backends is to prepare for choosing the SSL backend at runtime.
+
+ To that end, convert all the #ifdef have_curlssl_* style conditionals
+ to use bit flags instead.
- ... to support a list of names provided in a commit message.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Steve Holme (12 Sep 2014)
-- [Ulrich Telle brought this change]
+- [Johannes Schindelin brought this change]
- ntlm: Fixed HTTP proxy authentication when using Windows SSPI
+ vtls: move sha256sum into the Curl_ssl struct
- Removed ISC_REQ_* flags from calls to InitializeSecurityContext to fix
- bug in NTLM handshake for HTTP proxy authentication.
+ The SHA-256 checksumming is also an SSL backend-specific function.
+ Let's include it in the struct declaring the functionality of SSL
+ backends.
- NTLM handshake for HTTP proxy authentication failed with error
- SEC_E_INVALID_TOKEN from InitializeSecurityContext for certain proxy
- servers on generating the NTLM Type-3 message.
+ In contrast to MD5, there is no fall-back code. To indicate this, the
+ respective entries are NULL for those backends that offer no support for
+ SHA-256 checksumming.
- The flag ISC_REQ_CONFIDENTIALITY seems to cause the problem according
- to the observations and suggestions made in a bug report for the
- QT project (https://bugreports.qt-project.org/browse/QTBUG-17322).
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: move md5sum into the Curl_ssl struct
- Removing all the flags solved the problem.
+ The MD5 summing is also an SSL backend-specific function. So let's
+ include it, offering the previous fall-back code as a separate function
+ now: Curl_none_md5sum(). To allow for that, the signature had to be
+ changed so that an error could be returned from the implementation
+ (Curl_none_md5sum() can run out of memory).
- Bug: http://curl.haxx.se/mail/lib-2014-08/0273.html
- Reported-by: Ulrich Telle
- Assisted-by: Steve Holme, Daniel Stenberg
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (12 Sep 2014)
-- [Ray Satiro brought this change]
+- [Johannes Schindelin brought this change]
- newlines: fix mixed newlines to LF-only
+ vtls: use the Curl_ssl struct to access all SSL backends' functionality
- I use the curl repo mainly on Windows with the typical Windows git
- checkout which converts the LF line endings in the curl repo to CRLF
- automatically on checkout. The automatic conversion is not done on files
- in the repo with mixed line endings. I recently noticed some weird
- output with projects/build-openssl.bat that I traced back to mixed line
- endings, so I scanned the repo and there are files (excluding the
- test data) that have mixed line endings.
+ This is the first step to unify the SSL backend handling. Now all the
+ SSL backend-specific functionality is accessed via a global instance of
+ the Curl_ssl struct.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: declare Curl_ssl structs for every SSL backend
- I used this command below to do the scan. Unfortunately it's not as easy
- as git grep, at least not on Windows. This gets the names of all the
- files in the repo's HEAD, gets each of those files raw from HEAD, checks
- for mixed line endings of both LF and CRLF, and prints the name if
- mixed. I excluded path tests/data/test* because those can have mixed
- line endings if I understand correctly.
+ The idea of introducing the Curl_ssl struct was to unify how the SSL
+ backends are declared and called. To this end, we now provide an
+ instance of the Curl_ssl struct for each and every SSL backend.
- for f in `git ls-tree --name-only --full-tree -r HEAD`;
- do if [ -n "${f##tests/data/test*}" ];
- then git show "HEAD:$f" | \
- perl -0777 -ne 'exit 1 if /([^\r]\n.*\r\n)|(\r\n.*[^\r]\n)/';
- if [ $? -ne 0 ];
- then echo "$f";
- fi;
- fi;
- done
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
-- [Viktor Szakáts brought this change]
+ vtls: introduce a new struct for SSL backends
+
+ This new struct is similar in nature to Curl_handler: it will define the
+ functions and capabilities of all the SSL backends (where Curl_handler
+ defines the functions and capabilities of protocol handlers).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
- mk-ca-bundle.pl: converted tabs to spaces, deleted trailing spaces
+- [Johannes Schindelin brought this change]
-- ROADMAP: markdown eats underscores
+ vtls: make sure every _sha256sum()'s first arg is const
- It interprets them as italic indictors unless we backtick the word.
+ This patch makes the signature of the _sha256sum() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- ROADMAP: tiny formatting edit for nicer web output
+- [Johannes Schindelin brought this change]
-Steve Holme (10 Sep 2014)
-- ROADMAP.md: Updated GSSAPI authentication following 7.38.0 additions
+ vtls: make sure all _data_pending() functions return bool
+
+ This patch makes the signature of the _data_pending() functions
+ consistent among the SSL backends, in preparation for unifying the way
+ all SSL backends are accessed.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- INTERNALS: Added email and updated Kerberos details
+- [Johannes Schindelin brought this change]
-- FEATURES: Updated Kerberos details
+ vtls: make sure all _cleanup() functions return void
- Added support for Kerberos 5 to the email protocols following the recent
- additions in 7.38.0.
+ This patch makes the signature of the _cleanup() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
- Removed Kerberos 4 as this has been gone for a while now.
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (10 Sep 2014)
-- [Paul Howarth brought this change]
+- [Johannes Schindelin brought this change]
- openssl: build fix for versions < 0.9.8e
+ vtls: use consistent signature for _random() implementations
+
+ This will make the upcoming multissl backend much easier to implement.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- strtooff: fix build for systems with long long but no strtoll option
+
+ Closes #1829
- Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html
+ Reported-by: Dan Fandrich
+ Bug: https://github.com/curl/curl/pull/1758#issuecomment-324861615
-- mk-ca-bundle.pl: first, try downloading HTTPS with curl
+- darwinssl: handle long strings in TLS certs
- As a sort of step forward, this script will now first try to get the
- data from the HTTPS URL using curl, and only if that fails it will
- switch back to the HTTP transfer using perl's native LWP functionality.
- To reduce the risk of this script being tricked.
+ ... as the previous fixed length 128 bytes buffer was sometimes too
+ small.
+
+ Fixes #1823
+ Closes #1831
+
+ Reported-by: Benjamin Sergeant
+ Assisted-by: Bill Pyne, Ray Satiro, Nick Zitzmann
+
+- system.h: include sys/poll.h for AIX
- Using HTTPS to get a cert bundle introduces a chicken-and-egg problem so
- we can't really ever completely disable HTTP, but chances are that most
- users already have a ca cert bundle that trusts the mozilla.org site
- that this script downloads from.
+ ... to get the event/revent defines that might be used for the poll
+ struct.
- A future version of this script will probably switch to require a
- dedicated "insecure" command line option to allow downloading over HTTP
- (or unverified HTTPS).
+ Reported-by: Michael Smith
+ Fixes #1828
+ Closes #1833
-- LICENSE-MIXING: removed krb4 info
+Dan Fandrich (26 Aug 2017)
+- tests: Make sure libtests & unittests call curl_global_cleanup()
- krb4 has been dropped since a while now
+ These were missed in commit c468c27b.
-- bump: on the 7.38.1-DEV train now!
+Jay Satiro (26 Aug 2017)
+- [theantigod brought this change]
-- SSLCERTS: minor updates
+ winbuild: fix embedded manifest option
- Edited format to look better on the web, added a "it is about trust"
- section.
+ Embedded manifest option didn't work due to incorrect path.
+
+ Fixes https://github.com/curl/curl/issues/1832
+
+Daniel Stenberg (25 Aug 2017)
+- fuzz/Makefile.am: remove curlbuild.h leftovers
-Version 7.38.0 (10 Sep 2014)
+- examples/threaded-ssl: mention that this is for openssl before 1.1
-Daniel Stenberg (10 Sep 2014)
-- dist: two cmake files are no more
+- imap: use defined names for response codes
- CMake/FindOpenSSL.cmake and FindZLIB.cmake are gone since 14aa8f0c117b
+ When working on this code I found the previous setup a bit weird while
+ using proper defines increases readability.
+
+ Closes #1824
-- RELEASE-NOTES: final update for 7.38.0
+- CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
-- cookies: reject incoming cookies set for TLDs
+- imap: support PREAUTH
+
+ It is a defined possible greeting at server startup that means the
+ connection is already authenticated. See
+ https://tools.ietf.org/html/rfc3501#section-7.1.4
- Test 61 was modified to verify this.
+ Test 846 added to verify.
- CVE-2014-3620
+ Fixes #1818
+ Closes #1820
+
+Jay Satiro (23 Aug 2017)
+- config-tpf: define SIZEOF_LONG
+
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
- Reported-by: Tim Ruehsen
- URL: http://curl.haxx.se/docs/adv_20140910B.html
+ Bug: https://github.com/curl/curl/issues/1816
+
+Dan Fandrich (23 Aug 2017)
+- test1453: Fixed <features>
+
+Daniel Stenberg (22 Aug 2017)
+- [Gisle Vanem brought this change]
-- [Tim Ruehsen brought this change]
+ config-dos: add missing defines, SIZEOF_* and two others
+
+ Bug: #1816
- cookies: only use full host matches for hosts used as IP address
+- curl: shorten and clean up CA cert verification error message
+
+ The previous message was just too long for ordinary people and it was
+ encouraging users to use `--insecure` a little too easy.
+
+ Based-on-work-by: Frank Denis
- By not detecting and rejecting domain names for partial literal IP
- addresses properly when parsing received HTTP cookies, libcurl can be
- fooled to both send cookies to wrong sites and to allow arbitrary sites
- to set cookies for others.
+ Closes #1810
+ Closes #1817
+
+- request-target.d: mention added in 7.55.0
+
+Marcel Raad (22 Aug 2017)
+- tool_main: turn off MinGW CRT's globbing
- CVE-2014-3613
+ By default, the MinGW CRT globs command-line arguments. This prevents
+ getting a single asterisk into an argument as test 1299 does. Turn off
+ globbing by setting the global variable _CRT_glob to 0 for MinGW.
- Bug: http://curl.haxx.se/docs/adv_20140910A.html
+ Fixes https://github.com/curl/curl/issues/1751
+ Closes https://github.com/curl/curl/pull/1813
-- HISTORY: fix the 1998 title position
+Viktor Szakats (22 Aug 2017)
+- makefile.m32: add support for libidn2
+
+ libidn was replaced with libidn2 last year in configure.
+ Caveat: libidn2 may depend on a list of further libs.
+ These can be manually specified via CURL_LDFLAG_EXTRAS.
+
+ Closes https://github.com/curl/curl/pull/1815
-- HISTORY: extended and now markdown
+Jay Satiro (22 Aug 2017)
+- [Viktor Szakats brought this change]
-- SSLCERTS: converted to markdown
+ config-win32: define SIZEOF_LONG
- Only minor edits to make it generate nice HTML output using markdown, as
- this document serves both in source release tarballs as on the web site.
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
- URL: http://curl.haxx.se/docs/sslcerts.html
+ Closes https://github.com/curl/curl/pull/1814
-- ftp-wildcard.c: spell fix
+Daniel Stenberg (20 Aug 2017)
+- cmake: enable picky compiler options with clang and gcc
- Reported-By: Frank Gevaerts
+ closes #1799
-- RELEASE-NOTES: synced with 921a0c22a6f
+- curl/system.h: fix build for hppa
+
+ Reported-by: John David Anglin
+ Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872502#10
-- THANKS: synced with RELEASE-NOTES for 921a0c22a6f
+- [Even Rouault brought this change]
-- polarassl: avoid memset() when clearing the first byte is enough
+ tftp: fix memory leak on too long filename
+
+ Fixes
+
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+
+ ==9752== Memcheck, a memory error detector
+ ==9752== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
+ ==9752== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
+ ==9752== Command: /home/even/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+ ==9752==
+ curl: (71) TFTP file name too long
+
+ ==9752==
+ ==9752== HEAP SUMMARY:
+ ==9752== 505 bytes in 1 blocks are definitely lost in loss record 11 of 11
+ ==9752== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==9752== by 0x4E61CED: Curl_urldecode (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E75868: tftp_state_machine (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E761B6: tftp_do (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E711B6: multi_runsingle (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E71D00: curl_multi_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E6950D: curl_easy_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x40E0B7: operate_do (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x40E849: operate (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x402693: main (in /home/even/install-curl-git/bin/curl)
+
+ Fixes https://oss-fuzz.com/v2/testcase-detail/5232311106797568
+ Credit to OSS Fuzz
+
+ Closes #1808
-- [Catalin Patulea brought this change]
+Dan Fandrich (19 Aug 2017)
+- runtests: fixed case insensitive matching of keywords
+
+ Commit 5c2aac71 didn't work in the case of mixed-case keywords given on
+ the command-line.
- polarssl: support CURLOPT_CAPATH / --capath
+- tests: Make sure libtests call curl_global_cleanup()
- Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
+ This ensures that global data allocations are freed so Valgrind stays
+ happy. This was a problem with at least PolarSSL and mbedTLS.
-- SECURITY: eh, make more sense!
+Daniel Stenberg (18 Aug 2017)
+- RELEASE-NOTES: synced with 8baead425
+
+- scripts/contri*sh: use "git log --use-mailmap"
+
+- mailmap: de-duplify some git authors
+
+- http2_recv: return error better on fatal h2 errors
+
+ Ref #1012
+ Figured-out-by: Tatsuhiro Tsujikawa
-- SECURITY: how to join the curl-security list
+- KNOWN_BUGS: HTTP test server 'connection-monitor' problems
+
+ Closes #868
-- RELEASE-NOTES: fix the required nghttp2 version typo
+- curl/system.h: check for __ppc__ as well
+
+ ... regression since issue #1774 (commit 10b3df10596a) since obviously
+ some older gcc doesn't know __powerpc__ while some newer doesn't know
+ __ppc__ ...
+
+ Fixes #1797
+ Closes #1798
+ Reported-by: Ryan Schmidt
-- [Brandon Casey brought this change]
+- [Jan Alexander Steffens (heftig) brought this change]
- Ensure progress.size_dl/progress.size_ul are always >= 0
+ http: Don't wait on CONNECT when there is no proxy
- Historically the default "unknown" value for progress.size_dl and
- progress.size_ul has been zero, since these values are initialized
- implicitly by the calloc that allocates the curl handle that these
- variables are a part of. Users of curl that install progress
- callbacks may expect these values to always be >= 0.
+ Since curl 7.55.0, NetworkManager almost always failed its connectivity
+ check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP
+ CONNECT process entirely non-blocking).
- Currently it is possible for progress.size_dl and progress.size_ul
- to by set to a value of -1, if Curl_pgrsSetDownloadSize() or
- Curl_pgrsSetUploadSize() are passed a "size" of -1 (which a few
- places currently do, and a following patch will add more). So
- lets update Curl_pgrsSetDownloadSize() and Curl_pgrsSetUploadSize()
- so they make sure that these variables always contain a value that
- is >= 0.
+ This patch replaces !Curl_connect_complete with Curl_connect_ongoing,
+ which returns false if the CONNECT state was left uninitialized and lets
+ the connection continue.
- Updates test579 and test599.
+ Closes #1803
+ Fixes #1804
- Signed-off-by: Brandon Casey <drafnel@gmail.com>
+ Also-fixed-by: Gergely Nagy
-Steve Holme (7 Sep 2014)
-- tests: Added test1420 to the makefile
+- [Johannes Schindelin brought this change]
-- test1420: Removed unnecessary CURLOPT setting
+ metalink: adjust source code style
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- tests: Added more "Clear Text" authentication keywords
+- CURL_SIZEOF_LONG: removed, use only SIZEOF_LONG
-- tests: Updated "based on" text due to email test renumbering
+- lib557: no longer use CURL_SIZEOF_* defines
-- tests: For consistency added --libcurl to test name
+- config-win32: define SIZEOF_CURL_OFF_T
-- tests: Added --libcurl for IMAP test case
+- cmake: sizeof curl_off_t, remove unused detections
-- multi.c: Avoid invalid memory read after free() from commit 3c8c873252
+- system.h: remove all CURL_SIZEOF_* defines
- As the current element in the list is free()d by Curl_llist_remove(),
- when the associated connection is pending, reworked the loop to avoid
- accessing the next element through e->next afterward.
+ ... as they're not used externally and internally we check for the sizes
+ already in configure etc.
+
+ Closes #1767
-- multi.c: Fixed compilation warning from commit 3c8c873252
+- ftp: fix CWD when doing multicwd then nocwd on same connection
- warning: implicit conversion from enumeration type 'CURLMcode' to
- different enumeration type 'CURLcode'
+ Fixes #1782
+ Closes #1787
+ Reported-by: Peter Lamare
-- url.c: Use CURLAUTH_NONE constant rather than 0
+- CURLOPT_SSH_COMPRESSION.3: enable with 1L
- Small follow up to commit 898808fa8c to use auth constants rather than
- hard code value when clearing picked authentication mechanism.
+ (leaves other values reserved for the future)
+
+- compressed-ssh.d: "Added: 7.56.0"
-- RELEASE-NOTES: Synced with fd1ce3856a
+- curl/system.h: checksrc compliance
-Nick Zitzmann (4 Sep 2014)
-- [Vilmos Nebehaj brought this change]
+Jay Satiro (17 Aug 2017)
+- [Viktor Szakats brought this change]
- darwinssl: Use CopyCertSubject() to check CA cert.
+ ssh: add the ability to enable compression (for SCP/SFTP)
+
+ The required low-level logic was already available as part of
+ `libssh2` (via `LIBSSH2_FLAG_COMPRESS` `libssh2_session_flag()`[1]
+ option.)
+
+ This patch adds the new `libcurl` option `CURLOPT_SSH_COMPRESSION`
+ (boolean) and the new `curl` command-line option `--compressed-ssh`
+ to request this `libssh2` feature. To have compression enabled, it
+ is required that the SSH server supports a (zlib) compatible
+ compression method and that `libssh2` was built with `zlib` support
+ enabled.
- SecCertificateCopyPublicKey() is not available on iPhone. Use
- CopyCertSubject() instead to see if the certificate returned by
- SecCertificateCreateWithData() is valid.
+ [1] https://www.libssh2.org/libssh2_session_flag.html
- Reported-by: Toby Peterson
+ Ref: https://github.com/curl/curl/issues/1732
+ Closes https://github.com/curl/curl/pull/1735
-Steve Holme (4 Sep 2014)
-- RELEASE-NOTES: Clarify email Kerberos support is currently via Windows SSPI
+- examples/ftpuploadresume: checksrc compliance
-Daniel Stenberg (4 Sep 2014)
-- MAIL-ETIQUETTE: "1.8 I posted, now what?"
+- [Maksim Stsepanenka brought this change]
-- CURLOPT_CA*: better refering between *CAINFO and *CAPATH
+ http_proxy: fix build error for CURL_DOES_CONVERSIONS
- ... and a minor wording edit
+ Closes https://github.com/curl/curl/pull/1793
+
+GitHub (16 Aug 2017)
+- [Nick Zitzmann brought this change]
-- THANKS: added Dennis Clarke
+ configure: check for __builtin_available() availability (#1788)
- Dennis Clarke from Blastwave.org for ensuring that nightly builds run
- smooth on Solaris!
+ This change does two things:
+ 1. It un-breaks the build in Xcode 9.0. (Xcode 9.0 is currently
+ failing trying to compile connectx() in lib/connect.c.)
+ 2. It finally weak-links the connectx() function, and falls back on
+ connect() when run on older operating systems.
-- curl_multi_cleanup: remove superfluous NULL assigns
+Daniel Stenberg (16 Aug 2017)
+- travis: add metalink to some osx builds
- ... as the struct is free()d in the end anyway. It was first pointed out
- to me that one of the ->msglist assignments were supposed to have been
- ->pending but was a copy and paste mistake when I realized none of the
- clearing of pointers had to be there.
+ Closes #1790
-- multi: convert CURLM_STATE_CONNECT_PEND handling to a list
+- [Max Dymond brought this change]
+
+ coverage: Use two coveralls commands to get lib/vtls results
- ... instead of scanning through all handles, stash only the actual
- handles that are in that state in the new ->pending list and scan that
- list only. It should be mostly empty or very short. And only used for
- pipelining.
+ closes #1747
+
+- darwinssi: fix error: variable length array used
+
+- m4/curl-compilers.m4: use proper quotes around string, not backticks
- This avoids a rather hefty slow-down especially notable if you add many
- handles to the same multi handle. Regression introduced in commit
- 0f147887 (version 7.30.0).
+ ... when setting clang version to assume 3.7
- Bug: http://curl.haxx.se/mail/lib-2014-07/0206.html
- Reported-by: David Meyer
-
-- RELEASE-NOTES: synced with e608324f9f9
+ Caused a lot of "integer expression expected" warnings by configure.
-- [Andre Heinecke brought this change]
+- [Benbuck Nason brought this change]
- polarssl: implement CURLOPT_SSLVERSION
+ cmake: remove dead code for DISABLED_THREADSAFE
- Forwards the setting as minimum ssl version (if set) to polarssl. If
- the server does not support the requested version the SSL Handshake will
- fail.
+ Closes #1786
+
+Jay Satiro (15 Aug 2017)
+- [Jakub Zakrzewski brought this change]
+
+ curl-confopts.m4: fix --disable-threaded-resolver
- Bug: http://curl.haxx.se/bug/view.cgi?id=1419
+ Closes https://github.com/curl/curl/issues/1784
+
+Daniel Stenberg (15 Aug 2017)
+- [Ryan Winograd brought this change]
-nickzman (1 Sep 2014)
-- Merge pull request #115 from ldx/darwinsslfixpr
+ progress: Track total times following redirects
+
+ Update the progress timers `t_nslookup`, `t_connect`, `t_appconnect`,
+ `t_pretransfer`, and `t_starttransfer` to track the total times for
+ these activities when a redirect is followed. Previously, only the times
+ for the most recent request would be tracked.
+
+ Related changes:
- darwinssl: now accepts cacert bundles in PEM format in addition to single certs
+ - Rename `Curl_pgrsResetTimesSizes` to `Curl_pgrsResetTransferSizes`
+ now that the function only resets transfer sizes and no longer
+ modifies any of the progress timers.
+
+ - Add a bool to the `Progress` struct that is used to prevent
+ double-counting `t_starttransfer` times.
+
+ Added test case 1399.
+
+ Fixes #522 and Known Bug 1.8
+ Closes #1602
+ Reported-by: joshhe on github
+
+- [Benbuck Nason brought this change]
-Vilmos Nebehaj (1 Sep 2014)
-- Check CA certificate in curl_darwinssl.c.
+ cmake: remove dead code for CURL_DISABLE_RTMP
- SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even
- if the buffer holds an invalid or corrupt certificate. Call
- SecCertificateCopyPublicKey() to make sure cacert is a valid
- certificate.
+ Closes #1785
-Daniel Stenberg (31 Aug 2014)
-- low-speed-limit: avoid timeout flood
+Kamil Dudka (15 Aug 2017)
+- zsh.pl: produce a working completion script again
- Introducing Curl_expire_latest(). To be used when we the code flow only
- wants to get called at a later time that is "no later than X" so that
- something can be checked (and another timeout be added).
+ Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help
+ to use <file> and <dir> instead of FILE and DIR, which caused zsh.pl to
+ produce a broken completion script:
- The low-speed logic for example could easily be made to set very many
- expire timeouts if it would be called faster or sooner than what it had
- set its own timer and this goes for a few other timers too that aren't
- explictiy checked for timer expiration in the code.
+ % curl --<TAB>
+ _curl:10: no such file or directory: seconds
- If there's no condition the code that says if(time-passed >= TIME), then
- Curl_expire_latest() is preferred to Curl_expire().
+ Closes #1779
+
+Daniel Stenberg (15 Aug 2017)
+- curlver: toward 7.56.0?
+
+- RELEASE-NOTES: synced with 91c46dc44
+
+- test1449: FTP download range with an too large size
+
+- strtoofft: reduce integer overflow risks globally
- If there exists such a condition, it is on the other hand important that
- Curl_expire() is used and not the other.
+ ... make sure we bail out on overflows.
- Bug: http://curl.haxx.se/mail/lib-2014-06/0235.html
- Reported-by: Florian Weimer
+ Reported-by: Brian Carpenter
+ Closes #1758
-- [Michael Wallner brought this change]
-
- resolve: cache lookup for async resolvers
+- travis: build the examples too
- While waiting for a host resolve, check if the host cache may have
- gotten the name already (by someone else), for when the same name is
- resolved by several simultanoues requests.
+ to make sure they keep building warning-free
- The resolver thread occasionally gets stuck in getaddrinfo() when the
- DNS or anything else is crappy or slow, so when a host is found in the
- DNS cache, leave the thread alone and let itself cleanup the mess.
+ Closes #1777
+
+- runtests: match keywords case insensitively
-Vilmos Nebehaj (30 Aug 2014)
-- Fix CA certificate bundle handling in darwinssl.
+- examples/ftpuploadresume.c: use portable code
- If the --cacert option is used with a CA certificate bundle that
- contains multiple CA certificates, iterate through it, adding each
- certificate as a trusted root CA.
+ ... converted from the MS specific _snscanf()
+
+Version 7.55.1 (13 Aug 2017)
+
+Daniel Stenberg (13 Aug 2017)
+- RELEASE-NOTES/THANKS: curl 7.55.1 release time
-Daniel Stenberg (29 Aug 2014)
-- [Askar Safin brought this change]
+- gitignore: ignore .xz now instead of .lzma
- getinfo-times: Typo fixed
+- [Sergei Nikulov brought this change]
-- [Askar Safin brought this change]
+ cmake: Threads detection update. ref: #1702
+
+ Closes #1719
- libcurl.3: Typo fixed
+- ipv6_scope: support unique local addresses
+
+ Fixes #1764
+ Closes #1773
+ Reported-by: James Slaughter
-- curl_formadd.3: setting CURLFORM_CONTENTSLENGTH 0 zero means strlen
+- [Alex Potapenko brought this change]
-- curl.1: add an example for -H
+ curl/system.h: GCC doesn't define __ppc__ on PowerPC, uses __powerpc__
+
+ Closes #1774
-- FAQ: mention -w in the 4.20 answer as well
+- test1448: verify redirect to IDN using URL
+
+ Closes #1772
-- FAQ: 4.20 curl doesn't return error for HTTP non-200 responses
+- [Salah-Eddin Shaban brought this change]
-- CURLOPT_NOBODY.3: clarify this option is for downloads
+ redirect: skip URL encoding for host names
- When enabling CURLOPT_NOBODY, libcurl effectively switches off upload
- mode and will do a download (without a body). This is now better
- explained in this man page.
+ This fixes redirects to IDN URLs
- Bug: http://curl.haxx.se/mail/lib-2014-08/0236.html
- Reported-by: John Coffey
+ Fixes #1441
+ Closes #1762
+ Reported by: David Lord
-- INTERNALS: nghttp2 must be 0.6.0 or later
+- test2032: mark as flaky (again)
-- [Tatsuhiro Tsujikawa brought this change]
+- travis: test cmake build on tarball too
+
+ Could've prevented #1755
+
+- [Simon Warta brought this change]
+
+ cmake: allow user to override CMAKE_DEBUG_POSTFIX
+
+ Closes #1763
- Compile with latest nghttp2
+- connect-to.d: better language
-Dan Fandrich (26 Aug 2014)
-- THANKS: removed a few more duplicates
+- connect-to.d: clarified
-Daniel Stenberg (26 Aug 2014)
-- RELEASE-NOTES: synced with 007242257683a
+- bagder/Curl_tvdiff_us: fix the math
- ... and bumped the contributor amount after recount
+ Regression since adef394ac5 (released in 7.55.0)
+
+ Reported-by: Han Qiao
+ Fixes #1769
+ Closes #1771
-- THANKS: added 52 missing contributors
+- curl/system.h: add Oracle Solaris Studio
- I re-ran contributors.sh on all changes since 7.10 and I found these
- contributors who are mentioned in the commits but never were added to
- THANKS before!
+ Fixes #1752
+
+- [Alessandro Ghedini brought this change]
+
+ docs: fix typo funtion -> function
- I also removed a couple of duplicates (mostly due to different
- spellings).
+ Closes #1770
-- contributors: grep and sort case insensitively
+Alessandro Ghedini (12 Aug 2017)
+- docs: fix grammar in CURL_SSLVERSION_MAX_DEFAULT description
-- [Michael Osipov brought this change]
+- docs: fix typo stuct -> struct
+
+Dan Fandrich (12 Aug 2017)
+- test1447: require a curl with http support
+
+Daniel Stenberg (11 Aug 2017)
+- [Thomas Petazzoni brought this change]
+
+ curl/system.h: support more architectures
+
+ The long list of architectures in include/curl/system.h is annoying to
+ maintain, and needs to be extended for each and every architecture to
+ support.
+
+ Instead, let's rely on the __SIZEOF_LONG__ define of the gcc compiler
+ (we are in the GNUC condition anyway), which tells us if long is 4
+ bytes or 8 bytes.
+
+ This fixes the build of libcurl 7.55.0 on architectures such as
+ OpenRISC or ARC.
+
+ Closes #1766
+
+ Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- configure.ac: Add support for recent GSS-API implementations for HP-UX
+- test2033: this went flaky again
- By default, configure script assumes that libcurl will use the
- HP-supplied GSS-API implementation which does not have krb5-config.
- If a dev needs a more recent version which has that config script,
- the change will allow to pass an appropriate GSSAPI_ROOT.
+ Suspicion: when we enabled the threaded resolver by default.
+
+- test1447: verifies the parse proxy fix in 6e0e152ce5c
-- CONNECT: close proxy connections that fail to CONNECT
+- [Even Rouault brought this change]
+
+ parse_proxy(): fix memory leak in case of invalid proxy server name
- This is usually due to failed auth. There's no point in us keeping such
- a connection alive since it shouldn't be re-used anyway.
+ Fixes the below leak:
- Bug: http://curl.haxx.se/bug/view.cgi?id=1381
- Reported-by: Marcel Raad
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl --proxy "http://a:b@/x" http://127.0.0.1
+ curl: (5) Couldn't resolve proxy name
+ ==5048==
+ ==5048== HEAP SUMMARY:
+ ==5048== in use at exit: 532 bytes in 12 blocks
+ ==5048== total heap usage: 5,288 allocs, 5,276 frees, 445,271 bytes allocated
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 1 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CB79: parse_login_details (url.c:5614)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 2 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CBB6: parse_login_details (url.c:5621)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
+
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2984
+ Credit to OSS Fuzz for discovery
+
+ Closes #1761
+
+- RELEASE-NOTES: synced with 37f2195a9
+
+- curlver: bump to 7.55.1
-- RELEASE-NOTES: added two missing HTTP/2 bug fixes
+- openssl: fix "error: this statement may fall through"
- And renamed all http2 references to HTTP/2 in this file
+ A gcc7 warning.
-- RELEASE-NOTES: synced with f646e9075f47
+- [David Benjamin brought this change]
-- [Jakub Zakrzewski brought this change]
+ openssl: remove CONST_ASN1_BIT_STRING.
+
+ Just making the pointer as const works for the pre-1.1.0 path too.
+
+ Closes #1759
+
+- maketgz: remove old *.dist files before making the tarball
+
+ To avoid "old crap" unintentionally getting shipped.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0050.html
+ Reported-by: Christian Weisgerber
- Cmake: Possibility to use OpenLDAP, OpenSSL, LibSSH2 on windows
+Jay Satiro (10 Aug 2017)
+- mkhelp.pl: allow executing this script directly
+
+ - Enable execute permission (chmod +x)
+
+ - Change interpreter to /usr/bin/env perl
- At this point I can build libcurl on windows. It provides at least the same
- list of protocols as for linux build and works with our software.
+ Ref: https://github.com/curl/curl/issues/1743
-- [Jakub Zakrzewski brought this change]
+Daniel Stenberg (10 Aug 2017)
+- configure: use the threaded resolver backend by default if possible
+
+ Closes #1647
- Cmake: Removed repeated content from ending blocks
+- cmake: move cmake_uninstall.cmake to CMake/
- They are unnecesary in modern CMake and removing them improves readability.
+ Closes #1756
-- [Jakub Zakrzewski brought this change]
+- metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead
- Cmake: Removed some useless empty SET statements.
+- dist: fix the cmake build by shipping cmake_uninstall.cmake.in too
- Undefined variables resolve to empty strings and we do not ever test if
- the variable is defined thus those SETs are superfluous.
+ Fixes #1755
-- [Jakub Zakrzewski brought this change]
+- travis: verify "make install"
+
+ Help-by: Jay Satiro
+ Closes #1753
- Cmake: Removed useless comments from CMakeLists.txt
+Marcel Raad (10 Aug 2017)
+- build: check out *.sln files with Windows line endings
+
+ Visual Studio doesn't like LF line endings in solution files and always
+ converts them to CRLF when doing changes to the solution. Notably, this
+ affects the solutions in the release archive.
- They look like some relics after changes.
+ Closes https://github.com/curl/curl/pull/1746
-- [Jakub Zakrzewski brought this change]
+- gitignore: ignore top-level .vs folder
+
+ This folder is generated when using the CMake build system from within
+ Visual Studio.
+
+ Closes https://github.com/curl/curl/pull/1746
- Cmake: Don't check for all headers each time
-
- One header at a time is the right way. Apart from that the output on
- windows goes from:
- ...
- -- Looking for include files I:/src/libssh2-1.4.3/include/libssh2.h, ws2tcpip.h
- -- Looking for include files I:/src/libssh2-1.4.3/include/libssh2.h, ws2tcpip.h
- - found
- -- Looking for 3 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock2.h
- -- Looking for 3 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock2.h - found
- -- Looking for 4 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., stdi
- o.h
- -- Looking for 4 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., stdi
- o.h - found
- -- Looking for 5 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wind
- ows.h
- -- Looking for 5 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wind
- ows.h - found
- -- Looking for 6 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock.h
- -- Looking for 6 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., wins
- ock.h - found
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- filio.h
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- filio.h - not found
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- ioctl.h
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- ioctl.h - not found
- -- Looking for 7 include files I:/src/libssh2-1.4.3/include/libssh2.h, ..., sys/
- resource.h
- ...
-
- To much nicer:
- ...
- -- Looking for ws2tcpip.h
- -- Looking for ws2tcpip.h - found
- -- Looking for winsock2.h
- -- Looking for winsock2.h - found
- -- Looking for stdio.h
- -- Looking for stdio.h - found
- -- Looking for windows.h
- -- Looking for windows.h - found
- -- Looking for winsock.h
- -- Looking for winsock.h - found
- -- Looking for sys/filio.h
- -- Looking for sys/filio.h - not found
- -- Looking for sys/ioctl.h
- -- Looking for sys/ioctl.h - not found
- -- Looking for sys/resource.h
+Jay Satiro (10 Aug 2017)
+- digest_sspi: Don't reuse context if the user/passwd has changed
+
+ Bug: https://github.com/curl/curl/issues/1685
+ Reported-by: paulharris@users.noreply.github.com
+
+ Assisted-by: Isaac Boukris
+
+ Closes https://github.com/curl/curl/pull/1742
-- [Jakub Zakrzewski brought this change]
+Daniel Stenberg (9 Aug 2017)
+- [Adam Sampson brought this change]
- Cmake: Append OpenSSL include directory to search path
+ dist: Add dictserver.py/negtelnetserver.py to EXTRA_DIST
+
+ These weren't included in the 7.55.0 release, but are required in order
+ to run the full test suite.
- At this point I can build libcurl with OpenSSL, OpenLDAP and LibSSH2.
- Supported protocols are at least:
- HTTP, HTTPS, FTP, SFTP, TFTP, LDAP, LDAPS, POP3, SMTP
- (those are the ones we have regression tests for
- in our product's testsuite)
+ Closes #1744
-- [Jakub Zakrzewski brought this change]
+- [Adam Sampson brought this change]
+
+ curl: do bounds check using a double comparison
+
+ The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
+ complete: if the parsed number in num is larger than will fit in a long,
+ the conversion is undefined behaviour (causing test1427 to fail for me
+ on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting
+ rid of the cast means the comparison will be done using doubles.
+
+ It might make more sense for the max argument to also be a double...
+
+ Fixes #1750
+ Closes #1749
- Cmake: Search for liblber, LDAP SSL headers, swith for using OpenLDAP code.
+- make install: add 8 missing man pages to the installation
-- [Jakub Zakrzewski brought this change]
+- build: fix 'make install' with configure, install docs/libcurl/* too
+
+ Broken since d24838d4da9faa
+
+ Reported-by: Bernard Spil
- Cmake: LibSSH2 detection and use.
+Version 7.55.0 (9 Aug 2017)
-- [Jakub Zakrzewski brought this change]
+Daniel Stenberg (9 Aug 2017)
+- RELEASE-NOTES: curl 7.55.0
- Cmake: Moved macros out of the main CMakeLists.txt
+- THANKS: 20 new contributors in 7.55.0
-- [Jakub Zakrzewski brought this change]
+- [Viktor Szakats brought this change]
- Cmake: Added missing protocol-disable switches
+ docs/comments: Update to secure URL versions
- They already have their defines in config.h. This makes it possible to
- disable the protocols from command line during configure step.
+ Closes #1741
-- [Jakub Zakrzewski brought this change]
+- configure: fix recv/send/select detection on Android
+
+ ... since they now provide several functions as
+ __attribute__((overloadable)), the argument detection logic need
+ updates.
+
+ Patched-by: destman at github
+
+ Fixes #1738
+ Closes #1739
- Cmake: Made boolean defines be defined to "1" instead of "ON"
+Marcel Raad (8 Aug 2017)
+- ax_code_coverage.m4: update to latest version
- It's by convention, for compatibility and because the comments say so.
- Just mabe someone have written a test like "#if HAVE_XX==1"
+ This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d
+ from August 01, 2017. Notably, this removes the lconv version whitelist.
+
+ Closes https://github.com/curl/curl/pull/1716
-- [Jakub Zakrzewski brought this change]
+Daniel Stenberg (7 Aug 2017)
+- test1427: verify command line parser integer overflow detection
- Cmake: Require at least CMake 2.8.
+- curl: detect and bail out early on parameter integer overflows
- CMake 2.6 is already a bit old. Many bugs have been fixed since
- its release. We use 2.8 in our company and we have no intention
- of polluting our environment with old software, so 2.6 would
- not be tested. This shouldn't be a problem since all one need
- to build CMake from source is C and C++ compiler.
+ Make the number parser aware of the maximum limit curl accepts for a
+ value and return an error immediately if larger, instead of running an
+ integer overflow later.
+
+ Fixes #1730
+ Closes #1736
-- disconnect: don't touch easy-related state on disconnects
+- glob: do not continue parsing after a strtoul() overflow range
- This was done to make sure NTLM state that is bound to a connection
- doesn't survive and gets used for the subsequent request - but
- disconnects can also be done to for example make room in the connection
- cache and thus that connection is not strictly related to the easy
- handle's current operation.
+ Added test 1289 to verify.
- The http authentication state is still kept in the easy handle since all
- http auth _except_ NTLM is connection independent and thus survive over
- multiple connections.
+ CVE-2017-1000101
- Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html
- Reported-by: Paras S
+ Bug: https://curl.haxx.se/docs/adv_20170809A.html
+ Reported-by: Brian Carpenter
-- curl.1: clarify --limit-rate's effect on both directions
+- tftp: reject file name lengths that don't fit
- Bug: http://curl.haxx.se/bug/view.cgi?id=1414
- Reported-by: teo8976
-
-- curl.1: mention the --post30x options within the --location desc
-
-Dan Fandrich (22 Aug 2014)
-- sasl: Fixed a memory leak on OOM
+ ... and thereby avoid telling send() to send off more bytes than the
+ size of the buffer!
+
+ CVE-2017-1000100
+
+ Bug: https://curl.haxx.se/docs/adv_20170809B.html
+ Reported-by: Even Rouault
+
+ Credit to OSS-Fuzz for the discovery
-Daniel Stenberg (22 Aug 2014)
-- [Frank Meier brought this change]
+- [Even Rouault brought this change]
- NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
+ file: output the correct buffer to the user
- Problem: if CURLOPT_FORBID_REUSE is set, requests using NTLM failed
- since NTLM requires multiple requests that re-use the same connection
- for the authentication to work
+ Regression brought by 7c312f84ea930d8 (April 2017)
- Solution: Ignore the forbid reuse flag in case the NTLM authentication
- handshake is in progress, according to the NTLM state flag.
+ CVE-2017-1000099
- Fixed known bug #77.
+ Bug: https://curl.haxx.se/docs/adv_20170809C.html
+
+ Credit to OSS-Fuzz for the discovery
-Steve Holme (22 Aug 2014)
-- openssl.c: Fixed longer than 79 columns
+- easy_events: make event data static
+
+ First: this function is only used in debug-builds and not in
+ release/real builds. It is used to drive tests using the event-based
+ API.
+
+ A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the
+ CURLMOPT_TIMERFUNCTION calback can in fact be called even after this
+ funtion returns, namely when curl_multi_remove_handle() is called.
+
+ Reported-by: Brian Carpenter
-- openssl.c: Fixed compilation warning
+- getparameter: avoid returning uninitialized 'usedarg'
- warning: declaration of 'minor' shadows a global declaration
+ Fixes #1728
-Daniel Stenberg (21 Aug 2014)
-- [Haris Okanovic brought this change]
+Marcel Raad (5 Aug 2017)
+- [Isaac Boukris brought this change]
- win32: Fixed WinSock 2 #if
+ gssapi: fix memory leak of output token in multi round context
- A conditionally compiled block in connect.c references WinSock 2
- symbols, but used `#ifdef HAVE_WINSOCK_H` instead of `#ifdef
- HAVE_WINSOCK2_H`.
+ When multiple rounds are needed to establish a security context
+ (usually ntlm), we overwrite old token with a new one without free.
+ Found by proposed gss tests using stub a gss implementation (by
+ valgrind error), though I have confirmed the leak with a real
+ gssapi implementation as well.
- Bug: http://curl.haxx.se/mail/lib-2014-08/0155.html
+ Closes https://github.com/curl/curl/pull/1733
-- Curl_disconnect: don't free the URL
+- darwinssl: fix compiler warning
- The URL is not a property of the connection so it should not be freed in
- the connection disconnect but in the Curl_close() that frees the easy
- handle.
+ clang complains:
+ vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive
+ [-Werror,-Wextra-tokens]
- Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html
- Reported-by: Paras S
-
-- help output: minor whitespace edits
+ This breaks the darwinssl build on Travis. Fix it by making this token
+ a comment.
- Should've been amended in the previous commit but wasn't due to a
- mistake.
-
-- [Zearin brought this change]
+ Closes https://github.com/curl/curl/pull/1734
- help output: use ≥2 spaces between option and description
+- CMake: fix CURL_WERROR for MSVC
- ... and some other cleanups
-
-- FAQ: some actually sometimes get paid...
+ When using CURL_WERROR in MSVC builds, the debug flags were overridden
+ by the release flags and /WX got added twice in debug mode.
+
+ Closes https://github.com/curl/curl/pull/1715
-Steve Holme (17 Aug 2014)
-- sasl_sspi: Fixed a memory leak with the GSSAPI base-64 decoded challenge
+Daniel Stenberg (4 Aug 2017)
+- RELEASE-NOTES: synced with 561e9217c
-- sasl_sspi: Renamed GSSAPI mutual authentication parameter
+- test1010: verify that #1718 is fixed
- ...From "mutual" to "mutual_auth" which better describes what it is.
+ ... by doing two transfers in nocwd mode and check that there's no
+ superfluous CWD command.
-- sasl_sspi: Corrected some of the GSSAPI security message error codes
+- FTP: skip unnecessary CWD when in nocwd mode
- Corrected a number of the error codes that can be returned from the
- Curl_sasl_create_gssapi_security_message() function when things go
- wrong.
+ ... when reusing a connection. If it didn't do any CWD previously.
- It makes more sense to return CURLE_BAD_CONTENT_ENCODING when the
- inbound security challenge can't be decoded correctly or doesn't
- contain the KERB_WRAP_NO_ENCRYPT flag and CURLE_OUT_OF_MEMORY when
- EncryptMessage() fails. Unfortunately the previous error code of
- CURLE_RECV_ERROR was a copy and paste mistakes on my part and should
- have been correct in commit 4b491c675f :(
+ Fixes #1718
-- docs: Escaped single backslash
-
-- TODO: Updated following GSSAPI (Kerberos V5) additions
+Marcel Raad (4 Aug 2017)
+- travis: explicitly specify dist
- Updated "FTP 4.6 GSSAPI via Windows SSPI" and "SASL 14.1 Other
- authentication mechanisms" following recent additions.
+ This makes the builds more reproducible as travis is currently rolling
+ out trusty as default dist [1]. Specifically, this avoids coverage
+ check failures when trusty is used as seen in [2] until we figure out
+ what's wrong.
- Added SASL 14.2 GSSAPI via GSS-API libraries.
-
-- CURLOPT_USERNAME.3: Added Kerberos V5 and NTLM domain information
+ [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
+ [2] https://github.com/curl/curl/pull/1692
- This repeats what has already been documented in both the curl manpage
- and CURLOPT_USERPWD documentation but is provided here for completeness
- as someone may not especially read the latter when using libcurl.
+ Closes https://github.com/curl/curl/pull/1725
-- CURLOPT_USERPWD.3: Updated following Kerberos V5 SSPI changes
+Daniel Stenberg (4 Aug 2017)
+- travis: BUILD_TYPE => T
- Added information about Kerberos V5 requiring the domain part in the
- user name.
-
- Mentioned that the user name can be specified in UPN format, and not
- just in Down-Level Logon Name format, following the information
- added in commit 7679cb3fa8 reworking the exisitng information in the
- process.
+ (to make the full line appear nicer on travis web UI)
-- docs: Added Kerberos V5 and NTLM domain information to --user
+- travis: add osx build with darwinssl
+
+ Closes #1706
-- docs: Added Kerberos V5 to the --user SSPI current credentials usage
+- darwin: silence compiler warnings
+
+ With a clang pragma and three type fixes
+
+ Fixes #1722
-- sasl_sspi: Tell the server we don't support a GSSAPI receive buffer
+- BUILD.WINDOWS: mention buildconf.bat for builds off git
-- smtp: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI
+- darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
-- pop3: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI
+- test130: verify comments in .netrc
-- imap: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPI
+- [Gisle Vanem brought this change]
-- email: Added mutual authentication flag
+ netrc: skip lines starting with '#'
+
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
-Daniel Stenberg (15 Aug 2014)
-- RELEASE-NOTES: synced with 0187c9e11d079
+Marcel Raad (3 Aug 2017)
+- CMake: set MSVC warning level to 4
+
+ The MSVC warning level defaults to 3 in CMake. Change it to 4, which is
+ consistent with the Visual Studio and NMake builds. Disable level 4
+ warning C4127 for the library and additionally C4306 for the test
+ servers to get a clean CURL_WERROR build as that warning is raised in
+ some macros in older Visual Studio versions.
+
+ Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794
+ Closes https://github.com/curl/curl/pull/1711
-- http: fix the Content-Range: parser
+Daniel Stenberg (2 Aug 2017)
+- CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2
- ... to handle "*/[total]". Also, removed the strange hack that made
- CURLOPT_FAILONERROR on a 416 response after a *RESUME_FROM return
- CURLE_OK.
+ Reported-by: Viktor Szakats
+
+- CURLOPT_NETRC.3: mention the file name on windows
- Reported-by: Dimitrios Siganos
- Bug: http://curl.haxx.se/mail/lib-2014-06/0221.html
+ ... and CURLOPT_NETRC_FILE(3).
+
+- travis: build osx with libressl too
-Steve Holme (14 Aug 2014)
-- email: Introduced the GSSAPI states
+- travis: build osx with openssl too
-- curl_sasl_sspi.c: Fixed more compilation warnings from commit 4b491c675f
+- tests/server/util: fix curltime mistake from 4dee50b9c80f9
+
+Marcel Raad (1 Aug 2017)
+- curl_threads: fix MSVC compiler warning
- warning: unused variable 'resp'
+ Use LongToHandle to convert from long to HANDLE in the Win32
+ implementation.
+ This should fix the following warning when compiling with
+ MSVC 11 (2012) in 64-bit mode:
+ lib\curl_threads.c(113): warning C4306:
+ 'type cast' : conversion from 'long' to 'HANDLE' of greater size
- warning: no previous prototype for 'Curl_sasl_gssapi_cleanup'
+ Closes https://github.com/curl/curl/pull/1717
-- SHA-1: 61c93383b7f6cf79d12ff99e9dced1d1cc2a7064
-
- * curl_sasl_sspi.c: Fixed compilation warning from commit 4b491c675f
+Daniel Stenberg (1 Aug 2017)
+- BUGS: improved phrasing about security bugs
- warning: declaration of 'result' shadows a previous local
+ Reported-by: Max Dymond
+
+- BUGS: clarify how to report security related bugs
+
+- [Brad Spencer brought this change]
-- curl_sasl.h: Fixed compilation error from commit 4b491c675f
+ multi: fix request timer management
- warning: 'struct kerberos5data' declared inside parameter list
+ There are some bugs in how timers are managed for a single easy handle
+ that causes the wrong "next timeout" value to be reported to the
+ application when a new minimum needs to be recomputed and that new
+ minimum should be an existing timer that isn't currently set for the
+ easy handle. When the application drives a set of easy handles via the
+ `curl_multi_socket_action()` API (for example), it gets told to wait the
+ wrong amount of time before the next call, which causes requests to
+ linger for a long time (or, it is my guess, possibly forever).
- Due to missing forward declaration.
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
-- urldata.h: Fixed compilation warnings from commit 3ec253532e
+Jay Satiro (1 Aug 2017)
+- curl_setup: Define CURL_NO_OLDIES for building libcurl
- warning: extra tokens at end of #endif directive
+ .. to catch accidental use of deprecated error codes.
+
+ Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
-- sasl_sspi: Added GSSAPI message functions
+Daniel Stenberg (1 Aug 2017)
+- [Jeremy Tan brought this change]
-- urldata: Introduced a GSSAPI (Kerberos V5) data structure
+ configure: fix the check for IdnToUnicode
- Added a kerberos5data structure which is similar in nature to the
- ntlmdata and negotiatedata structures.
+ Fixes #1669
+ Closes #1713
-- sspi: Moved KERB_WRAP_NO_ENCRYPT from socks_sspi module
+- http: fix response code parser to avoid integer overflow
+
+ test 1429 and 1433 were updated to work with the stricter HTTP status line
+ parser.
- In preparation for the upcoming SSPI implementation of GSSAPI
- authentication, moved the definition of KERB_WRAP_NO_ENCRYPT from
- socks_sspi.c to curl_sspi.h allowing it to be shared amongst other
- SSPI based code.
+ Closes #1714
+ Reported-by: Brian Carpenter
-Daniel Stenberg (13 Aug 2014)
-- mk-ca-bundle.pl: add missing $
+Jay Satiro (31 Jul 2017)
+- [Dwarakanath Yadavalli brought this change]
-- mk-ca-bundle.pl: switched to using hg.mozilla.org
+ libcurl: Stop using error codes defined under CURL_NO_OLDIES
- ... as mxr.mozilla.org is due to be retired.
-
- The new host doesn't support If-Modified-Since nor ETags, meaning that
- the script will now defer to download and do a post-transfer checksum
- check to see if a new output is to be generated. The new output format
- will hold the SHA1 checksum of the source file for that purpose.
+ Fixes https://github.com/curl/curl/issues/1688
+ Closes https://github.com/curl/curl/pull/1712
+
+- include.d: clarify --include is only for response headers
- We call this version 1.22
+ Follow-up to 171f8de and de6de94.
- Reported-by: Ed Morley
- Bug: http://curl.haxx.se/bug/view.cgi?id=1409
+ Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851
+ Reported-by: Daniel Stenberg
-- [Jose Alf brought this change]
+Daniel Stenberg (30 Jul 2017)
+- [Jason Juang brought this change]
- openssl: fix version report for the 0.9.8 branch
+ cmake: support make uninstall
- Fixed libcurl to correctly output the newer versions of OpenSSL 0.9.8,
- starting from openssl-0.9.8za.
+ Closes #1674
-- [Frank Meier brought this change]
+- RELEASE-NOTES: synced with 001701c47
- create_conn: prune dead connections
+Marcel Raad (29 Jul 2017)
+- AppVeyor: now really use CURL_WERROR
- Bringing back the old functionality that was mistakenly removed when the
- connection cache was remade. When creating a new connection, all the
- existing ones are checked and those that are known to be dead get
- disconnected for real and removed from the connection cache. It helps
- the cache from holding on to very many stale connections and aids in
- keeping down the number of system sockets in wait states.
+ It was misspelled as CURL_ERROR in commit
+ 2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4.
- Help-by: Jonatan Vela <jonatan.vela@ergon.ch>
-
- Bug: http://curl.haxx.se/mail/lib-2014-06/0189.html
+ Closes https://github.com/curl/curl/pull/1686
-Kamil Dudka (11 Aug 2014)
-- docs/SSLCERTS: update the section about NSS database
+Jay Satiro (29 Jul 2017)
+- tool_help: clarify --include is only for response headers
- Bug: http://curl.haxx.se/mail/lib-2014-07/0335.html
- Reported-by: David Shaw
-
-Daniel Stenberg (11 Aug 2014)
-- [Peter Wang brought this change]
+ Follow-up to 171f8de.
+
+ Ref: https://github.com/curl/curl/issues/1704
- Curl_poll + Curl_wait_ms: fix timeout return value
+- splay: fix signed/unsigned mismatch warning
- Curl_poll and Curl_wait_ms require the fix applied to Curl_socket_check
- in commits b61e8b8 and c771968:
+ Follow-up to 4dee50b.
- When poll or select are interrupted and coincides with the timeout
- elapsing, the functions return -1 indicating an error instead of 0 for
- the timeout.
+ Ref: https://github.com/curl/curl/pull/1693
-Steve Holme (10 Aug 2014)
-- config-tpf.h: Fixed up line lengths > 79 characters
+Daniel Stenberg (28 Jul 2017)
+- include.d: clarify that it concerns the response headers
+
+ Reported-by: olesteban at github
+ Fixes #1704
-- config-symbian.h: Fixed up line lengths > 79 characters
+- [Johannes Schindelin brought this change]
-- tool_hugehelp.c.cvs: Added copyright
+ curl_rtmp: fix a compiler warning
- Added copyright due to warning from checksrc.pl.
+ The headers of librtmp declare the socket as `int`, and on Windows, that
+ disagrees with curl_socket_t.
+
+ Bug: #1652
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- RELEASE-NOTES: Synced with cd6ecf6a89
+- test1323: verify curlx_tvdiff
-- sasl_sspi: Fixed hard coded buffer for response generation
+- timeval: struct curltime is a struct timeval replacement
- Given the SSPI package info query indicates a token size of 4096 bytes,
- updated to use a dynamic buffer for the response message generation
- rather than a fixed buffer of 1024 bytes.
+ ... to make all libcurl internals able to use the same data types for
+ the struct members. The timeval struct differs subtly on several
+ platforms so it makes it cumbersome to use everywhere.
+
+ Ref: #1652
+ Closes #1693
-- sasl_sspi: Fixed missing free of challenge buffer on SPN failure
+- darwinssl: fix variable type mistake (regression)
+
+ ... which made --tlsv1.2 not work because it would blank the max tls
+ version variable.
+
+ Reported-by: Nick Miyake
+ Bug: #1703
-- http_negotiate_sspi: Tidy up to remove the get_gss_name() function
+- multi: mention integer overflow risk if using > 500 million sockets
+
+ Reported-by: ovidiu-benea@users.noreply.github.com
- Due to the reduction of code in commit 3b924b29 of get_gss_name() the
- function isn't necessary anymore.
+ Closes #1675
+ Closes #1683
-- http_negotiate_sspi: Use a dynamic buffer for SPN generation
+- checksrc: escape open brace in regex
- Updated to use a dynamic buffer for the SPN generation via the recently
- introduced Curl_sasl_build_spn() function rather than a fixed buffer of
- 1024 characters, which should have been more than enough, but by using
- the new function removes the need for another variable sname to do the
- wide character conversion in Unicode builds.
+ ... to silence warning.
-- sasl: Tidy up to rename SPN variable from URI
+Kamil Dudka (20 Jul 2017)
+- nss: fix a possible use-after-free in SelectClientCert()
+
+ ... causing a SIGSEGV in showit() in case the handle used to initiate
+ the connection has already been freed.
+
+ This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
+
+ Reported-by: Rob Sanders
+ Bug: https://bugzilla.redhat.com/1436158
-- sasl: Use a dynamic buffer for SPN generation
+- nss: unify the coding style of nss_send() and nss_recv()
- Updated Curl_sasl_create_digest_md5_message() to use a dynamic buffer
- for the SPN generation via the recently introduced Curl_sasl_build_spn()
- function rather than a fixed buffer of 128 characters.
+ No changes in behavior intended by this commit.
-- sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
+Marcel Raad (18 Jul 2017)
+- tests/server/resolve.c: fix deprecation warning
- Curl_sasl_create_digest_md5_message() would simply cast the SPN variable
- to a TCHAR when calling InitializeSecurityContext(). This meant that,
- under Unicode builds, it would not be valid wide character string.
+ MSVC warns that gethostbyname is deprecated. Always use getaddrinfo
+ instead to fix this when IPv6 is enabled, also for IPv4 resolves. This
+ is also consistent with what libcurl does.
- Updated to use the recently introduced Curl_sasl_build_spn() function
- which performs the correct conversion for us.
+ Closes https://github.com/curl/curl/pull/1682
-- sasl: Introduced Curl_sasl_build_spn() for building a SPN
+Jay Satiro (17 Jul 2017)
+- darwinssl: fix pinnedpubkey build error
- Various parts of the libcurl source code build a SPN for inclusion in
- authentication data. This information is either used by our own native
- generation routines or passed to authentication functions in third-party
- libraries such as SSPI. However, some of these instances use fixed
- buffers rather than dynamically allocated ones and not all of those that
- should, convert to wide character strings in Unicode builds.
+ - s/SessionHandle/Curl_easy/
- Implemented a common function that generates a SPN and performs the
- wide character conversion where necessary.
+ Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670
+ Reported-by: Gisle Vanem
-- sasl_sspi: Fixed memory leak with not releasing Package Info struct
+Marcel Raad (16 Jul 2017)
+- rtspd: fix GCC warning after MSVC warning fix
- Curl_sasl_create_digest_md5_message() wouldn't free the Package Info
- structure after QuerySecurityPackageInfo() had allocated it.
-
-- [Michael Osipov brought this change]
-
- docs: Update SPNEGO and GSS-API related doc sections
+ Older GCC warns:
+ /tests/server/rtspd.c:1194:10: warning: missing braces around
+ initializer [-Wmissing-braces]
- Reflect recent changes in SPNEGO and GSS-API code in the docs.
- Update them with appropriate namings and remove visible spots for
- GSS-Negotiate.
+ Fix this by using memset instead of an initializer.
-- sspi: Minor code tidy up to standardise coding style
+- libtest: fix MSVC warning C4706
- Following the recent changes and in attempt to align the SSPI based
- authentication code performed the following:
+ With warning level 4, MSVC warns about assignments within conditional
+ expressions. Change the while loop to a do-while loop to fix this. This
+ change is also consistent with CODE_STYLE.md.
+
+- sockfilt: suppress conversion warning with explicit cast
- * Use NULL and SECBUFFVERSION rather than hard coded constants.
- * Avoid comparison of zero in if statements.
- * Standardised the buf and desc setup code.
+ MSVC warns when implicitly casting -1 to unsigned long.
-- schannel: Fixed compilation warning in vtls.c
+- rtspd: fix MSVC level 4 warning
- vtls.c:688:43: warning: unused parameter 'data'
+ warning C4701: potentially uninitialized local variable 'req' used
-- tool_getparam.c: Fixed compilation warning
+- winbuild: re-enable warning C4127 for curl tool
- warning: `orig_opt' might be used uninitialized in this function
+ Disabled in cda19a345f6970e22fe8b7a808aeb8f086a21eac. It only needs to
+ be disabled for libcurl.
-- RELEASE-NOTES: Synced with 159c3aafd8
+- winbuild: build with warning level 4
+
+ This is consistent with 7bc64561a2e63ca93e4b0b31d350773ba80955c2, which
+ changed the warning level from 3 to 4 for the Visual Studio project
+ files. But disable the level 4 warning C4127 "conditional expression is
+ constant", as that one is issued by older versions of the Windows SDK
+ as well as curl itself under some circumstances.
+
+ Closes https://github.com/curl/curl/pull/1667
-Daniel Stenberg (8 Aug 2014)
-- curl_ntlm_msgs: make < 80 columns wide
+Jay Satiro (12 Jul 2017)
+- [Max Dymond brought this change]
-Steve Holme (8 Aug 2014)
-- ntlm: Fixed hard coded buffer for SSPI based auth packet generation
+ travis: install libidn2
+
+ Install libidn2 to increase test coverage (IDN tests)
- Given the SSPI package info query indicates a token size of 2888 bytes,
- and as with the Winbind code and commit 9008f3d56, use a dynamic buffer
- for the Type-1 and Type-3 message generation rather than a fixed buffer
- of 1024 bytes.
+ Closes https://github.com/curl/curl/pull/1673
-- ntlm: Added support for SSPI package info query
+Marcel Raad (12 Jul 2017)
+- travis: enable warnings also in release mode
- Just as with the SSPI implementations of Digest and Negotiate added a
- package info query so that libcurl can a) return a more appropriate
- error code when the NTLM package is not supported and b) it can be of
- use later to allocate a dynamic buffer for the Type-1 and Type-3
- output tokens rather than use a fixed buffer of 1024 bytes.
+ ... to get warnings also on Linux/GCC and OSX/clang.
+
+ Closes https://github.com/curl/curl/pull/1666
-Daniel Stenberg (7 Aug 2014)
-- http2: added some more logging for debugging stream problems
+Daniel Stenberg (12 Jul 2017)
+- [Max Dymond brought this change]
-- [Tatsuhiro Tsujikawa brought this change]
+ travis: install libssh2
+
+ Install libssh2 to increase test coverage (SFTP, SCP)
- HTTP/2: Reset promised stream, not its associated stream.
+Marcel Raad (12 Jul 2017)
+- system.h: include winsock2.h before windows.h
+
+ ... to avoid compiler warnings if the user doesn't want
+ WIN32_LEAN_AND_MEAN.
-- [Tatsuhiro Tsujikawa brought this change]
+- build: remove WIN32_LEAN_AND_MEAN from individual build systems
+
+ It's defined for all build systems in curl_setup.h since commit
+ beb08481d01a07a8b10938b1078a5e298b1c2912. This caused macro
+ redefinition warnings in the configure builds.
+
+ Closes https://github.com/curl/curl/pull/1677
- HTTP/2: Move :authority before non-pseudo header fields
+Jay Satiro (11 Jul 2017)
+- ISSUE_TEMPLATE: Add a comment not to file security issues on github
-- http2: show the received header for better debugging
+Marcel Raad (11 Jul 2017)
+- curl_setup: always define WIN32_LEAN_AND_MEAN on Windows
+
+ Make sure to always define WIN32_LEAN_AND_MEAN before including any
+ Windows headers to avoid pulling in unnecessary headers. This avoids
+ unnecessary macro clashes and compiler warnings.
+
+ Ref: https://github.com/curl/curl/issues/1562
+ Closes https://github.com/curl/curl/pull/1672
-- openssl: replace call to OPENSSL_config
+Jay Satiro (11 Jul 2017)
+- strerror: Preserve Windows error code in some functions
- OPENSSL_config() is "strongly recommended" to use but unfortunately that
- function makes an exit() call on wrongly formatted config files which
- makes it hard to use in some situations. OPENSSL_config() itself calls
- CONF_modules_load_file() and we use that instead and we ignore its
- return code!
+ This is a follow-up to af02162 which removed (SET_)ERRNO macros. That
+ commit was an earlier draft that I committed by mistake, which was then
+ remedied by a5834e5 and e909de6, and now this commit. With this commit
+ there is now no difference between the current code and the changes that
+ were approved in the final draft.
- Reported-by: Jan Ehrhardt
- Bug: http://curl.haxx.se/bug/view.cgi?id=1401
+ Thanks-to: Max Dymond, Marcel Raad, Daniel Stenberg, Gisle Vanem
+ Ref: https://github.com/curl/curl/pull/1589
-Dan Fandrich (7 Aug 2014)
-- [Fabian Keil brought this change]
+Marcel Raad (10 Jul 2017)
+- [Max Dymond brought this change]
- runtests.pl: Pad test case numbers with up to three zeroes
+ tests: Fix up issues with errno in test files
- Test case numbers with four digits have been available for a
- while now.
+ Closes https://github.com/curl/curl/pull/1671
-Steve Holme (7 Aug 2014)
-- docs: Added Negotiate to the SSPI current credentials usage description
+Daniel Stenberg (10 Jul 2017)
+- errno: fix non-windows builds after af0216251b94e7
-- TODO: HTTP Digest via Windows SSPI
+- [Ryan Winograd brought this change]
-- TODO: FTP GSSAPI via Windows SSPI
+ make: fix docs build on OpenBSD
+
+ Ref: #1591
-- http_negotiate_sspi: Fixed specific username and password not working
+Marcel Raad (10 Jul 2017)
+- ldap: fix MinGW compiler warning
- Bug: http://curl.haxx.se/mail/lib-2014-06/0224.html
- Reported-by: Leonardo Rosati
+ ldap_bind_s is marked as deprecated in w32api's winldap.h shipping with
+ the latest original MinGW, resulting in compiler warnings since commit
+ f0fe66f13c93d3d0af45d9fb1231c9164e0f9dc8. Fix this for the non-SSPI
+ case by using ldap_simple_bind_s again instead of ldap_bind_s with
+ LDAP_AUTH_SIMPLE.
+
+ Closes https://github.com/curl/curl/pull/1664
-- http_negotiate_sspi: Fixed endless unauthorized loop in commit 6bc76194e8
+- curl-compilers.m4: disable warning spam with Cygwin's clang
- If the server rejects our authentication attempt and curl hasn't
- called CompleteAuthToken() then the status variable will be
- SEC_I_CONTINUE_NEEDED and not SEC_E_OK.
+ When building with Cygwin or MinGW, libtool uses a wrapper executable
+ instead of a wrapper script [1], which is written in C and throws
+ missing-variable-declarations warnings. Don't enable these warnings on
+ Cygwin and MinGW in order to avoid warnings for every executable built,
+ which spams the test suite output when using Cygwin's clang.
- As such the existing detection mechanism for determining whether or not
- the authentication process has finished is not sufficient.
+ [1] https://www.gnu.org/software/libtool/manual/html_node/Wrapper-executables.html
- However, the WWW-Authenticate: Negotiate header line will not contain
- any data when the server has exhausted the negotiation, so we can use
- that coupled with the already allocated context pointer.
-
-Daniel Stenberg (5 Aug 2014)
-- RELEASE-NOTES: synced with 5b37db44a3eb
+ Closes https://github.com/curl/curl/pull/1665
-Dan Fandrich (5 Aug 2014)
-- parsedate.c: fix the return code for an overflow edge condition
+Jay Satiro (10 Jul 2017)
+- curl_setup_once: Remove ERRNO/SET_ERRNO macros
+
+ Prior to this change (SET_)ERRNO mapped to GetLastError/SetLastError
+ for Win32 and regular errno otherwise.
+
+ I reviewed the code and found no justifiable reason for conflating errno
+ on WIN32 with GetLastError/SetLastError. All Win32 CRTs support errno,
+ and any Win32 multithreaded CRT supports thread-local errno.
+
+ Fixes https://github.com/curl/curl/issues/895
+ Closes https://github.com/curl/curl/pull/1589
-Daniel Stenberg (5 Aug 2014)
-- [Toby Peterson brought this change]
+- tool_getparam: fix potentially uninitialized err
- darwinssl: don't use strtok()
+Marcel Raad (9 Jul 2017)
+- smb: rename variable to fix shadowing warning
- The GetDarwinVersionNumber() function uses strtok, which is not
- thread-safe.
-
-- Curl_ossl_version: adapted to detect BoringSSL
+ GCC 4.6.3 on travis complains:
+ smb.c: In function ‘get_posix_time’:
+ smb.c:725:13: error: declaration of ‘time’ shadows a global declaration
+ [-Werror=shadow]
- This seems to be the way it should work. Right now we can't build with
- BoringSSL and try this out properly due to a minor API breakage.
+ Fix this by renaming the variable.
-- Curl_ossl_version: detect and show libressl
+- tool_cb_wrt: fix variable shadowing warning
- LibreSSL is otherwise OpenSSL API compliant (so far)
-
-- [Tatsuhiro Tsujikawa brought this change]
-
- HTTP/2: Fix infinite loop in readwrite_data()
+ GCC 4.4 complains:
+ tool_cb_wrt.c:81: error: declaration of ‘isatty’ shadows a global
+ declaration
+ /usr/include/unistd.h:782: error: shadowed declaration is here
- To prevent infinite loop in readwrite_data() function when stream is
- reset before any response body comes, reset closed flag to false once
- it is evaluated to true.
+ Fix this by renaming the variable.
+
+ Closes https://github.com/curl/curl/pull/1661
-Dan Fandrich (3 Aug 2014)
-- gtls: only define Curl_gtls_seed if Nettle is not being used
+Daniel Stenberg (8 Jul 2017)
+- RELEASE-NOTES: synced with be2c999b8
-- ssl: provide Curl_ssl_backend even if no SSL library is available
+- travis: install stunnel
-Daniel Stenberg (2 Aug 2014)
-- [Tatsuhiro Tsujikawa brought this change]
+- valgrind.supp: supress OpenSSL false positive seen on travis
- HTTP2: Support expect: 100-continue
+- travis: detect and use valgrind for normal builds
- "Expect: 100-continue", which was once deprecated in HTTP/2, is now
- resurrected in HTTP/2 draft 14. This change adds its support to
- HTTP/2 code. This change also includes stricter header field
- checking.
+ Closes #1653
-- CURLOPT_SSL_VERIFYPEER.3. add a warning about disabling it
+- travis: add SMB, DICT, TELNET torture to coverage test
-- FEATURES: minor update
+- [Paul Harris brought this change]
-- openssl: make ossl_send return CURLE_OK better
+ cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC
- Previously it only returned a CURLcode for errors, which is when it
- returns a different size than what was passed in to it.
+ Removes BUILD_RELEASE_DEBUG_DIRS since it wasn't used anywhere.
- The http2 code only checked the curlcode and thus failed.
-
-- RELEASE-NOTES: synced with 7bb4c8cadb5d0
+ Closes #1649
-- [Michael Wallner brought this change]
+- CURLOPT_POSTFIELDS.3: explain the 100-continue magic better
- CURLOPT_HEADEROPT.3: typo: do -> to
+- [Max Dymond brought this change]
-- [Marcel Raad brought this change]
-
- schannel: use CryptGenRandom for random numbers
+ test1452: add telnet negotiation
- This function is available for every Windows version since Windows 95/NT.
+ Add a basic telnet server for negotiating some telnet options before
+ echoing back any data that's sent to it.
- reference:
- http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942.aspx
+ Closes #1645
-- curl_version_info.3: 'ssl_version_num' is always 0
+- travis: do more tests in the coverage run
- ... and has been so since 2005
+ I added a selection of torture and event tests that run "fast enough"
-- ssl: generalize how the ssl backend identifier is set
+- curl_easy_escape.3: mention the (lack of) encoding
- Each backend now defines CURL_SSL_BACKEND accordingly. Added the *AXTLS
- one which was missing previously.
+ Fixes #1612
+ Reported-by: Jeroen Ooms
-Dan Fandrich (31 Jul 2014)
-- axtls: define curlssl_random using axTLS's PRNG
+- [Gisle Vanem brought this change]
-- cyassl: fix the test for ASN_NO_SIGNER_E
+ memdebug: don't setbuf() if the file open failed
- It's an enum so a macro test won't work. The CyaSSL changelog doesn't
- say exactly when this error code was introduced, but it's likely
- to be 2.7.0.
+ Bug: https://github.com/curl/curl/issues/828#issuecomment-313475151
-- cyassl: use RNG_GenerateBlock to generate a good random number
+- appveyor: enable CURL_WERROR on all builds
-- opts: fixed some typos
+- cmake: add CURL_WERROR for enabling "warning as errors"
-- smtp: fixed a segfault during test 1320 torture test
-
- Under these circumstances, the connection hasn't been fully established
- and smtp_connect hasn't been called, yet smtp_done still calls the state
- machine which dereferences the NULL conn pointer in struct pingpong.
+- [Hannes Magnusson brought this change]
-Daniel Stenberg (30 Jul 2014)
-- vtls: repair build without TLS support
+ cmake: remove spurious "-l" from linker flags
- ... by defining Curl_ssl_random() properly
+ Fixes #1552
+
+- test506: skip if threaded-resolver
-- polarssl: provide a (weak) random function
+- runtests: support "threaded-resolver" as a feature
- This now provides a weak random function since PolarSSL doesn't have a
- quick and easy way to provide a good one. It does however provide the
- framework to make one so it _can_ and _should_ be done...
+ ... to let tests require it or skip if present
-- [Michael Wallner brought this change]
+- asyn-thread.c: fix unused variable warnings on macOS
- curl_tlsinfo -> curl_tlssessioninfo
+- http: s/TINY_INITIAL_POST_SIZE/EXPECT_100_THRESHOLD
+
+ Make the name reflect its use better, and add a short comment describing
+ what it's for.
-- cyassl: use the default (weeker) random
+- cmake: if inet_pton is used, bump _WIN32_WINNT
+
+ ... and make sure inet_pton is always checked for when *not* using Windows,
+ which is a regression from 4fc6ebe18.
- I couldn't find any dedicated function in its API to get a "good" random
- with.
+ Idea-by: Sergei Nikulov
-- cyassl: made it compile with version 2.0.6 again
+- select.h: avoid macro redefinition harder
- ASN_NO_SIGNER_E didn't exist back then!
+ ... by checking the POLLIN define, as the header file checks don't work
+ on Windows.
-- vtls: make the random function mandatory in the TLS backend
+- inet_pton: fix include on windows to get prototype
- To force each backend implementation to really attempt to provide proper
- random. If a proper random function is missing, then we can explicitly
- make use of the default one we use when TLS support is missing.
+ inet_pton() exists on Windows and gets used by our cmake builds. Make
+ sure the correct header file is included to avoid compiler warnings.
- This commit makes sure it works for darwinssl, gnutls, nss and openssl.
+ Closes #1639
-- libcurl.m4: include the standard source header
+- TODO: 1.10 auto-detect proxy
- ... with permission from David Shaw
+ Closes #1572
-Kamil Dudka (28 Jul 2014)
-- nss: do not check the version of NSS at run time
+- TODO: HTTP proxy CONNECT is non-blocking now
+
+- cmake: fix send/recv argument scanner for windows
+
+ ... by simply trying the Windows argument types first.
- The minimal required version of NSS is 3.14.x so it does not make sense
- to check for NSS 3.12.0+ at run time.
+ Fixes #1640
-Daniel Stenberg (28 Jul 2014)
-- [Anthon Pang brought this change]
+- RELEASE-NOTES: synced with 596cfb6c0
+
+- [Gisle Vanem brought this change]
- curl.h: bring back CURLE_OBSOLETE16
+ smb: add support for CURLOPT_FILETIME
- Removing defines, even obsolete ones that haven't been used for a very
- long time, still break a lot of applications.
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
- Bug: https://github.com/bagder/curl/pull/106
+ Closes #1643
-Dan Fandrich (26 Jul 2014)
-- [Fabian Keil brought this change]
-
- tests: Fix a couple of incomplete response lines
+- travis: install nghttp2 on linux builds
+
+ Closes #1642
-- [Fabian Keil brought this change]
+- [Gisle Vanem brought this change]
- runtests.pl: Remove filteroff() which hasn't been used since 2001
+ smb: fix build for djgpp/MSDOS
+
+ bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
-- [Fabian Keil brought this change]
+- configure: try ldap/lber in reversed order first
+
+ When scanning for which LDAP libraries to use, try the -lldap -llber
+ combination before the reversed order since it has a greater chance of
+ working when linking with libcurl statically.
+
+ Fixes #1619
+ Closes #1634
+ Reported-by: David E. Narváez
- runtests.pl: Don't expect $TESTDIR/DISABLED to exist
+- configure: remove checks for 5 functions never used
- If a non-standard $TESTDIR is used the file may not be necessary.
+ fork, getprotobyname, inet_addr, perror, uname
- Previously a "missing" file resulted in the warning:
- readline() on closed filehandle D at ./runtests.pl line 4940.
+ closes #1638
-- [Fabian Keil brought this change]
+- dist: add SMB python deps into the tarball
- getpart.pm: Fix a comment typo
+- [Max Dymond brought this change]
-Daniel Stenberg (25 Jul 2014)
-- c-ares: fix build without IPv6 support
+ test1451: add SMB support to the testbed
- Bug: http://curl.haxx.se/mail/lib-2014-07/0337.html
- Reported-by: Spork Schivago
+ Add test 1451 which does some very basic SMB testing using the impacket
+ SMB server.
+
+ Closes #1630
-- Curl_base64url_encode: unit-tested in 1302
+- [Max Dymond brought this change]
-- base64: added Curl_base64url_encode()
+ test: add impacket for SMB testing
- This is now used by the http2 code. It has two different symbols at the
- end of the base64 table to make the output "url safe".
+ Import impacket 0.9.15 for use in SMB testing. This was generated by
+ doing "pip2.7 install -t . impacket"
- Bug: https://github.com/tatsuhiro-t/nghttp2/issues/62
-
-- [Marcel Raad brought this change]
+ Unnecessary files for current testing were deleted.
- SSPI Negotiate: Fix 3 memory leaks
+- travis.yml: use --enable-werror on debug builds
- Curl_base64_decode allocates the output string by itself and two other
- strings were not freed either.
+ ... to better detect and fault on compiler warnings/errors
+
+ Closes #1637
-- symbols: CURL_VERSION_GSSNEGOTIATE is deprecated
+- tool_sleep: typecast to avoid macos compiler warning
+
+ tool_sleep.c:54:24: error: implicit conversion loses integer precision:
+ 'long' to '__darwin_suseconds_t' (aka 'int')
+ [-Werror,-Wshorten-64-to-32]
-- test1013.pl: GSS-Negotiate doesn't exist as a feature anymore
+- [Martin Kepplinger brought this change]
-- [Sergey Nikulov brought this change]
+ timeval.c: Use long long constant type for timeval assignment
+
+ On a 64 bit host, sparse says:
+
+ timeval.c:148:15: warning: constant 0x7fffffffffffffff is so big it is long
+ timeval.c:149:12: warning: constant 0x7fffffffffffffff is so big it is long
+
+ so let's use long long constant types in order to prevent undesired overflow
+ failures.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0003.html
+
+ Closes #1636
+
+ Signed-off-by: Martin Kepplinger <martink@posteo.de>
- libtest: fixed duplicated line in Makefile
+- url: make the original string get used on subsequent transfers
- Bug: https://github.com/bagder/curl/pull/105
+ ... since CURLOPT_URL should follow the same rules as other options:
+ they remain set until changed or cleared.
+
+ Added test 1551 to verify.
+
+ Fixes #1631
+ Closes #1632
+ Reported-by: Pavel Rochnyak
-Patrick Monnerat (23 Jul 2014)
-- GSSAPI: remove useless *_MECHANISM defines.
+- [Johannes Schindelin brought this change]
-Daniel Stenberg (23 Jul 2014)
-- findprotocol: show unsupported protocol within quotes
+ gtls: fix build when sizeof(long) < sizeof(void *)
+
+ - Change gnutls pointer/int macros to pointer/curl_socket_t.
+ Prior to this change they used long type as well.
+
+ The size of the `long` data type can be shorter than that of pointer
+ types. This is the case most notably on Windows.
- ... to aid when for example prefixed with a space or other weird
- character.
+ If C99 were acceptable, we could simply use `intptr_t` here. But we
+ want to retain C89 compatibility.
+
+ Simply use the trick of performing pointer arithmetic with the NULL
+ pointer: to convert an integer `i` to a pointer, simply take the
+ address of the `i`th element of a hypothetical character array
+ starting at address NULL. To convert back, simply cast the pointer
+ difference.
+
+ Thanks to Jay Satiro for the initial modification to use curl_socket_t
+ instead of int/long.
+
+ Closes #1617
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Patrick Monnerat (23 Jul 2014)
-- GSSAPI: private export mechanisms OIDs. OS400: Make RPG binding up to date.
+- [Ryan Winograd brought this change]
-Daniel Stenberg (23 Jul 2014)
-- [Marcel Raad brought this change]
+ unit1399: fix integer overflow
+
+ Bug: #1616
+ Closes #1633
+
+- [Per Malmberg brought this change]
- conncache: fix compiler warning
+ cmake: Added compatibility options for older Windows versions
- warning C4267: '=' : conversion from 'size_t' to 'long', possible loss
- of data
+ CURL_STATIC_CRT and ENABLE_INET_PTON
- The member connection_id of struct connectdata is a long (always a
- 32-bit signed integer on Visual C++) and the member next_connection_id
- of struct conncache is a size_t, so one of them should be changed to
- match the other.
+ Closes #1621
+
+- unit1399: add logging to time comparison
- This patch the size_t in struct conncache to long (the less invasive
- change as that variable is only ever used in a single code line).
+ ... to enable tracking down why autobuilds fail on this
- Bug: http://curl.haxx.se/bug/view.cgi?id=1399
-
-- RELEASE-NOTES: synced with 81cd24adb8b
+ Bug: #1616
-- http2: more and better error checking
+- make: build the docs subdir only from within src
- 1 - fixes the warnings when built without http2 support
+ ... and don't build at all in include
- 2 - adds CURLE_HTTP2, a new error code for errors detected by nghttp2
- basically when they are about http2 specific things.
+ Prompted-by-work-by: Simon Warta
+ Ref: #1590
+ Closes #1591
-Dan Fandrich (23 Jul 2014)
-- cyassl.c: return the correct error code on no CA cert
+- [Max Dymond brought this change]
+
+ test1450: fix up DICT server in torture mode
+
+ As per https://github.com/curl/curl/pull/1615, the DICT server is a
+ little spammy in torture mode due to the sockets being torn down
+ unexpectedly. Fix this by adding some error handling to the handling
+ function.
- CyaSSL 3.0.0 returns a unique error code if no CA cert is available,
- so translate that into CURLE_SSL_CACERT_BADFILE when peer verification
- is requested.
+ Closes #1629
-Daniel Stenberg (23 Jul 2014)
-- symbols-in-versions: new SPNEGO/GSS-API symbols in 7.38.0
+- [Max Dymond brought this change]
-- test1013.pl: remove SPNEGO/GSS-API tweaks
+ test1450: add simple testing for DICT
- No longer necessary after Michael Osipov's rework
-
-- http_negotiate: remove unused variable
+ Add a new server which provides a DICT interface. This is intended to
+ begin coverage testing for lib/dict.c
+
+ Closes #1615
-- [Michael Osipov brought this change]
+- [Dan Fandrich brought this change]
- docs: Improve inline GSS-API naming in code documentation
+ test1521: fix out-of-tree builds, broken with 467da3af
+
+ The test.h file is no longer in the same directory as the source file,
+ so that directory needs to be added to the include path.
+
+ Fixes #1627
+ Closes #1628
-- [Michael Osipov brought this change]
+- [Max Dymond brought this change]
- curl.h/features: Deprecate GSS-Negotiate macros due to bad naming
+ http2: handle PING frames
+
+ Add a connection check function to HTTP2 based off RTSP. This causes
+ PINGs to be handled the next time the connection is reused.
- - Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE
- - CURL_VERSION_GSSNEGOTIATE is deprecated which
- is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and
- CURUL_VERSION_SPNEGO now.
- - Remove display of feature 'GSS-Negotiate'
+ Closes #1521
-- [Michael Osipov brought this change]
+- [Max Dymond brought this change]
- configure/features: Add feature and version info for GSS-API and SPNEGO
+ handler: refactor connection checking
+
+ Add a new type of callback to Curl_handler which performs checks on
+ the connection. Alter RTSP so that it uses this callback to do its
+ own check on connection health.
-- [Michael Osipov brought this change]
+- [Dmitry Kostjuchenko brought this change]
- HTTP: Remove checkprefix("GSS-Negotiate")
+ openssl: improve fallback seed of PRNG with a time based hash
- That auth mech has never existed neither on MS nor on Unix side.
- There is only Negotiate over SPNEGO.
+ Fixes #1620
-- [Michael Osipov brought this change]
+- [Ryan Winograd brought this change]
- curl_gssapi: Add macros for common mechs and pass them appropriately
+ progress: prevent resetting t_starttransfer
- Macros defined: KRB5_MECHANISM and SPNEGO_MECHANISM called from
- HTTP, FTP and SOCKS on Unix
-
-- CONNECT: Revert Curl_proxyCONNECT back to 7.29.0 design
+ Prevent `Curl_pgrsTime` from modifying `t_starttransfer` when invoked
+ with `TIMER_STARTTRANSFER` more than once during a single request.
- This reverts commit cb3e6dfa3511 and instead fixes the problem
- differently.
+ When a redirect occurs, this is considered a new request and
+ `t_starttransfer` can be updated to reflect the `t_starttransfer` time
+ of the redirect request.
- The reverted commit addressed a test failure in test 1021 by simplifying
- and generalizing the code flow in a way that damaged the
- performance. Now we modify the flow so that Curl_proxyCONNECT() again
- does as much as possible in one go, yet still do test 1021 with and
- without valgrind. It failed due to mistakes in the multi state machine.
+ Closes #1616
- Bug: http://curl.haxx.se/bug/view.cgi?id=1397
- Reported-by: Paul Saab
+ Bug: https://github.com/curl/curl/pull/1602#issuecomment-310267370
-- [Marcel Raad brought this change]
-
- url.c: use the preferred symbol name: *READDATA
+- curl_strequal.3: fix typo in SYNOPSIS
- with CURL_NO_OLDIES defined, it doesn't compile because this deprecated
- symbol (*INFILE) is used
+ Reported-by: Jesse Chisholm
- Bug: http://curl.haxx.se/bug/view.cgi?id=1398
-
-Dan Fandrich (19 Jul 2014)
-- [Alessandro Ghedini brought this change]
+ Fixes #1623
- CURLOPT_CHUNK_BGN_FUNCTION: fix typo
+- RELEASE-NOTES: synced with ce2c3ebda
-Kamil Dudka (18 Jul 2014)
-- [Alessandro Ghedini brought this change]
+Kamil Dudka (28 Jun 2017)
+- curl --socks5-{basic,gssapi}: control socks5 auth
+
+ Closes https://github.com/curl/curl/pull/1454
- build: link curl to NSS libraries when NSS support is enabled
+- CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth
- This fixes a build failure on Debian caused by commit
- 24c3cdce88f39731506c287cb276e8bf4a1ce393.
+ If libcurl was built with GSS-API support, it unconditionally advertised
+ GSS-API authentication while connecting to a SOCKS5 proxy. This caused
+ problems in environments with improperly configured Kerberos: a stock
+ libcurl failed to connect, despite libcurl built without GSS-API
+ connected fine using username and password.
- Bug: http://curl.haxx.se/mail/lib-2014-07/0209.html
-
-Steve Holme (17 Jul 2014)
-- build: Removed unnecessary XML Documentation file directive from VC8 to VC12
+ This commit introduces the CURLOPT_SOCKS5_AUTH option to control the
+ allowed methods for SOCKS5 authentication at run time.
- The curl tool project files for VC8 to VC12 would set this setting to
- $(IntDir) which is the Visual Studio default value. To avoid confusion
- when viewing settings from within Visual Studio and for consistency
- with the libcurl project files removed this setting.
+ Note that a new option was preferred over reusing CURLOPT_PROXYAUTH
+ for compatibility reasons because the set of authentication methods
+ allowed by default was different for HTTP and SOCKS5 proxies.
- Conflicts:
- projects/Windows/VC10/src/curlsrc.tmpl
- projects/Windows/VC11/src/curlsrc.tmpl
- projects/Windows/VC12/src/curlsrc.tmpl
- projects/Windows/VC8/src/curlsrc.tmpl
- projects/Windows/VC9/src/curlsrc.tmpl
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html
+ Closes https://github.com/curl/curl/pull/1454
-- build: Removed unnecessary Precompiled Header file directive in VC7 to VC12
+- socks: deduplicate the code for auth request
+
+- socks: use proxy_user instead of proxy_name
+
+ ... to make it obvious what the data is used for
+
+Daniel Stenberg (27 Jun 2017)
+- libtest/make: generate lib1521.c
- The curl tool project files for VC7 to VC12 would set this settings to
- $(IntDir)$(TargetName).pch which is the Visual Studio default value. To
- avoid confusion when viewing settings from within Visual Studio and for
- consistency with the libcurl project files removed this setting.
+ ... instead of having the generated code checked in. This saves space in
+ the tarball but primarily automatically adapts to newly added options.
- Conflicts:
- projects/Windows/VC10/src/curlsrc.tmpl
- projects/Windows/VC11/src/curlsrc.tmpl
- projects/Windows/VC12/src/curlsrc.tmpl
- projects/Windows/VC8/src/curlsrc.tmpl
- projects/Windows/VC9/src/curlsrc.tmpl
+ Closes #1614
-- build: Removed unnecessary ASM and Object file directives in VC7 to VC12
+Jay Satiro (26 Jun 2017)
+- tool_getparam: fix memory leak on test 1147 OOM (torture tests)
- The curl tool project files for VC7 to VC12 would set these settings to
- $(IntDir) which is the Visual Studio default value. To avoid confusion
- when viewing settings from within Visual Studio and for consistency
- with the libcurl project files removed these two settings.
+ Bug: https://github.com/curl/curl/pull/1486#issuecomment-310926872
+ Reported-by: Dan Fandrich
-Daniel Stenberg (17 Jul 2014)
-- [Dave Reisner brought this change]
+Dan Fandrich (25 Jun 2017)
+- test1537: fixed memory leak on OOM
- src/Makefile.am: add .DELETE_ON_ERROR
+Marcel Raad (25 Jun 2017)
+- test1521: fix compiler warnings
- This prevents targets like tool_hugehelp.c from leaving around
- half-constructed files if the rule fails with GNU make.
+ The integer literal 3123123123 doesn't fit into a 32-bit signed
+ integer, so GCC with 32-bit long warns in C90 mode:
+ this decimal constant is unsigned only in ISO C90 [enabled by default]
+ Fix this by using ULONG_MAX, which should fit in any curl_off_t and has
+ the correct suffix to not issue any warnings.
+ Also adds the missing CURLOPT_REQUEST_TARGET from commit
+ 9b167fd090f596eac828817d48c247eeae53407f.
- Reported-by: Rafaël Carré <funman@videolan.org>
+ Closes https://github.com/curl/curl/pull/1611
-- THANKS: added new contributors from 7.37.1 announcement
+Daniel Stenberg (24 Jun 2017)
+- curl/system.h: add check for XTENSA for 32bit gcc
+
+ Reported-by: Neil Kolban
+ Fixes: 1598
-Dan Fandrich (17 Jul 2014)
-- testcurl.pl: log the value of --runtestopts in the test header
+- [Henrik S. Gaßmann brought this change]
-Daniel Stenberg (16 Jul 2014)
-- RELEASE-NOTES: cleared, working towards next release
+ winbuild: fix boringssl build
+
+ Compile with `WIN32_LEAN_AND_MEAN` which prevents `windows.h` from
+ including too much clutter including `wincrypt.h` which in turn contains
+ some preprocessor macros that clash with boringssl symbols.
+
+ Detect boringssl by checking the existance of `is_boringssl.h` and set
+ the corresponding `HAVE_BORINGSSL` for compilation which is used in
+ `ldap.c` to undefine the evil macros.
+
+ Closes #1610
-- curl_gssapi.c: make line shorter than 80 columns
+- progress: progress.timespent needs to be us
+
+ follow-up to 64ed44a815e4e to fix test 500 failures
-- [David Woodhouse brought this change]
+Marcel Raad (24 Jun 2017)
+- curl-compilers.m4: fix unknown-warning-option on Apple clang
+
+ Since 5598b0bd63f690c151074494ce47ef872f004ab4, clang -v is used to
+ detect the clang version. The version number was expected to come after
+ the word "version". For Apple clang, this doesn't work as it has its
+ own versioning scheme.
+ The version number is now first searched after the string
+ "based on LLVM". This works for Apple clang before version 7, and also
+ for e.g. Ubuntu's clang up to version 3.7. If it's not found and the
+ version string contains "Apple LLVM version", clang version 3.7 is
+ assumed, which is the version that comes with Xcode 7. Otherwise, the
+ version number is still expected after the word "version", which works
+ for very old Apple clang versions.
+
+ Ref: https://trac.macports.org/wiki/XcodeVersionInfo
+ Fixes https://github.com/curl/curl/issues/1606
+ Closes https://github.com/curl/curl/pull/1607
- Fix negotiate auth to proxies to track correct state
+Daniel Stenberg (24 Jun 2017)
+- progress: fix "time spent", broke in adef394ac
-- [David Woodhouse brought this change]
+- CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case
+
+ ... supported since 7.54.1
- Don't abort Negotiate auth when the server has a response for us
+- maketgz: switch to -6e for xz
- It's wrong to assume that we can send a single SPNEGO packet which will
- complete the authentication. It's a *negotiation* — the clue is in the
- name. So make sure we handle responses from the server.
+ To reduce the memory requirement for decompress, and still do almost as
+ good compression as with -9e.
- Curl_input_negotiate() will already handle bailing out if it thinks the
- state is GSS_S_COMPLETE (or SEC_E_OK on Windows) and the server keeps
- talking to us, so we should avoid endless loops that way.
+ Pointed-out-by: Dan Fandrich
+
+- libtest/Makefile: remove unused lib1541 variables
-- [David Woodhouse brought this change]
+- CONTRIBUTE.md: mention the out-of-tree build test too
- Don't clear GSSAPI state between each exchange in the negotiation
+- maketgz: switch to xz instead of lzma
- GSSAPI doesn't work very well if we forget everything ever time.
+ The compressed output size seems to be a tad bit smaller, but generally
+ xz seems more preferred these days and is used directly by for example
+ gentoo instead of bz2.
- XX: Is Curl_http_done() the right place to do the final cleanup?
-
-- [David Woodhouse brought this change]
+ "Users of LZMA Utils should move to XZ Utils" =>
+ https://tukaani.org/lzma/
+
+ Closes #1604
- Use SPNEGO for HTTP Negotiate
+- --request-target: instead of --strip-path-slash
- This is the correct way to do SPNEGO. Just ask for it
+ ... and CURLOPT_REQUEST_TARGET instead of CURLOPT_STRIP_PATH_SLASH.
- Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket
- isn't available. Of course, we bail out when the server responds with the
- challenge packet, since we don't expect that. But I'll fix that bug next...
-
-- [David Woodhouse brought this change]
-
- Remove all traces of FBOpenSSL SPNEGO support
+ This option instead provides the full "alternative" target to use in the
+ request, instead of extracting the path from the URL.
- This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
- allows client and server to negotiate the underlying mechanism which will
- actually be used to authenticate. This is *often* Kerberos, and can also
- be NTLM and other things. And to complicate matters, there are various
- different OIDs which can be used to specify the Kerberos mechanism too.
+ Test 1298 and 1299 updated accordingly.
- A SPNEGO exchange will identify *which* GSSAPI mechanism is being used,
- and will exchange GSSAPI tokens which are appropriate for that mechanism.
+ Idea-by: Evert Pot
+ Suggestion: https://daniel.haxx.se/blog/2017/06/19/options-with-curl/comment-page-1/#comment-18373
- But this SPNEGO implementation just strips the incoming SPNEGO packet
- and extracts the token, if any. And completely discards the information
- about *which* mechanism is being used. Then we *assume* it was Kerberos,
- and feed the token into gss_init_sec_context() with the default
- mechanism (GSS_S_NO_OID for the mech_type argument).
+ Closes #1593
+
+Marcel Raad (21 Jun 2017)
+- lib1521: fix missing-variable-declarations clang warnings
- Furthermore... broken as this code is, it was never even *used* for input
- tokens anyway, because higher layers of curl would just bail out if the
- server actually said anything *back* to us in the negotiation. We assume
- that we send a single token to the server, and it accepts it. If the server
- wants to continue the exchange (as is required for NTLM and for SPNEGO
- to do anything useful), then curl was broken anyway.
+ Declare TU-local variables static.
+
+- travis: enable typecheck-gcc warnings
- So the only bit which actually did anything was the bit in
- Curl_output_negotiate(), which always generates an *initial* SPNEGO
- token saying "Hey, I support only the Kerberos mechanism and this is its
- token".
+ - switch debug and release configurations so that we get an optimized
+ build with GCC 4.3+ as required by typecheck-gcc
+ - enable warnings-as-errors for release builds
+ (which have warnings disabled)
- You could have done that by manually just prefixing the Kerberos token
- with the appropriate bytes, if you weren't going to do any proper SPNEGO
- handling. There's no need for the FBOpenSSL library at all.
+ Closes https://github.com/curl/curl/pull/1595
+
+- typecheck-gcc: add support for CURLINFO_OFF_T
- The sane way to do SPNEGO is just to *ask* the GSSAPI library to do
- SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context()
- is for. And then it should all Just Work™.
+ typecheck-gcc expected curl_socket_t instead of curl_off_t arguments
+ for CURLINFO_OFF_T. Detected by test1521, unfortunately only when run
+ locally.
- That 'sane way' will be added in a subsequent patch, as will bug fixes
- for our failure to handle any exchange other than a single outbound
- token to the server which results in immediate success.
+ Closes https://github.com/curl/curl/pull/1592
-- [David Woodhouse brought this change]
+Daniel Stenberg (21 Jun 2017)
+- [Simon Warta brought this change]
- ntlm_wb: Avoid invoking ntlm_auth helper with empty username
+ ci: whitelist branches to avoid testing feature branches twice
-- [David Woodhouse brought this change]
+- [Gisle Vanem brought this change]
- ntlm_wb: Fix hard-coded limit on NTLM auth packet size
+ lib: fix the djgpp build
- Bumping it to 1KiB in commit aaaf9e50ec is all very well, but having hit
- a hard limit once let's just make it cope by reallocating as necessary.
+ Bug: https://github.com/curl/curl/commit/73a2fcea0b4adea6ba342cd7ed1149782c214ae3#commitcomment-22655993
-Version 7.37.1 (16 Jul 2014)
-
-Daniel Stenberg (16 Jul 2014)
-- RELEASE-NOTES: synced with 4cb2521595
-
-- test506: verify aa6884845168
+Marcel Raad (20 Jun 2017)
+- if2ip: fix compiler warning in ISO C90 mode
- After the fixed cookie lock deadlock, this test now passes and it
- detects double-locking and double-unlocking of mutexes.
+ remote_scope_id is only used when both HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID
+ and ENABLE_IPV6 are defined instead of only one of them.
-- [Yousuke Kimoto brought this change]
+Daniel Stenberg (20 Jun 2017)
+- travis: do the distcheck test build out-of-tree as well
- cookie: avoid mutex deadlock
+- http: add --strip-path-slash and CURLOPT_STRIP_PATH_SLASH
- ... by removing the extra mutex locks around th call to
- Curl_flush_cookies() which takes care of the locking itself already.
+ ... to enable sending "OPTIONS *" which wasn't possible previously.
- Bug: http://curl.haxx.se/mail/lib-2014-02/0184.html
-
-- gnutls: fix compiler warning
+ This option currently only works for HTTP.
- conversion to 'int' from 'long int' may alter its value
-
-Dan Fandrich (15 Jul 2014)
-- test320: strip off the actual negotiated cipher width
+ Added test cases 1298 + 1299 to verify
- It's irrelevant to the test, and will change depending on which SSL
- library is being used by libcurl.
+ Fixes #1280
+ Closes #1462
-- gnutls: detect lack of SRP support in GnuTLS at run-time and try without
+- test1521: test getinfo's OFF_T types too
- Reported-by: David Woodhouse
+ Closes #1588
-Daniel Stenberg (14 Jul 2014)
-- [Michał Górny brought this change]
-
- configure: respect host tool prefix for krb5-config
+- lib1521: add curl_easy_getinfo calls to the test set
- Use ${host_alias}-krb5-config if available. This improves cross-
- compilation support and fixes multilib on Gentoo (at least).
+ Also added return value checks to make sure no unexpected return codes
+ are used.
-- [David Woodhouse brought this change]
+- [Simon Warta brought this change]
- gnutls: handle IP address in cert name check
+ automake: use $(MKHELP) variable instead if constant mkhelp.pl
- Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
- didn't actually check IP addresses in SubjectAltName, even though it was
- explicitly documented as doing so. So do it ourselves...
+ this improves symmetry with the rule above
-Dan Fandrich (14 Jul 2014)
-- build: set _POSIX_PTHREAD_SEMANTICS on Solaris to get proper getpwuid_r
+- [Simon Warta brought this change]
-Daniel Stenberg (14 Jul 2014)
-- RELEASE-NOTES: next one is called 7.37.1
+ mkhelp.pl: fix script name in usage text
-Dan Fandrich (13 Jul 2014)
-- gnutls: improved error message if setting cipher list fails
-
- Reported-by: David Woodhouse
+- RELEASE-NOTES: synced with 3b80d3ca4
-- netrc: fixed thread safety problem by using getpwuid_r if available
+- getinfo: return sizes as curl_off_t
- The old way using getpwuid could cause problems in programs that enable
- reading from netrc files simultaneously in multiple threads.
+ This change introduces new alternatives for the existing six
+ curl_easy_getinfo() options that return sizes or speeds as doubles. The
+ new versions are named like the old ones but with an appended '_T':
- Reported-by: David Woodhouse
-
-- RELEASE-NOTES: add the reporter of the previous bug fix
+ CURLINFO_CONTENT_LENGTH_DOWNLOAD_T
+ CURLINFO_CONTENT_LENGTH_UPLOAD_T
+ CURLINFO_SIZE_DOWNLOAD_T
+ CURLINFO_SIZE_UPLOAD_T
+ CURLINFO_SPEED_DOWNLOAD_T
+ CURLINFO_SPEED_UPLOAD_T
+
+ Closes #1511
-- netrc: treat failure to find home dir same as missing netrc file
+- PIPELINING_SERVER_BL: cleanup the internal list use
- This previously caused a fatal error (with a confusing error code, at
- that).
+ The list was freed incorrectly since the llist refactor of
+ cbae73e1dd959. Added test 1550 to verify that it works and avoid future
+ regressions.
- Reported by: Glen A Johnson Jr.
-
-Steve Holme (12 Jul 2014)
-- RELEASE-NOTES: Synced with aaaf9e50ec
-
-- ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
+ Reported-by: Pascal Terjan
- Bug: http://curl.haxx.se/mail/lib-2014-07/0103.html
- Reported-by: David Woodhouse
+ Fixes #1584
+ Closes #1585
-- build: Fixed overridden compiler PDB settings in VC7 to VC12
+- http2: fix OOM crash
- The curl tool project files for VC7 to VC12 would override the default
- setting with the output filename being the same as the linker PDB file.
- As such the compiler file would be overwritten with the linker file
- for all debug builds.
+ torture mode with test 1021 found it
+
+- CURLOPT_PREQUOTE.3: spellfix man page reference
+
+Marcel Raad (18 Jun 2017)
+- http_proxy: fix build with http and proxy
- To avoid this overwrite and for consistency with the libcurl project
- files, removed the setting to force the default filename to be used.
+ After deff7de0eb0e22d2d142b96b9cc84cd8db5d2a48, the build without
+ CURL_DISABLE_PROXY and CURL_DISABLE_HTTP was failing because of missing
+ includes.
-Dan Fandrich (12 Jul 2014)
-- tests: added globbing keyword to URL globbing tests
+- http_proxy: fix compiler warning
+
+ With CURL_DISABLE_PROXY or CURL_DISABLE_HTTP, GCC complained about a
+ missing prototype for Curl_connect_free.
-- Fixed some "statement not reached" warnings
+Daniel Stenberg (18 Jun 2017)
+- TODO: update the TOC too
-- gnutls: fixed a couple of uninitialized variable references
+- TODO: implement support for CURLOPT_PREQUOTE with SFTP
+
+ ... also updated the CURLOPT_PREQUOTE.3 man page to mention the correct
+ protocol support.
+
+ Closes #1514
-- gnutls: fixed compilation against versions < 2.12.0
+- tool_wrte_cb: remove check for config == NULL
+
+ ... as it really cannot have reached this far with config being NULL,
+ thus this is unnecesary and misleading.
- The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but
- the code path in which they're referenced here is only ever used for
- somewhat older GnuTLS versions. This caused undeclared identifier errors
- when compiling against those.
+ Bug: https://news.ycombinator.com/item?id=14577585 and
+ https://daniel.haxx.se/blog/2017/06/17/curl-doesnt-spew-binary-anymore/comment-page-1/#comment-18356
+
+ Forwarded-to-us-by: Jakub Wilk
-- gnutls: explicitly added SRP to the priority string
+- curl: prevent binary output spewed to terminal
+
+ ... unless "--output -" is used. Binary detection is done by simply
+ checking for a binary zero in early data.
- This seems to have become necessary for SRP support to work starting
- with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS
- before the function that takes this priority string, there should be no
- issue with backward compatibility.
+ Added test 1425 1426 to verify.
+
+ Closes #1512
-- tests: adjust for capitalization differences in newer gnutls-serv
+Marcel Raad (16 Jun 2017)
+- Makefile.m32: enable -W for MinGW32 build
+
+ The configure-based build also has this in addition to -Wall.
+
+ Closes https://github.com/curl/curl/pull/1578
-- test320/1/2/4: fix the port number substitution variables
+- curl-compilers.m4: enable comma clang warning
+
+ It usually warns when using commas instead of semicolons or other
+ operators by accident.
- These tests have been broken since commit 1958fe57 in Oct. 2011
+ Closes https://github.com/curl/curl/pull/1578
-- tests: document more test identifiers and variables
+- curl-compilers.m4: enable missing-variable-declarations clang warning
+
+ It usually warns when forgetting to declare TU-local variables static.
+
+ Closes https://github.com/curl/curl/pull/1578
-- gnutls: ignore invalid certificate dates with VERIFYPEER disabled
+- curl-compilers.m4: enable double-promotion warning
- This makes the behaviour consistent with what happens if a date can
- be extracted from the certificate but is expired.
+ Enable -Wdouble-promotion for both GCC and clang. It warns on implicit
+ promotion from float to double.
+
+ Closes https://github.com/curl/curl/pull/1578
-Steve Holme (10 Jul 2014)
-- CURLOPT_UPLOAD: Corrected argument type
+- curl-compilers.m4: enable vla warning for clang
+
+ Previously, that warning was only implicitly active in C90 mode.
+ Enable it unconditionally as already done for GCC.
+
+ Closes https://github.com/curl/curl/pull/1578
-Daniel Stenberg (9 Jul 2014)
-- FAQ: expand the thread-safe section
+Daniel Stenberg (16 Jun 2017)
+- http-proxy: fix chunked-encoded CONNECT responses
+
+ Regression since 5113ad0424.
- ... with a mention of *NOSIGNAL, based on talk in bug #1386
+ ... and remove 'flaky' from test 1061 again
+
+ Closes #1579
-Dan Fandrich (9 Jul 2014)
-- url.c: Fixed memory leak on OOM
+- http-proxy: deal with EAGAIN
+
+ ... the previous code would reset the header length wrongly (since
+ 5113ad0424). This makes test 1060 reliable again.
- This showed itself on some systems with torture failures
- in tests 1060 and 1061
+ Also: make sws send even smaller chunks of data to increase the
+ likeliness of this happening.
-- Update instances of some obsolete CURLOPTs to their new names
+- libtest/libntlmconnect: fix compiler warnings from f94fcdb
-Daniel Stenberg (5 Jul 2014)
-- [Marcel Raad brought this change]
+- [Jay Satiro brought this change]
- compiler warnings: potentially uninitialized variables
+ HTTPS-Proxy: don't offer h2 for https proxy connections
- ... pointed out by MSVC2013
+ Bug: https://github.com/curl/curl/issues/1254
- Bug: http://curl.haxx.se/bug/view.cgi?id=1391
+ Closes #1546
-Kamil Dudka (4 Jul 2014)
-- nss: make the list of CRL items global
+- tests: stabilize test 2032 and 2033
- Otherwise NSS could use an already freed item for another connection.
-
-- nss: fix a memory leak when CURLOPT_CRLFILE is used
+ Both these tests run the same underlying test code: libntlmconnect.c -
+ this test code made some assumptions about socket ordering when it used
+ curl_easy_fdset() and when we changed timing or got accidental changes
+ in libcurl the tests would fail.
+
+ The tests verify that the different transfers keep using the same
+ connections, which I now instead made sure by adding the number of bytes
+ each transfer gets and then verifies that they always get the same
+ amount as when these tests worked.
+
+ Closes #1576
-- nss: make crl_der allocated on heap
+- test1148: verify the -# progressbar
- ... and spell it as crl_der instead of crlDER
+ Closes #1569
-- nss: let nss_{cache,load}_crl return CURLcode
+- test1061: mark as flaky
+
+ Fails intermittently on travis builds since a few days. Likely due to
+ 5113ad0424.
-- tool: oops, forgot to include <plarenas.h>
+Jay Satiro (16 Jun 2017)
+- url: refactor the check for Windows drive letter in path
+
+ - Move the logic to detect a Windows drive letter prefix
+ (eg c: in c:foo) into a function-like macro.
- ... that contains the declaration of PL_ArenaFinish()
+ Closes https://github.com/curl/curl/pull/1571
-- tool: call PL_ArenaFinish() on exit if NSPR is used
+- mk-ca-bundle.pl: Check curl's exit code after certdata download
- This prevents valgrind from reporting still reachable memory allocated
- by NSPR arenas (mainly the freelist).
+ - No longer allow partial downloads of certdata.
- Reported-by: Hubert Kario
+ Prior to this change partial downloads were (erroneously?) allowed since
+ only the server code was checked to be 200.
+
+ Bug: https://github.com/curl/curl/pull/1577
+ Reported-by: Matteo B.
+
+Daniel Stenberg (16 Jun 2017)
+- dist: add the fuzz dir to the tarball
+
+- configure: disable nghttp2 too if HTTP has been disabled
+
+- http-proxy: fix build with --disable-proxy or --disable-http
+
+ Reported-by: Dan Fandrich
-Daniel Stenberg (3 Jul 2014)
-- [Dimitrios Siganos brought this change]
+- fuzz/README: document how to build
+
+ Fixes #1476
- example: use correct type (long) for CURLOPT_FOLLOWLOCATION
+- [Frederik B brought this change]
-- [Dimitrios Siganos brought this change]
+ fuzz: corpora file structure, initial commit
- Document type of argument for CURLOPT_FOLLOWLOCATION.
+- [Frederik B brought this change]
-- [Dimitrios Siganos brought this change]
+ fuzz: bring oss-fuzz initial code converted to C89
- Document type of argument for CURLOPT_ERRORBUFFER.
+- http-proxy: only attempt FTP over HTTP proxy
+
+ ... all other non-HTTP protocol schemes are now defaulting to "tunnel
+ trough" mode if a HTTP proxy is specified. In reality there are no HTTP
+ proxies out there that allow those other schemes.
+
+ Assisted-by: Ray Satiro, Michael Kaufmann
+
+ Closes #1505
-- [Dimitrios Siganos brought this change]
+- TODO: the generated include file is gone
+
+ ... since commit 73a2fcea0b
- Document type of argument for CURLOPT_COPYPOSTFIELDS.
+- curl_setup.h: error out on CURL_WANTS_CA_BUNDLE_ENV use
+
+ ... to make it really apparent if there's any user using this on purpose.
+
+ Suggested-by: Jay Satiro
+
+ Closes #1542
-- [Dimitrios Siganos brought this change]
+- lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV
+
+ When this define was set, libcurl would check the environment variable
+ named CURL_CA_BUNDLE at run-time and use that CA cert bundle. This
+ feature was only defined by the watcom and m32 makefiles and caused
+ inconsistent behaviours among libcurls built on different platforms.
+
+ The curl tool does already feature its own similar logic and the library
+ does not really need it, and it isn't documented libcurl behavior. So
+ this change removes it.
+
+ Ref: #1538
- Document type of argument for CURLOPT_ADDRESS_SCOPE.
+- test1147: verify -H on a file
-- curl.1: minor language fix
+- curl: allow --header and --proxy-header read from file
- Bug: http://curl.haxx.se/mail/archive-2014-07/0006.html
+ So many headers can be provided as @filename.
+
+ Suggested-by: Timothe Litt
+
+ Closes #1486
-- [Ray Satiro brought this change]
+- RELEASE-NOTES: synced with 2ad80eec5
- progress callback: skip last callback update on errors
+- curl/curlver.h: start working on 7.55.0
+
+- http-proxy: do the HTTP CONNECT process entirely non-blocking
- When an error has been detected, skip the final forced call to the
- progress callback by making sure to pass the current return code
- variable in the Curl_done() call in the CURLM_STATE_DONE state.
+ Mentioned as a problem since 2007 (8f87c15bdac63) and of course it
+ existed even before that.
- This avoids the "extra" callback that could occur even if you returned
- error from the progress callback.
+ Closes #1547
+
+- progress: let "current speed" be UL + DL speeds combined
- Bug: http://curl.haxx.se/mail/lib-2014-06/0062.html
- Reported by: Jonathan Cardoso Machado
+ Bug #1556
+ Reported-by: Paul Harris
+ Closes #1559
-Dan Fandrich (2 Jul 2014)
-- opts: fixed some CURLOPT references so they get turned into links
+Marcel Raad (14 Jun 2017)
+- system.h: fix MinGW build
+
+ CURLSYS_PULL_WS2TCPIP_H got renamed to CURL_PULL_WS2TCPIP_H in commit
+ 73a2fcea0b4adea6ba342cd7ed1149782c214ae3.
-Kamil Dudka (2 Jul 2014)
-- tool: call PR_Cleanup() on exit if NSPR is used
+Daniel Stenberg (14 Jun 2017)
+- timers: store internal time stamps as time_t instead of doubles
+
+ This gives us accurate precision and it allows us to avoid storing "no
+ time" for systems with too low timer resolution as we then bump the time
+ up to 1 microsecond. Should fix test 573 on windows.
+
+ Remove the now unused curlx_tvdiff_secs() function.
+
+ Maintains the external getinfo() API with using doubles.
- This prevents valgrind from reporting possibly lost memory that NSPR
- uses for file descriptor cache and other globally allocated internal
- data structures.
+ Fixes #1531
-- nss: make the fallback to SSLv3 work again
+- dist: make the hugehelp.c not get regenerated unnecessarily
- This feature was unintentionally disabled by commit ff92fcfb.
+ The maketgz script now makes sure the generated hugehelp.c file in the
+ tarball is newer than the generated curl.1 man page, so that it doesn't
+ have to get unnecessarily rebuilt first thing in a typical build. It
+ thus also removes the need for perl to build off a plain release
+ tarball.
+
+ Fixes #1565
-- nss: do not abort on connection failure
+- includes: remove curl/curlbuild.h and curl/curlrules.h
+
+ Rely entirely on curl/system.h now.
- ... due to calling SSL_VersionRangeGet() with NULL file descriptor
+ Introduced in Aug 2008 with commit 14240e9e109f. Now gone.
- reported-by: upstream tests 305 and 404
+ Fixes #1456
-Dan Fandrich (1 Jul 2014)
-- opts: Document the socket callback function parameters
+Version 7.54.1 (14 Jun 2017)
-Steve Holme (28 Jun 2014)
-- opts: Fixed some typos
+Daniel Stenberg (14 Jun 2017)
+- release: 7.54.1
-Dan Fandrich (25 Jun 2014)
-- curl_easy_setopt.3: fixed the error code for an unsupported option
+Dan Fandrich (13 Jun 2017)
+- mk-lib1521.pl: updated to match the test changes in 916ec30a
-- opts: added some DEFAULT and RETURN VALUE sections
+Daniel Stenberg (13 Jun 2017)
+- [Stuart Henderson brought this change]
-Daniel Stenberg (21 Jun 2014)
-- libcurl docs: man page edits
+ libressl: OCSP and intermediate certs workaround no longer needed
- mainly to improve how the web versions render
+ lib/vtls/openssl.c has a workaround for a bug with OCSP responses signed
+ by intermediate certs, this was fixed in LibreSSL in
+ https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0
+
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0038.html
-Dan Fandrich (21 Jun 2014)
-- curl_easy_setopt.3: fixed some typos
+- url: fix buffer overwrite with file protocol (CVE-2017-9502)
+
+ Bug: https://github.com/curl/curl/issues/1540
+ Advisory: https://curl.haxx.se/docs/adv_20170614.html
+
+ Assisted-by: Ray Satiro
+ Reported-by: Marcel Raad
-Daniel Stenberg (21 Jun 2014)
-- lib man pages: update easy setopt option references
+- urlglob: fix division by zero
- ... by using the "\fIopt(3)\fP" syntax they will be linked properly when
- the web version of the page is generated.
+ The multiply() function that is used to avoid integer overflows, was
+ itself reason for a possible division by zero error when passed a
+ specially formatted glob.
+
+ Reported-by: GwanYeong Kim
-- opts: the CURLOPT_SSL_ENABLE_*PN options are enabled by default
+- configure: update the copyright year in the output
-- [Colin Hogben brought this change]
+- [ygrek brought this change]
- lib: documentation updates in README.hostip
-
- c-ares now does support IPv6;
- avoid implying threaded resolver is Windows-only;
- two referenced source files were renamed in 7de2f92
+ BINDINGS: update SP-Forth and OCaml urls
-- curl_easy_setopt.3: CURLOPT_POSTFIELDS is the exception
+Michael Kaufmann (11 Jun 2017)
+- FindWin32CACert: Use a temporary buffer on the stack
- ... to the always-copy-char *-argument.
+ Don't malloc() the temporary buffer, and use the correct type:
+ SearchPath() works with TCHAR, but SearchPathA() works with char.
+ Set the buffer size to MAX_PATH, because the terminating null byte
+ is already included in MAX_PATH.
- And fix some minor mistakes.
-
-- curl_easy_setopt.3: refer to the individual man pages
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
- With all the new individual option man pages created, this now refers to
- each separate one instead of duplicaing the info. Also makes this page
- easier to overview.
+ Closes #1548
+
+Dan Fandrich (11 Jun 2017)
+- test1521: fixed OOM handling
+
+Daniel Stenberg (9 Jun 2017)
+- RELEASE-PROCEDURE: updated future release dates
+
+- [Paul Harris brought this change]
-Dan Fandrich (21 Jun 2014)
-- opts: fixed mancheck for out-of-tree builds
+ gitignore: ignore all vim swap files
+
+ Closes #1561
-Daniel Stenberg (21 Jun 2014)
-- curl_easy_setopt.3: shorten
+- lib1521: fix compiler warnings on the use of bad 'long' values
- shorten descriptions, mostly refer to the separate descriptions
+ Reported-by: Marcel Raad
+ Bug: https://github.com/curl/curl/commit/cccac4fb2b20d6ed87da7978408c3ecacc464fe4#commitcomment-22453387
-- CURLOPT_DNS_LOCAL_IP4.3: better short desc
+- setopt: check CURLOPT_ADDRESS_SCOPE option range
+
+ ... and return error instead of triggering an assert() when being way
+ out of range.
-Dan Fandrich (20 Jun 2014)
-- opts: document CURLE_OUT_OF_MEMORY among other return values
+Jay Satiro (8 Jun 2017)
+- [TheAssassin brought this change]
-- opts: fixed some typos
+ cmake: Fix inconsistency regarding mbed TLS include directory
+
+ Previously, one had to set MBEDTLS_INCLUDE_DIR to make CMake find the
+ headers, but the system complained that mbed TLS wasn't found due to
+ MBEDTLS_INCLUDE_DIRS (note the trailing s) was not set. This commit
+ attempts to fix that.
+
+ Closes https://github.com/curl/curl/pull/1541
-Daniel Stenberg (20 Jun 2014)
-- opts: various corrections
+Daniel Stenberg (8 Jun 2017)
+- [Ryuichi KAWAMATA brought this change]
-- opts: add the rest of the options
+ examples/multi-uv.c: fix deprecated symbol
- ... and fixed mancheck to ignore obsolete options
+ Closes #1557
+
+- asyn-ares: s/Curl_expire_latest/Curl_expire
-- opts: the final bunch of options as man pages
+- expire: remove Curl_expire_latest()
+
+ With the introduction of expire IDs and the fact that existing timers
+ can be removed now and thus never expire, the concept with adding a
+ "latest" timer is not working anymore as it risks to not expire at all.
+
+ So, to be certain the timers actually are in line and will expire, the
+ plain Curl_expire() needs to be used. The _latest() function was added
+ as a sort of shortcut in the past that's quite simply not necessary
+ anymore.
- Now all current options have their own man pages.
+ Follow-up to 31b39c40cf90
+
+ Reported-by: Paul Harris
+
+ Closes #1555
-- opts: 37 additional man pages
+- [Chris Carlmar brought this change]
-- CURLOPT_URL: move up the text from "Notes"
+ configure: fix link with librtmp when specifying path
+
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0017.html
-- ROADMAP: removed, now ROADMAP.md
+- file: make speedcheck use current time for checks
+
+ ... as it would previously just get the "now" timestamp before the
+ transfer starts and then not update it again.
+
+ Closes #1550
-- ROADMAP.md: make it markdown formatted
+- metalink: remove unused printf() argument
-- ROADMAP: initial commit of "curl the next few years"
+- travis: let some builds *not* use --enable-debug
+
+ typecheck-gcc and other things require optimized builds
- To be further discussed, debated and edited
+ Closes #1544
-- opts: more man pages
+- README.md: show the coverall coverage on github
-- CURLOPT_UNRESTRICTED_AUTH.3: added missing 'T'
+- lib1521: fix compiler warnings
-- opts: makefile now includes all current man pages
+- test1521: make the code < 80 columns wide
-- opts: 11 more man pages
+- test1121: use stricter types to work with typcheck-gcc
-Dan Fandrich (18 Jun 2014)
-- opts: document CURLE_OUT_OF_MEMORY as RETURN VALUE
+- typecheck-gcc: allow CURLOPT_STDERR to be NULL too
-- opts: fixed a couple of typos
+- test1521: test *all* curl_easy_setopt options
+
+ mk-lib1521.pl generates a test program (lib1521.c) that calls
+ curl_easy_setopt() for every known option with a few typical values to
+ make sure they work (ignoring the return codes).
+
+ Some small changes were necessary to avoid asserts and NULL accesses
+ when doing this.
+
+ The perl script needs to be manually rerun when we add new options.
+
+ Closes #1543
-Patrick Monnerat (18 Jun 2014)
-- OS400: make it compilable again. Make RPG binding up to date.
+Dan Fandrich (5 Jun 2017)
+- test1538: added "verbose logs" keyword
+
+ These error messages are not displayed with --disable-verbose
-- buildconf: do not search tools in current directory.
+Daniel Stenberg (5 Jun 2017)
+- test1262: verify ftp download with -z for "if older than this"
-Dan Fandrich (18 Jun 2014)
-- curl.h: renamed CURLOPT_DEPRECATEDx to CURLOPT_OBSOLETEx
+Marcel Raad (5 Jun 2017)
+- curl_ntlm_core: use Curl_raw_toupper instead of toupper
+
+ This was the only remaining use of toupper in the entire source code.
- This is consistent with the existing obsolete error code naming
- convention.
+ Suggested-by: Daniel Stenberg
-Daniel Stenberg (18 Jun 2014)
-- opts: 16 more man pages
+Daniel Stenberg (4 Jun 2017)
+- RELEASE-NOTES: synced with 65ba92650