Changelog
-Daniel Stenberg (15 Dec 2010)
-- RELEASE-NOTES: synced with a865bd9fbaaa43e5c
+Version 7.59.0 (13 Mar 2018)
-- IsPipeliningPossible: only for HTTP
+Daniel Stenberg (13 Mar 2018)
+- release: 7.59.0
+
+Kamil Dudka (13 Mar 2018)
+- tests/.../spnego.py: fix identifier typo
+
+ Detected by Coverity Analysis:
- The function that checks if pipelining is possible now requires the HTTP
- bit to be set so that it doesn't mistakenly tries to do it for other
- protocols.
+ Error: IDENTIFIER_TYPO:
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo:
+ * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code.
+ * Identifier "SupportedMech" is referenced elsewhere at least 4 times.
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech".
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function).
+ curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"?
- Bug: http://curl.haxx.se/mail/lib-2010-12/0152.html
- Reported by: Dmitri Shubin
+ Closes #2379
-- multi_runsingle: don't timeout completed handles
+Daniel Stenberg (13 Mar 2018)
+- CURLOPT_COOKIEFILE.3: "-" as file name means stdin
- The generic timeout code must not check easy handles that are already
- completed. Going to completed (again) within there risked decreasing the
- number of alive handles again and thus it could go negative.
+ Reported-by: Aron Bergman
+ Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html
- This regression bug was added in 7.21.2 in commit ca10e28f06f1
+ [ci skip]
-- symbols-in-versions: CURLOPT_KEYPASSWD fixed
+- Revert "hostip: fix compiler warning: 'variable set but not used'"
- It was added in 7.17.0 and is not deprecated
-
-- RELEASE-NOTES: synced with c28443c551825
-
-Dan Fandrich (8 Dec 2010)
-- Mention that using other libraries can affect app licensing
+ This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248.
+
+ The assignment really needs to be there or we risk working with an
+ uninitialized pointer.
-Yang Tse (7 Dec 2010)
-- easy: fix compiler warning: end-of-loop code not reached
+Michael Kaufmann (12 Mar 2018)
+- limit-rate: fix compiler warning
+
+ follow-up to 72a0f62
-Daniel Stenberg (6 Dec 2010)
-- disconnect: pass on the dead_connection argument
+Viktor Szakats (12 Mar 2018)
+- checksrc.pl: add -i and -m options
- Cleanup fix after Kamil's commit 5c7c9a768d0093
+ To sync it with changes made for the libssh2 project.
+ Also cleanup some whitespace.
-Yang Tse (6 Dec 2010)
-- sws: fix compier warning: external definition with no prior declaration
+- curl-openssl.m4: fix spelling [ci skip]
-Daniel Stenberg (6 Dec 2010)
-- [Heinrich Ko brought this change]
+- FAQ: fix a broken URL [ci skip]
- ossl_connect_common: detect connection re-use
+Daniel Stenberg (12 Mar 2018)
+- http2: mark the connection for close on GOAWAY
- ossl_connect_common() now checks whether or not 'struct
- connectdata->state' is equal 'ssl_connection_complete' and if so, will
- return CURLE_OK with 'done' set to 'TRUE'. This check prevents
- ossl_connect_common() from creating a new ssl connection on an existing
- ssl session which causes openssl to fail when it tries to parse an
- encrypted TLS packet since the cipher data was effectively thrown away
- when the new ssl connection was created.
+ ... don't consider it an error!
- Bug: http://curl.haxx.se/mail/lib-2010-11/0169.html
+ Assisted-by: Jay Satiro
+ Reported-by: Łukasz Domeradzki
+ Fixes #2365
+ Closes #2375
-Kamil Dudka (6 Dec 2010)
-- url: provide dead_connection flag in Curl_handler::disconnect
-
- It helps to prevent a hangup with some FTP servers in case idle session
- timeout has exceeded. But it may be useful also for other protocols
- that send any quit message on disconnect. Currently used by FTP, POP3,
- IMAP and SMTP.
+- credits: Viktor prefers without accent
-Yang Tse (6 Dec 2010)
-- ssh: fix a download resume point calculation
+- openldap: white space changes, fixed up the copyright years
-Daniel Stenberg (5 Dec 2010)
-- Curl_wait_for_resolv: correct timeout
-
- When looping in this function and checking for the timeout being
- expired, it was not updating the reference time when calculating the
- timediff since previous round which made it think each subsequent loop
- to have taken longer than it actually did.
+- openldap: check ldap_get_attribute_ber() results for NULL before using
- I also modified the function to use the generic Curl_timeleft() function
- instead of the custom logic.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=3112579
+ CVE-2018-1000121
+ Reported-by: Dario Weisser
+ Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
-- Curl_send/recv_plain: return errno on failure
+- FTP: reject path components with control codes
- When send() and recv() fail, we now store the errno value to allow the
- app to access it.
+ Refuse to operate when given path components featuring byte values lower
+ than 32.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3128121
- Reported by: Yuri
-
-Guenter Knauf (5 Dec 2010)
-- Updated OpenSSL version.
-
-Yang Tse (4 Dec 2010)
-- fix compiler warning: conversion may lose significant bits
-
-- fix compiler warning: assignment within conditional expression
-
-- fix getinfo CURLINFO_LOCAL* for reused connections (take 2) follow-up
+ Previously, inserting a %00 sequence early in the directory part when
+ using the 'singlecwd' ftp method could make curl write a zero byte
+ outside of the allocated buffer.
- - Show address string from proper buffer in case of connection failure.
+ Test case 340 verifies.
- - Try next address when inet_ntop() fails.
+ CVE-2018-1000120
+ Reported-by: Duy Phan Thanh
+ Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
-Daniel Stenberg (3 Dec 2010)
-- version-check: added brief documentation
+- readwrite: make sure excess reads don't go beyond buffer end
- and the traditional source header
-
-Yang Tse (3 Dec 2010)
-- build: provide SIZEOF_SIZE_T DOS definition
-
-- build: lib/config.dos renamed to lib/config-dos.h
-
-- build: provide SIZEOF_SIZE_T VMS definition
-
-- build: move config-vms.h from subdir 'packages/vms' into 'lib'
-
-- build: provide SIZEOF_SIZE_T definition for non-configure builds
-
-- build: provide SIZEOF_SIZE_T netware definition
+ CVE-2018-1000122
+ Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+
+ Detected by OSS-fuzz
-- configure: undo using autobuilds to temporarily verify strict aliasing warnings.
+- BUGS: updated link to security process
-- fix compiler warning: rounding, sign extension, or loss of accuracy may result
+- limit-rate: kick in even before "limit" data has been received
+
+ ... and make sure to avoid integer overflows with really large values.
+
+ Reported-by: 刘佩东
+ Fixes #2371
+ Closes #2373
-- fix compiler warning: statement is not reachable
+- docs/SECURITY.md -> docs/SECURITY-PROCESS.md
-- fix compiler warning: conversion may lose significant bits
+- SECURITY.md: call it the security process
-- connect: fix compiler warning: unused variable
+Michael Kaufmann (11 Mar 2018)
+- Curl_range: fix FTP-only and FILE-only builds
+
+ follow-up to e04417d
-- fix getinfo CURLINFO_LOCAL* for reused connections (take 2)
+- hostip: fix compiler warning: 'variable set but not used'
-- fix getinfo CURLINFO_LOCAL* for reused connections follow-up
+Daniel Stenberg (11 Mar 2018)
+- HTTP: allow "header;" to replace an internal header with a blank one
- Reinstate IPV6 build variable that got removed.
+ Reported-by: Michael Kaufmann
+ Fixes #2357
+ Closes #2362
-- fix getinfo CURLINFO_LOCAL* for reused connections
+- http2: verbose output new MAX_CONCURRENT_STREAMS values
- Failed to commit this file changes along with the others.
-
-- fix getinfo CURLINFO_LOCAL* for reused connections
+ ... as it is interesting for many users.
-- atoi: remove atoi usage
+- SECURITY: distros' max embargo time is 14 days now
-- multi: fix compiler warning: conversion may lose significant bits follow-up
+Patrick Monnerat (8 Mar 2018)
+- curl tool: accept --compressed also if Brotli is enabled and zlib is not.
-- ftp: fix 'bool' data type implementation dependant usage
+Daniel Stenberg (5 Mar 2018)
+- THANKS + mailmap: remove duplicates, fixup full names
-- multi: fix compiler warning: conversion may lose significant bits
+- [sergii.kavunenko brought this change]
-- multi: fix compiler warning: enumerated type mixed with another type
+ WolfSSL: adding TLSv1.3
+
+ Closes #2349
-- hostip: edit comment
+- RELEASE-NOTES/THANKS: synced with cc1d4c505
-- xattr: fix compiler warning: enumerated type mixed with another type
+- [Richard Alcock brought this change]
-- s/isspace/ISSPACE
+ winbuild: prefer documented zlib library names
+
+ Check for existence of import and static libraries with documented names
+ and use them if they do. Fallback to previous names.
+
+ According to
+ https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on
+ Windows, the names of the import library is "zdll.lib" and static
+ library is "zlib.lib".
+
+ closes #2354
-- symbol-scan: use configure script knowledge about how to run the C preprocessor
+Marcel Raad (4 Mar 2018)
+- krb5: use nondeprecated functions
+
+ gss_seal/gss_unseal have been deprecated in favor of
+ gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first
+ version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June
+ 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and
+ "GSS_Unwrap() (formerly GSS_Unseal())".
+
+ Use the nondeprecated functions to avoid deprecation warnings.
+
+ [1] https://tools.ietf.org/html/rfc2078
+ [2] https://tools.ietf.org/html/rfc1964
+
+ Closes https://github.com/curl/curl/pull/2356
-- ignore file generated by configure
+Daniel Stenberg (4 Mar 2018)
+- curl.1: mention how to add numerical IP addresses in NO_PROXY
-- curl_multi_info_read: fix compiler warning: conversion may lose significant bits
+- CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses
-- inet_pton: fix compiler warning
+- NO_PROXY: fix for IPv6 numericals in the URL
- warning C4146: unary minus operator applied to unsigned type, result still unsigned
-
-- Curl_getaddrinfo_ex: sanitize function results follow-up.
+ Added test 1265 that verifies.
+
+ Reported-by: steelman on github
+ Fixes #2353
+ Closes #2355
-- Curl_getaddrinfo_ex: sanitize function results.
+- build: get CFLAGS (including -werror) used for examples and tests
- Ensure that spurious results from system's getaddrinfo() ares not propagated
- by Curl_getaddrinfo_ex() into the library.
+ ... so that the CI and more detects compiler warnings/errors properly!
- Also ensure that the ai_addrlen member of Curl_getaddrinfo_ex()'s output linked
- list of Curl_addrinfo structures has appropriate family-specific address size.
+ Closes #2337
-Kamil Dudka (22 Nov 2010)
-- openldap: use remote port in URL passed to ldap_init_fd()
+Marcel Raad (3 Mar 2018)
+- curl_ctype: fix macro redefinition warnings
- ... not the proxy port. It makes no difference unless a proxy is used.
-
-Yang Tse (20 Nov 2010)
-- gtls: define and use gtls_EAGAIN, gtls_EINTR and gtls_EIO.
+ On MinGW and Cygwin, GCC and clang have been complaining about macro
+ redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this
+ by undefining the macros before redefining them as suggested in
+ https://github.com/curl/curl/pull/2269.
- Winsock builds clobber some errno.h defines in setup_once.
+ Suggested-by: Daniel Stenberg
-Dan Fandrich (19 Nov 2010)
-- Added a couple examples that were missing from the tar ball
+Dan Fandrich (2 Mar 2018)
+- unit1307: proper cleanup on OOM to fix torture tests
-- Check for errors while preprocessing curl.h in test 1119
+Marcel Raad (28 Feb 2018)
+- unit1309: fix warning on Windows x64
- This showed a problem when running the test out-of-tree, so
- an include path is now being added to pick up the generated
- curlbuild.h file.
-
-- Use the 3-argument open for compatibility with older perls
-
-- [Matthias Bolte brought this change]
+ When targeting x64, MinGW-w64 complains about conversions between
+ 32-bit long and 64-bit pointers. Fix this by reusing the
+ GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic
+ from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST /
+ CURLX_INTEGER_TO_POINTER_CAST.
+
+ Closes https://github.com/curl/curl/pull/2341
- Detect socket errors in GnuTLS on Windows
+- travis: update compiler versions
- On Windows, translate WSAGetLastError() to errno values as GNU
- TLS does it internally, too. This is necessary because send() and
- recv() on Windows don't set errno when they fail but GNU TLS
- expects a proper errno value.
+ Update clang to version 3.9 and GCC to version 6.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3110991
+ Closes https://github.com/curl/curl/pull/2345
-Yang Tse (19 Nov 2010)
-- test servers: fix strict aliasing compiler warnings
-
-- configure: use autobuilds to temporarily verify strict aliasing warnings.
+Daniel Stenberg (26 Feb 2018)
+- docs/MANUAL: formfind.pl is not accessible on the site anymore
- Temporarily, When cross-compiling with gcc 3.0 or later, enable strict aliasing
- rules and warnings. Given that cross-compiled targets autobuilds do not run the
+ Fixes #2342
-Julien Chaffraix (17 Nov 2010)
-- configure: Prevent link errors with --librtmp.
+Jay Satiro (24 Feb 2018)
+- curl-openssl.m4: Fix version check for OpenSSL 1.1.1
+
+ - Add OpenSSL 1.1.1 to the header/library version lists.
- If --librtmp was specified but pkg-config could not find the librtmp
- file, we would have undefined symbols when linking curl.
+ - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark,
+ which was added in that version.
- We prevent this error by disabling this case as suggested on the mailing
- list.
+ Prior to this change an erroneous header/library mismatch was caused by
+ lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1.
-Daniel Stenberg (15 Nov 2010)
-- RELEASE-NOTES: synced with cbf4961bf3e4
+Viktor Szakats (23 Feb 2018)
+- lib655: silence compiler warning
+
+ Closes https://github.com/curl/curl/pull/2335
-- gnutls->handshake: improved timeout handling
+- spelling fixes
- When no timeout is set, we call the socket_ready function with a timeout
- value of 0 during handshake, which makes it loop too much/fast in this
- function. It also made this function return CURLE_OPERATION_TIMEDOUT
- wrongly on a slow handshake.
+ Detected using the `codespell` tool.
- However, the particular bug report that highlighted this problem is not
- solved by this fix, as this fix only makes the more proper error get
- reported instead.
+ Also contains one URL protocol upgrade.
- Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594150
- Reported by: Johannes Ernst
+ Closes https://github.com/curl/curl/pull/2334
-Julien Chaffraix (13 Nov 2010)
-- urldata: Capitalize enum protect_level values.
+Daniel Stenberg (24 Feb 2018)
+- projects/README: remove reference to dead IDN link/package
+
+ Reported-by: Stefan Kanthak and Rod Widdowson
- This makes it easier to spot the enum values from the variables.
- Removed some unneeded DEBUGASSERT added in the previous commit.
+ Fixes #2325
-- security: tighten enum protection_level usage.
+Jay Satiro (23 Feb 2018)
+- [Rod Widdowson brought this change]
+
+ winbuild: Use macros for the names of some build utilities
+
+ - Add macros to the top of the makefile for rc and mt utilities so that
+ it is easier to change their locations.
- While changing Curl_sec_read_msg to accept an enum protection_level
- instead of an int, I went ahead and fixed the usage of the associated
- fields.
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html
+ Reported-by: Stefan Kanthak
- Some code was assuming that prot_clear == 0. Fixed those to use the
- proper value. Added assertions prior to any code that would set the
- protection level.
+ Closes https://github.com/curl/curl/issues/2329
-Yang Tse (13 Nov 2010)
-- configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected in body
+Daniel Stenberg (23 Feb 2018)
+- TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2
-Daniel Stenberg (12 Nov 2010)
-- curl.1: "a file", not an
+- curl_share_setopt.3: connection cache is shared within multi handles
-- version-check.pl: display version number for symbols
+Jay Satiro (22 Feb 2018)
+- [Rod Widdowson brought this change]
+
+ winbuild: Use CALL to run batch scripts
- This script is the start of a helper tool that scans a source code and
- outputs the most recent libcurl version it finds symbols for. Meaning
- that if there's no conditions in the code, that's the earliest libcurl
- version the scanned code requires.
+ Co-authored-by: Stefan Kanthak
- It is not added to the Makefile.am yet as it is still a bit crude, but
- I'm committing it to keep it and allow us to work on it.
+ Closes https://github.com/curl/curl/issues/2330
+ Closes https://github.com/curl/curl/pull/2331
-- [Adam Light brought this change]
+Patrick Monnerat (22 Feb 2018)
+- os400: add curl_resolver_start_callback type to ILE/RPG binding
- Makefile.vc6: fixed the xattr.c compile
+Daniel Stenberg (22 Feb 2018)
+- form.d: rephrased somewhat, added two example command lines
-Julien Chaffraix (12 Nov 2010)
-- krb5: Use GSS_ERROR to check for error.
-
- This is the advised way of checking for errors in the GSS-API RFC.
- Also added some '\n' to the error message so that they are not mixed
- with other outputs.
+Jay Satiro (21 Feb 2018)
+- [Francisco Sedano brought this change]
-- security: Pass the right parameter to init.
+ url: Add option CURLOPT_RESOLVER_START_FUNCTION
+
+ - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that
+ will be called every time before a new resolve request is started
+ (ie before a host is resolved) with a pointer to backend-specific
+ resolver data. Currently this is only useful for ares.
+
+ - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to
+ pass to the resolver start callback.
- init is expecting app_data. Passing it the struct connecdata would make
- us crash later.
+ Closes https://github.com/curl/curl/pull/2311
-Daniel Stenberg (11 Nov 2010)
-- HTTP Auth: Add CURLAUTH_ONLY
+- lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
- This is a meta symbol. OR this value together with a single specific
- auth value to force libcurl to probe for un-restricted auth and if not,
- only that single auth algorithm is acceptable.
+ - In keeping with the naming of our other connect timeout options rename
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.
- For example you can use CURLAUTH_DIGEST|CURLAUTH_ONLY to make libcurl
- first probe for what method to use, but yet only consider Digest to be
- acceptable.
+ This change adds the _MS suffix since the option expects milliseconds.
+ This is more intuitive for our users since other connect timeout options
+ that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS,
+ CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS.
- Using _only_ CURLAUTH_DIGEST without the CURLAUTH_ONLY field, will make
- libcurl explicitly use Digest right away and not do any probing.
-
-- ip_version: moved to connection struct
+ The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms.
- The IP version choice was previously only in the UserDefined struct
- within the SessionHandle, but since we sometimes alter that option
- during a request we need to have it on a per-connection basis.
+ Follow-up to 2427d94 which added the lib and tool option yesterday.
- I also moved more "init conn" code into the allocate_conn() function
- which is designed for that purpose more or less.
+ Ref: https://github.com/curl/curl/pull/2260
-Yang Tse (11 Nov 2010)
-- buildconf: MAC OS X requires libtool version 1.5.26 or newer
+Patrick Monnerat (21 Feb 2018)
+- sasl: prefer PLAIN mechanism over LOGIN
- MAC OS X requires libtool version 1.5.26 or newer, otherwise
- configure will mishandle *.dSYM directories when it runs.
-
-- configure: remove temporary autobuilds exercising of xattr function tests
+ SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
+ PLAIN should be used instead if available.
-- configure: use autobuilds to temporarily exercise xattr function tests
+Daniel Stenberg (21 Feb 2018)
+- RELEASE-NOTES: synced with 2427d94c6
-- xattr: portability fix
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
-- curl-functions: provide xattr function tests that also check number of arguments
+ url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT
+
+ - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy
+ eyeball timeout value.
+
+ - Add new optval macro CURL_HET_DEFAULT to represent the default happy
+ eyeballs timeout value (currently 200 ms).
+
+ - Add new tool option --happy-eyeballs-timeout-ms to expose
+ CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the
+ other -timeout options in the tool expect seconds not milliseconds.
+
+ Closes https://github.com/curl/curl/pull/2260
-Daniel Stenberg (10 Nov 2010)
-- test1120: verify FTP response 421
+- hostip: fix 'potentially uninitialized variable' warning
- curl mustn't try to use the control connection after the 421 is received
+ Follow-up to 50d1b33.
+
+ Caught by AppVeyor.
-- ftpserver.pl: spellfix comment
+Daniel Stenberg (20 Feb 2018)
+- TODO: warning if curl version is not in sync with libcurl version
-- [Rutger Hofman brought this change]
+Jay Satiro (20 Feb 2018)
+- [Anders Bakken brought this change]
- TFTP: resend the correct data
+ CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
- I found a bug in tftp_tx() in tftp.c. If a data resend is done after
- reception of an ACK/OACK, the call to sendto is wrong.
-
-- [Stefan Tomanek brought this change]
-
- write extended attributes by using fsetxattr
+ This enables users to preresolve but still take advantage of happy
+ eyeballs and trying multiple addresses if some are not connecting.
- Instead of reopening the downloaded file, fsetxattr uses the (already
- open) file descriptor to attach extended attributes. This makes the
- procedure more robust against errors caused by moved or deleted files.
+ Ref: https://github.com/curl/curl/pull/2260
-Dan Fandrich (9 Nov 2010)
-- Check for getinfo errors before setting attributes
+Daniel Stenberg (20 Feb 2018)
+- [Sergio Borghese brought this change]
-Kamil Dudka (9 Nov 2010)
-- ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT
+ examples/sftpuploadresume: resume upload via CURLOPT_APPEND
- Bug: https://bugzilla.redhat.com/650255
- Reported by: Simon H.
+ URL: https://curl.haxx.se/mail/lib-2018-02/0072.html
-Daniel Stenberg (9 Nov 2010)
-- symbols-in-version: add CURL_SOCKET_BAD
+- curl --version: show PSL if the run-time lib has it enabled
- I also documented the filtering logic in the symbol-scan.pl function to
- clarify why not all CURL_* symbols are included.
-
-Yang Tse (9 Nov 2010)
-- serial number bump
+ ... not of the #define was set at build-time!
-Kamil Dudka (8 Nov 2010)
-- ftp: close connection as soon as ABOR has been sent
+- TODO: "Support in-memory certs/ca certs/keys"
- ... and do not send ABOR unless really necessary.
+ removed SSLKEYLOGFILE support (fixed)
- Bug: https://bugzilla.redhat.com/649347
- Reported by: Simon H.
-
-Daniel Stenberg (8 Nov 2010)
-- RELEASE-NOTES: synced with fc6c4c10f9faab08
+ removed "consider SSL patches" (outdated)
- I also recounted and updated the command line and libcurl options.
-
-- help: indent the --xattr option like the others
+ Closes #2310
-- curl.1: --resolve documented
+- CURLOPT_HEADER.3: clarify problems with different data sizes
-- CURLOPT_RESOLVE: documented
+- test1556: verify >16KB headers to the header callback
-- CURLOPT_USE_SSL: move from FTP options to connection options
-
-- xattr-check: correct the comment as well
+- header callback: don't chop headers into smaller pieces
+
+ Reported-by: Guido Berhoerster
+ Fixes #2314
+ Closes #2316
-- xattr: use const char * for const strings
+- test1154: verify that long HTTP headers get rejected
-- setxattr: fix the checks
+- http: fix the max header length detection logic
- My copy and paste job was a little too much copy and I missed to adjust
- it properly to sys/xattr.h all over and this is a fix to cure that.
-
-- CURLOPT_RESOLVE: added
+ Previously, it would only check for max length if the existing alloc
+ buffer was to small to fit it, which often would make the header still
+ get used.
+
+ Reported-by: Guido Berhoerster
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html
- CURLOPT_RESOLVE is a new option that sends along a curl_slist with
- name:port:address sets that will populate the DNS cache with entries so
- that request can be "fooled" to use another host than what otherwise
- would've been used. Previously we've encouraged the use of Host: for
- that when dealing with HTTP, but this new feature has the added bonus
- that it allows the name from the URL to be used for TLS SNI and server
- certificate name checks as well.
+ Closes #2315
+
+- CURLOPT_HEADERFUNCTION.3: fix typo from d939226813
- This is a first change. Surely more will follow to make it decent.
+ Reported-by: Erik Johansson
+ Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495
-Yang Tse (8 Nov 2010)
-- fix compiler warning
+- CURLOPT_HEADERFUNCTION.3: mention folded headers
-Dan Fandrich (7 Nov 2010)
-- Added os-specific.c and xattr.c to the Symbian build files
+- TODO: 1.1 Option to refuse usernames in URLs
+
+ Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas.
-Yang Tse (7 Nov 2010)
-- xattr: fix VisualStudio builds
+- TODO: 1.7 Support HTTP/2 for HTTP(S) proxies
-- fix snapshot generation
+- ssh: add two missing state names
+
+ The list of state names (used in debug builds) was out of sync in
+ relation to the list of states (used in all builds).
+
+ I now added an assert to make sure the sizes of the two lists match, to
+ aid in detecting this mistake better in the future.
+
+ Regression since c92d2e14cf, shipped in 7.58.0.
+
+ Reported-by: Somnath Kundu
+
+ Fixes #2312
+ Closes #2313
-Daniel Stenberg (5 Nov 2010)
-- --libcurl: simplify output
+- Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy"
- Removed the code that was needed for libcurl before 7.19.0 which now is
- more than two years old.
+ This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998.
- Simplified the top comment and corrected the URL.
+ Reported-by: Jay Satiro
-- [Alfred Gebert brought this change]
+Jay Satiro (15 Feb 2018)
+- non-ascii: fix implicit declaration warning
+
+ Follow-up to b46cfbc.
+
+ Caught by Travis CI.
- LDAP: detect non-binary attributes properly
+Daniel Stenberg (15 Feb 2018)
+- travis: add build with iconv enabled
- If the query result has a binary attribute, the binary attribute is
- base64 encoded. But all following non binary attributes are also base64
- encoded which is wrong.
+ ... to verify it builds and works fine.
- This is a test (LDAP server is public).
+ Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html
- curl
- ldap://x500.bund.de:389/o=Bund,c=DE?userCertificate,certificateSerialNumber?sub
- ?cn=*Woehleke*
+ Closes #1872
-- xattr: add configure check and #ifdefs
+- TODO: 18.18 retry on network is unreachable
- setxattr is a glibc call to set extended attributes, so configure now
- checks for it and the code is adapted to only build when the
- functionality is present.
-
-- [Stefan Tomanek brought this change]
+ Closes #1603
- save metadata to extended file attributes
+- KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy
- It is often convinient to track back the source of a once downloaded
- file; this patch makes curl store the source URL and other metadata
- alongside the retrieved file by using the extended attributes (if
- supported by the file system and enabled by --xattr).
+ Closes #1254
-- test: remove test 580
+Kamil Dudka (15 Feb 2018)
+- nss: use PK11_CreateManagedGenericObject() if available
- Test 580 is removed again for two reasons:
+ ... so that the memory allocated by applications using libcurl does not
+ grow per each TLS connection.
- 1) Some compilers aren't satisfied by just a data variable called 'test'
- when first.o wants a function called 'test'. The Solaris compiler says
- "ld: warning: symbol `test' has differing types:" while the AIX compiler
- downright rejects it.
+ Bug: https://bugzilla.redhat.com/1510247
- 2) Test case 1119 that was added after this test is way more complete
- and cover everything test 580 does and more without introducing the same
- problems.
+ Closes #2297
-- Revert: use Host: name for SNI and cert name checks
-
- This reverts commit b0fd03f5b8d4520dd232a9d13567d16bd0ad8951,
- 4b2fbe1e97891f, afecd1aa13b4f, 68cde058f66b3
+Daniel Stenberg (15 Feb 2018)
+- [Björn Stenberg brought this change]
-- TODO-RELEASE: "TLS SNI use Host:" is done
+ TODO fixed: Detect when called from within callbacks
- 262 - Manual setting of TLS Server Name Indication - use Host:
+ Closes #2302
-- RELEASE-NOTES: synced with 7b823badbcab9d330
+- BINDINGS: fix curb link (and remove ruby-curl-multi)
+
+ Reported-by: Klaus Stein
-- curl.1: added a few missing exit codes
+- curl_gssapi: make sure this file too uses our *printf()
-- certcheck: use the custom Host: name for checks
+- libcurl-security.3: separate file:// section
- If you use a custom Host: name in a request to a SSL server, libcurl
- will now use that given name when it verifies the server certificate to
- be correct rather than using the host name used in the actual URL.
+ ... just to make it more apparent. Even if it repeats
+ some pieces of information.
-- SNI: simplify the custom host name use
+- libcurl-security.3: the http://192.168.0.1/my_router_config case
- The redirect check is already done at the position where the customhost
- field is assigned so there's no point in doing that a second time.
+ Mentioned-By: Rich Moore
-- host: get the custom Host: name more genericly
+- libcurl-security.3: mention the URL standards problems too
+
+- libcurl-security.3: split out from libcurl-tutorial.3
+
+ To make more accessible.
- When given a custom host name in a Host: header, we can use it for
- several different purposes other than just cookies, so we rename it and
- use it for SSL SNI etc.
+ Merged in some new language from "URLs are dangerous things" as discussed on
+ the mailing list a few days ago:
+
+ Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html
-- [Hongli Lai (Phusion) brought this change]
+- RELEASE-NOTES: synced with e551910f8
- SNI: set name to custom Host header
+Patrick Monnerat (13 Feb 2018)
+- tests: new tests for http raw mode
+
+ Test 319 checks proper raw mode data with non-chunked gzip
+ transfer-encoded server data.
+ Test 326 checks raw mode with chunked server data.
- OpenSSL SNI host name should be set to the custom Host header, if the
- user provided one.
+ Bug: #2303
+ Closes #2308
-- fopen.c: re-indented, fixed previous mistake
+Kamil Dudka (12 Feb 2018)
+- tlsauthtype.d: works only if libcurl is built with TLS-SRP support
- I've made the code intended using curl-style now to look more like other
- examples.
+ Bug: https://bugzilla.redhat.com/1542256
- My previous "fix" was a bit too invasive but is now fixed again.
+ Closes #2306
-- multi use: call multi_perform even on select() timeouts
-
-- example: add smtp-multi.c
+Patrick Monnerat (12 Feb 2018)
+- smtp: fix processing of initial dot in data
+
+ RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command
+ should be taken into account when chasing the <CRLF>.<CRLF> end marker.
+ Thus a leading dot character in data is also subject to escaping.
- An example application source code sending SMTP mail with the multi
- interface. It is based on the code Alona Rossen provided, which in turn
- is based on existing example/test code, and I converted it even more
- into a decent example with a fair multi API use, put the info required
- to edit at the top and I added some comments.
+ Tests 911 and test server are adapted to this situation.
+ New tests 951 and 952 check proper handling of initial dot in data.
+
+ Closes #2304
-- CURLOPT_NOSIGNAL: add blurb about SIGPIPE
+Daniel Stenberg (12 Feb 2018)
+- sha256: avoid redefine
-Dan Fandrich (3 Nov 2010)
-- Allow building test 580 out of tree
+- [Douglas Mencken brought this change]
-Daniel Stenberg (3 Nov 2010)
-- dist: add symbol-scan.pl to the tarball
+ sha256: build with OpenSSL < 0.9.8 too
+
+ support for SHA-2 was introduced in OpenSSL 0.9.8
+
+ Closes #2305
-- test1119: verify symbols-in-versions
+- [Bruno Grasselli brought this change]
-- runtests: allow tests written as perl scripts
+ README: language fix
- If a command is set type="perl", it can now specify a perl program that will
- be run instead of an ordinary curl or built tool.
+ s/off/from
- A perl test automatically disables memory and valgrind debugging.
+ Closes #2300
-- symbol-scan: verifies symbols-in-versions
-
- This new script scans for all enums and #defines used by the curl/curl.h
- and curl/multi.h headers. Then it reads all symbols mentioned in
- symbols-in-vesions and make sure that there's no entries missing in
- there. It then proceeds to verify that the entries that
- symbols-in-vesions mentions but aren't found in the sources are truly
- documented as removed.
+Patrick Monnerat (12 Feb 2018)
+- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on
- This script is used in the new test case 1119
+ Bug: #2303
+ Reported-By: Henry Roeland
+
+Daniel Stenberg (9 Feb 2018)
+- get_posix_time: only check for overflows if they can happen!
+
+Michael Kaufmann (9 Feb 2018)
+- schannel: fix "no previous prototype" compiler warning
-- symbols-in-versions: added 119 missing symbols
+Jay Satiro (9 Feb 2018)
+- [Mohammad AlSaleh brought this change]
+
+ content_encoding: Add "none" alias to "identity"
+
+ Some servers return a "content-encoding" header with a non-standard
+ "none" value.
- I've developed a script I call symbol-scan.pl that scans the curl.h and
- multi.h header files and compare the symbols it finds in there with the
- symbols symbols-in-versions documents and outputs a report on the
- differences. Using this I've dug through the history to fill up
- symbols-in-versions with all the symbols my script found mismatches for.
+ Add "none" as an alias to "identity" as a work-around, to avoid
+ unrecognised content encoding type errors.
- I will commit symbol-scan.pl separatly and think of a way to put it to
- use in the build/tests so that we from now on will get this in-sync
- check automatically.
+ Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
+
+ Closes https://github.com/curl/curl/pull/2298
-Dan Fandrich (2 Nov 2010)
-- Added mk580.pl to the tar ball
+Steve Holme (8 Feb 2018)
+- build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output
-Daniel Stenberg (2 Nov 2010)
-- symbols-in-versions: added missing symbols
+- build-openssl.bat: Fixed incorrect move if destination build folder exists
-- ignore: lib580.c is generated by mk580.pl
+Michael Kaufmann (8 Feb 2018)
+- schannel: fix compiler warnings
+
+ Closes #2296
-- test: added test 580 - verifies symbols-in-versions
+Steve Holme (7 Feb 2018)
+- curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows
- The new perl script mk580.pl generates a C table in a fresh source file
- named lib580.c and if that compiles fine we know that the file
- docs/libcurl/symbols-in-versions at least doesn't include any symbols
- that are misspelled.
+ Windows 10.0.17061 SDK introduces support for Unix Domain Sockets.
+ Added the necessary include file to curl_addrinfo.c.
- An additional feature would be to somehow scan curl/curl.h and compare
- with symbols-in-versions to see if there are symbols missing.
+ Note: The SDK (which is considered beta) has to be installed, VS 2017
+ project file has to be re-targeted for Windows 10.0.17061 and #define
+ enabled in config-win32.h.
-- spellfix: CURLOPT_TFTP_BLKSIZE it is
+Patrick Monnerat (7 Feb 2018)
+- fnmatch: optimize processing of consecutive *s and ?s pattern characters
+
+ Reported-By: Daniel Stenberg
+ Fixes #2291
+ Closes #2293
-Kamil Dudka (29 Oct 2010)
-- ftp: prevent server from hanging on closed data connection
+Steve Holme (6 Feb 2018)
+- build-openssl.bat/build-wolfssl.bat: Build platform is optional
- Some FTP servers (e.g. Pure-ftpd) end up hanging if we close the data
- connection before transferring all the requested data. If we send ABOR
- in that case, it prevents the server from hanging.
+ Whilst the compiler parameter is mandatory, platform is optional as it
+ is automatically calculated by the :configure section.
- Bug: https://bugzilla.redhat.com/643656
- Reported by: Pasi Karkkainen, Patrick Monnerat
+ This partially reverts commit 6d62d2c55d.
-Dan Fandrich (28 Oct 2010)
-- Removed a leftover mention of FTP in an error message
+Daniel Stenberg (6 Feb 2018)
+- [Patrick Schlangen brought this change]
-- Removed the native Makefile.riscos files
+ openssl: Don't add verify locations when verifypeer==0
- These haven't worked in at least 8 years due to missing source
- files, and most active RiscOS developers these days apparently
- cross-compile anyway.
+ When peer verification is disabled, calling
+ SSL_CTX_load_verify_locations is not necessary. Only call it when
+ verification is enabled to save resources and increase performance.
- Signed-off-by: James Bursa <james@zamez.org>
+ Closes #2290
-- Lightened the stack in wc_statemach to permit deeper recursion
+Steve Holme (5 Feb 2018)
+- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
- Also, added a few hints to help compilers to perform tail call
- recursion optimization.
+ ...and not just the Community Edition.
-Daniel Stenberg (20 Oct 2010)
-- SSH: use libssh2_session_handshake()
+- build-openssl.bat: Extend VC15 support to include Enterprise and Professional
- In libssh2 1.2.8, libssh2_session_handshake() replaces
- libssh2_session_startup() to fix the previous portability problem with
- the socket type that was too small for win64 and thus easily could cause
- crashes and more.
+ ...and not just the Community Edition.
-- SSH: avoid using the libssh2_ prefix
+Michael Kaufmann (5 Feb 2018)
+- time-cond: fix reading the file modification time on Windows
+
+ On Windows, stat() may adjust the unix file time by a daylight saving time
+ offset. Avoid this by calling GetFileTime() instead.
- It is a bad idea to use the public prefix used by another library and
- now we realize that libssh2 introduces a symbol in the upcoming version
- 1.2.8 that conflicts with our static function named libssh2_free.
+ Fixes #2164
+ Closes #2204
-- formdata: provide error message
+Daniel Stenberg (5 Feb 2018)
+- formdata: use the mime-content type function
- When failing to build form post due to an error, the code now does a
- proper failf(). Previously libcurl would report an error like "failed
- creating formpost data" when a file wasn't possible to open which was
- not easy for users to figure out.
+ Reduce code duplication by making Curl_mime_contenttype available and
+ used by the formdata function. This also makes the formdata function
+ recognize a set of more file extensions by default.
- I also lower cased a function name to be named more curl-style and
- removed some unnecessary code.
+ PR #2280 brought this to my attention.
+
+ Closes #2282
-- URL-parsing: consider ? a divider
+- getdate: return -1 for out of range
- The URL parser got a little stricter as it now considers a ? to be a
- host name divider so that the slightly sloppier URLs work too. The
- problem that made me do this change was the reported problem with an URL
- like: www.example.com?email=name@example.com This form of URL is not
- really a legal URL (due to the missing slash after the host name) but is
- widely accepted by all major browsers and libcurl also already accepted
- it, it was just the '@' letter that triggered the problem now.
+ ...as that's how the function is documented to work.
- The side-effect of this change is that now libcurl no longer accepts the
- ? letter as part of user-name or password when given in the URL, which
- it used to accept (and is tested in test 191). That letter is however
- mentioned in RFC3986 to be required to be percent encoded since it is
- used as a divider.
+ Reported-by: Michael Kaufmann
+ Bug found in an autobuild with 32 bit time_t
- Bug: http://curl.haxx.se/bug/view.cgi?id=3090268
+ Closes #2278
-- curl_easy_setopt.3: spellfix
+- [Ben Greear brought this change]
-- curl_easy_setopt.3: CURLOPT_USE_SSL is not just for FTP
+ build: fix termios issue on android cross-compile
- It is for FTP, SMTP, POP3, IMAP at least.
-
-- krb4.h: removed unused prototypes
-
-- krb4: make a few functions static
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html
+ Signed-off-by: Ben Greear <greearb@candelatech.com>
-- TODO-RELEASE: cleanup for 7.21.3 works
+- time_t-fixes: remove typecasts to 'long' for info.filetime
- "SFTP resume with 4GB file does not work" is now removed as I'm sure
- this is really a libssh2 bug and not a libcurl bug.
+ They're now wrong.
- 7.21.2 is released already
-
-- RELEASE-NOTES: sync with 09a2d93a0f17ca
-
-- http_chunks: remove debug output
+ Reported-by: Michael Kaufmann
- Accidentally left in there during my previous debugging of this
+ Closes #2277
-- Curl_setopt: disallow CURLOPT_USE_SSL without SSL support
+- curl_setup: move the precautionary define of SIZEOF_TIME_T
- In order to avoid for example the pingpong protocols to issue STARTTLS
- (or equivalent) even though there's no SSL support built-in.
+ ... up to before it may be used for the TIME_T_MAX/MIN logic.
- Reported by: Sune Ahlgren
- Bug: http://curl.haxx.se/mail/archive-2010-10/0045.html
+ Reported-by: Michael Kaufmann
-- options: check for features for some options
+- parsedate: s/#if/#ifdef
- Some options, such as the automatic decompression and some SSL related
- ones now will bail out if the underlying libcurl doesn't have support
- for the particular feature needed.
+ Reported-by: Michael Kaufmann
+ Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479
-Dan Fandrich (14 Oct 2010)
-- Fixed the IPv6 host address in test1203
+Patrick Monnerat (31 Jan 2018)
+- fnmatch: pattern syntax can no longer fail
+
+ Whenever an expected pattern syntax rule cannot be matched, the
+ character starting the rule loses its special meaning and the parsing
+ is resumed:
+ - backslash at the end of pattern string matches itself.
+ - Error in [:keyword:] results in set containing :\[dekorwy.
- Reported by: Christian Weisgerber
- Bug: http://curl.haxx.se/bug/view.cgi?id=3087479
+ Unit test 1307 updated for this new situation.
+
+ Closes #2273
-Daniel Stenberg (14 Oct 2010)
-- curl_easy_setopt.3: clarify CURLOPT_CRLF
+- fnmatch: accept an alphanum to be followed by a non-alphanum in char set
- The option takes a parameter that should be 1 or 0 to enable or disable
- the feature.
+ Also be more tolerant about set pattern syntax.
+ Update unit test 1307 accordingly.
- URL: http://curl.haxx.se/bug/view.cgi?id=3086428
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html
-Guenter Knauf (14 Oct 2010)
-- Some more small Watcom makefile fixes.
+- fnmatch: do not match the empty string with a character set
-- Added --noconfigure switch to testcurl.pl.
+Jay Satiro (30 Jan 2018)
+- build: fix windows build methods for curl_ctype.c
+
+ - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as
+ curlx files since they are required by both src and lib.
+
+ Follow-up to 4272a0b which added curl_ctype.
-- Modified Watcom makefiles to work on Linux too.
+Daniel Stenberg (30 Jan 2018)
+- progress-bar.d: update to match implementation
+
+ ... since commit 993dd5651a6
+
+ Reported-by: Martin Dreher
+ Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228
+
+ Closes #2271
-- Added MingW32 rtmp target; changed Watcom targets.
+- http2: set DEBUG_HTTP2 to enable more HTTP/2 logging
- Modified Watcom targets to avoid backslashs so that they can
- work on Linux too.
+ ... instead of doing it unconditionally in debug builds. It cluttered up
+ the output a little too much.
-Daniel Stenberg (13 Oct 2010)
-- gitignore: ignore Makefile.vc10.dist made by maketgz
+- [Max Dymond brought this change]
-- curlver.h: start over at 7.21.3
+ file: Check the return code from Curl_range and bail out on error
-- RELEASE-NOTES: start over towards 7.21.3
+- [Max Dymond brought this change]
-- THANKS: added contributors from 7.21.2
+ Curl_range: add check to ensure "from <= to"
-Version 7.21.2 (12 Oct 2010)
+- [Max Dymond brought this change]
-Daniel Stenberg (12 Oct 2010)
-- RELEASE-NOTES: synced with ecd624b8e774a85
+ Curl_range: commonize FTP and FILE range handling
+
+ Closes #2205
-- [Julien Chaffraix brought this change]
+- RELEASE-NOTES: synced with 811beab9f
- CMake: Build fix.
-
- Do not match the trailing '\n' in the regular expression as this would
- make us dump a ) parenthesis on a new line.
-
- This fixes the following error:
-
- would get transformed into:
-
- )
+- curlver: next release will be 7.59.0
+
+- [Michał Janiszewski brought this change]
+
+ curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
- Bug: http://curl.haxx.se/mail/lib-2010-10/0065.html
- Reported by: Dimitre Dimitrov
+ Closes #2275
-- header_callback: strip off file path separated with backslashes
+- time: support > year 2038 time stamps for system with 32bit long
- If the filename contains a backslash, only use filename portion. The
- idea is that even systems that don't handle backslashes as path
- separators probably want that path removed for convenience.
+ ... with the introduction of CURLOPT_TIMEVALUE_LARGE and
+ CURLINFO_FILETIME_T.
- This flaw is considered a security problem, see the curl security
- vulnerability http://curl.haxx.se/docs/adv_20101013.html
+ Fixes #2238
+ Closes #2264
-Dan Fandrich (12 Oct 2010)
-- Get the curl source files for Amiga from Makefile.inc
+- curl_easy_reset: clear digest auth state
- This is similar to how it's done in the lib directory.
- The Amiga build appears to have been broken for a year because
- of a missing homedir.c
-
-- Added section on server-supplied names to security considerations
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html
+ Reported-by: Ruurd Beerstra
+ Fixes #2255
+ Closes #2272
-Guenter Knauf (12 Oct 2010)
-- Fixed Watcom makefile.
+- [Adam Marcionek brought this change]
-- Added build bits for librtmp / libssh2 to Watcom makefiles.
-
-- Added build bits for librtmp to NetWare makefiles.
-
-Daniel Stenberg (12 Oct 2010)
-- SFTP: more ignoring negative file sizes
+ winbuild: make linker generate proper PDB
- As the change in 5f0ae7a0626cbe709 added a precaution against negative
- file sizes that for some reason managed to get returned, this change now
- introduces the same check at the second place in the code where the file
- size from the libssh2 stat call is used.
+ Link.exe requires /DEBUG to properly generate a full pdb file on release
+ builds.
- This check might not be suitable for a 32 bit curl_off_t, but libssh2.h
- assumes long long to work and to be 64 bit so I believe such a small
- curl_off_t will be very unlikely to occur in the wild.
+ Closes #2274
-- SMTP: debug output for no known auth mechanisms supported
+- curl: add --proxy-pinnedpubkey
- ... and some minor source code whitespace edits
-
-- test: urlglob error messages have no extra newline anymore
-
-Guenter Knauf (11 Oct 2010)
-- Added build bits for librtmp to MingW32 makefiles.
-
-Daniel Stenberg (8 Oct 2010)
-- RELEASE-NOTES: synced with 61f4cdb73ae4
+ To verify a proxy's public key. For when using HTTPS proxies.
+
+ Fixes #2192
+ Closes #2268
-- globbing: fix crash on unballanced open brace
+- configure: set PATH_SEPARATOR to colon for PATH w/o separator
- Having an open brace without a closing brace caused a segfault.
+ The logic tries to figure out what the path separator in the $PATH
+ variable is, but if there's only one directory in the $PATH it
+ fails. This change make configure *guess* on colon instead of erroring
+ out, simply because that is probably the more common character.
- Having a closing brace too many caused a silent error to occur, which
- caused curl to bail out and return an error code but no error message
- was shown. It does now!
+ PATH_SEPARATOR can always be set by the user to override the guessing.
- All error message outputs no longer wrongly get _two_ newlines written
- after the error message.
+ (tricky bug to reproduce, as in my case for example the configure script
+ requires binaries in more than one directory so passing in a PATH with a
+ single dir fails.)
- Reported by: Vlad Ureche
- Bug: http://curl.haxx.se/bug/view.cgi?id=3083942
+ Reported-by: Earnestly on github
+ Fixes #2202
+ Closes #2265
-- [Dan Locks brought this change]
-
- libcurl.m4: AC_PATH_PROG fixes
+- curl_ctype: private is*() type macros and functions
+
+ ... since the libc provided one are locale dependent in a way we don't
+ want. Also, the "native" isalnum() (for example) works differently on
+ different platforms which caused test 1307 failures on macos only.
- The invocation of autoconf's AC_PATH_PROG( ) is not quite right for
- finding curl-config. This fix corrects the negative case (where
- curl-config is not found).
+ Closes #2269
-- FAQ: added "How do I submit my patch?"
+Marcel Raad (29 Jan 2018)
+- build: open VC15 projects with VS 2017
+
+ Previously, they were opened with Visual Studio 2015 by default, which
+ cannot build them.
-- examples: use example.com in example URLs
+Daniel Stenberg (29 Jan 2018)
+- RELEASE-NOTES: synced with 094647fca
-- TODO-RELEASE: libidn problem not repeatable
-
- "261 - configure and libidn" is removed from the list since Julien
- Chaffraix tried to repeat it but failed and the reporter did not return
- to provide further details.
+- TODO: UTF-8 filenames in Content-Disposition
- Reported by: Lyndon Hill
- Bug: http://curl.haxx.se/mail/lib-2010-07/0029.html
+ Closes #1888
-- libcurl.m4: mention argument is PREFIX
+- KNOWN_BUGS: DICT responses show the underlying protocol
- The macro provides a --with-libcurl option that expects a PREFIX to be
- specified and not actually a "directory" in which libcurl will be found.
- This now spells that out more clearly.
-
- Reported by: Dan Locks
- Bug: http://curl.haxx.se/bug/view.cgi?id=3079891
+ Closes #1809
-Guenter Knauf (3 Oct 2010)
-- Some NetWare makefile tweaks.
-
- Renamed SDK_* to NDK_*; made NDK_* defines overwriteable from
- environment; removed now obsolete YACC macro;
- moved some curl_config.h defines to IPv6 section since they
- are only needed when IPv6 is enabled - this makes libcurl compile
- with older NDKs too which were not IPv6-aware.
+Jay Satiro (27 Jan 2018)
+- [Alessandro Ghedini brought this change]
-Daniel Stenberg (2 Oct 2010)
-- TODO-RELEASE: 416 error fixed
+ docs: fix typos in man pages
- "3076808 Requests fail silently following a 416 error" done
+ Closes https://github.com/curl/curl/pull/2266
-Julien Chaffraix (2 Oct 2010)
-- krb5-gssapi: Removed a memory leak in krb5_auth.
+Patrick Monnerat (26 Jan 2018)
+- lib555: drop text conversion and encode data as ascii codes
- We forgot to release the buffer passed to gss_init_sec_context.
+ If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs,
+ giving a result that is different from what is expected.
+ This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data
+ to upload in ascii.
- The previous logic was difficult to read as we were reusing the same
- variable (gssbuf) for both input buffer and output buffer. Splitted the
- logic in 2 variables to better underline who needs to be released.
- Also made the code break at 80 lines.
+ Bug: https://github.com/curl/curl/pull/1872
-- krb5-gssapi: Made the function always return a value.
+Daniel Stenberg (26 Jan 2018)
+- lib517: make variable static to avoid compiler warning
- kr5_auth missed a final 'return' statement. This is not an error in
- gcc but can lead to potential bugs.
+ ... with clang on macos
-- krb5-gssapi: Delete the GSS-API context.
+Patrick Monnerat (26 Jan 2018)
+- lib544: sync ascii code data with textual data
- This fixes a memory leak related to the GSS-API code.
+ Data mismatch caused test 545 to fail when character encoding
+ conversion is enabled.
- Added a krb5_init and krb5_end functions. Also removed a work-around
- the lack of proper initialization of the GSS-API context.
+ Bug: https://github.com/curl/curl/pull/1872
-Daniel Stenberg (2 Oct 2010)
-- HTTP: remove special case for 416
+Daniel Stenberg (25 Jan 2018)
+- [Travis Burtrum brought this change]
+
+ GSKit: restore pinnedpubkey functionality
- It was pointed out that the special case libcurl did for 416 was
- incorrect and wrong. 416 is not really different to other errors so the
- response body must be handled like for other errors/http responses.
+ inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37
- Reported by: Chris Smowton
- Bug: http://curl.haxx.se/bug/view.cgi?id=3076808
+ Closes #2263
-- [Dan Fandrich brought this change]
+- [Dair Grant brought this change]
- sws: Added writedelay HTTP server command
+ darwinssl: Don't import client certificates into Keychain on macOS
- This delays between write operations, hopefully making it easier
- to spot problems where libcurl doesn't flush the socket properly
- before waiting for the next response.
+ Closes #2085
-- TODO-RELEASE: no bug in ftp_nextconnect
+- configure: fix the check for unsigned time_t
- The issue named "266 - Bug in ftp_nextconnect?" was deemed to not be a
- bug and instead resulted in clarified docs.
+ Assign the time_t variable negative value and then check if it is
+ greater than zero, which will evaluate true for unsigned time_t but
+ false for signed time_t.
-- curl_easy_setopt.3: CURLOPT_DIRLISTONLY implies dir list
+- parsedate: fix date parsing for systems with 32 bit long
- Make it explicit that setting CURLOPT_DIRLISTONLY to 1 will make libcurl
- to list the directory.
-
-- RELEASE-NOTES: synced up to 588402585bae
-
-- TODO-RELEASE: move new features to next release
-
-- README.ares: we know require c-ares 1.6.0
-
-- SFTP: avoid downloading negative sizes!
+ Make curl_getdate() handle dates before 1970 as well (returning negative
+ values).
- It is still not clarified exactly why this happens, but libssh2
- sometimes report a negative file size for the remote SFTP file and that
- deeply confuses libcurl (or crashes it) so this precaution is added to
- avoid badness.
+ Make test 517 test dates for 64 bit time_t.
- Reported by: Ernest Beinrohr
- Bug: http://curl.haxx.se/bug/view.cgi?id=3076430
-
-- TODO-RELEASE: drop curl_easy_setoptv
+ This fixes bug (3) mentioned in #2238
- I haven't read any really convincing arguments for adding it
+ Closes #2250
-- [Dirk Manske brought this change]
+- [McDonough, Tim brought this change]
- multi & hiper examples: updates and cleanups
+ openssl: fix pinned public key build error in FIPS mode
- all multi and hiper examples:
+ Here is a version that should work with all versions of openssl 0.9.7
+ through 1.1.0.
- * don't loop curl_multi_perform calls, that was <7.20.0 style, currently
- the exported multi functions will not return CURLM_CALL_MULTI_PERFORM
+ Links to the docs:
+ https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html
+ https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html
- all hiper examples:
- * renamed check_run_count to check_multi_info
- * don't compare current running handle count with previous value, this
- was the wrong way to check for finished requests, simply call
- curl_multi_info_read
- * it's also safe to call curl_multi_remove_handle inside the
- curl_multi_info_read loop.
+ At the very bottom of the 1.1.0 documentation there is a history section
+ that states, " stack allocated EVP_MD_CTXs are no longer supported."
- ghiper.c:
- * replaced curl_multi_socket (that function is marked as obsolete) calls
- with curl_multi_socket_action calls (as in hiperfifo.c and
- evhiperfifo.c)
+ If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a
+ simple mapping can be used as described here:
+ https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes
- ghiper.c and evhiperfifo.c:
- * be smart as hiperfifo.c, don't do uncessary curl_multi_* calls in
- new_conn and main
+ Closes #2258
-- TODO-RELEASE: one fixed, one postponed, one added
-
- As we're already in feature freeze, I pushed the feature onwards.
+- [Travis Burtrum brought this change]
-Dan Fandrich (29 Sep 2010)
-- Renamed test1204 to test1117 to move it into the normal range
+ SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum
-Patrick Monnerat (29 Sep 2010)
-- Add gopher protocol definition to ILE/RPG binding.
- OS400 compile script in test dir updated for chkhostname.
+- [Travis Burtrum brought this change]
-Julien Chaffraix (28 Sep 2010)
-- krb5-gssapi: Remove several memory leaks.
+ SChannel/WinSSL: Implement public key pinning
- Remove a leak seen on Kerberos/MIT (gss_OID is copied internally and
- we were leaking it). Now we just pass NULL as advised in RFC2744.
-
- |tmp| was never set back to buf->data.
-
- Cleaned up Curl_sec_end to take into account failure in Curl_sec_login
- (where conn->mech would be NULL but not conn->app_data or
- conn->in_buffer->data).
+ Closes #1429
-- security.c: Remove Curl_sec_fflush_fd.
-
- The current implementation would make us send wrong data on a closed
- socket. We don't buffer our data so the method can be safely removed.
+- bump: towards 7.58.1
-- security.c: We should always register the socket handler.
-
- Following a change in the way socket handler are registered, the custom
- recv and send method were conditionaly registered.
- We need to register them everytime to handle the ftp security
- extensions.
+- cookies: remove verbose "cookie size:" output
- Re-added the clear text handling in sec_recv.
+ It was once used for some debugging/verifying logic but should never have
+ ended up in git!
-- security.c: Fix Curl_sec_login after rewrite.
+- TODO: hardcode the "localhost" addresses
+
+- TODO: CURL_REFUSE_CLEARTEXT
- Curl_sec_login was returning the opposite result that the code in ftp.c
- was expecting. Simplified the return code (using a CURLcode) so to see
- more clearly what is going on.
+ An idea that popped up in discussions on twitter.
-- security.c: Readd the '\n' to the infof() calls.
+- progress-bar: don't use stderr explicitly, use bar->out
- They are not automatically added and make the output of the verbose
- mode a lot more readable.
+ Reported-By: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080
-- security.c: Fix typo (PSBZ -> PBSZ)
+GitHub (24 Jan 2018)
+- [Gisle Vanem brought this change]
-- security.c: Fix ftp_send_command.
+ Fixes for MSDOS etc.
- My use of va_args was completely wrong. Fixed the usage so that
- we send the right commands!
-
-Daniel Stenberg (28 Sep 2010)
-- curl_easy_escape: don't escape "unreserved" characters
+ djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not
+ But djgpp seems the only choice for MSDOS anyway.
- According to RFC3986 section 2.3 the letters -, ., _ and ~ should not be
- percent-encoded.
+ PellesC do have a 'F_OK' defined in it's <unistd.h>.
- Reported by: Miguel Diaz
- Bug: http://curl.haxx.se/mail/lib-2010-09/0227.html
+ Update year in Copyright.
-- multi: don't expire timeouts at disonnect or done
-
- The functions Curl_disconnect() and Curl_done() are both used within the
- scope of a single request so they cannot be allowed to use
- Curl_expire(... 0) to kill all timeouts as there are some timeouts that
- are set before a request that are supposed to remain until the request
- is done.
-
- The timeouts are now instead cleared at curl_easy_cleanup() and when the
- multi state machine changes a handle to the complete state.
+- [Gisle Vanem brought this change]
-Dan Fandrich (27 Sep 2010)
-- Changed the TPF make file to get source files from Makefile.inc
-
- Patch was fixed and validated by David McCreedy.
+ Fix small typo.
-- Added test case 1204 to test HTTP range failure
-
- This is an attempt to reproduce bug #3076808
+Version 7.58.0 (23 Jan 2018)
-Daniel Stenberg (27 Sep 2010)
-- [Dirk Manske brought this change]
+Daniel Stenberg (23 Jan 2018)
+- RELEASE: 7.58.0
- multi_runsingle: set timeout error messages
-
- With the latest changes to fix the timeout handling with multi interface
- we lost the timeout error messages. This patch brings them back.
+- [Gisle Vanem brought this change]
-- TODO-RELEASE: updated list of issues to work on
+ progress-bar: get screen width on windows
-- parsedate: allow time specified without seconds
-
- The date format in RFC822 allows that the seconds part of HH:MM:SS is
- left out, but this function didn't allow it. This change also includes a
- modified test case that makes sure that this now works.
-
- Reported by: Matt Ford
- Bug: http://curl.haxx.se/bug/view.cgi?id=3076529
+- test1454: --connect-to with IPv6 address w/o IPv6 support!
-- TFTP: re-indented the source code
+- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
+
+ Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html
+ Reported-by: John Hascall
- Just made sure that the good old curl indentation style is used all over
- this file.
+ Closes #2257
-- [Tim Newsome brought this change]
+- docs: fix man page syntax to make test 1140 OK again
- TFTP: Work around tftpd-hpa upload bug
+- http: prevent custom Authorization headers in redirects
- tftpd-hpa has a bug where it will send an incorrect ack when the block
- counter wraps and tftp options have been sent. Work around that by
- accepting an ack for 65535 when we're expecting one for 0.
-
-- Revert "security.c: buffer_read various fixes."
+ ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
+ curl already handles Authorization headers created internally.
+
+ Note: this changes behavior slightly, for the sake of reducing mistakes.
- This reverts commit fbb38de415b7bb7d743e53a7b4b887ffb12b3e5b.
+ Added test 317 and 318 to verify.
+
+ Reported-by: Craig de Stigter
+ Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
-- security.c: removed superfluous parentheses
+- curl: progress bar refresh, get width using ioctl()
+
+ Get screen width from the environment variable COLUMNS first, if set. If
+ not, use ioctl(). If nether works, assume 79.
+
+ Closes #2242
+
+ The "refresh" is for the -# output when no total transfer size is
+ known. It will now only use a single updated line even for this case:
- And also removed the FIXME where memory was zeroed just before freed,
- and some other minor whitespace changes.
+ The "-=O=-" ship moves when data is transferred. The four flying
+ "hashes" move (on a sine wave) on each refresh, independent of data.
-- [Julien Chaffraix brought this change]
+- RELEASE-NOTES: synced with bb0ffcc36
- security.c: Update the #include statements after the rewrite.
+- libcurl-env.3: first take
-- [Julien Chaffraix brought this change]
+- TODO: two possible name resolver improvements
- security.c: sec_write tweaks
+- [Kartik Mahajan brought this change]
+
+ http2: don't close connection when single transfer is stopped
- - |fd| is now a curl_socket_t and |len| a size_t to avoid conversions.
- - Added 2 FIXMEs about the 2 unsigned -> signed conversions.
- - Included 2 minor changes to Curl_sec_end.
+ Fixes #2237
+ Closes #2249
-- [Julien Chaffraix brought this change]
+- test558: fix for multissl builds
+
+ vtls.c:multissl_init() might do a curl_free() call so strip that out to
+ make this work with more builds. We just want to verify that
+ memorytracking works so skipping one line is no harm.
- security.c: _sec_send tweaks
+- examples/url2file.c: add missing curl_global_cleanup() call
- - Renamed the method to sec_send now that we
- renamed sec_send to do_sec_send.
- - Some more variable renaming.
+ Reported-by: XhstormR on github
+ Fixes #2245
-- [Julien Chaffraix brought this change]
+- [Michael Gmelin brought this change]
- security.c: sec_read tweaks
+ SSH: Fix state machine for ssh-agent authentication
+
+ In case an identity didn't match[0], the state machine would fail in
+ state SSH_AUTH_AGENT instead of progressing to the next identity in
+ ssh-agent. As a result, ssh-agent authentication only worked if the
+ identity required happened to be the first added to ssh-agent.
+
+ This was introduced as part of commit c4eb10e2f06fbd6cc904f1d78e4, which
+ stated that the "else" statement was required to prevent getting stuck
+ in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's
+ interface I couldn't see how this could happen or reproduce it and I
+ also couldn't find a more detailed description of the problem which
+ would explain a test case to reproduce the problem this was supposed to
+ fix.
- - Renamed the function to sec_recv.
- - Renamed the parameters and variable to match the rest of the code.
+ [0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED
+
+ Closes #2248
-- [Julien Chaffraix brought this change]
+- openssl: fix potential memory leak in SSLKEYLOGFILE logic
+
+ Coverity CID 1427646.
- security.c: Curl_sec_fflush_fd tweaks
+- openssl: fix the libressl build again
+
+ Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is
+ late OpenSSL version...
+
+ Fixes #2246
+ Closes #2247
- - Use an early return as it makes the code more readable.
- - Added a FIXME about a conversion.
+ Reported-by: jungle-boogie on github
-- [Julien Chaffraix brought this change]
+- unit1307: test many wildcards too
- security.c: sec_send tweaks
+- curl_fnmatch: only allow 5 '*' sections in a single pattern
- - Renamed it to do_sec_send as it is the function doing the actual
- transfer.
- - Do not return any values as no one was checking it and it never
- reported a failure (added a FIXME about checking for errors).
- - Renamed the variables to make their use more specific.
- - Removed some casts (int -> curl_socket_t, ...)
- - Avoid doing the htnl <-> nthl twice by caching the 2 results.
+ ... to avoid excessive recursive calls. The number 5 is totally
+ arbitrary and could be modified if someone has a good motivation.
-- [Julien Chaffraix brought this change]
+- ftp-wildcard: fix matching an empty string with "*[^a]"
+
+ .... and avoid advancing the pointer to trigger an out of buffer read.
+
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251
+ Assisted-by: Max Dymond
- security.c: Curl_sec_read_msg tweaks
+- SMB: fix numeric constant suffix and variable types
- - Renamed the variables name to better match their intend.
- - Unified the |decoded_len| checks.
- - Added some FIXMEs to flag some improvement that did not go in this
- change.
+ 1. don't use "ULL" suffix since unsupported in older MSVC
+ 2. use curl_off_t instead of custom long long ifdefs
+ 3. make get_posix_time() not do unaligned data access
+
+ Fixes #2211
+ Closes #2240
+ Reported-by: Chester Liu
+
+- [rouzier brought this change]
-- [Julien Chaffraix brought this change]
+ CURLOPT_TCP_NODELAY.3: fix typo
+
+ Closes #2239
- security.c: Curl_sec_set_protection_level tweaking
+- smtp/pop3/imap_get_message: decrease the data length too...
+
+ Follow-up commit to 615edc1f73 which was incomplete.
- - Removed sec_prot_internal as it is now inlined in the function (this removed
- a redundant check).
- - Changed the prototype to return an error code.
- - Updated the method to use the new ftp_send_command function.
- - Added a level_to_char helper method to avoid relying on the compiler's
- bound checks. This default to the maximum security we have in case of a
- wrong input.
+ Assisted-by: Max Dymond
+ Detected by OSS-fuzz
+ Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206
-- [Julien Chaffraix brought this change]
+- openssl: enable SSLKEYLOGFILE support by default
+
+ Fixes #2210
+ Closes #2236
- security.c: factored the logic from Curl_sec_login into a dedicated method that better reflect its intent.
+Patrick Monnerat (14 Jan 2018)
+- mime: clone mime tree upon easy handle duplication.
+
+ A mime tree attached to an easy handle using CURLOPT_MIMEPOST is
+ strongly bound to the handle: there is a pointer to the easy handle in
+ each item of the mime tree and following the parent pointer list
+ of mime items ends in a dummy part stored within the handle.
+
+ Because of this binding, a mime tree cannot be shared between different
+ easy handles, thus it needs to be cloned upon easy handle duplication.
+
+ There is no way for the caller to get the duplicated mime tree
+ handle: it is then set to be automatically destroyed upon freeing the
+ new easy handle.
+
+ New test 654 checks proper mime structure duplication/release.
+
+ Add a warning note in curl_mime_data_cb() documentation about sharing
+ user data between duplicated handles.
- Introduced a helper method ftp_send_command that synchronously send
- an FTP query.
+ Closes #2235
-- [Julien Chaffraix brought this change]
+- docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
- security.c: Remove out_buffer as it was never written into.
+Daniel Stenberg (13 Jan 2018)
+- test395: HTTP with overflow Content-Length value
-- [Julien Chaffraix brought this change]
+- test394: verify abort of rubbish in Content-Length: value
- security.c: buffer_read various fixes.
+- test393: verify --max-filesize with excessive Content-Length
+
+- HTTP: bail out on negative Content-Length: values
+
+ ... and make the max filesize check trigger if the value is too big.
- Tighten the type of the |data| parameter to avoid a cast. Also made
- it const as we should not modify it.
+ Updates test 178.
- Added a DEBUGASSERT on the size to be written while changing it.
+ Reported-by: Brad Spencer
+ Fixes #2212
+ Closes #2223
-- [Julien Chaffraix brought this change]
+Marcel Raad (13 Jan 2018)
+- [Dan Johnson brought this change]
- security.c: Made block_write return a CURLcode.
+ configure.ac: append extra linker flags instead of prepending them.
- While doing so, renamed it to socket_write to better match its
- function.
+ Link order should list libraries after the libraries that use them,
+ so when we're guessing that we might also need to add -ldl in order
+ to use -lssl, we should add -ldl after -lssl.
+
+ Closes https://github.com/curl/curl/pull/2234
-- [Julien Chaffraix brought this change]
+Daniel Stenberg (13 Jan 2018)
+- RELEASE-NOTES: synced with 6fa10c8fa
- security.c: Made block_read and sec_get_data return CURLcode.
+Jay Satiro (13 Jan 2018)
+- setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
- To do so, made block_read call Curl_read_plain instead of read.
+ Broken since f121575 (precedes 7.56.1).
- While changing them renamed block_read to socket_read and sec_get_data
- to read_data to better match their function.
+ Bug: https://github.com/curl/curl/issues/2225
+ Reported-by: cmfrolick@users.noreply.github.com
- Also fixed a potential memory leak in block_read.
+ Closes https://github.com/curl/curl/pull/2227
-- [Julien Chaffraix brought this change]
-
- Security.c: Fix headers guard to match the rest of the code.
+Patrick Monnerat (13 Jan 2018)
+- setopt: reintroduce non-static Curl_vsetopt() for OS400 support
+
+ This also upgrades ILE/RPG bindings with latest setopt options.
+
+ Reported-By: jonrumsey on github
+ Fixes #2230
+ Closes #2233
-- [Julien Chaffraix brought this change]
+Jay Satiro (11 Jan 2018)
+- [Zhouyihai Ding brought this change]
- configure: Fix the LDAPS disable message
+ http2: fix incorrect trailer buffer size
- ... for example when LDAP is not compiled.
+ Prior to this change the stored byte count of each trailer was
+ miscalculated and 1 less than required. It appears any trailer
+ after the first that was passed to Curl_client_write would be truncated
+ or corrupted as well as the size. Potentially the size of some
+ subsequent trailer could be erroneously extracted from the contents of
+ that trailer, and since that size is used by client write an
+ out-of-bounds read could occur and cause a crash or be otherwise
+ processed by client write.
- Fixed the logic to match the rest of the options' message that is we
- update the default message only if the option is not disabled after the
- different checks.
+ The bug appears to have been born in 0761a51 (precedes 7.49.0).
- Reported by: Guenter Knauf
+ Closes https://github.com/curl/curl/pull/2231
-- RELEASE-NOTES: sync with 8665d4e5 and c-ares >= 1.6.0 note
+- [Basuke Suzuki brought this change]
-- parse_remote_port: ignore colons without port number
+ easy: fix connection ownership in curl_easy_pause
- Obviously, browsers ignore a colon without a following port number. Both
- Firefox and Chrome just removes the colon for such URLs. This change
- does not remove the colon for URLs sent over a HTTP proxy, so we should
- consider doing that change as well.
+ Before calling Curl_client_chop_write(), change the owner of connection
+ to the current Curl_easy handle. This will fix the issue #2217.
- Reported by: github user 'kreshano'
+ Fixes https://github.com/curl/curl/issues/2217
+ Closes https://github.com/curl/curl/pull/2221
-- RELEASE-NOTES: in sync with 19f45eaa799
+Daniel Stenberg (9 Jan 2018)
+- [Dimitrios Apostolou brought this change]
-- duphandle: use ares_dup()
+ system.h: Additionally check __LONG_MAX__ for defining curl_off_t
- curl_easy_duphandle() was not properly duping the ares channel. The
- ares_dup() function was introduced in c-ares 1.6.0 so by starting to use
- this function we also raise the bar and require c-ares >= 1.6.0
- (released Dec 9, 2008) for such builds.
+ __SIZEOF_LONG__ was introduced in GCC 4.4, __LONG_MAX__ was introduced
+ in GCC 3.3.
- Reported by: Ning Dong
- Bug: http://curl.haxx.se/mail/lib-2010-08/0318.html
+ Closes #2216
-- [Hendrik Visage brought this change]
+- COPYING: it's 2018!
- MacOSX-Framework: updates for Snowleopard
-
- 1) PPC64 appears to be an 10.5 only supported architecture, so I
- forced 10.5 for 64bit if there is a need for PPC64, else 64bit only
- does x86_64
+- progress: calculate transfer speed on milliseconds if possible
- 2) proper "make clean" after every ./configure. fixes a bug where
- subsequent runs the 32bit do not get compiled
+ to increase accuracy for quick transfers
- 3) Added a version numbering curl-$VERSION} rather than the "stock standard" A
+ Fixes #2200
+ Closes #2206
-- RELEASE-NOTES: synced with 5fcc4332d62fe
+Jay Satiro (7 Jan 2018)
+- scripts: allow all perl scripts to be run directly
- Removed the duplicate entry of Kamil in the credits.
-
-- configure: don't enable RTMP if the lib detect fails
+ - Enable execute permission (chmod +x)
- librtmp is often statically linked and using sub dependencies like
- OpenSSL, so we need to make sure we can actually link with it properly
- before enabling it. Otherwise we easily end up trying to link with a
- RTMP lib that fails.
-
-- TODO: added 8.4 non-gcrypt under GnuTLS
+ - Change interpreter to /usr/bin/env perl
- We must not assume gcrypt just because of GnuTLS
+ Closes https://github.com/curl/curl/pull/2222
-- configure: check for gcrypt if using GnuTLS
-
- 1 - libcurl assumes that there are gcrypt functions available when
- GnuTLS is.
+- mail-rcpt.d: fix short-text description
+
+- build: remove HAVE_LIMITS_H check
- 2 - GnuTLS can be built to use libnettle instead as crypto library,
- which breaks assumption (1)
+ .. because limits.h presence isn't optional, it's required by C89.
- This change makes configure make sure that if GnuTLS is requested and
- detected, it also makes sure that gcrypt is present or it errors
- out. This is mostly a way to make the user more aware of this flaw, the
- correct fix would be to detect which crypto layer that is in use and
- adapt our code to use that instead of blindly assuming gcrypt.
+ Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2
- Reported by: Michal Gorny
- Bug: http://curl.haxx.se/bug/view.cgi?id=3071038
+ Closes https://github.com/curl/curl/pull/2215
-- RELEASE-NOTES: sync from d2a7fd2fe65b to HEAD
-
-- FTP: fix bad check of Curl_timeleft() return code
+- openssl: fix memory leak of SSLKEYLOGFILE filename
- When it returns 0 it means no timeout. Only a negative value means that
- we're out of time.
-
-- LDAP: moved variable declaration to avoid compiler warn
+ - Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl
+ initialization.
- If built without HTTP or proxy support it would cause a compiler warning
- due to the unused variable. I moved the declaration of it into the only
- scope it is used.
+ Caught by ASAN.
-Tor Arntsen (18 Sep 2010)
-- LDAP: Use FALSE instead of bool_false when setting bits.close
+- Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX"
- bool_false is the internal name used in the setup_once.h definition
- we fall back to for non-C99 non-stdbool systems, it's not the actual
- name to use in assignments (we use bool_false, bool_true there to
- avoid global namespace problems, see comment in setup_once.h).
- The correct C99 value to use is 'false', but let's use FALSE as
- used elsewhere when assigning to bits.close. FALSE is set equal
- to 'false' in setup_once.h when possible.
+ This reverts commit c97648b55080343bb371522bf4233e94a2a13a99.
- This fixes a build problem on C99 targets.
+ SIZEOF_LONG should not be checked in system.h since that macro is only
+ defined when building libcurl.
+
+ Ref: https://github.com/curl/curl/pull/2186#issuecomment-354767080
+ Ref: https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html
-- LDAP: Add missing declaration for 'result'
+Michael Kaufmann (30 Dec 2017)
+- test1554: improve the error handling
-Daniel Stenberg (18 Sep 2010)
-- [Mauro Iorio brought this change]
+- test1554: add global initialization and cleanup
- LDAP: Support for tunnelling queries through HTTP proxy
-
- As of curl-7.21.1 tunnelling ldap queries through HTTP Proxies is not
- supported. Actually if --proxytunnel command-line option (or equivalent
- CURLOPT_HTTPPROXYTUNNEL) is used for ldap queries like
- ldap://ldap.my.server.com/... You are unable to successfully execute the
- query. In facts ldap_*_bind is executed directly against the ldap server
- and proxy is totally ignored. This is true for both openLDAP and
- Microsoft LDAP API.
+Daniel Stenberg (29 Dec 2017)
+- curl_version_info.3: call the argument 'age'
- Step to reproduce the error:
- Just launch "curl --proxytunnel --proxy 192.168.1.1:8080
- ldap://ldap.my.server.com/dc=... "
-
- This fix adds an invocation to Curl_proxyCONNECT against the provided
- proxy address and on successful "CONNECT" it tunnels ldap query to the
- final ldap server through the HTTP proxy. As far as I know Microsoft
- LDAP APIs don't permit tunnelling in any way so the patch provided is
- for OpenLDAP only. The patch has been developed against OpenLDAP 2.4.23
- and has been tested with Microsoft ISA Server 2006 and works properly
- with basic, digest and NTLM authentication.
+ Reported-by: Pete Lomax
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0074.html
+
+Patrick Monnerat (27 Dec 2017)
+- [Mikalai Ananenka brought this change]
-- timeout: use the correct start value as offset
+ brotli: data at the end of content can be lost
- Rodric provide an awesome recipe that proved libcurl didn't timeout at
- the requested time - it instead often timed out at [connect time] +
- [timeout time] instead of the documented and intended [timeout time]
- only. This bug was due to the code using the wrong base offset when
- comparing against "now". I could also take the oppurtinity to simplify
- the code by properly using of the generic help function for this:
- Curl_timeleft.
+ Decoding loop implementation did not concern the case when all
+ received data is consumed by Brotli decoder and the size of decoded
+ data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE.
+ For content with unencoded length greater than CURL_MAX_WRITE_SIZE this
+ can result in the loss of data at the end of content.
- Reported by: Rodric Glaser
- Bug: http://curl.haxx.se/bug/view.cgi?id=3061535
+ Closes #2194
-- Curl_timeleft: avoid returning "no timeout" by mistake
+Jay Satiro (26 Dec 2017)
+- examples/cacertinmem: ignore cert-already-exists error
- As this function uses return code 0 to mean that there is no timeout, it
- needs to check that it doesn't return a time left value that is exactly
- zero. It could lead to libcurl doing an extra 1000 ms select() call and
- thus not timing out as accurately as it should.
+ - Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback
+ since it's possible the cert may have already been loaded by libcurl.
- I fell over this bug when working on the bug 3061535 but this fix does
- not correct that problem alone, although this is a problem that needs to
- be fixed.
+ - Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc.
+ Instead have it direct the reader to this cacertinmem.c example.
- Reported by: Rodric Glaser
- Bug: http://curl.haxx.se/bug/view.cgi?id=3061535
-
-- whitespace: unified source
+ - Fix the CA certificate to use the right CA for example.com, Digicert.
- if ( => if(
- while ( => while(
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html
+ Reported-by: Thomas van Hesteren
- and some other changes in the similar spirit, trying to make the
- whole file use the same style
-
-- remote-header-name: don't output filename when NULL
+ Closes https://github.com/curl/curl/pull/2182
-- [James Bursa brought this change]
+- [Gisle Vanem brought this change]
- TheArtOfHttpScripting: use long options
-
-- [James Bursa brought this change]
-
- getinmemory: make the example easier to follow
+ tool_getparam: Support size modifiers for --max-filesize
- 1. Remove the comment warning that it's "not been verified to work". It
- works with no problems in my testing.
+ - Move the size modifier detection code from limit-rate to its own
+ function so that it can also be used with max-filesize.
- 2. Remove 2 unnecessary includes.
+ Size modifiers are the suffixes such as G (gigabyte), M (megabyte) etc.
- 3. Remove the myrealloc(). Initialize chunk.memory with malloc() instead
- of NULL. The comments for these two parts contradicted each other.
+ For example --max-filesize 1G
- 4. Handle out of memory from realloc() instead of continuing.
+ Ref: https://curl.haxx.se/mail/archive-2017-12/0000.html
- 5. Print a brief status message at the end.
+ Closes https://github.com/curl/curl/pull/2179
-- multi: don't do extra expire calls for the connection
-
- The timeout is set for the connect phase already at the start of the
- request so we should not add a new one, and we MUST not set expire to 0
- as that will remove any other potentially existing timeouts.
+Steve Holme (22 Dec 2017)
+- build: Fixed incorrect script termination from commit ad1dc10e61
-- [Peter Pentchev brought this change]
+- Makefile.vc: Added our standard copyright header
- Fix a bashism: test a = b is more portable than ==.
+- winbuild: Added support for VC15
-- glob_word: remove a check that is always false
+- build: Added Visual Studio 2017 project files
-- inflate_stream: remove redundant check that is always true
+- build-wolfssl.bat: Added support for VC15
-- digest: make it clear the condition is always true
+- build-openssl.bat: Added support for VC15
-- ssluse: removed redundant check that is always true
+Jay Satiro (22 Dec 2017)
+- [Dimitrios Apostolou brought this change]
-Dan Fandrich (11 Sep 2010)
-- Link curl and the test apps with -lrt explicitly when necessary
-
- When curl calls a function from that library then it needs to
- explicitly link to the library instead of piggybacking on
- libcurl's own dependency. Without this, GNU ld with the
- --no-add-needed flag fails when linking (which Fedora now does
- by default).
+ curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX
- Reported by: Quanah Gibson-Mount
- Bug: http://curl.haxx.se/mail/lib-2010-09/0085.html
+ Closes https://github.com/curl/curl/pull/2186
-- Mention the Debian Popularity Contest
+- [Mattias Fornander brought this change]
-Tor Arntsen (9 Sep 2010)
-- test565: Don't hardcode IP:PORT
+ examples/rtsp: fix error handling macros
- Use %HOSTIP:%HTTPPORT instead of 127.0.0.1:8990 so that
- verification works if the baseport change option is used
- when executing runtests.pl.
+ Closes https://github.com/curl/curl/pull/2185
-Daniel Stenberg (9 Sep 2010)
-- curl.1: updated protocols and polished language
+Patrick Monnerat (20 Dec 2017)
+- curl_easy_reset: release mime-related data.
+
+ Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level
+ functions dealing with UserDefined structure contents.
+ This avoids memory leakages on curl-generated part mime headers.
+ New test 2073 checks this using the cli tool --next option: it
+ triggers a valgrind error if bug is present.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html
+ Reported-by: Martin Galvan
-- FAQ: CURL_STATICLIB for visual studio users
+- content_encoding: rework zlib_inflate
- Clarified as it isn't used with a -D option for them.
+ - When zlib version is < 1.2.0.4, process gzip trailer before considering
+ extra data as an error.
+ - Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data
+ and minimize corrupt data output.
+ - Do not try to restart deflate decompression in raw mode if output has
+ started or if the leading data is not available anymore.
+ - New test 232 checks inflating raw-deflated content.
- Reported by: Artfunkel
- Bug: http://curl.haxx.se/bug/view.cgi?id=3060381
+ Closes #2068
-- FAQ: updated and added host with custom IP question
+- brotli: allow compiling with version 0.6.0.
- Added "3.19 How do I get HTTP from a host using a specific IP address?"
- and updated some stuff about certs etc.
+ Some error codes were not yet defined in brotli 0.6.0: do not issue code
+ for them in this case.
-- chunky parser: only rewind if needed
+Daniel Stenberg (13 Dec 2017)
+- CURLOPT_READFUNCTION.3: refer to argument with correct name
- The code reading chunked encoding attempts to rewind the code if it had
- read more data than the chunky parser consumes. The rewinding can fail
- and it will then cause an error. This change now makes the rewinding
- only happen if pipelining is in use - as that's the only time it really
- needs to be done.
+ Bug: #2175
- Bug: http://curl.haxx.se/mail/lib-2010-08/0297.html
- Reported by: Ron Parker
-
-Kamil Dudka (6 Sep 2010)
-- rtsp: avoid SIGSEGV on malformed header
-
-- rtsp: avoid SIGSEGV on malformed header
+ [ci skip]
-Daniel Stenberg (6 Sep 2010)
-- warning: fix conversion to 'int' from 'size_t'
-
-- portabilty: use proper variable type to hold sockets
+- rand: add a clang-analyzer work-around
- Curl_getconnectinfo() is changed to return a proper curl_socket_t for
- the last socket so that it'll work more portably (and cause less
- compiler warnings).
-
-Guenter Knauf (3 Sep 2010)
-- Trial to fix another compiler warning with braces.
+ scan-build would warn on a potential access of an uninitialized
+ buffer. I deem it a false positive and had to add this somewhat ugly
+ work-around to silence it.
-Dan Fandrich (2 Sep 2010)
-- Use checkprefix() to compare protocol-specific strings
+- krb5: fix a potential access of uninitialized memory
- Otherwise, there could be problems running in certain locales.
-
-Guenter Knauf (2 Sep 2010)
-- Moved S_ISREG define to setup as suggested by Dan.
-
-- Use own typedef as workaround for broken sspi.h header (f.e. Watcom).
+ A scan-build warning.
-- Added some hacks in order to build with VC from git.
+- conncache: fix a return code [regression]
- Adam Light posted this patch to the list which enables builds from
- git with VC versions other than vc6; also he added a vc10 target.
+ This broke in 07cb27c98e. Make sure to return 'result' properly. Pointed
+ out by scan-build!
-- Added S_ISREG define for Win32.
-
-Daniel Stenberg (1 Sep 2010)
-- multi: fixes for timing out handles
-
- Add a timeout check for handles in the state machine so that they will
- timeout in all states disregarding what actions that may or may not
- happen.
+- curl: support >256 bytes warning messsages
- Fixed a bug in socket_action introduced recently when looping over timed
- out handles: it wouldn't assign the 'data' variable and thus it wouldn't
- properly take care of handles.
-
- In the update_timer function, the code now checks if the timeout has
- been removed and then it tells the application. Previously it would
- always let the remaining timeout(s) just linger to expire later on.
+ Bug: #2174
-- threaded resolver: no more expire 0 calls
+Michael Kaufmann (12 Dec 2017)
+- libssh: fix a syntax error in configure.ac
- Curl_expire() set to 0 expires ALL timeouts so it should only be called
- if we truly and really want to remove all timeouts for the handle.
-
-- resolve_server: simplify code
+ Follow-up to c92d2e1
- Make use of the helper function Curl_timeleft() instead of duplicating
- code.
+ Closes #2172
-- multi: make sure the next timeout is used when one expires
+Daniel Stenberg (12 Dec 2017)
+- examples/smtp-mail.c: use separate defines for options and mail
- Each easy handle has a list of timeouts, so as soon as the main timeout
- for a handle expires, we must make sure to get the next entry from the
- list and re-add the handle to the splay tree.
+ ... to make it clearer that the options want address-only, while the
+ headers in an email can also have the real name.
- This was attempted previously but was done poorly in my commit
- 232ad6549a68450.
+ Assisted-by: Sean MacLennan
-Dan Fandrich (30 Aug 2010)
-- Added proxy keyword to allow skipping test in proxyless configs
-
-Daniel Stenberg (29 Aug 2010)
-- multi: set timeouts when transfer begins
+- THANKS: added missing names
- When a new transfer is about to start we now set the proper timeouts to
- expire for the multi interface if they are set for the handle. This is a
- follow-up bugfix to make sure that easy handles timeout properly when
- the times expire and the multi interface is used. This also improves
- curl_multi_timeout().
-
-- CURLOPT_DIRLISTONLY: don't use with CURLOPT_WILDCARDMATCH
-
-- FAQ: update list of supported protocols
-
-- [Fabian Keil brought this change]
+ ... as I reran the contrithanks script after the mailmap name fixups.
- In the m4 detection line, factor out the 2>dev/null
+- mailmap: added/clarified several names
-- [Fabian Keil brought this change]
-
- If m4 doesn't support --version, try if gm4 does.
-
-- [Fabian Keil brought this change]
-
- If the m4 version isn't recognized at all, just say so
+- setopt: less *or equal* than INT_MAX/1000 should be fine
- 'm4 version found. You need a GNU m4 installed!' is a bit confusing.
-
-- HISTORY: mention the gopher story
-
-Dan Fandrich (25 Aug 2010)
-- Tweaked some test data files
+ ... for the CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT and
+ CURLOPT_SERVER_RESPONSE_TIMEOUT range checks.
- Fixed some issues that caused xmllint failures, added features
- and keywords, fixed some quotes and removed some <strip> sections
- that unnecessarily limited test checking.
-
-- Added new source files to Symbian and TPF makefiles
-
-Daniel Stenberg (25 Aug 2010)
-- RELEASE-NOTES: sync from b980c9a02 to HEAD
-
-- Makefile: add gopher.c file to build
+ Reported-by: Dominik Hölzl
+ Bug: https://curl.haxx.se/mail/lib-2017-12/0037.html
- As the VC and RISCOS makefiles don't use the .inc file
+ Closes #2173
-- runtests: fix uninitialized variable warning
+- [Dmitry Kostjuchenko brought this change]
-- gopher tests: revert parts of gopher in the pingpong server
+ vtls: replaced getenv() with curl_getenv()
- Introduced in the initial gopher commits, there was added logic to do
- GOPHER test serving in the pingpong server but as it resembles HTTP much
- more than FTP or SMTP, the gopher testing has been moved over to instead
- use the sws (HTTP) server. This change simply removes unused code.
-
-- gopher tests: use sws and adjusted to more standard style
-
-- sws: added basic gopher support
+ Fixed undefined symbol of getenv() which does not exist when compiling
+ for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with
+ curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP
+ is defined.
+
+ Closes #2171
-- gopher: enable the header callback/verbosity
+- RELEASE-NOTES: synced with 3b9ea70ee
-- gopher: fix test case line endings
+- TODO: Expose tried IP addresses that failed
- Patches over email very easily lose CRLF line endings in files otherwise
- LF-only so I had to put them back where needed.
-
-- gopher: fix memory leak and busyloop
+ Suggested-by: Rainer Canavan
- The fix for the busyloop really only is a temporary work-around. It
- causes a BLOCKING behavior which is a NO-NO. This function should rather
- be split up in a do and a doing piece where the pieces that aren't
- possible to send now will be sent in the doing function repeatedly until
- the entire request is sent.
+ Closes #2126
-- [Cameron Kaiser brought this change]
+- curl.1: mention http:// and https:// as valid proxy prefixes
- Gopher using Curl_write; test suite (4 tests)
+- curl.1: documented two missing valid exit codes
-- [Cameron Kaiser brought this change]
+- CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference
- Remove url.c test
-
-- [Cameron Kaiser brought this change]
-
- Forgot gopher.h in Makefile.inc
+- Revert "curl: don't set CURLOPT_INTERLEAVEDATA"
+
+ This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955.
+
+ It was actually added rather recently in 8e8afa82cbb629 due to a crash
+ that would otherwise happen in the RTSP code. As I don't think we've
+ fixed that behavior yet, we better keep this work-around until we have
+ fixed it better.
-- [Cameron Kaiser brought this change]
+Michael Kaufmann (10 Dec 2017)
+- tests: mark data files as non-executable in git
- Gopher protocol support (initial release)
+- tests: update .gitignore for libtests
-- http: handle trailer headers in all chunked responses
+Daniel Stenberg (10 Dec 2017)
+- multi_done: prune DNS cache
- HTTP allows that a server sends trailing headers after all the chunks
- have been sent WITHOUT signalling their presence in the first response
- headers. The "Trailer:" header is only a SHOULD there and as we need to
- handle the situation even without that header I made libcurl ignore
- Trailer: completely.
+ Prune the DNS cache immediately after the dns entry is unlocked in
+ multi_done. Timed out entries will then get discarded in a more orderly
+ fashion.
- Test case 1116 was added to verify this and to make sure we handle more
- than one trailer header properly.
+ Test506 is updated
- Reported by: Patrick McManus
- Bug: http://curl.haxx.se/bug/view.cgi?id=3052450
+ Reported-by: Oleg Pudeyev
+
+ Fixes #2169
+ Closes #2170
-- TODO: we now support RTMP
+- mailmap: fixup two old git Author "aliases"
-- TODO: done "NTLM with other crypto functions"
+Jay Satiro (10 Dec 2017)
+- openssl: Disable file buffering for Win32 SSLKEYLOGFILE
- Since NTLM was made to work with the NSS API as well, the primary SSL
- alternatives will be built with NTLM support in libcurl.
-
-- TODO: fixed "Make curl_multi_info_read faster"
+ Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just
+ like it does for other platforms. However, the Windows CRT does not
+ actually support line buffering (_IOLBF) and will use full buffering
+ (_IOFBF) instead. We can't use full buffering because multiple processes
+ may be writing to the file and that could lead to corruption, and since
+ full buffering is the only buffering available this commit disables
+ buffering for Windows SSLKEYLOGFILE entirely (_IONBF).
- It is really fast now
+ Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901
-Dan Fandrich (24 Aug 2010)
-- Fixed a NULL pointer dereference in form posting
+Daniel Stenberg (10 Dec 2017)
+- RESOLVE: output verbose text when trying to set a duplicate name
- It was introduced in commit eeb2cb05 along with the -F type=
- change. Also fixed a typo in the name of the magic filename=
- parameter. Tweaked tests 39 and 173 to better test this path.
+ ... to help users understand what is or isn't done!
-Daniel Stenberg (24 Aug 2010)
-- [Ben Greear brought this change]
+- CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
+
+- [John DeHelian brought this change]
- multi: Fix compile warning on 64-bit systems
+ sftp: allow quoted commands to use relative paths
+
+ Closes #1900
-Dan Fandrich (23 Aug 2010)
-- Mention PolarSSL in tutorial & add some URLs to INSTALL
+Jay Satiro (8 Dec 2017)
+- [Richard Alcock brought this change]
-Daniel Stenberg (23 Aug 2010)
-- RESUME_FROM: clarify what ftp uploads do
+ CURLOPT_PRIVATE.3: fix grammar
- The numerical value passed to CURLOPT_RESUME_FROM for FTP uploads is
- interpreted and used as position where to resume the _reading_ of the
- local file and it will "blindly" append that data on the remote
- file. This was certainly not clear in the docs previously.
+ - Change "never does nothing" double-negative to "never does anything".
- Reported by: catalin
- Bug: http://curl.haxx.se/bug/view.cgi?id=3048174
-
-- [Dirk Manske brought this change]
+ Closes https://github.com/curl/curl/pull/2168
- Curl_is_connected: use correct errno
+Daniel Stenberg (8 Dec 2017)
+- curl: remove __EMX__ #ifdefs
- The correctly extracted errno contents were mistakenly overwritten by a newer
- value that wasn't the correct error value.
+ These are OS/2-specific things added to the code in the year 2000. They
+ were always ugly. If there's any user left, they still don't need it
+ done this way.
- Bug: http://curl.haxx.se/mail/lib-2010-08/0242.html
+ Closes #2166
-- cmdline: make -F type= accept ;charset=
+Jay Satiro (8 Dec 2017)
+- openssl: improve data-pending check for https proxy
- The -F option allows some custom parameters within the given string, and
- those strings are separated with semicolons. You can for example specify
- "name=daniel;type=text/plain" to set content-type for the
- field. However, the use of semicolons like that made it not work fine if
- you specified one within the content-type, like for:
- "name=daniel;type=text/plain;charset=UTF-8"
- ... as the second one would be seen as a separator and "charset" is no
- parameter curl knows anything about so it was just silently discarded.
+ - Allow proxy_ssl to be checked for pending data even when connssl does
+ not yet have an SSL handle.
- The new logic now checks if the semicolon and following keyword looks
- like a parameter it knows about and if it isn't it is assumed to be
- meant to be used within the content-type string itself.
+ This change is for posterity. Currently there doesn't seem to be a code
+ path that will cause a pending data check when proxyssl could have
+ pending data and the connssl handle doesn't yet exist [1].
- I modified test case 186 to verify that this works as intended.
+ [1]: Recall that an https proxy connection starts out in connssl but if
+ the destination is also https then the proxy SSL backend data is moved
+ from connssl to proxyssl, which means connssl handle is temporarily
+ empty until an SSL handle for the destination can be created.
- Reported by: Larry Stone
- Bug: http://curl.haxx.se/bug/view.cgi?id=3048988
-
-Guenter Knauf (20 Aug 2010)
-- Added mk-ca-bundle.vbs script.
+ Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542
- The script works exactly same as the Perl one except for one thing:
- when the text descriptions generated with openssl are included then
- the md5 fingerprints are missing; seems openssl has either a bug or
- a feature which prints the md5 fingerprint output to stdout instead
- of writing them to specified file; this script could here do the same
- as what the Perl scripr does (redirect stdout into file) but this
- makes the script take up double the time because it needs to launch
- cmd.exe 140 times (fo each openssl call). So I think for now we just
- ommit the md5 fingerprints, and see if openssl will be fixed.
+ Closes https://github.com/curl/curl/pull/1916
-- Trial to fix win32 autobuilds.
+Daniel Stenberg (8 Dec 2017)
+- curl: don't set CURLOPT_INTERLEAVEDATA
- It seems that its time to look at some better ideas for the win32
- non-configure builds; probably a prebuild target which copies
- config-win32.h to curl_config.h and appends also then feature
- defines like USE_ARES.
-
-Dan Fandrich (19 Aug 2010)
-- Use the S_ISREG macro to determine what is a regular file
-
-Kamil Dudka (19 Aug 2010)
-- AC_INIT: avoid a warning with autoconf 2.66
+ That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback
+ and that option isn't set or used by the curl tool!
+
+ Updates the 9 tests that verify --libcurl
- It was complaining about the '=>' operator, introduced in e3fc0d5.
+ Closes #2167
-Dan Fandrich (18 Aug 2010)
-- Fixed a memory leak during OOM in the multi timeout code
+- curl.h: remove incorrect comment about ERRORBUFFER
+
+ ... error messages are _not_ sent to stderr if this is not set.
-- Removed a C99ism & made an array const
+- [Michael Felt brought this change]
-Daniel Stenberg (19 Aug 2010)
-- [Julien Chaffraix brought this change]
+ configure: add AX_CODE_COVERAGE only if using gcc
+
+ Fixes #2076
+ Closes #2125
- test: added test 579 to verify progress callback for chunked post
+- curl: limit -# update frequency for unknown total size
- The 66 bytes checked are those 38 bytes with the chunked encoding
- headers added: 8+8+10+35+5 = 66
+ Make it use a max 10Hz update frequency for this case as well. Return
+ early if the "point" hasn't moved since last invoke.
- The three-letter words become 8 bytes on the wire because they are sent
- like: "3\r\none\r\n"
+ Reported-by: Elliot Saba
- ... and there's the trailing 5 bytes write after the four lines since
- the final chunk is sent (which is "0\r\n\r\n").
+ Fixes #2158
+ Closes #2163
-- multi: avoid sending multiple complete messages
+- BINDINGS: another PostgreSQL client
- I fell over this bug report that mentioned that libcurl could wrongly
- send more than one complete messages at the end of a transfer. Reading
- the code confirmed this, so I've added a new multi state to make it not
- happen. The mentioned bug report was made by Brad Jorsch but is (oddly
- enough) filed in Debian's bug tracker for the "wmweather+" tool.
+ ...the former link is dead.
- Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593390
+ Reported-by: Frank Gevaerts
-- FAQ: update the list of supported protocols
+- [Zachary Seguin brought this change]
-- FAQ: added blurb about ECCN
+ CONNECT: keep close connection flag in http_connect_state struct
- "1.13 curl's ECCN number" is a new section mostly made up from
- Alessandro Vesely's very informative ML post on the subject:
- http://curl.haxx.se/mail/lib-2008-03/0251.html
+ Fixes #2088
+ Closes #2157
-Guenter Knauf (18 Aug 2010)
-- It is sufficient to pipe stderr to NUL to get rid of the nasty messages.
+- [Per Malmberg brought this change]
-- Added SSPI build to Watcom makefile.
+ include: get netinet/in.h before linux/tcp.h
+
+ ... to allow build on older Linux dists (specifically CentOS 4.8 on gcc
+ 4.8.5)
+
+ Closes #2160
-Daniel Stenberg (16 Aug 2010)
-- [Julien Chaffraix brought this change]
+- openldap: fix checksrc nits
- progress: callback for POSTs less than MAX_INITIAL_POST_SIZE
+- [Stepan Broz brought this change]
+
+ openldap: add commented out debug possibilities
- Add a call to Curl_pgrsSetUploadSize in this case valided by a test
- case.
+ ... to aid debugging openldap library using its built-in debug messages.
- Reported by: Никита Дорохин.
- Bug: http://curl.haxx.se/mail/lib-2010-04/0173.html
+ Closes #2159
-Dan Fandrich (16 Aug 2010)
-- Make the LD_PRELOAD path absolute in the tests that use it
+- examples: move threaded-shared-conn.c to the "complicated" ones
- In some situations, libtool will change directories and perform
- a link step before executing the libtest test app. Since
- LD_PRELOAD is in effect for this entire process, the path to the
- binary must be absolute so it will be valid no matter in which
- directory the app is running.
+ ... due it relying on pthreads to link.
-Daniel Stenberg (16 Aug 2010)
-- negotiation: Wrong proxy authorization
+- RELEASE-NOTES: synced with b261c44e8
- There's an error in http_negotiation.c where a mistake is using only
- userpwd even for proxy requests. Ludek provided a patch, but I decided
- to write the fix slightly different using his patch as inspiration.
-
- Reported by: Ludek Finstrle
- Bug: http://curl.haxx.se/bug/view.cgi?id=3046066
+ ... and bump next release version to 7.58.0
+
+- [Jan Ehrhardt brought this change]
-Dan Fandrich (16 Aug 2010)
-- Clear stdout and stderr files on each test run
+ URL: tolerate backslash after drive letter for FILE:
- This allows a test to be run several times in the same test
- session even when the -k option is given.
+ ... as in "file://c:\some\path\curl.out"
+
+ Reviewed-by: Matthew Kerwin
+ Closes #2154
-Guenter Knauf (15 Aug 2010)
-- Syncroniszed vclean target; fixed some comments.
+- [Randall S. Becker brought this change]
-Daniel Stenberg (15 Aug 2010)
-- THANKS: added contributors from 7.21.1
+ tests: added netinet/in6.h includes in test servers
-- multi: two fixes done
+- [Randall S. Becker brought this change]
-- multi: use timeouts properly for MAX_RECV/SEND_SPEED
+ configure: check for netinet/in6.h
+
+ Needed by HPE NonStop NSE and NSX systems
- When detecting that the send or recv speed, the multi interface changes
- state to TOOFAST and previously there was no timeout set that would
- force a recheck but it would rely on the application to somehow call
- libcurl anyway. This now sets a timeout for a suitable future time to
- check again if the average transfer speed is then below the threshold
- again.
+ Fixes #2146
+ Closes #2155
-- multi: support timeouts
+- curl-config: add --ssl-backends
- Curl_expire() is now expanded to hold a list of timeouts for each easy
- handle. Only the closest in time will be the one used as the primary
- timeout for the handle and will be used for the splay tree (which sorts
- and lists all handles within the multi handle).
+ Lists all SSL backends that were enabled at build-time.
- When the main timeout has triggered/expired, the next timeout in time
- that is kept in the list will be moved to the main timeout position and
- used as the key to splay with. This way, all timeouts that are set with
- Curl_expire() internally will end up as a proper timeout. Previously any
- Curl_expire() that set a _later_ timeout than what was already set was
- just silently ignored and thus missed.
+ Suggested-by: Oleg Pudeyev
+ Fixes #2128
+
+- conncache: only allow multiplexing within same multi handle
- Setting Curl_expire() with timeout 0 (zero) will cancel all previously
- added timeouts.
+ Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing
+ only get additional transfers added to them if the existing connection
+ is held by the same multi or easy handle. libcurl does not support doing
+ HTTP/2 streams in different threads using a shared connection.
- Corrects known bug #62.
+ Closes #2152
-- Curl_llist_insert_next: allow insertion first in the list
-
- When we specify the "insert after" entry as NULL, this function now
- inserts the new entry first in the list.
+- threaded-shared-conn.c: fixed typo in commenta
-- multi: make curl_multi_info_read perform O(1)
-
- Instead of looping over all attached easy handles, this now keeps a list
- of messages in the multi handle. It allows curl_multi_info_read() to
- perform O(1) no matter how many easy handles that are handled. This is
- of importance since this function may be polled very frequently by apps
- using the multi interface.
+- threaded-shared-conn.c: new example
-Kamil Dudka (15 Aug 2010)
-- curl -T: ignore file size of special files
+- conncache: fix several lock issues
- original bug report at https://bugzilla.redhat.com/622520
-
-Dan Fandrich (13 Aug 2010)
-- Reset environment variables before starting servers
+ If the lock is released before the dealings with the bundle is over, it may
+ have changed by another thread in the mean time.
- Otherwise, variables from tests could affect the servers
- themselves.
+ Fixes #2132
+ Fixes #2151
+ Closes #2139
-Kamil Dudka (12 Aug 2010)
-- typecheck-gcc: work around gcc upstream bug #32061
+- libssh: remove dead code in sftp_qoute
- original bug report at https://bugzilla.redhat.com/617757
-
-Daniel Stenberg (11 Aug 2010)
-- release cycle loop: start over toward 7.21.2
-
-Version 7.21.1 (11 Aug 2010)
-
-Daniel Stenberg (11 Aug 2010)
-- RELEASE-NOTES: mention the runtests fix as well
+ ... by removing a superfluous NULL pointer check that also confuses
+ Coverity.
+
+ Fixes #2143
+ Closes #2153
-- runtests: clear old setenv remainders before test
+- sasl_getmesssage: make sure we have a long enough string to pass
- Due to the layout of the singletest function there are situations where
- it returns before it clears the environment variables that were
- especially set for the single specific test case. That could lead to
- subsequent tests getting executed with environment variables sticking
- around from a previous test which could lead to badness.
+ For pop3/imap/smtp, added test 891 to somewhat verify the pop3
+ case.
- This change makes sure to clear all custom variables that may be laying
- around from a previous round, before running a test case.
+ For this, I enhanced the pingpong test server to be able to send back
+ responses with LF-only instead of always using CRLF.
- Reported by: Kamil Dudka
- Bug: http://curl.haxx.se/mail/lib-2010-08/0141.html
-
-Guenter Knauf (11 Aug 2010)
-- Added OpenSSL builds to Watcom makefiles.
+ Closes #2150
-Yang Tse (11 Aug 2010)
-- configure: werror related adjustments
+- libssh2: remove dead code from SSH_SFTP_QUOTE
+
+ Figured out while reviewing code in the libssh backend. The pointer was
+ checked for NULL after having been dereferenced, so we know it would
+ always equal true or it would've crashed.
+
+ Pointed-out-by: Nikos Mavrogiannopoulos
+
+ Bug #2143
+ Closes #2148
-Daniel Stenberg (11 Aug 2010)
-- FAQ: s/libcurl.so.3/libcurl.so.X
+- ssh-libssh.c: please checksrc
-Dan Fandrich (10 Aug 2010)
-- KNOWN_BUG #59 is fixed. Clarify support of IPv6 zone IDs.
+Nikos Mavrogiannopoulos (4 Dec 2017)
+- libssh: fixed dereference in statvfs access
+
+ The behavior is now equivalent to ssh.c when SSH_SFTP_QUOTE_STATVFS
+ handling fails.
+
+ Fixes #2142
-- Fixed typo in Android configure command
+Daniel Stenberg (4 Dec 2017)
+- [Guitared brought this change]
-Daniel Stenberg (11 Aug 2010)
-- HISTORY: added stuff from recent years
+ RESOURCES: update spec names
+
+ Closes #2145
-- warning: silence the compiler
+Nikos Mavrogiannopoulos (3 Dec 2017)
+- libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS
- warning: conversion to 'long int' from 'time_t' may alter its value
+ The previous code was incorrectly following the libssh2 error detection
+ for libssh2_sftp_statvfs, which is not correct for libssh's sftp_statvfs.
- ... on win64 when time_t is 64bit and long is 32bit.
-
-- RELEASE-NOTES: synced, 3 additional bugfixes
+ Fixes #2142
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- multi_socket_action: clarify how to kickstart it
+- libssh: no need to call sftp_get_error as ssh_get_error is sufficient
- The callbacks are called when curl_multi_socket_action() is called, not
- when handles are added. This is now mentioned in the "TYPICAL USAGE"
- section.
+ Fixes #2141
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- callbacks: acknowledge progress callback error returns
+Daniel Stenberg (2 Dec 2017)
+- libssh: fix minor static code analyzer nits
- When the progress callback is called during the TCP connection, an error
- return would accidentally not abort the operation as intended but would
- instead be counted as a failure to connect to that particular IP and
- libcurl would just continue to try the next. I made singleipconnect()
- and trynextip() return CURLcode properly.
+ - remove superfluous NULL check which otherwise tricks the static code
+ analyzers to assume NULL pointer dereferences.
- Added bonus: it corrected the error code for bad --interface usages,
- like tested in test 1084 and test 1085.
+ - fix fallthrough in switch()
- Reported by: Adam Light
- Bug: http://curl.haxx.se/mail/lib-2010-08/0105.html
+ - indent mistake
-Guenter Knauf (10 Aug 2010)
-- More Watcom makefile fixes ...
+- openssl: pkcs12 is supported by boringssl
+
+ Removes another #ifdef for BoringSSL
- Final fix (hopefully!) for dll wlink loader;
- prefer faster internal rm if available.
+ Pointed-out-by: David Benjamin
+
+ Closes #2134
-- Fixed my wrong edit.
+- [Jay Satiro brought this change]
-- More Watcom makefile fixes.
+ travis: use pip2 instead of pip
- Added the -br switch to dynamic builds which fixes the issue I saw
- with curl's --version output. Added debug info and symfile for debug
- builds to linker opts. Added DLL loader for wlink back, but this time
- dependend on wlink version.
- Patch posted to the list by malak.jiri AT gmail.com.
-
-- Changed test for -u switch in order to enable other wmake switches.
+ .. since now mac osx image expects pip2 or pip3, and doesn't know pip:
- The var %MAKEFLAGS is only set in 3 cases: if set as environment
- var or as macro definition from commandline, and either with the
- -u or -ms switch. Since all these cases are unlikely for the average
- user it should be safe to only test if %MAKEFLAGS is defined; this
- has the benefit that now all other switches can be used again in
- addition to the -u which was formerly not possible.
-
-Daniel Stenberg (10 Aug 2010)
-- llist: hide Curl_llist_init
+ 0.01s$ pip install --user cpp-coveralls
+ /Users/travis/.travis/job_stages: line 57: pip: command not found
+
+ Ref: https://github.com/travis-ci/travis-ci/issues/8829
- Curl_llist_init is never used outside of llist.c and thus it should be
- static. I also removed the protos for Curl_llist_insert_prev and
- Curl_llist_remove_next which are functions we removed from llist.c ages
- ago.
+ Closes https://github.com/curl/curl/pull/2133
-Guenter Knauf (10 Aug 2010)
-- Added msys Perl since git for Win32 comes with own Perl which identifies as msys.
+- [Nikos Mavrogiannopoulos brought this change]
-- Updated lib dependency versions.
+ lib582: do not verify host for SFTP
+
+ This SFTP test fails with libssh back-end due to failure to verify
+ the peer. Disable peer verification in the test as there seems to
+ be the intention of the test.
+
+ Note that the libssh back-end automatically verifies the peer's
+ host using the default known_hosts file.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- Make testcurl.pl Watcom-aware.
+- [Nikos Mavrogiannopoulos brought this change]
-Daniel Stenberg (10 Aug 2010)
-- parse_remote_port: fix ;type= URL suffix over HTTP proxy
+ libssh: added SFTP support
+
+ The SFTP back-end supports asynchronous reading only, limited
+ to 32-bit file length. Writing is synchronous with no other
+ limitations.
- Test 563 is enabled now and verifies that the combo FTP type=A URL,
- CURLOPT_PORT set and proxy work fine. As a bonus I managed to remove the
- somewhat odd FTP check in parse_remote_port() and instead converted it
- to a better and more generic 'slash_removed' struct field. Checking the
- ->protocol field isn't right since when an FTP:// URL is sent over a
- HTTP proxy, the protocol is HTTP but the URL was handled by the FTP code
- and thus slash_removed is set TRUE for this case.
+ This also brings keyboard-interactive authentication.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- indent: white space fixes only
+- [Nikos Mavrogiannopoulos brought this change]
-Yang Tse (9 Aug 2010)
-- build: fix previous push
+ symbols-in-versions: added new symbols with 7.56.3 version
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-- build: don't build libhostname unless shared libcurl is built
+- [Nikos Mavrogiannopoulos brought this change]
-- build: libhostname and chkhostname linkage adjustments followup
+ .travis.yml: added build --with-libssh
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Daniel Stenberg (8 Aug 2010)
-- typo: remove duplicate semicolon
+- [Nikos Mavrogiannopoulos brought this change]
-- multi: avoid a malloc() when a transfer is complete
+ libssh2: return CURLE_UPLOAD_FAILED on failure to upload
- The struct used for storing the message for a completed transfer is now
- no longer allocated separatly but is kept within the main struct kept
- for each easy handle so that we avoid one malloc (and the subsequent
- free).
-
-Yang Tse (8 Aug 2010)
-- build: libhostname linkage adjustments followup
+ This brings its in sync with the error code returned by the
+ libssh backend.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-Guenter Knauf (7 Aug 2010)
-- Fix to overwrite libcurl name.
+- [Nikos Mavrogiannopoulos brought this change]
-Yang Tse (7 Aug 2010)
-- build: chkhostname build adjustments followup
+ libssh2: send the correct CURLE error code on scp file not found
+
+ That also updates tests to expect the right error code
+
+ libssh2 back-end returns CURLE_SSH error if the remote file
+ is not found. Expect instead CURLE_REMOTE_FILE_NOT_FOUND
+ which is sent by the libssh backend.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-U-D5B1PQ1J\Administrador (7 Aug 2010)
-- build: allow NTLM tests to run on more build configurations
+- [Nikos Mavrogiannopoulos brought this change]
-Daniel Stenberg (7 Aug 2010)
-- curl_easy_setopt.3: rename stream to userdata
+ Added support for libssh SSH SCP back-end
- In some places where the name 'stream' has been used for naming a
- function argument that is in fact settable with a setopt() option we now
- call that argument 'userdata' to make it more obvious that it is in fact
- possible to set by the application.
+ libssh is an alternative library to libssh2.
+ https://www.libssh.org/
- Suggested by: Jeff Pohlmeyer
+ That patch set also introduces support for ECDSA
+ ed25519 keys, as well as gssapi authentication.
+
+ Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-Guenter Knauf (7 Aug 2010)
-- Block created curlbuild.h for NetWare to avoid usage from other platforms.
+- RELEASE-NOTES: synced with af8cc7a69
-Daniel Stenberg (7 Aug 2010)
-- RELEASE-NOTES: synced with recent changes
+- curlver: towards 7.57.1
-Yang Tse (6 Aug 2010)
-- build: ensure that libhostname doesn't get installed
+- [W. Mark Kubacki brought this change]
-Daniel Stenberg (6 Aug 2010)
-- multi_socket: set timeout for 100-continue
+ lib: don't export all symbols, just everything curl_*
- When libcurl internally decided to wait for a 100-continue header, there
- was no call to the timeout function so there was no timeout callback
- called when the multi_socket API was used and thus applications became
- either completely wrong or at least ineffecient depending on how they
- handled the situation. We now set a timeout to get triggered.
+ Absent any 'symbol map' or script to limit what gets exported, static
+ linking of libraries previously resulted in a libcurl with curl's and
+ those other symbols being (re-)exported.
- Reported by: Ben Darnell
- Bug: http://curl.haxx.se/bug/view.cgi?id=3039744
-
-Guenter Knauf (6 Aug 2010)
-- Some more Watcom makefile massage ...
+ This did not happen if 'versioned symbols' were enabled (which is not
+ the default) because then a version script is employed.
+
+ This limits exports to everything starting in 'curl_*'., which is
+ what "libcurl.vers" exports.
+
+ This avoids strange side-effects such as with mixing methods
+ from system libraries and those erroneously offered by libcurl.
- For now removed the .autodepend directive until I've figured out
- which of my changes broke it again.
+ Closes #2127
-Yang Tse (5 Aug 2010)
-- build: fix libssh2_scp_send64() availability
+- [Johannes Schindelin brought this change]
-- build: remove unneeded cast to (void *)
+ SSL: Avoid magic allocation of SSL backend specific data
+
+ Originally, my idea was to allocate the two structures (or more
+ precisely, the connectdata structure and the four SSL backend-specific
+ strucutres required for ssl[0..1] and proxy_ssl[0..1]) in one go, so
+ that they all could be free()d together.
+
+ However, getting the alignment right is tricky. Too tricky.
+
+ So let's just bite the bullet and allocate the SSL backend-specific
+ data separately.
+
+ As a consequence, we now have to be very careful to release the memory
+ allocated for the SSL backend-specific data whenever we release any
+ connectdata.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+ Closes #2119
-- build: remove unused file
+- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL
+
+ Reported-by: Dima Tisnek
-Daniel Stenberg (4 Aug 2010)
-- SCP: send large files properly with new enough libssh2
+- travis: add boringssl build
- libssh2 1.2.6 and later handle >32bit file sizes properly even on 32bit
- architectures and we make sure to use that ability.
+ Uses a separate build without --enable-debug and no valgrind.
- Reported by: Mikael Johansson
- Bug: http://curl.haxx.se/mail/lib-2010-08/0052.html
-
-Yang Tse (3 Aug 2010)
-- build: add missing new files to non-configure target build files
+ The debug option causes far too many warnings in boringssl's headers
+ (C++ comments, trailing commas etc). Valgrind triggers some false
+ positive errors in thread-local data used by boringssl.
+
+ Closes #2118
-- md4: replace bcopy usage with memcpy
+Version 7.57.0 (29 Nov 2017)
-Daniel Stenberg (3 Aug 2010)
-- RELEASE-NOTES: synced with recent changes
+Daniel Stenberg (29 Nov 2017)
+- RELEASE-NOTES: curl 7.57.0
-- TODO-RELEASE: clear, file not really used ATM
+- THANKS: added contributors from 7.57.0 release
-- typecheck-gcc: add checks for recently added options
+- openssl: fix boringssl build again
- I added all OBJECTPOINT curl_easy_setopt() options from 178 to 202. Left
- to add: the five FUNCTIONPOINT (callbacks) options added since:
+ commit d3ab7c5a21e broke the boringssl build since it doesn't have
+ RSA_flags(), so we disable that code block for boringssl builds.
- SSH_KEYFUNCTION
- INTERLEAVEFUNCTION
- CHUNK_BGN_FUNCTION
- CHUNK_END_FUNCTION
- FNMATCH_FUNCTION
+ Reported-by: W. Mark Kubacki
+ Fixes #2117
-- .gitignore: ignore all built examples
+- curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided
-- example: fix code to build warning-free
+- libcurl-share.3: the connection cache is shareable now
-- Curl_connected_proxy: skip the bits.tcpconnect check
+- global_init: ignore CURL_GLOBAL_SSL's absense
- Simply because the TCP might be connected already we cannot skip the
- proxy connect procedure. We need to be careful to not overload more
- meaning to the bits.tcpconnect field like this.
+ This bit is no longer used. It is not clear what it meant for users to
+ "init the TLS" in a world with different TLS backends and since the
+ introduction of multissl, libcurl didn't properly work if inited without
+ this bit set.
- With this fix, SOCKS proxies work again when the multi interface is
- used. I believe this regression was added with commit 4b351d018e,
- released as 7.20.1.
+ Not a single user responded to the call for users of it:
+ https://curl.haxx.se/mail/lib-2017-11/0072.html
- Left todo: add a test case that verifies this functionality that
- prevents us from breaking it again in the future!
+ Reported-by: Evgeny Grin
+ Assisted-by: Jay Satiro
- Reported by: Robin Cornelius
- Bug: http://curl.haxx.se/bug/view.cgi?id=3033966
+ Fixes #2089
+ Fixes #2083
+ Closes #2107
-- sethostname: provide local prototype for gethostname
+- ntlm: avoid integer overflow for malloc size
+
+ Reported-by: Alex Nichols
+ Assisted-by: Kamil Dudka and Max Dymond
- This is only to avoid warnings on some systems.
+ CVE-2017-8816
+
+ Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
-- build: add typecast to avoid warning
+- wildcardmatch: fix heap buffer overflow in setcharset
+
+ The code would previous read beyond the end of the pattern string if the
+ match pattern ends with an open bracket when the default pattern
+ matching function is used.
- There is an implicit conversion from "unsigned long" to "long";
- rounding, sign extension, or loss of accuracy may result.
+ Detected by OSS-Fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+
+ CVE-2017-8817
+
+ Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
-Guenter Knauf (2 Aug 2010)
-- Rename CURL_SOURCES macro; revert previous rename of curl_SOURCES macro.
+- [Jay Satiro brought this change]
+
+ url: fix alignment of ssl_backend_data struct
+
+ - Align the array of ssl_backend_data on a max 32 byte boundary.
+
+ 8 is likely to be ok but I went with 32 for posterity should one of
+ the ssl_backend_data structs change to contain a larger sized variable
+ in the future.
+
+ Prior to this change (since dev 70f1db3, release 7.56) the connectdata
+ structure was undersized by 4 bytes in 32-bit builds with ssl enabled
+ because long long * was mistakenly used for alignment instead of
+ long long, with the intention being an 8 byte boundary. Also long long
+ may not be an available type.
+
+ The undersized connectdata could lead to oob read/write past the end in
+ what was expected to be the last 4 bytes of the connection's secondary
+ socket https proxy ssl_backend_data struct (the secondary socket in a
+ connection is used by ftp, others?).
+
+ Closes https://github.com/curl/curl/issues/2093
+
+ CVE-2017-8818
+
+ Bug: https://curl.haxx.se/docs/adv_2017-af0a.html
-- Removed ugly dependency lists since wmake knows the .autodepend directive.
+- ssh: remove check for a NULL pointer (!)
+
+ With this check present, scan-build warns that we might dereference this
+ point in other places where it isn't first checked for NULL. Thus, if it
+ *can* be NULL we have a problem on a few places. However, this pointer
+ should not be possible to be NULL here so I remove the check and thus
+ also three different scan-build warnings.
+
+ Closes #2111
-- Use suffix search path for sources in lib folder.
+- [Matthew Kerwin brought this change]
-- Changed src/Makefile.Watcom to use CURL_SOURCES from src/Makefile.inc.
+ test: add test for bad UNC/SMB path in file: URL
-- Renamed curl_SOURCES to CURL_ALLFILES to overcome wmake's case-insensitivity.
+- [Matthew Kerwin brought this change]
-- Removed wlink from DLL loader list because it doesnt work with Watcom < 1.8.
+ test: add tests to ensure basic file: URLs
-- Moved the LDAP API defines from Makefile.Watcom to config-win32.h.
-
- These defines are only needed for older Watcom versions (< 1280).
+- [Matthew Kerwin brought this change]
-Daniel Stenberg (2 Aug 2010)
-- retry: consider retrying even if -f is used
+ URL: update "file:" URL handling
- The --retry logic does retry HTTP when some specific response codes are
- returned, but because the -f option sets the CURLOPT_FAILONERROR to
- libcurl, the return codes are different for such situations and then the
- curl tool failed to consider it for retrying.
+ * LOTS of comment updates
+ * explicit error for SMB shares (e.g. "file:////share/path/file")
+ * more strict handling of authority (i.e. "//localhost/")
+ * now accepts dodgy old "C:|" drive letters
+ * more precise handling of drive letters in and out of Windows
+ (especially recognising both "file:c:/" and "file:/c:/")
- Reported by: Mike Power
- Bug: http://curl.haxx.se/bug/view.cgi?id=3037362
+ Closes #2110
-- multi: fix FTPS connecting the data connection with OpenSSL
+- metalink: fix memory-leak and NULL pointer dereference
- Commit 496002ea1cd76af7f (released in 7.20.1) broke FTPS when using the
- multi interface and OpenSSL was used. The condition for the non-blocking
- connect was incorrect.
+ Reported by scan-build
- Reported by: Georg Lippitsch
- Bug: http://curl.haxx.se/mail/lib-2010-07/0270.html
+ Closes #2109
-Guenter Knauf (1 Aug 2010)
-- Fixed curlbuild.h rule.
+- [Alessandro Ghedini brought this change]
-- Added rule to create curlbuild.h if not present (for builds from git).
+ connect: add support for new TCP Fast Open API on Linux
+
+ The new API added in Linux 4.11 only requires setting a socket option
+ before connecting, without the whole sento() machinery.
+
+ Notably, this makes it possible to use TFO with SSL connections on Linux
+ as well, without the need to mess around with OpenSSL (or whatever other
+ SSL library) internals.
+
+ Closes #2056
-- Added dependend libs for curl static linking.
+- make: fix "make distclean"
+
+ Fixes #2097
+ Closes #2108
-- Fixed curl.exe static linking.
+- RELEASE-NOTES: synced with 31f18d272
-Daniel Stenberg (30 Jul 2010)
-- warning: silence a win64 compiler warning
+Jay Satiro (23 Nov 2017)
+- connect: improve the bind error message
- conversion from 'size_t' to 'curl_socklen_t', possible loss of data
+ eg consider a non-existent interface eth8, curl --interface eth8
- Reported by: Adam Light
-
-- KNOWN_BUG: The SOCKET type in Win64 is 64 bits
+ Before: curl: (45) Could not resolve host: eth8
+ After: curl: (45) Couldn't bind to 'eth8'
- The SOCKET type in Win64 is 64 bits large (and thus so is curl_socket_t
- on that platform), and long is only 32 bits. It makes it impossible for
- curl_easy_getinfo() to return a socket properly with the
- CURLINFO_LASTSOCKET option as for all other operating systems.
+ Bug: https://github.com/curl/curl/issues/2104
+ Reported-by: Alfonso Martone
-- smtp_connect: always provide host name buffer
+Daniel Stenberg (23 Nov 2017)
+- examples/rtsp: clear RANGE again after use
- Previously the host name buffer was only used if gethostname() exists,
- but since we converted that into a curl private function that function
- always exists and will be used so the buffer needs to exist for all
- cases/systems.
+ Fixes #2106
+ Reported-by: youngchopin on github
-- sethostname: avoid including unistd.h to duck for warnings
+- [Michael Kaufmann brought this change]
-- sethostname: ISO C does not allow extra `;' outside of a function
+ test1264: verify URL with space in host name being rejected
-- [Kamil Dudka brought this change]
-
- NTLM tests: boost coverage by forcing the hostname
+- url: reject ASCII control characters and space in host names
+
+ Host names like "127.0.0.1 moo" would otherwise be accepted by some
+ getaddrinfo() implementations.
- A shared library tests/libtest/.libs/lihostname.so is preloaded in NTLM
- test-cases to override the system implementation of gethostname(). It
- makes it possible to test the NTLM authentication for exact match, and
- this way test the implementation of MD4 and DES.
+ Updated test 1034 and 1035 accordingly.
- If LD_PRELOAD doesn't work, a debug build willl also workk as debug
- builds are now made to prefer a specific environment variable and will
- then return that content as host name instead of the actual one.
+ Fixes #2073
+ Closes #2092
+
+- Curl_open: fix OOM return error correctly
- Kamil wrote the bulk of this, Daniel Stenberg polished it.
+ Closes #2098
-Guenter Knauf (29 Jul 2010)
-- Added a comment with an alternate idea to avoid the backslash line contination character.
+- http2: fix "Value stored to 'end' is never read" scan-build error
-- Changed comparison to match size_t var type.
+- http2: fix "Value stored to 'hdbuf' is never read" scan-build error
-- Removed unused vars to avoid compiler warnings.
+- openssl: fix "Value stored to 'rc' is never read" scan-build error
-- Make Watcom makefiles use Makefile.inc to reduce future maintainance.
-
- lib/Makefile.Watcom works fine already, for src/Makefile.Watcom we
- need first to tweak src/Makefile.inc a bit - therefore the handtweaked
- list still exists for now.
+- mime: fix "Value stored to 'sz' is never read" scan-build error
-- Watcom makefiles overhaul.
+- Curl_llist_remove: fix potential NULL pointer deref
- - make both libcurl and curl makefiles use register calling convention
- (previously libcurl had stack calling convention).
- - added include paths to the Watcom headers so its no longer required
- to set the environment vars for this.
- - added -wcd=201 to supress compiler warning about unreachable code.
- - use macros for all tools, and removed dependency on GNU tools like rm.
- - make ipv6 and debug builds controlable via env vars and so make them
- optional instead of default.
- - commented WINLDAPAPI and WINBERAPI since they broke with OW 1.8, and
- it seems they're not needed (anymore?).
- - added rule for hugehelp.c.cvs so that it will be created when not
- already exist - this is required for building from a release tarball
- since there we have no hugehelp.c.cvs, thus compilation broke.
- - removed C_ARG creation from lib/Makefile.Watcom and use CFLAGS
- directly as done too in src/Makefile.Watcom - this has the benefit
- that we will see all active cflags and defines during compile.
- - added LINK-ARG to src/Makefile.Watcom in order to better control
- linker input.
- - a couple of other minor makefile tweaks here and there ...
- - added largefile support for Watcom builds to config-win32.h. Not yet
- tested if it really works, but should since Win32 supports it.
- - added loaddll stuff to speed up builds if supported.
+ Fixes a scan-build warning.
-- some cosmetic changes.
+- ntlm: remove unnecessary NULL-check to please scan-build
-Dan Fandrich (26 Jul 2010)
-- Added md4.c to the Watcom makefile
+- BUGS: spellchecked
-- Added PolarSSL to the docs
+Jay Satiro (18 Nov 2017)
+- [fmmedeiros brought this change]
-Daniel Stenberg (25 Jul 2010)
-- curl-config: --built-shared returns shared info
+ examples/curlx: Fix code style
- The curl-config now features a --built-shared command line option that
- will output 'yes' or 'no' depending if the build process was asked to
- build shared library/libraries or not.
+ - Add braces around multi-line if statement.
- It is primarily made to offer more details to the test suite to know
- what kind of stunts it can expect to work.
+ Closes https://github.com/curl/curl/pull/2096
-- add_buffer_send: fix compiler warning
+Daniel Stenberg (17 Nov 2017)
+- resolve: allow IP address within [] brackets
- Win64's 32 bit long but 64 bit size_t caused a warning that we avoid
- with a typecast. A small whitespace indent fix was also applied.
+ ... so that IPv6 addresses can be passed like they can for connect-to
+ and how they're used in URLs.
- Reported by: Adam Light
-
-Guenter Knauf (22 Jul 2010)
-- Updated library versions.
-
-- Fixed script version which was still based on CVS Revision tag.
-
-Dan Fandrich (21 Jul 2010)
-- FAQ: Why doesn't cURL error out when the cable is unplugged?
+ Added test 1324 to verify
+ Reported-by: Alex Malinovich
- This one was long overdue to be mentioned in the FAQ. Also, mention the
- new ftp wildcard downloading feature.
+ Fixes #2087
+ Closes #2091
-Daniel Stenberg (21 Jul 2010)
-- [Ben Greear brought this change]
+- [Pavol Markovic brought this change]
- ssh: Fix compile error on 64-bit systems.
+ macOS: Fix missing connectx function with Xcode version older than 9.0
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ The previous fix https://github.com/curl/curl/pull/1788 worked just for
+ Xcode 9. This commit extends the fix to older Xcode versions effectively
+ by not using connectx function.
+
+ Fixes https://github.com/curl/curl/issues/1330
+ Fixes https://github.com/curl/curl/issues/2080
+ Closes https://github.com/curl/curl/pull/1336
+ Closes #2082
-- [Ben Greear brought this change]
+- [Dirk Feytons brought this change]
- build: Enable configure --enable-werror
+ openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
- This passes -Werror to gcc when building curl and libcurl,
- allowing easy dection of compile warnings.
+ Fixes #2079
+ Closes #2081
+
+- TODO: ignore private IP addresses in PASV response
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Closes #1455
-- [Ben Greear brought this change]
+- RELEASE-NOTES: synced with ae7369b6d
- pingpong: Fix indentation (whitespace change only)
+Michael Kaufmann (14 Nov 2017)
+- URL: return error on malformed URLs with junk after IPv6 bracket
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Follow-up to aadb7c7. Verified by new test 1263.
+
+ Closes #2072
-- [Jan Van Boghout brought this change]
+Daniel Stenberg (14 Nov 2017)
+- INTERNALS: we may use libidn2 now, not libidn
- CUSTOMREQUEST: shouldn't be disabled when HTTP is disabled
+Patrick Monnerat (13 Nov 2017)
+- zlib/brotli: only include header files in modules needing them
- ... since FTP is using it as well, and potentially other protocols!
+ There is a conflict on symbol 'free_func' between openssl/crypto.h and
+ zlib.h on AIX. This is an attempt to resolve it.
- Also, an #endif CURL_DISABLE_HTTP was incorrectly marked, as it seems to
- end the proxy block instead.
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html
+ Reported-By: Michael Felt
-- [Jan Van Boghout brought this change]
-
- pingpong: response_time is milliseconds
+Daniel Stenberg (13 Nov 2017)
+- SMB: fix uninitialized local variable
- Fixed the comment/document for the response_time struct member.
+ Reported-by: Brian Carpenter
-- [Jan Van Boghout brought this change]
+- [Orgad Shaneh brought this change]
- ftp: response timeout bug in "quote" sending
+ connect.c: remove executable bit on file
- The FTP implementation was missing a timestamp reset point, making the
- waiting for responses after sending a post-transfer "QUOTE" command not
- working as supposedly. This bug was introduced in 7.20.0
+ Closes #2071
-- [Jeff Pohlmeyer brought this change]
+- [hsiao yi brought this change]
- remote-header-name: chop filename at next semicolon
+ README.md: fixed layout
- The --remote-header-name option for the command-line tool assumes that
- everything beyond the filename= field is part of the filename, but that
- might not always be the case, for example:
+ Closes #2069
+
+- setopt: split out curl_easy_setopt() to its own file
- Content-Disposition: attachment; filename=file.txt; modification-date=...
+ ... to make url.c smaller.
- This fix chops the filename off at the next semicolon, if there is one.
+ Closes #1944
-- --retry: access violation with URL part sets continued
+Jay Satiro (10 Nov 2017)
+- [John Starks brought this change]
+
+ cmake: Add missing setmode check
- When getting multiple URLs, curl didn't properly reset the byte counter
- after a successful transfer so if the subsequent transfer failed it
- would wrongly use the previous byte counter and behave badly (segfault)
- because of that. The code assumes that the byte counter and the 'stream'
- pointer is well in synch.
+ Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this,
+ curl will corrupt binary files when writing them to stdout on Windows.
- Reported by: Jon Sargeant
- Bug: http://curl.haxx.se/bug/view.cgi?id=3028241
+ Closes https://github.com/curl/curl/pull/2067
-- releasnote: synch up with commit f3b77e5611d
+Daniel Stenberg (10 Nov 2017)
+- curl_share_setopt: va_end was not called if conncache errors
+
+ CID 984459, detected by Coverity
-- [Constantine Sapuntzakis brought this change]
+Sergei Nikulov (10 Nov 2017)
+- [John Starks brought this change]
- examples: add curl_multi_timeout
+ cmake: Correctly include curl.rc in Windows builds (#2064)
- Make the multi-interface using examples use curl_multi_timeout to
- properly educate users how to do things.
+ Update CMakeLists.txt to add curl.rc to the correct list.
-- configure: document the STATICLIB variable
+Daniel Stenberg (9 Nov 2017)
+- RELEASE-NOTES: synced with 32828cc4f
-- [Constantine Sapuntzakis brought this change]
+- [Luca Boccassi brought this change]
- multi: fix condition that remove timers before trigger
+ --interface: add support for Linux VRF
- curl_multi perform has two phases: run through every easy handle calling
- multi_runsingle and remove expired timers (timer removal).
+ The --interface command (CURLOPT_INTERFACE option) already uses
+ SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP
+ address first, which fails in case the user passes a VRF.
- If a small timer (e.g. 1-10ms) is set during multi_runsingle, then it's
- possible that the timer has passed by when the timer removal runs. The
- timer which was just added is then removed. This will potentially cause
- the timer list to be empty and cause the next call to curl_multi_timeout
- to return -1. Ideally, curl_multi_timeout should return 0 in this case.
+ Try to use the socket option immediately and parse it as a fallback
+ instead. Update the documentation to mention this feature, and that it
+ requires the binary to be ran by root or with CAP_NET_RAW capabilities
+ for this to work.
- One way to fix this is to move the struct timeval now = Curl_tvnow(); to
- the top of curl_multi_perform. The change does that.
+ Closes #2024
-- [Constantine Sapuntzakis brought this change]
-
- threaded resolver: fix timeout issue
+- curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT
- Reset old timer first so we can set a new one further in the future.
+ Closes #2043
-- configure: allow environments variable to override internals
-
- configure checks for grep, egrep, sed and ar and set the variables GREP,
- EGREP, SED and AR accordingly. We now let already set variables override
- the internal choices to let users make decisions when they know the
- right choice already. This is a regression as our configure script used
- to allow this back before commit 0b57c475 (up to 7.18.2).
-
- Reported by: "kdekker"
- Bug: http://curl.haxx.se/bug/view.cgi?id=3028318
+- examples: add shared-connection-cache
-Dan Fandrich (9 Jul 2010)
-- Improved the Android build instructions
+- test1554: verify connection cache sharing
-Daniel Stenberg (7 Jul 2010)
-- [Tor Arntsen brought this change]
+- share: add support for sharing the connection cache
- upload: Avoid infinite loop when checking for auth bits
+- imap: deal with commands case insensitively
- The test would loop forever if authtype bit 0 wasn't set.
-
-- upload: warn users trying to upload from stdin with anyauth
+ As documented in RFC 3501 section 9:
+ https://tools.ietf.org/html/rfc3501#section-9
- Since uploading from stdin is very likely to not work with anyauth and
- its multi-phase probing for what authentication to actually use, alert
- the user about it. Multi-phase negotiate almost certainly will involve
- sending data and thus libcurl will need to rewind the stream to send
- again, and it cannot do that with stdin.
+ Closes #2061
-- http: don't enable chunked during authentication negotiations
+- connect: store IPv6 connection status after valid connection
- As mentioned in bug report #2956968, the HTTP code wouldn't send the
- first empty chunk during the auth negotiation phase of the HTTP request
- sending, so the server would wait for data to come and libcurl would
- wait for data to arrive... I've made the code not enable chunked
- encoding until the auth negotiation is done and thus this scenario
- doesn't occur anymore.
+ ... previously it would store it already in the happy eyeballs stage
+ which could lead to the IPv6 bit being set for an IPv4 connection,
+ leading to curl not wanting to do EPSV=>PASV for FTP transfers.
- Reported by: Sidney San Martín
- Bug: http://curl.haxx.se/bug/view.cgi?id=2956968
+ Closes #2053
-- --libcurl: list the tricky options instead of using [REMARK]
+- curl_multi_fdset.3: emphasize curl_multi_timeout
- I think the [REMARK] and commented function calls cluttered the code a
- bit too much and made the generated code ugly to read. Now we instead
- track the remarks one specially and just lists them at the end of the
- generated code more as additional information.
+ ... even when there's no socket to wait for, the timeout can still be
+ very short.
-- curl: avoid setting libcurl options to its default
+Jay Satiro (9 Nov 2017)
+- content_encoding: fix inflate_stream for no bytes available
+
+ - Don't call zlib's inflate() when avail_in stream bytes is 0.
+
+ This is a follow up to the parent commit 19e66e5. Prior to that change
+ libcurl's inflate_stream could call zlib's inflate even when no bytes
+ were available, causing inflate to return Z_BUF_ERROR, and then
+ inflate_stream would treat that as a hard error and return
+ CURLE_BAD_CONTENT_ENCODING.
- it makes the --libcurl output easier to follow.
+ According to the zlib FAQ, Z_BUF_ERROR is not fatal.
+
+ This bug would happen randomly since packet sizes are arbitrary. A test
+ of 10,000 transfers had 55 fail (ie 0.55%).
+
+ Ref: https://zlib.net/zlib_faq.html#faq05
+
+ Closes https://github.com/curl/curl/pull/2060
+
+Patrick Monnerat (7 Nov 2017)
+- content_encoding: do not write 0 length data
-- --libcurl: hide setopt() calls setting default options
+Daniel Stenberg (6 Nov 2017)
+- fnmatch: remove dead code
- And additionally, don't show function or object pointers actual value
- since they make no sense to anyone. Show 'functionpointer' and
- 'objectpointer' instead.
+ There was a duplicate check for backslashes in the setcharset()
+ function.
+
+ Coverity CID 1420611
-- --libcurl: use *_LARGE options with typecasted constants
+- url: remove unncessary NULL-check
- In the generated code --libcurl makes, all calls to curl_easy_setopt()
- that use *_LARGE options now have the value typecasted to curl_off_t, so
- that it works correctly for 32bit systems with 64bit curl_off_t type.
+ Since 'conn' won't be NULL in there and we also access the pointer in
+ there without the check.
+
+ Coverity CID 1420610
-- multi: CURLINFO_LASTSOCKET doesn't work after remove_handle
+Viktor Szakats (6 Nov 2017)
+- src/Makefile.m32: fix typo in brotli lib customization
- When curl_multi_remove_handle() is called and an easy handle is returned
- to the connection cache held in the multi handle, then we cannot allow
- CURLINFO_LASTSOCKET to extract it since that will more or less encourage
- that the user uses the socket while it can get used by libcurl again.
+ Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31
+
+- Makefile.m32: allow to customize brotli libs
- Without this fix, we'd get a segfault in Curl_getconnectinfo() trying to
- dereference the NULL pointer in 'data->state.connc'.
+ It adds the ability to link against static brotli libs.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3023840
+ Also fix brotli include path.
-- [Pierre Joye brought this change]
+Patrick Monnerat (5 Nov 2017)
+- travis: add a job with brotli enabled
- build: add enable IPV6 option for the VC makefiles
+- [Viktor Szakats brought this change]
-- FAQ: the threaded resolver works universally now
+ Makefile.m32: add brotli support
-Kamil Dudka (30 Jun 2010)
-- http_ntlm: add support for NSS
+- HTTP: implement Brotli content encoding
- When configured with '--without-ssl --with-nss', NTLM authentication
- now uses NSS crypto library for MD5 and DES. For MD4 we have a local
- implementation in that case. More details are available at
- https://bugzilla.redhat.com/603783
+ This uses the brotli external library (https://github.com/google/brotli).
+ Brotli becomes a feature: additional curl_version_info() bit and
+ structure fields are provided for it and CURLVERSION_NOW bumped.
- In order to get it working, curl_global_init() must be called with
- CURL_GLOBAL_SSL or CURL_GLOBAL_ALL. That's necessary because NSS needs
- to be initialized globally and we do so only when the NSS library is
- actually required by protocol. The mentioned call of curl_global_init()
- is responsible for creating of the initialization mutex.
+ Tests 314 and 315 check Brotli content unencoding with correct and
+ erroneous data.
- There was also slightly changed the NSS initialization scenario, in
- particular, loading of the NSS PEM module. It used to be loaded always
- right after the NSS library was initialized. Now the library is
- initialized as soon as any SSL or NTLM is required, while the PEM module
- is prevented from being loaded until the SSL is actually required.
+ Some tests are updated to accomodate with the now configuration dependent
+ parameters of the Accept-Encoding header.
-Daniel Stenberg (29 Jun 2010)
-- glob: backslash escaping bug
+- HTTP: support multiple Content-Encodings
- curl didn't properly handle escaping characters in a URL with the use of
- backslash. It did an attempt, but that failed as reported in bug
- 3022551. The described example was using the URL
- "http://example.com?{AB,C\,D}".
+ This is implemented as an output streaming stack of unencoders, the last
+ calling the client write procedure.
- I've now removed the special-handling of letters following the backslash
- and I also removed the bad extra check that triggered this particular
- bug.
+ New test 230 checks this feature.
- Bug: http://curl.haxx.se/bug/view.cgi?id=3022551
- Reported by: Jon Sargeant
+ Bug: https://github.com/curl/curl/pull/2002
+ Reported-By: Daniel Bankhead
-- release-notes: sync up with recent commits
-
-- CONTRIBUTE: the git commit message line length is 72 columns
-
-- [Pavel Raiskup brought this change]
-
- ftp wildcard: FTP LIST parser FIX
+Jay Satiro (4 Nov 2017)
+- url: remove arg value check from CURLOPT_SSH_AUTH_TYPES
+
+ Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value
+ check on this option is incorrect; we have to accept any value.
- There was a problem when a UNIX-like server returned information
- about directory size (total NNNNNN) at the first line of
- response.
+ Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES
+ erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT.
+
+ Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120
-- [Pavel Raiskup brought this change]
+Daniel Stenberg (4 Nov 2017)
+- ntlm: avoid malloc(0) for zero length passwords
+
+ It triggers an assert() when built with memdebug since malloc(0) may
+ return NULL *or* a valid pointer.
+
+ Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054
+
+ Assisted-by: Max Dymond
+ Closes #2054
- examples: new FTP wildcard showcase
+- RELEASE-NOTES: synced with ee8016b3d
-- multi_socket: re-use of same socket without notifying app
+- curl: speed up handling of many URLs
- When a hostname resolves to multiple IP addresses and the first one
- tried doesn't work, the socket for the second attempt may get dropped on
- the floor, causing the request to eventually time out. The issue is that
- when using kqueue (as on mac and bsd platforms) instead of select, the
- kernel removes the first fd from kqueue when it is closed (in trynextip,
- connect.c:503). Trynextip() then goes on to open a new socket, which
- gets assigned the same number as the one it just closed. Later in
- multi.c, socket_cb is not called because the fd is already in
- multi->sockhash, so the new socket is never added to kqueue.
+ By properly keeping track of the last entry in the list of URLs/uploads
+ to handle, curl now avoids many meaningless traverses of the list which
+ speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K
+ URLs).
- The correct fix is to ensure that socket_cb is called to remove the fd
- when trynextip() closes the socket, and again to re-add it after
- singleipsocket(). I'm not sure how to cleanly do that, but the attached
- patch works around the problem in an admittedly kludgy way by delaying
- the close to ensure that the newly-opened socket gets a different fd.
+ Added test 1291, to verify that it doesn't take ages - but we don't have
+ any detection of "too slow" command in the test suite.
- Daniel's added comment: I didn't spot a way to easily do a nicer fix so
- I've proceeded with Ben's patch.
-
- Bug: http://curl.haxx.se/bug/view.cgi?id=3017819
- Patch by: Ben Darnell
+ Reported-by: arainchik on github
+ Fixes #1959
+ Closes #2052
-Kamil Dudka (24 Jun 2010)
-- [Pavel Raiskup brought this change]
+- curl: pass through [] in URLs instead of calling globbing error
+
+ Assisted-by: Per Lundberg
+ Fixes #2044
+ Closes #2046
+ Closes #2048
- ftp-wildcard: avoid tight loop when used without any pattern
+- CURLOPT_INFILESIZE: accept -1
- It was broken for URLs like "ftp://example.com/".
+ Regression since f121575
+
+ Reported-by: Petr Voytsik
+ Fixes #2047
-Daniel Stenberg (21 Jun 2010)
-- maketgz: produce CHANGES automatically with the 1000 most recent commits
+Jay Satiro (2 Nov 2017)
+- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
- It passes the git log output through 'log2changes.pl' to produce
- the lot.
+ Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT
+ erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT.
-- ignore: CHANGES.dist gets generated by maketgz
+Dan Fandrich (1 Nov 2017)
+- http2: Fixed OOM handling in upgrade request
+
+ This caused the torture tests on test 1800 to fail.
-- CHANGES: move all contents from CHANGES to CHANGES.0
+- tests: Fixed torture tests on tests 556 and 650
- CHANGES is no longer used for manually edited content. It is to
- be generated automatically by maketgz when we make release
- tarballs.
+ Test cleanup after OOM wasn't being consistently performed.
-- log2changes: correct command line, fix tag usage, change Version output
+Daniel Stenberg (1 Nov 2017)
+- CURLOPT_MAXREDIRS: allow -1 as a value
- --decorate=full is needed with my git 1.7.1 to get the necessary
- output so that the previous edit would work to extract the
- Version stuff.
+ ... which is valid according to documentation. Regression since
+ f121575c0b5f.
- ... but I had to edit how the refs/tags was extracted since it
- had a little flaw that made it miss the 7.20.1 output.
+ Verified now in test 501.
- Finally, I changed so that Version is outputted even more similar
- to how CHANGES does it.
+ Reported-by: cbartl on github
+ Fixes #2038
+ Closes #2039
-Dan Fandrich (21 Jun 2010)
-- Make the output of log2changes.pl even more closely match CHANGES
-
- Add the ASCII art header, and list version commits by decoding
- the ref tag names, when available (using the git log --decorate
- option).
+- include: remove conncache.h inclusion from where its not needed
-Daniel Stenberg (19 Jun 2010)
-- log2changes: first version of the git log to CHANGES conversion script
+Jay Satiro (1 Nov 2017)
+- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
- $ git log --pretty=fuller --no-color --date=short | ./log2changes.pl
+ .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE.
- Of course, limiting the log output with a range like with
- "[tag]..HEAD" appended can be very useful too.
-
-- sendrecv: treat all negative values from send/recv as errors
+ Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE
+ erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT.
- For example the libssh2 based functions return other negative
- values than -1 to signal errors and it is important that we catch
- them properly. Right before this, various failures from libssh2
- were treated as negative download amounts which caused havoc.
+ Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html
+ Reported-by: Andrew Lambert
-- multi: prevent NULL pointer dereference
+Daniel Stenberg (31 Oct 2017)
+- cookie: avoid NULL dereference
- My additional call to Curl_pgrsUpdate() would sometimes get
- called even though there's no connection (left) so a NULL pointer
- would get passed, causing a segfault.
-
-- smtp: fixed a few uses of size_t that seemed to believe it was signed
+ ... when expiring old cookies.
- Reported-by: Steven M. Schweda
+ Reported-by: Pavel Gushchin
+ Fixes #2032
+ Closes #2035
-Dan Fandrich (17 Jun 2010)
-- Fixed an OOM memory leak in the FTP wildcard code
+Marcel Raad (30 Oct 2017)
+- memdebug: use send/recv signature for curl_dosend/curl_dorecv
+
+ This avoids build errors and warnings caused by implicit casts.
+
+ Closes https://github.com/curl/curl/pull/2031
-Kamil Dudka (17 Jun 2010)
-- test575: do not fail with threaded DNS resolver
+Daniel Stenberg (30 Oct 2017)
+- [Juro Bystricky brought this change]
-Daniel Stenberg (17 Jun 2010)
-- [Krister Johansen brought this change]
+ mkhelp.pl: support reproducible build
+
+ Do not generate line with the current date, such as:
+
+ * Generation time: Tue Oct-24 18:01:41 2017
+
+ This will improve reproducibility. The generated string is only
+ part of a comment, so there should be no adverse consequences.
+
+ Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+
+ closes #2026
- multi: unmark handle as used when no longer head of pipeline
+Dan Fandrich (30 Oct 2017)
+- runtests.pl: Fixed typo in message
-- multi: call the progress function only once and allow abort
+Daniel Stenberg (30 Oct 2017)
+- curlx: the timeval functions are no longer provided as curlx_*
- 1) no need to call the progress function twice when in the
- CURLM_STATE_TOOFAST state.
-
- 2) Make sure that the progress callback's return code is
- acknowledged when used
+ Pointed-out-by: Dmitri Tikhonov
+ Bug: #2034
-- multi: call the progress callback in all states
+- select: update comments
- As long as no error is reported, the progress function can get
- called. This may be a little TOO often so we should keep an eye
- on this and possibly make this conditional somehow.
+ s/curlx_tvnow/Curl_now
+
+- INTERNALS: remove curlx_tv* functions no longer provided
-- configure: spell --disable-threaded-resolver correctly
+- [Dmitri Tikhonov brought this change]
+
+ timeval: use mach time on MacOS
- Previously we only accepted the option when named
- --disable-threaded-resover, which wasn't quite intended.
+ If clock_gettime() is not supported, use mach_absolute_time() on MacOS.
- Reported by: Helwing Lutz
+ closes #2033
-- release: start on 7.21.1, bump contributor count
+monnerat (29 Oct 2017)
+- [Patrick Monnerat brought this change]
-- version: start working on the 7.21.1-dev version
+ cli tool: improve ";type=" handling in -F option arguments
-- THANKS: added contributors from the 7.21.0 release
+- [Patrick Monnerat brought this change]
-Version 7.21.0 (16 Jun 2010)
+ cli tool: in -F option arg, comma is a delimiter for files only
+
+ Also upgrade test 1133 to cover this case and clarify man page about
+ form data quoting.
+
+ Bug: https://github.com/curl/curl/issues/2022
+ Reported-By: omau on github
-Daniel Stenberg (16 Jun 2010)
-- release: 7.21.0
+Daniel Stenberg (29 Oct 2017)
+- timeleft: made two more users of Curl_timeleft use timediff_t
-Yang Tse (10 Jun 2010)
-- remove unused 'tmpdata' and 'backup' ftp_parselist_data struct members
+Jakub Zakrzewski (28 Oct 2017)
+- cmake: Export libcurl and curl targets to use by other cmake projects
+
+ The config files define curl and libcurl targets as imported targets
+ CURL::curl and CURL::libcurl. For backward compatibility with CMake-
+ provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are
+ also set.
+
+ Closes #1879
-- replace isprint() with ISPRINT()
+Daniel Stenberg (28 Oct 2017)
+- RELEASE-NOTES: synced with f20cbac97
-- ensure that Curl_wildcard_dtor() leaves WildcardData struct zero initialized
+- [Florin Petriuc brought this change]
-Patrick Monnerat (9 Jun 2010)
-- ILE/RPG binding updated to current curl.h definitions.
+ auth: Added test cases for RFC7616
+
+ Updated docs to include support for RFC7616
+
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
+
+ Closes #1934
-Yang Tse (9 Jun 2010)
-- code simplification
+- [Florin Petriuc brought this change]
-- add Curl_ prefix to conform with cURL naming standards
+ auth: add support for RFC7616 - HTTP Digest access authentication
+
+ Signed-off-by: Florin <petriuc.florin@gmail.com>
-- Merge branch 'master' of git@github.com:bagder/curl
+- [Daniel Bankhead brought this change]
-- fix compiler warning using curl_socket_t to store socket descriptor
+ TODO: support multiple Content-Encodings
+
+ Closes #2002
-Daniel Stenberg (8 Jun 2010)
-- inet_pton: warnings: use size_t to store pointer deltas
+- ROADMAP: cleanup
+
+ Removed done stuff. Removed entries no longer considered for the near
+ term.
-Yang Tse (8 Jun 2010)
-- avoid redundant work when reusing same connection
+- [Magicansk brought this change]
-- fix function result checking
+ ROADMAP.md: spelling fixes
+
+ Closes #2028
-Daniel Stenberg (8 Jun 2010)
-- transfer: warning: implicit conversion
+- Curl_timeleft: change return type to timediff_t
- There is an implicit conversion from "unsigned long" to "long";
- rounding, sign extension, or loss of accuracy may result.
+ returning 'time_t' is problematic when that type is unsigned and we
+ return values less than zero to signal "already expired", used in
+ several places in the code.
- Fixed by an added typecast.
+ Closes #2021
-- TFTP: fix compiler warning
+- appveyor: add a win32 build
+
+- setopt: fix CURLOPT_SSH_AUTH_TYPES option read
+
+ Regression since f121575c0b5f
- Curl_fillreadbuffer()'s second argument takes an int, so
- typecasting to another is a bad idea.
+ Reported-by: Rob Cotrone
-- TFTP: fix warning for sendto() usage on non-POSIX systems
+Marcel Raad (27 Oct 2017)
+- resolvers: only include anything if needed
- Older unixes want an 'int' instead of 'size_t' as the 3rd
- argumment so before this change it would cause warnings such as:
+ This avoids warnings about unused stuff.
- There is an implicit conversion from "unsigned long" to "int";
- rounding, sign extension, or loss of accuracy may result.
+ Closes https://github.com/curl/curl/pull/2023
-Dan Fandrich (7 Jun 2010)
-- Include Makefile.inc to get the list of source files for Amiga
+Daniel Stenberg (27 Oct 2017)
+- HELP-US: rename the subtitle too since the label is changed
- Signed-off-by: Diego Casorran <dcasorran@gmail.com>
+ "PR-welcome" was the former name.
-Yang Tse (7 Jun 2010)
-- Curl_updateconninfo() error handling fix
+- curl_setup.h: oops, shorten the too long line
-Daniel Stenberg (5 Jun 2010)
-- [Constantine Sapuntzakis brought this change]
+- [Martin Storsjo brought this change]
- OpenSSL: fix spurious SSL connection aborts
+ curl_setup: Improve detection of CURL_WINDOWS_APP
- Was seeing spurious SSL connection aborts using libcurl and
- OpenSSL. I tracked it down to uncleared error state on the
- OpenSSL error stack - patch attached deals with that.
+ If WINAPI_FAMILY is defined, it should be safe to try to include
+ winapifamily.h to check what the define evaluates to.
- Rough idea of problem:
+ This should fix detection of CURL_WINDOWS_APP if building with
+ _WIN32_WINNT set to 0x0600.
- Code that uses libcurl calls some library that uses OpenSSL but
- don't clear the OpenSSL error stack after an error.
+ Closes #2025
+
+Jay Satiro (26 Oct 2017)
+- transfer: Fix chunked-encoding upload bug
- ssluse.c calls SSL_read which eventually gets an EWOULDBLOCK from
- the OS. Returns -1 to indicate an error
+ - When uploading via chunked-encoding don't compare file size to bytes
+ sent to determine whether the upload has finished.
- ssluse.c calls SSL_get_error. First thing, SSL_get_error calls
- ERR_get_error to check the OpenSSL error stack, finds an old
- error and returns SSL_ERROR_SSL instead of SSL_ERROR_WANT_READ or
- SSL_ERROR_WANT_WRITE.
+ Chunked-encoding adds its own overhead which why the bytes sent is not
+ equal to the file size. Prior to this change if a file was uploaded in
+ chunked-encoding and its size was known it was possible that the upload
+ could end prematurely without sending the final few chunks. That would
+ result in a server hang waiting for the remaining data, likely followed
+ by a disconnect.
- ssluse.c returns an error and aborts the connection
+ The scope of this bug is limited to some arbitrary file sizes which have
+ not been determined. One size that triggers the bug is 475020.
- Solution:
+ Bug: https://github.com/curl/curl/issues/2001
+ Reported-by: moohoorama@users.noreply.github.com
- Clear the openssl error stack before calling SSL_* operation if
- we're going to call SSL_get_error afterwards.
+ Closes https://github.com/curl/curl/pull/2010
+
+Daniel Stenberg (26 Oct 2017)
+- timeval: make timediff_t also work on 32bit windows
- Notes:
+ ... by using curl_off_t for the typedef if time_t is larger than 4
+ bytes.
- This is much more likely to happen with multi because it's easier
- to intersperse other calls to the OpenSSL library in the same
- thread.
+ Reported-by: Gisle Vanem
+ Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co
+ mmitcomment-25205058
+ Closes #2019
-Yang Tse (5 Jun 2010)
-- replace socklen_t with curl_socklen_t
-
-Daniel Stenberg (5 Jun 2010)
-- [Frank Meier brought this change]
-
- getinfo: added *_PRIMARY_PORT, *_LOCAL_IP and *_LOCAL_PORT
+- curl_fnmatch: return error on illegal wildcard pattern
+
+ ... instead of doing an infinite loop!
+
+ Added test 1162 to verify.
+
+ Reported-by: Max Dymond
+ Fixes #2015
+ Closes #2017
-- RELEASE-NOTES: add contributors not mentioned
+- [Max Dymond brought this change]
-Yang Tse (4 Jun 2010)
-- Enable OpenLDAP support for cygwin builds.
+ wildcards: don't use with non-supported protocols
- Enable OpenLDAP support for cygwin builds. This support was disabled back
- in 2008 due to incompatibilities between OpenSSL and OpenLDAP headers.
- cygwin's OpenSSL 0.9.8l and OpenLDAP 2.3.43 versions on cygwin 1.5.25
- allow building an OpenLDAP enabled libcurl supporting back to Windows 95.
+ Fixes timeouts in the fuzzing tests for non-FTP protocols.
- Remove non-functional CURL_LDAP_HYBRID code and references.
-
-Kamil Dudka (2 Jun 2010)
-- ftplistparser.c: oops, fix typo in the last commit
+ Closes #2016
-- ftplistparser.c: avoid some invalid dereferences
+- [Max Dymond brought this change]
-- lib: eliminate some dead code
+ multi: allow table handle sizes to be overridden
+
+ Allow users to specify their own hash define for
+ CURL_CONNECTION_HASH_SIZE so that both values can be overridden.
+
+ Closes #1982
-Daniel Stenberg (2 Jun 2010)
-- SSH: corrected the inability to respect the timeout
+- time: rename Curl_tvnow to Curl_now
- Jason McDonald posted bug report #3006786 when he found that the
- SFTP code didn't timeout properly in several places in the code
- even if a timeout was set properly.
+ ... since the 'tv' stood for timeval and this function does not return a
+ timeval struct anymore.
- Based on his suggested patch, I wrote a different implementation
- that I think addressed the issue better and also uses the connect
- timeout for the initial part of the SSH/SFTP done during the
- "protocol connect" phase.
+ Also, cleaned up the Curl_timediff*() functions to avoid typecasts and
+ clean up the descriptive comments.
- (http://curl.haxx.se/bug/view.cgi?id=3006786)
+ Closes #2011
-Yang Tse (2 Jun 2010)
-- mention last changes
+- ftplistparser: follow-up cleanup to remove PL_ERROR()
-- add missing new files to non-configure target build files
+- [Max Dymond brought this change]
-- include libcurl standard internal headers
-
-Daniel Stenberg (2 Jun 2010)
-- TODO: add multi interface improvement remove ldap select
-
-Yang Tse (2 Jun 2010)
-- make setup.h first included file
+ ftplistparser: free off temporary memory always
+
+ When using the FTP list parser, ensure that the memory that's
+ allocated is always freed.
+
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682
+ Closes #2013
-- fix spnego memory leak
+- timediff: return timediff_t from the time diff functions
+
+ ... to cater for systems with unsigned time_t variables.
+
+ - Renamed the functions to curlx_timediff and Curl_timediff_us.
+
+ - Added overflow protection for both of them in either direction for
+ both 32 bit and 64 bit time_ts
+
+ - Reprefixed the curlx_time functions to use Curl_*
+
+ Reported-by: Peter Piekarski
+ Fixes #2004
+ Closes #2005
-- openldap header inclusions fix
+- [Paul Howarth brought this change]
-Daniel Stenberg (1 Jun 2010)
-- multi_socket: handles timer inaccuracy better for timeouts
+ libtest: Add required test libraries for lib1552 and lib1553
- Igor Novoseltsev reported a problem with the multi socket API and
- using timeouts and timers. It boiled down to a problem with
- libcurl's use of GetTickCount() interally to figure out the
- current time, while Igor's own application code used another
- function call.
+ They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too.
- It made his app call the socket API timeout function a bit
- _before_ libcurl would consider the timeout to trigger, and that
- could easily lead to timeouts or stalls in the app. It seems
- GetTickCount() in general often has no better resolution than
- 16ms and switching to the alternative function
- QueryPerformanceCounter has its share of problems:
- http://www.virtualdub.org/blog/pivot/entry.php?id=106
+ This fixes build failures on Fedora 13.
- We address this problem by simply having libcurl treat timers
- that already has occured or will occur within 40ms subject for
- treatment. I'm confident that there are other implementations and
- operating systems with similarly in accurate timer functions so
- it makes sense to have applied generically and I don't believe we
- sacrifice much by adding a 40ms inaccuracy on these timeouts.
+ Closes #2006
-Yang Tse (1 Jun 2010)
-- fix ldaps option issue
+- [Alessandro Ghedini brought this change]
-- fix ldap related compilation issues
-
-- fix compiler warning: enumerated type mixed with another type
+ libcurl-tutorial.3: fix typo
+
+ closes #2008
-- fix compiler warning: enumerated type mixed with another type
+Alessandro Ghedini (23 Oct 2017)
+- curl_mime_filedata.3: fix typos
-Patrick Monnerat (31 May 2010)
-- smtp_authenticate: avoid compiler warnings
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: clean slate towards 7.57.0
-Yang Tse (31 May 2010)
-- fix compiler warning: enumerated type mixed with another type
+- [Max Dymond brought this change]
-- fix compiler warning: enumerated type mixed with another type
+ travis: exit if any steps fail
+
+ We don't expect any steps to fail in travis. Exit the script if they do.
+
+ Closes #1966
-- fix compiler warning: enumerated type mixed with another type
+Version 7.56.1 (23 Oct 2017)
-- fix compiler warning: external declaration in primary source file
+Daniel Stenberg (23 Oct 2017)
+- RELEASE-NOTES: 7.56.1
-- fix compiler warning: variable was set but never used
+- THANKS: update at 7.56.1 release time
-- fix compiler warning: enumerated type mixed with another type
+- [Jon DeVree brought this change]
-- fix compiler warning: external declaration in primary source file
+ mk-ca-bundle: Remove URL for aurora
+
+ Aurora is no longer used by Mozilla
+ https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/
-- update year in copyright notice
+- [Jon DeVree brought this change]
-Kamil Dudka (29 May 2010)
-- strtoofft: rename CURL_LLONG_MIN -> CURL_OFF_T_MIN
+ mk-ca-bundle: Fix URL for NSS
+
+ The 'tip' is the most recent branch committed to, this should be
+ 'default' like the URLs for the browser are.
- ... and CURL_LLONG_MAX -> CURL_OFF_T_MAX
+ Closes #1998
-- CURL_LLONG_MAX: avoid constant overflow
+- imap: if a FETCH response has no size, don't call write callback
- ... when (CURL_SIZEOF_CURL_OFF_T == 4)
+ CVE-2017-1000257
+
+ Reported-by: Brian Carpenter and 0xd34db347
+ Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
-Daniel Stenberg (28 May 2010)
-- [Howard Chu brought this change]
+- ftp: reject illegal IP/port in PASV 227 response
+
+ ... by using range checks. Among other things, this avoids an undefined
+ behavior for a left shift that could happen on negative or very large
+ values.
+
+ Closes #1997
+
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
- LDAPS: list availability depending on SSL's presence
+Patrick Monnerat (20 Oct 2017)
+- test653: check reuse of easy handle after mime data change
+
+ See issue #1999
-- [Howard Chu brought this change]
+- mime: do not reuse previously computed multipart size
+
+ The contents might have changed: size must be recomputed.
+
+ Reported-by: moteus on github
+ Fixes #1999
- LDAP: make it build without SSL if no such support is available
+- test308: disable if MultiSSL feature enabled
- of course it also goes for the case where SSL is explicitly
- disabled
+ Even if OpenSSL is enabled, it might not be the default backend when
+ multi-ssl is enabled, causing the test to fail.
+
+- runtests: support MultiSSL client feature
-- TODO: removed fixed items
+- vtls: change struct Curl_ssl `close' field name to `close_one'.
- These two items are now actually implemented:
+ On OS/400, `close' is an ASCII system macro that corrupts the code if
+ not used in a context not targetting the close() system API.
+
+- os400: add missing symbols in config file.
- 11.1 Content-Disposition
- 11.5 ftp wildcard download
+ Also adjust makefile to renamed files and warn about installation dirs mix-up.
-Kamil Dudka (28 May 2010)
-- lib: eliminate 'statement not reached' warnings
+- test652: curl_mime_data + base64 encoder with large contents
-Daniel Stenberg (28 May 2010)
-- test1115: verify that unexpected 1xx responses work fine
+- mime: limit bas64-encoded lines length to 76 characters
-Kamil Dudka (28 May 2010)
-- lib577: avoid redefinition of ERROR
+Daniel Stenberg (16 Oct 2017)
+- RELEASE-NOTES: synced with f121575c0
-- test313: a new test for CRL support
+- setopt: range check most long options
+
+ ... filter early instead of risking "funny values" having to be dealt
+ with elsewhere.
-- tests/certs: re-generated because of lost pass-phrase
+- setopt: avoid integer overflows when setting millsecond values
+
+ ... that are multiplied by 1000 when stored.
+
+ For 32 bit long systems, the max value accepted (2147483 seconds) is >
+ 596 hours which is unlikely to ever be set by a legitimate application -
+ and previously it didn't work either, it just caused undefined behavior.
+
+ Also updated the man pages for these timeout options to mention the
+ return code.
+
+ Closes #1938
-- tests/certs/scripts: generate also CRL
+Viktor Szakats (15 Oct 2017)
+- makefile.m32: allow to override gcc, ar and ranlib
+
+ Allow to ovverride certain build tools, making it possible to
+ use LLVM/Clang to build curl. The default behavior is unchanged.
+ To build with clang (as offered by MSYS2), these settings can
+ be used:
- ... and make it possible to do so without any user interaction
+ CURL_CC=clang
+ CURL_AR=llvm-ar
+ CURL_RANLIB=llvm-ranlib
+
+ Closes https://github.com/curl/curl/pull/1993
-Daniel Stenberg (27 May 2010)
-- [Howard Chu brought this change]
+- ldap: silence clang warning
+
+ Use memset() to initialize a structure to avoid LLVM/Clang warning:
+ ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]
+
+ Closes https://github.com/curl/curl/pull/1992
- openldap: fix compiler warnings
+Daniel Stenberg (14 Oct 2017)
+- runtests: use valgrind for torture as well
+
+ NOTE: it makes them terribly slow. I recommend only using valgrind for
+ specific torture tests or using lots of patience.
-- indent: some whitespace edits
+- memdebug: trace send, recv and socket
+
+ ... to allow them to be included in torture tests too.
+
+ closes #1980
-Kamil Dudka (27 May 2010)
-- wildcard.c: add missing include of "setup.h"
+- configure: remove the C++ compiler check
+
+ ... we used it only for the fuzzer, which we now have in a separate git
+ repo.
+
+ Closes #1990
-- [Tor Arntsen brought this change]
+Patrick Monnerat (13 Oct 2017)
+- mime: do not call failf() if easy handle is NULL.
- lib573: do not compare double for exact match
+Daniel Stenberg (13 Oct 2017)
+- test651: curl_formadd with huge COPYCONTENTS
-- [Pavel Raiskup brought this change]
+- mime: fix the content reader to handle >16K data properly
+
+ Reported-by: Jeroen Ooms
+ Closes #1988
- wildcard.c: add missing include of "curl_memory.h"
+Patrick Monnerat (12 Oct 2017)
+- mime: keep "text/plain" content type if user-specified.
+
+ Include test cases in 554, 587, 650.
+
+ Fixes https://github.com/curl/curl/issues/1986
-- [Tor Arntsen brought this change]
+- cli tool: use file2memory() to buffer stdin in -F option.
+
+ Closes PR https://github.com/curl/curl/pull/1985
- setup_once: use enum type for 'bool' on non-C99 platforms
+- cli tool: reimplement stdin buffering in -F option.
- An enum will catch non-bool assignments to bool on platforms with
- a strict compiler, e.g MIPSPro.
+ If stdin is not a regular file, its content is memory-buffered to enable
+ a possible data "rewind".
+ In all cases, stdin data size is determined before real use to avoid
+ having an unknown part's size.
- Signed-off-by: Kamil Dudka <kdudka@redhat.com>
-
-- url.c: avoid implied cast to bool
+ --libcurl generated code is left as an unbuffered stdin fread/fseek callback
+ part with unknown data size.
+
+ Buffering is not supported in deprecated curl_formadd() API.
-- [Tor Arntsen brought this change]
+Daniel Stenberg (12 Oct 2017)
+- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2
- curl_fnmatch: remove use of register keyword
+- HELP-US: the label "PR-welcome" is now renamed to "help wanted"
- Using the 'register' keyword rarely improves anything with modern
- compilers and architectures.
+ following the new github "standard"
-Daniel Stenberg (26 May 2010)
-- [Julien Chaffraix brought this change]
+- RELEASE-NOTES: synced with 5505df7d2
- RTMP: Fix compiler warnings
+Jay Satiro (11 Oct 2017)
+- [Artak Galoyan brought this change]
-- [Julien Chaffraix brought this change]
-
- OOM fixes in http_negociate.c and lib/splay.c
+ url: Update current connection SSL verify params in setopt
+
+ Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
+ connection updates the current connection's (i.e.'connectdata'
+ structure) appropriate ssl_config (and ssl_proxy_config) structures
+ variables, making these options effective for ongoing connection.
- Fix 2 OOM errors: a missing NULL-check in lib/http_negociate.c
- and a potential NULL dereferencing in lib/splay.c
+ This functionality was available before and was broken by the
+ following change:
+ "proxy: Support HTTPS proxy and SOCKS+HTTP(s)"
+ CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151.
+
+ Bug: https://github.com/curl/curl/issues/1941
+
+ Closes https://github.com/curl/curl/pull/1951
-- [Howard Chu brought this change]
+Daniel Stenberg (11 Oct 2017)
+- [David Benjamin brought this change]
- LDAP: properly implemented as a curl_handler
+ openssl: don't use old BORINGSSL_YYYYMM macros
- makes the LDAP code much cleaner, nicer and in general being a
- better libcurl citizen. If a new enough OpenLDAP version is
- detect, the new and shiny lib/openldap.c code is then used
- instead of the old cruft
+ Those were temporary things we'd add and remove for our own convenience
+ long ago. The last few stayed around for too long as an oversight but
+ have since been removed. These days we have a running
+ BORINGSSL_API_VERSION counter which is bumped when we find it
+ convenient, but 2015-11-19 was quite some time ago, so just check
+ OPENSSL_IS_BORINGSSL.
- Code by Howard, minor cleanups by Daniel.
+ Closes #1979
-- [Tor Arntsen brought this change]
+- test950; verify SMTP with custom request
- curl_fnmatch: Use int not bool when function returns int
+- ftpserver: support case insensitive commands
+
+- smtp_done: free data before returning (on send failure)
+
+ ... as otherwise it could leak that memory.
- bool in curl internals is unsigned char and should not be used
- to receive return value from functions returning int - this fails
- when using IBM VisualAge and Tru64 compilers.
+ Detected by OSS-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600
+
+ Assisted-by: Max Dymond
+ Closes #1977
-- TFTP: send legal timeout value
+- FTP: URL decode path for dir listing in nocwd mode
- Eric Mertens posted bug #3003705: when we made TFTP use the
- correct timeout option when sent to the server (fixed May 18th
- 2010) it became obvious that libcurl used invalid timeout values
- (300 by default while the RFC allows nothing above 255). While of
- course it is obvious that as TFTP has worked thus far without
- being able to set timeout at all, just removing the setting
- wouldn't make any difference in behavior. I decided to still keep
- it (but fix the problem) as it now actually allows for easier
- (future) customization of the timeout.
+ Reported-by: Zenju on github
- (http://curl.haxx.se/bug/view.cgi?id=3003705)
+ Test 244 added to verify
+ Fixes #1974
+ Closes #1976
-- TFTP: don't ack if wrong block num is received
+- test298: verify --ftp-method nowcwd with URL encoded path
- If an unexpected block number was received, break out of the
- switch loop.
+ Ref: #1974
+
+- CURLOPT_XFERINFODATA.3: fix duplicate see also
+
+- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction
+
+- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION
-- TFTP: block id wrap bug fix
+- openssl: enable PKCS12 support for !BoringSSL
- In a normal expression, doing [unsigned short] + 1 will not wrap
- at 16 bits so the comparisons and outputs were done wrong. I
- added a macro do make sure it gets done right.
+ Enable PKCS12 for all non-boringssl builds without relying on configure
+ or cmake checks.
- Douglas Kilpatrick filed bug report #3004787 about it:
- http://curl.haxx.se/bug/view.cgi?id=3004787
+ Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html
+ Reported-by: Christian Schmitz
+ Closes #1948
-- [Ben Greear brought this change]
+- [Kristiyan Tsaklev brought this change]
- Fix build warnings.
+ curl: don't pass semicolons when parsing Content-Disposition
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Test 1422 updated to verify.
+
+ Closes #1964
-- [Ben Greear brought this change]
+Patrick Monnerat (9 Oct 2017)
+- mime: properly unbind mime structure in curl_mime_free().
+
+ This allows freeing a mime structure bound to the easy handle before
+ curl_easy_cleanup().
+
+ Fixes #1970.
- setopt: Fix setting of set.is_fwrite_set
+Daniel Stenberg (9 Oct 2017)
+- RTSP: avoid integer overflow on funny RTSP response
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ ... like a very large non-existing RTSP version number.
+
+ Added test 577 to verify.
+
+ Detected by OSS-fuzz.
+ Closes #1969
+
+Patrick Monnerat (8 Oct 2017)
+- ftpserver: properly reset $ftptargetdir.
-- [Tanguy Fautre brought this change]
+- test643: verify curl_mime_subparts() rejects cyclic additions.
- build: allow curl to build with Microsoft VC10
+- mime: refuse to add subparts to one of their own descendants.
- By undefing a bunch of E* defines that VC10 has started to define
- but that we redefine internally to their WSA* alternatives when
- building for Windows.
+ Reported-by: Alexey Melnichuk
+ Fixes #1962
-Kamil Dudka (20 May 2010)
-- [Tor Arntsen brought this change]
+- mime: avoid resetting a part's encoder when part's contents change.
- Test 573: Use correct type for CURLINFO_CONNECT_TIME
+- mime: improve unbinding top multipart from easy handle.
- curl_easy_getinfo() called with a pointer to long instead of double
- would sigbus on RISC processors (e.g. MIPS) due to wrong alignment
- of pointer address.
+ Also avoid dangling pointers in referencing parts.
-- [Tor Arntsen brought this change]
+Daniel Stenberg (8 Oct 2017)
+- RELEASE-NOTES: synced with a4c1c75da30af1
- lib: Fix AIX build failure
+- curlver.h: next expected release is 7.57.0
-Dan Fandrich (19 May 2010)
-- Fixed some memory leaks in the POP3 torture tests
+Patrick Monnerat (8 Oct 2017)
+- mime: be tolerant about setting twice the same header list in a part.
-- Fixed a memory leak in the SMTP torture tests
+- docs: clarify form/mime usage of non-regular data files.
-Daniel Stenberg (18 May 2010)
-- TFTP: send timeout option correctly
+Daniel Stenberg (8 Oct 2017)
+- Revert "multi_done: wait for name resolve to finish if still ongoing"
- Eric Mertens posted bug report #3003005 pointing out that the
- libcurl TFTP code was not sending the timeout option properly to
- the server, and suggested a fix.
+ This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe.
- (http://curl.haxx.se/bug/view.cgi?id=3003005)
-
-Kamil Dudka (16 May 2010)
-- [Tor Arntsen brought this change]
+ Caused memory leaks in the fuzzer, needs to be done differently.
+
+ Disable test 1553 for now too, as it causes memory leaks without this
+ commit!
- lib: Change some CRLF line endings to LF
+- remove_handle: call multi_done() first, then clear dns cache pointer
- An update had added a couple of lines with DOS line endings,
- and some compilers will choke on that (e.g. the Tru64 compiler).
+ Closes #1960
-- ftp wildcard: a new option CURLOPT_FNMATCH_DATA
+- multi_done: wait for name resolve to finish if still ongoing
+
+ ... as we must clean up memory.
-Daniel Stenberg (15 May 2010)
-- [Howard Chu brought this change]
+- pingpong: return error when trying to send without connection
+
+ When imap_done() got called before a connection is setup, it would try
+ to "finish up" and dereffed a NULL pointer.
+
+ Test case 1553 managed to reproduce. I had to actually use a host name
+ to try to resolve to slow it down, as using the normal local server IP
+ will make libcurl get a connection in the first curl_multi_perform()
+ loop and then the bug doesn't trigger.
+
+ Fixes #1953
+ Assisted-by: Max Dymond
- RMTP: the version code is now rtmp aware
+Dan Fandrich (6 Oct 2017)
+- tests: added flaky keyword to tests 587 and 644
+
+ These are around 5% flaky in my Linux x86 autobuilds.
-- [Howard Chu brought this change]
+Marcel Raad (6 Oct 2017)
+- vtls: fix warnings with --disable-crypto-auth
+
+ When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters
+ are not used.
- RTMP: fix wrong #ifdef
+Daniel Stenberg (6 Oct 2017)
+- multi_cleanup: call DONE on handles that never got that
+
+ ... fixes a memory leak with at least IMAP when remove_handle is never
+ called and the transfer is abruptly just abandoned early.
+
+ Test 1552 added to verify
+
+ Detected by OSS-fuzz
+ Assisted-by: Max Dymond
+ Closes #1954
-- [Pavel Raiskup brought this change]
+- [Benbuck Nason brought this change]
- ftp wildcard: fix int32_t and size/group mixups
+ strtoofft: Remove extraneous null check
+
+ Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str'
+ argument.
+
+ Closes #1952
-Dan Fandrich (14 May 2010)
-- Fixed test 577 to work when --enable-hidden-symbols is configured
+- openssl: fix build without HAVE_OPAQUE_EVP_PKEY
+
+ Reported-by: Javier Sixto
+ Fixes #1955
+ Closes #1956
-Daniel Stenberg (14 May 2010)
-- OpenSSL: multi interface handshake could hang
+Viktor Szakats (6 Oct 2017)
+- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
- John-Mark Bell filed bug #3000052 that identified a problem (with
- an associated patch) with the OpenSSL handshake state machine
- when the multi interface is used:
+ The source code is now prepared to handle the case when both
+ Win32 Crypto and OpenSSL/NSS crypto backends are enabled
+ at the same time, making it now possible to enable `USE_WIN32_CRYPTO`
+ whenever the targeted Windows version supports it. Since this
+ matches the minimum Windows version supported by curl
+ (Windows 2000), enable it unconditionally for the Win32 platform.
- Performing an https request using a curl multi handle and using
- select or epoll to wait for events results in a hang. It appears
- that the cause is the fix for bug #2958179, which makes
- ossl_connect_common unconditionally return from the step 2 loop
- when fetching from a multi handle.
+ This in turn enables SMB (and SMBS) protocol support whenever
+ Win32 Crypto is available, regardless of what other crypto backends
+ are enabled.
- When ossl_connect_step2 has completed, it updates
- connssl->connecting_state to ssl_connect_3. ossl_connect_common
- will then return to the caller, as a multi handle is in
- use. Eventually, the client code will call curl_multi_fdset to
- obtain an updated fdset to select or epoll on. For https
- requests, curl_multi_fdset will cause https_getsock to be called.
- https_getsock will only return a socket handle if the
- connecting_state is ssl_connect_2_reading or
- ssl_connect_2_writing. Therefore, the client will never obtain a
- valid fdset, and thus not drive the multi handle, resulting in a
- hang.
+ Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052
- (http://curl.haxx.se/bug/view.cgi?id=3000052)
+ Closes https://github.com/curl/curl/pull/1943
-- changelog: add link to bug report
+Daniel Stenberg (5 Oct 2017)
+- build: fix --disable-crypto-auth
+
+ Reported-by: Wyatt O'Day
+ Fixes #1945
+ Closes #1947
-Dan Fandrich (14 May 2010)
-- Added directories.pm to the source tar ball
+Jay Satiro (5 Oct 2017)
+- [Nick Zitzmann brought this change]
-Daniel Stenberg (14 May 2010)
-- follow redirect: ignore response-body on redirect even if compressed
+ darwinssl: add support for TLSv1.3
- Sebastian V reported bug #3000056 identifying a problem with
- redirect following. It showed that when curl followed redirects
- it didn't properly ignore the response body of the 30X response
- if that response was using compressed Content-Encoding!
-
- (http://curl.haxx.se/bug/view.cgi?id=3000056)
+ Closes https://github.com/curl/curl/pull/1794
-- version: we're now going for 7.21.0
+Daniel Stenberg (4 Oct 2017)
+- [Felix Kaiser brought this change]
-- [Hoi-Ho Chan brought this change]
+ docs: fix typo in curl_mime_data_cb man page
+
+ Closes #1946
- Remove support for BSD version of PolarSSL
+Viktor Szakats (4 Oct 2017)
+- lib/Makefile.m32: allow customizing dll suffixes
- "The BSD version of PolarSSL was made for migratory purposes only and is not
- maintained. The GPL version of PolarSSL is actually the only actively
- developed version, so I would be very reluctant to use the BSD version." /
- Paul Bakker, PolarSSL hacker.
+ - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated
+ libcurl dll name. Useful to add `-x64` to 64-bit builds so that
+ it can live in the same directory as the 32-bit one. By default
+ this is empty.
- Signed-off-by: Hoi-Ho Chan <hoiho.chan@gmail.com>
-
-Dan Fandrich (12 May 2010)
-- Added Polar SSL and RTMP files to the non-autoconf build files
+ - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the
+ generated import library (implib) for libcurl .dll. It defaults
+ to `dll`, and it's useful to modify that to `.dll` to have the
+ standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`.
- I didn't bother with a few that have little hope of running the required
- dependent libraries.
-
-- Added the new ftp source files to the non-autoconf build files
+ Closes https://github.com/curl/curl/pull/1942
-- Copy the license file so it's seen by the Android build system
+Daniel Stenberg (4 Oct 2017)
+- [Max Dymond brought this change]
-Daniel Stenberg (13 May 2010)
-- updated with symbols added in recent commits for 7.21.0
-
-- changelogs: mention RTMP and the FTP wildcard support
+ fuzzer: move to using external curl-fuzzer
+
+ Use the external curl-fuzzer repository for fuzzing.
+
+ Closes #1923
-- ftp wildcards: mention they're added in 7.21.0
+- failf: skip the sprintf() if there are no consumers
+
+ Closes #1936
-- style: minor whitespace change
+- ftp: UBsan fixup 'pointer index expression overflowed'
+
+ Closes #1939
-- syntax: cleanups
+- RELEASE-PROCEDURE: update the release schedule
-- [Pavel Raiskup brought this change]
+Version 7.56.0 (4 Oct 2017)
- FTP: WILDCARDMATCH/CHUNKING/FNMATCH added
+Daniel Stenberg (4 Oct 2017)
+- RELEASE-NOTES: curl 7.56.0
-- [Howard Chu brought this change]
+- THANKS: added new 7.56.0 contributors
- RTMP: initial support added, powered by librtmp
+Jay Satiro (4 Oct 2017)
+- build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported
- librtmp is found at http://rtmpdump.mplayerhq.hu/
+ Ref: https://github.com/curl/curl/issues/1002
-- [Howard Chu brought this change]
+Michael Kaufmann (3 Oct 2017)
+- idn: fix source code comment
- sendrecv: make them two pairs of send/recv to properly deal with FTPS
+- vtls: compare and clone ssl configs properly
+
+ Compare these settings in Curl_ssl_config_matches():
+ - verifystatus (CURLOPT_SSL_VERIFYSTATUS)
+ - random_file (CURLOPT_RANDOM_FILE)
+ - egdsocket (CURLOPT_EGDSOCKET)
- FTP(S) use two connections that can be set to different recv and
- send functions independently, so by introducing recv+send pairs
- in the same manner we already have sockets/connections we can
- work with FTPS fine.
+ Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
+ and copy the setting "sessionid" unconditionally.
- This commit fixes the FTPS regression introduced in change d64bd82.
+ This means that reusing connections that are secured with a client
+ certificate is now possible, and the statement "TLS session resumption
+ is disabled when a client certificate is used" in the old advisory at
+ https://curl.haxx.se/docs/adv_20170419.html is obsolete.
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #1917
-Kamil Dudka (11 May 2010)
-- changelog: fixed CRL support in libcurl-NSS
+- proxy: read the "no_proxy" variable only if necessary
+
+ Reviewed-by: Daniel Stenberg
+
+ Closes #1919
-- nss: make it possible to read ASCII and DER CRL
+Patrick Monnerat (3 Oct 2017)
+- libcurl-tutorial: add casts in example to avoid compilation warnings.
-- nss: add CRL to cache instead of read-only NSS db
+Daniel Stenberg (3 Oct 2017)
+- examples: bring back curl_formadd-using examples
+
+ ... now with a -formadd suffix. While the new mime API is introduced in
+ 7.56.0 we must acknowledge that lots of users can't upgrade their curl
+ versions immediately.
-Daniel Stenberg (10 May 2010)
-- git: how to write a fine commit message
+- test1153: verify quoted double-qoutes in PWD response
-- findtool: file name as a full path requires a slash
+- FTP: zero terminate the entry path even on bad input
+
+ ... a single double quote could leave the entry path buffer without a zero
+ terminating byte. CVE-2017-1000254
- Kalle Vahlman's patch applied a while ago broke how the findtool
- function searches for tools, as it would always check if "$file"
- was present first, which thus made the bad assumption that a file
- in the current directory would be a match.
+ Test 1152 added to verify.
- I noticed when it found 'libtool' in the current directory but
- libtoolize is not there, which confused the script.
+ Reported-by: Max Dymond
+ Bug: https://curl.haxx.se/docs/adv_20171004.html
-Hacki (8 May 2010)
-- moved vars into conditional since seems that winsock implementation doesnt use them.
+Jay Satiro (2 Oct 2017)
+- [Sergei Nikulov brought this change]
-Daniel Stenberg (7 May 2010)
-- multi interface: missed storing connection time
+ cmake: disable tests and man generation if perl/nroff not found
- Dirk Manske reported a regression. When connecting with the multi
- interface, there were situations where libcurl wouldn't store
- connect time correctly as it used to (and is documented to) do.
+ Fixes https://github.com/curl/curl/issues/1500
+ Reported-by: Jay Satiro
- Using his fine sample program we could repeat it, and I wrote up
- test case 573 using that code. The problem does not easily show
- itself using the local test suite though.
+ Fixes https://github.com/curl/curl/pull/1662
+ Assisted-by: Tom Seddon
+ Assisted-by: dpull@users.noreply.github.com
+ Assisted-by: elelel@users.noreply.github.com
- The fix, also as suggested by Dirk, is a bit on the ugly side as
- it adds yet another call to Curl_verboseconnect() and setting the
- TIMER_CONNECT time. That situation is subject for some closer
- inspection in the future.
+ Closes https://github.com/curl/curl/pull/1924
-- verboseconnect: so the verbose checking within the function
-
- As the function is used more than once and libcurl can be built
- without it, do the conditional check within the verboseconnect()
- function itself.
+Patrick Monnerat (2 Oct 2017)
+- libcurl-tutorial: fix two typos.
-- changelogs: split the I/O handling
+- TODO: remove deprecated form API items.
-- [Howard Chu brought this change]
+- libcurl-tutorial: describe MIME API and deprecate form API.
+
+ Include a guide to form/mime API conversion.
- sendrecv: split the I/O handling into private handler
+Daniel Stenberg (30 Sep 2017)
+- cookie: fix memory leak if path was set twice in header
- Howard Chu brought the bulk work of this patch that properly
- moves out the sending and recving of data to the parts of the
- code that are properly responsible for the various ways of doing
- so.
+ ... this will let the second occurance override the first.
- Daniel Stenberg assisted with polishing a few bits and fixed some
- minor flaws in the original patch.
+ Added test 1161 to verify.
- Another upside of this patch is that we now abuse CURLcodes less
- with the "magic" -1 return codes and instead use CURLE_AGAIN more
- consistently.
+ Reported-by: Max Dymond
+ Fixes #1932
+ Closes #1933
-- changelog: PolarSSL
-
-- [Hoi-Ho Chan brought this change]
-
- PolarSSL: initial support added
+Dan Fandrich (30 Sep 2017)
+- test650: Use variable replacement to set the host address and port
- This is Hoi-Ho Chan's patch with some minor fixes by me. There
- are some potential issues in this, but none worse than we can
- sort out on the list and over time.
+ Otherwise, the test fails when the -b test option is used to set a
+ different test port range.
-- TODO: we've done PRET already, consider HOST for the future
+- Set and use more necessary options when some protocols are disabled
- ... and GnuTLS connects are non-blocking, TFTP is better
- integrated as a "real" protocol and RTSP is supported.
+ When curl and libcurl are built with some protocols disabled, they stop
+ setting and receiving some options that don't make sense with those
+ protocols. In particular, when HTTP is disabled many options aren't set
+ that are used only by HTTP. However, some options that appear to be
+ HTTP-only are actually used by other protocols as well (some despite
+ having HTTP in the name) and should be set, but weren't. This change now
+ causes some of these options to be set and used for more (or for all)
+ protocols. In particular, this fixes tests 646 through 649 in an
+ HTTP-disabled build, which use the MIME API in the mail protocols.
-- TODO: GnuTLS connects are now non-blocking
+Daniel Stenberg (29 Sep 2017)
+- test1160: verifies cookie leak for large cookies
- Since commit c288860 by Jerome Vouillon
+ The fix done in 20ea22ff735
-- INTERNALS: tftp is decent now, ldap is not
+- cookie: fix memory leak on oversized rejection
- It's not quite fair to list TFTP is a "crappy" member of the
- libcurl family so I removed its mentioning.
-
-- changelog: mention Ben Greear's telnet work
+ Regression brought by 2bc230de63b
+
+ Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513
+ Assisted-by: Max Dymond
+
+ Closes #1930
-- [Ben Greear brought this change]
+- [Anders Bakken brought this change]
- telnet: Allow programatic use of telnet.
+ connect: fix race condition with happy eyeballs timeout
- The main change is to allow input from user-specified methods,
- when they are specified with CURLOPT_READFUNCTION.
- All calls to fflush(stdout) in telnet.c were removed, which makes
- using 'curl telnet://foo.com' painful since prompts and other data
- are not always returned to the user promptly. Use
- 'curl --no-buffer telnet://foo.com' instead. In general,
- the user should have their CURLOPT_WRITEFUNCTION do a fflush
- for interactive use.
+ The timer should be started after conn->connecttime is set. Otherwise
+ the timer could expire without this condition being true:
- Also fix assumption that reading from stdin never returns < 0.
- Old code could crash in that case.
+ /* should we try another protocol family? */
+ if(i == 0 && conn->tempaddr[1] == NULL &&
+ curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) {
- Call progress functions in telnet main loop.
+ Ref: #1928
+
+Michael Kaufmann (28 Sep 2017)
+- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Closes #1922
-- test: enable valgrind for 604, seems to work
-
-Kamil Dudka (28 Apr 2010)
-- [Paul Howarth brought this change]
+- docs: clarify the use of environment variables for proxy
+
+ Closes #1921
- add 1s post-command delay to tests 513 and 514
+- http: add custom empty headers to repeated requests
- addressing http://curl.haxx.se/mail/lib-2009-12/0031.html
+ Closes #1920
-Daniel Stenberg (26 Apr 2010)
-- [Kalle Vahlman brought this change]
+- reuse_conn: don't copy flags that are known to be equal
+
+ A connection can only be reused if the flags "conn_to_host" and
+ "conn_to_port" match. Therefore it is not necessary to copy these flags
+ in reuse_conn().
+
+ Closes #1918
- Allow tools to be defined with full path in buildconf
+Daniel Stenberg (27 Sep 2017)
+- curl.h: include <sys/select.h> on cygwin too
+
+ When building with -std=c++14 on cygwin, this header won't be
+ automatically included as it otherwise is.
- This is required in Scratchbox where
- LIBTOOL=/targets/links/arch_tools/bin/libtool
- is set in the environment.
+ The <sys/select.h> include decision should ideally be reversed and be
+ avoided where that header file doesn't exist.
+
+ Reported-by: Ian Fette
+ Fixes #1925
+
+- RELEASE-NOTES: synced with d8ab5dc50
-- progress callback: can be called more than once per sec
+Michael Kaufmann (24 Sep 2017)
+- tests: adjust .gitignore for new tests
-- SSH: init and cleanup libssh2 in global_init/cleanup
+Jay Satiro (23 Sep 2017)
+- ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
- The necessary libssh2 functions require libssh2 1.2.5 or later.
+ .. and include the core NTLM header in all NTLM-related source files.
+
+ Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
+ but did not include vtls.h where it was defined.
+
+ Closes https://github.com/curl/curl/pull/1911
+
+Daniel Stenberg (23 Sep 2017)
+- file_range: avoid integer overflow when figuring out byte range
+
+ When trying to bump the value with one and the value is already at max,
+ it causes an integer overflow.
+
+ Closes #1908
+ Detected by oss-fuzz:
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465
+
+ Assisted-by: Max Dymond
-- new configure option --enable-threaded-resolver
+Michael Kaufmann (23 Sep 2017)
+- tests: fix a compiler warning in test 643
+
+Jay Satiro (23 Sep 2017)
+- symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry
+
+ - Use spaces instead of tabs as the delimiter.
+
+ Follow up to 7c52b12 which added the entry. The entry had used tabs but
+ the symbol-scan parser doesn't recognize tabs and would fail the symbol.
-- configure: check for libssh2_init and libssh2_exit
+Viktor Szakats (22 Sep 2017)
+- metalink: fix NSS issue in MultiSSL builds
+
+ In MultiSSL mode (i.e. when more than one SSL backend is compiled
+ in), we cannot use the compile time flag `USE_NSS` as indicator that
+ the NSS backend is in use. As far as Metalink is concerned, the SSL
+ backend is only used for MD5, SHA-1 and SHA-256 calculations,
+ therefore one of the available SSL backends is selected at compile
+ time, in a strict order of preference.
+
+ Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
+ to determine whether the SSL backend used for Metalink is the NSS
+ backend, and use that to guard the code that wants to de-initialize
+ the NSS-specific data structure.
+
+ Ref: https://github.com/curl/curl/pull/1848
-Kamil Dudka (24 Apr 2010)
-- nss: fix SSL handshake timeout underflow
+- ntlm: use strict order for SSL backend #if branches
+
+ With the recently introduced MultiSSL support multiple SSL backends
+ can be compiled into cURL That means that now the order of the SSL
+
+ One option would be to use the same SSL backend as was configured
+ via `curl_global_sslset()`, however, NTLMv2 support would appear
+ to be available only with some SSL backends. For example, when
+ eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
+ support for NTLMv1 using Windows' Crypt API, it specifically did
+ *not* introduce NTLMv2 support using Crypt API at the same time.
+
+ So let's select one specific SSL backend for NTLM support when
+ compiled with multiple SSL backends, using a priority order such
+ that we support NTLMv2 even if only one compiled-in SSL backend can
+ be used for that.
+
+ Ref: https://github.com/curl/curl/pull/1848
-Guenter Knauf (24 Apr 2010)
-- encourage users to take latest lib dependencies.
+Daniel Stenberg (22 Sep 2017)
+- symbols-in-versions: add CURLSSLSET_NO_BACKENDS
+
+ ...fixup from b8e0fe19ec
-Daniel Stenberg (24 Apr 2010)
-- socks5: please static code analyzer
+- imap: quote atoms properly when escaping characters
- Make sure we don't call memcpy() if the argument is NULL even
- though we also passed a zero length then, as the clang analyzer
- whined and we want to limit warnings (even false positives) when
- they're this easy to fix.
+ Updates test 800 to verify
- The change of (char) to (unsigned char) will fix long user names
- and passwords on systems that have the char type signed by
- default.
+ Fixes #1902
+ Closes #1903
-- gzip: Value stored to 'data' is never read
+- tests: make the imap server not verify user+password
+
+ ... as the test cases themselves do that and it makes it easier to add
+ crazy test cases.
+
+ Test 800 updated to use user name + password that need quoting.
+
+ Test 856 updated to trigger an auth fail differently.
+
+ Ref: #1902
-- RELEASE-NOTES: update top numbers
+- vtls: provide curl_global_sslset() even in non-SSL builds
+
+ ... it just returns error:
+
+ Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367
+ Reported-by: Marcel Raad
+
+ Closes #1906
-- changelog: added the --proto and -proto-redir options
+Patrick Monnerat (22 Sep 2017)
+- form/mime: field names are not allowed to contain zero-valued bytes.
+
+ Also suppress length argument of curl_mime_name() (names are always
+ zero-terminated).
-- [Alex Bligh brought this change]
+Daniel Stenberg (21 Sep 2017)
+- [Dirk Feytons brought this change]
- curl: added --proto and --proto-redir
+ openssl: only verify RSA private key if supported
- --proto tells curl to use the listed protocols for its initial
- retrieval
+ In some cases the RSA key does not support verifying it because it's
+ located on a smart card, an engine wants to hide it, ...
+ Check the flags on the key before trying to verify it.
+ OpenSSL does the same thing internally; see ssl/ssl_rsa.c
- --proto-redir tells curl to use the listed protocols after a
- redirect
+ Closes #1904
-Kamil Dudka (24 Apr 2010)
-- test536: do not fail with threaded DNS resolver
+Marcel Raad (21 Sep 2017)
+- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE
- Also tweaked comments in certain examples using curl_multi_fdset().
+ Otherwise, typecheck-gcc.h warns on MinGW-w64.
-Daniel Stenberg (21 Apr 2010)
-- curl: -O crash on windows
+Patrick Monnerat (20 Sep 2017)
+- mime: rephrase the multipart output state machine (#1898) ...
- The -O option caused curl to crash on windows and DOS due to the
- tool writing out of boundary memory.
+ ... in hope coverity will like it much.
-Yang Tse (20 Apr 2010)
-- hmac.c related compilation adjustment
+- mime: fix an explicit null dereference (#1899)
-- hmac.c related compilation adjustment
+Daniel Stenberg (20 Sep 2017)
+- curl: check fseek() return code and bail on error
+
+ Detected by coverity. CID 1418137.
-monnerat (20 Apr 2010)
-- Add compilation directives for hmac in Watcom,riscos and vc6 platform-specific makefiles.
+- smtp: fix memory leak in OOM
+
+ Regression since ce0881edee
+
+ Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
+ torture testing.
-Yang Tse (20 Apr 2010)
-- [Ruslan Gazizov brought this change]
+- RELEASE-NOTES: synced with 5fe85587c
- replaced wsock32.lib usage with ws2_32.lib in MSVC makefiles
+- [Pavel Pavlov brought this change]
-monnerat (19 Apr 2010)
-- Merge branch 'master' of github.com:bagder/curl
+ cookies: use lock when using CURLINFO_COOKIELIST
+
+ Closes #1896
-- Remove null-effect leftover code.
+- [Max Dymond brought this change]
-Daniel Stenberg (19 Apr 2010)
-- changelog: -J/--remote-header-name strips CRLF
+ ossfuzz: changes before merging the generated corpora
+
+ Before merging in the oss-fuzz corpora from Google, there are some changes
+ to the fuzzer.
+ - Add a read corpus script, to display corpus files nicely.
+ - Change the behaviour of the fuzzer so that TLV parse failures all now
+ go down the same execution paths, which should reduce the size of the
+ corpora.
+ - Make unknown TLVs a failure to parse, which should decrease the size
+ of the corpora as well.
+
+ Closes #1881
-- parse_filename: strip trailing CRs and LFs
+- mime:escape_string minor clarification change
+
+ ... as it also removes a warning with old gcc versions.
- The feature that uses the file name given in a
- Content-disposition: header didn't properly skip trailing
- carriage returns and linefeed characters from the end of the file
- name when it was given without quotes.
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html
+ Reported-by: Ben Greear
-- Curl_HMAC_MD5: fix the array init to not warn with picky compilers
+- [Max Dymond brought this change]
-monnerat (19 Apr 2010)
-- Fix GnuTLS compilation problem in md5.c
+ ossfuzz: don't write out to stdout
+
+ Don't make the fuzzer write out to stdout - instead write some of the
+ contents to a memory block so we exercise the data output code but
+ quietly.
+
+ Closes #1885
-- Fix compilation problem: declare Curl_HMAC_MD5 as extern in include file.
+- cookies: reject oversized cookies
+
+ ... instead of truncating them.
+
+ There's no fixed limit for acceptable cookie names in RFC 6265, but the
+ entire cookie is said to be less than 4096 bytes (section 6.1). This is
+ also what browsers seem to implement.
+
+ We now allow max 5000 bytes cookie header. Max 4095 bytes length per
+ cookie name and value. Name + value together may not exceed 4096 bytes.
+
+ Added test 1151 to verify
+
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
+ Reported-by: Kevin Smith
+
+ Closes #1894
-- Merge branch 'master' of github.com:bagder/curl
+- travis: on mac, don't install openssl or libidn
+
+ - openssl is already installed and causes warnings when trying to
+ install again
+
+ - libidn isn't used these days, and homebrew doesn't seem to have a
+ libidn2 package to replace with easily
+
+ Closes #1895
-- Implement SMTP authentication
+- curl: make str2udouble not return values on error
+
+ ... previously it would store a return value even when it returned
+ error, which could make the value get used anyway!
+
+ Reported-by: Brian Carpenter
+ Closes #1893
-Daniel Stenberg (17 Apr 2010)
-- parseconfig: Value stored to 'line' is never read
+Jay Satiro (18 Sep 2017)
+- socks: fix incorrect port number in SOCKS4 error message
- Make the function call with (void) as we don't care about the
- return code.
+ Prior to this change it appears the SOCKS5 port parsing was erroneously
+ used for the SOCKS4 error message, and as a result an incorrect port
+ would be shown in the error message.
+
+ Bug: https://github.com/curl/curl/issues/1892
+ Reported-by: Jackarain@users.noreply.github.com
+
+- [Marc Aldorasi brought this change]
-- parsedate: Value stored to 'found' is never read
+ schannel: Support partial send for when data is too large
+
+ Schannel can only encrypt a certain amount of data at once. Instead of
+ failing when too much data is to be sent at once, send as much data as
+ we can and let the caller send the remaining data by calling send again.
+
+ Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html
+
+ Closes https://github.com/curl/curl/pull/1890
-- check_gzip_header: Value stored to 'data' is never read
+- [David Benjamin brought this change]
-- dprintf_formatf: Value stored to 'left' is never read
+ openssl: add missing includes
+
+ lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
+ their headers directly rather than relying on other OpenSSL headers
+ including things.
+
+ Closes https://github.com/curl/curl/pull/1891
-- curl_version: remove superfluous assignments
+Daniel Stenberg (15 Sep 2017)
+- conversions: fix several compiler warnings
-- FTP PORT: Value stored to 'rc' is never read
+- server/getpart: provide dummy function to build conversion enabled
-- Curl_setup_transfer: no longer returns anything
+- non-ascii: use iconv() with 'char **' argument
- This function could only return CURLE_OK and by changing it to
- a void instead, we can simplify code all over.
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html
+
+- escape.c: error: pointer targets differ in signedness
-- PASV response: Value stored to 'rc' is never read
+- docs: clarify the CURLOPT_INTERLEAVE* options behavior
-- Curl_perform: Value stored to 'res2' is never read
+- [Max Dymond brought this change]
-- sftp range: remove unnecessary check for NULL pointer
+ rtsp: Segfault in rtsp.c when using WRITEDATA
+
+ If the INTERLEAVEFUNCTION is defined, then use that plus the
+ INTERLEAVEDATA information when writing RTP. Otherwise, use
+ WRITEFUNCTION and WRITEDATA.
+
+ Fixes #1880
+ Closes #1884
-- ftp_range: remove unnecessary check for NULL pointer
+Marcel Raad (15 Sep 2017)
+- [Isaac Boukris brought this change]
-- file_range: remove unnecessary check for NULL pointer
+ tests: enable gssapi in travis-ci linux build
+
+ Closes https://github.com/curl/curl/pull/1687
-- SOCKS4: Value stored to 'rc' is never read
+- [Isaac Boukris brought this change]
-- FTP PASV: Value stored to 'rc' is never read
+ tests: add initial gssapi test using stub implementation
+
+ The stub implementation is pre-loaded using LD_PRELOAD
+ and emulates common gssapi uses (only builds if curl is
+ initially built with gssapi support).
+
+ The initial tests are currently disabled for debug builds
+ as LD_PRELOAD is not used then.
+
+ Ref: https://github.com/curl/curl/pull/1687
-- ftp_range: Value stored to 'totalsize' is never read
+Daniel Stenberg (15 Sep 2017)
+- test1150: verify same host fetch using different ports over proxy
- Simplified the code by removing a local variable completely.
+ Closes #1889
-- SOCKS5: when name resolves fail return immediately
+- URL: on connection re-use, still pick the new remote port
- This makes the code flow more obvious and reacts on the return
- code properly, even if the code acted the same way before.
+ ... as when a proxy connection is being re-used, it can still get a
+ different remote port.
+
+ Fixes #1887
+ Reported-by: Oli Kingshott
-- POP3: when USER command fails, don't even try PASS
+- RELEASE-NOTES: synced with 87501e57f
-- tftp_rx: Value stored to 'sbytes' is never read
+- code style: remove wrong uses of multiple spaces
+
+ Closes #1878
-- file_range: Value stored to 'totalsize' is never read
+- checksrc: detect and warn for multiple spaces
-- changelog: GnuTLS: SSL handshake phase is non-blocking
+- code style: use space after semicolon
-- [Jerome Vouillon brought this change]
+- checksrc: verify space after semicolons
- GnuTLS: make the connection phase non-blocking
-
- When multi interface is used, the SSL handshake is no longer
- blocking when GnuTLS is used.
+- code style: use spaces around pluses
-- krb5_auth: fix my previous change to compile
+- checksrc: detect and warn for lack of spaces next to plus signs
-unknown (16 Apr 2010)
-- OS400 version V5R2M0 not supported anymore by IBM: default target release changed to V5R3M0.
+- code style: use spaces around equals signs
-Daniel Stenberg (16 Apr 2010)
-- changelog: GnuTLS fix, no reverse loopkups and fixed GSS detection
+- checksrc: verify spaces around equals signs
+
+ ... as the code style mandates.
-- SSL_RECV: EOF is not an error here
+- Curl_checkheaders: make it available for IMAP and SMTP too
- The recent overhaul of the SSL recv function made this treat a
- zero returned from gnutls_record_recv() as an error, and this
- caused our HTTPS test cases to fail. We leave it to upper layer
- code to detect if an EOF is a problem or not.
+ ... not only HTTP uses this now.
+
+ Closes #1875
-- [Paul Howarth brought this change]
+- travis: add build without HTTP/SMTP/IMAP
- configure: GSSAPI detection on ancient Linux distros
+Jay Satiro (10 Sep 2017)
+- mbedtls: enable CA path processing
- On some ancient distributions such as RHEL-3, <gssapi/gssapi_krb5.h> needs
- to be processed after <gssapi/gssapi.h>, but does not include it itself.
- This patch checks for <gssapi/gssapi.h> first and then includes it
- in the test for <gssapi/gssapi_krb5.h>, resolving the problem.
+ CA path processing was implemented when mbedtls.c was added to libcurl
+ in fe7590f, but it was never enabled.
- Without the patch, <gssapi/gssapi_krb5.h> is "present but cannot be
- compiled".
+ Bug: https://github.com/curl/curl/issues/1877
+ Reported-by: SBKarr@users.noreply.github.com
-- resolvers: no more using AI_CANONNAME
+Daniel Stenberg (8 Sep 2017)
+- rtsp: do not call fwrite() with NULL pointer FILE *
+
+ If the default write callback is used and no destination has been set, a
+ NULL pointer would be passed to fwrite()'s 4th argument.
+
+ OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
+ (not publicly open yet)
- No resolver anymore needs to use AI_CANONNAME and do reverse
- lookups. We should work hard to avoid having code that relies on
- it.
+ Detected by OSS-fuzz
+ Closes #1874
-- KRB5: use given host name instead of reverse lookup'ed name
+- configure: use -Wno-varargs on clang 3.9[.X] debug builds
- This code would previously use dns_entry->addr->ai_canonname
- instead of the given host name, which caused us grief and
- problems since not all our resolver options do the reverse lookup
- and I would also guess that it caused problems with KRB5/GSS with
- virtual name-based hosts. Now the host name from the URL is used.
+ ... to avoid a clang bug
-Dan Fandrich (15 Apr 2010)
-- Remove redundant conditional
+- [Max Dymond brought this change]
-- Eliminated an unlikely race condition in some tests.
+ ossfuzz: add some more handled CURL options
- Based on a patch from the FreeBSD ports by Peter Pentchev.
+ Add support for HEADER, COOKIE, RANGE, CUSTOMREQUEST, MAIL_RECIPIENT,
+ MAIL_FROM and uploading data.
-Daniel Stenberg (15 Apr 2010)
-- changelog: prevent needless reverse name lookups
-
-- Curl_ipv4_resolve_r: only set AI_CANONNAME when needed
+- configure: check for C++ compiler after C, to make it non-fatal
+
+ The tests for object file/executable file extensions are presumably only
+ done for the first of these macros in the configure file.
- As reported in bug report #2987196, the code for ipv6 already did
- the setting of this bit correctly so we copied that logic into
- the Curl_ipv4_resolve_r() function as well. KRB code is the only
- code we know that might need the cannonical name so only resolve
- it for such requests!
+ Bug: https://github.com/curl/curl/pull/1851#issuecomment-327597515
+ Reported-by: Marcel Raad
+ Closes #1873
-- IGNORE: files generated by maketgz
+Patrick Monnerat (7 Sep 2017)
+- form API: add new test 650.
+
+ Now that the form API is deprecated and not used anymore in curl tool,
+ a lot of its features left untested. Test 650 attempts to check all these
+ features not tested elsewhere.
-- bumped to start the journey towards 7.20.2
+Jay Satiro (7 Sep 2017)
+- configure: fix curl_off_t check's include order
+
+ - Prepend srcdir include path instead of append.
+
+ Prior to this change it was possible that during the check for the size
+ of curl_off_t the include path of a user's already installed curl could
+ come before the include path of the to-be-built curl, resulting in the
+ system.h of the former being incorrectly included for that check.
+
+ Closes https://github.com/curl/curl/pull/1870
-- added contributors from the 7.20.1 RELEASE-NOTES
+Daniel Stenberg (7 Sep 2017)
+- [Jakub Zakrzewski brought this change]
-- ignore files generated by 'maketgz'
+ KNOWN_BUGS: Remove CMake symbol hiding issue
+
+ It has already been fixed in 6140dfc
-Version 7.20.1 (14 Apr 2010)
+- http-proxy: when not doing CONNECT, that phase is done immediately
+
+ `conn->connect_state` is NULL when doing a regular non-CONNECT request
+ over the proxy and should therefor be considered complete at once.
+
+ Fixes #1853
+ Closes #1862
+ Reported-by: Lawrence Wagerfield
-Daniel Stenberg (14 Apr 2010)
-- 7.20.1: 14 April 2010
+- [Johannes Schindelin brought this change]
-Guenter Knauf (13 Apr 2010)
-- Use correct directory for c-ares git pull
- Signed-off-by: Tor Arntsen <tor@spacetec.no>
+ OpenSSL: fix yet another mistake while encapsulating SSL backend data
+
+ Another mistake in my manual fixups of the largely mechanical
+ search-and-replace ("connssl->" -> "BACKEND->"), just like the previous
+ commit concerning HTTPS proxies (and hence not caught during my
+ earlier testing).
+
+ Fixes #1855
+ Closes #1871
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Yang Tse (13 Apr 2010)
-- fix compiler warning: variable might be clobbered by longjmp or vfork
+- [Johannes Schindelin brought this change]
-Guenter Knauf (13 Apr 2010)
-- added last git commit output for c-ares too.
+ OpenSSL: fix erroneous SSL backend encapsulation
+
+ In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private
+ data, 2017-06-21), this developer prepared for a separation of the
+ private data of the SSL backends from the general connection data.
+
+ This conversion was partially automated (search-and-replace) and
+ partially manual (e.g. proxy_ssl's backend data).
+
+ Sadly, there was a crucial error in the manual part, where the wrong
+ handle was used: rather than connecting ssl[sockindex]' BIO to the
+ proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason
+ was an incorrect location to paste "BACKEND->"... d'oh.
+
+ Reported by Jay Satiro in https://github.com/curl/curl/issues/1855.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- changed the git update block to take care of c-ares repo if detected.
+- [Jay Satiro brought this change]
-- updated timestamp of the script.
+ vtls: fix memory corruption
+
+ Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data,
+ 2017-07-28), the code handling HTTPS proxies was broken because the
+ pointer to the SSL backend data was not swapped between
+ conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but
+ instead set to NULL (causing segmentation faults).
+
+ [jes: provided the commit message, tested and verified the patch]
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- removed obsolete var in gitpull() function
- no need to create a var - lets just return the status var itself.
+- vtls: switch to CURL_SHA256_DIGEST_LENGTH define
+
+ ... instead of the prefix-less version since WolfSSL 3.12 now uses an
+ enum with that name that causes build failures for us.
+
+ Fixes #1865
+ Closes #1867
+ Reported-by: Gisle Vanem
-- added a cast to silent compiler warning with 64bit systems.
+- travis: add c-ares enabled builds linux + osx
+
+ Closes #1868
-- fixed a path typo in src/Makefile.netware.
+- HISTORY: added some recent items
-Daniel Stenberg (12 Apr 2010)
-- Added text for How To Make a Patch with git
+Jay Satiro (6 Sep 2017)
+- SSL: fix unused parameter warnings
-- update the section on timeouts
+Patrick Monnerat (6 Sep 2017)
+- mime: drop internal FILE * support.
- The section that describes how to work with timeouts was
- misleading and could easily trick users to use the wrong API.
+ - The part kind MIMEKIND_FILE and associated code are suppressed.
+ - Seek data origin offset not used anymore: suppressed.
+ - MIMEKIND_NAMEDFILE renamed MIMEKIND_FILE; associated fields/functions
+ renamed accordingly.
+ - Curl_getformdata() processes stdin via a callback.
-- update URL and cut out wrong info on ipv6
+Daniel Stenberg (6 Sep 2017)
+- configure: remove --enable-soname-bump and SONAME_BUMP
- c-ares has had its own URL for a while and we should point
- people to that. It also works with IPv6 since a long time.
-
-- refer to CURLMOPT_TIMERFUNCTION for multi_socket users
+ Back in 2008, (and commit 3f3d6ebe665f3) we changed the logic in how we
+ determine the native type for `curl_off_t`. To really make sure we
+ didn't break ABI without bumping SONAME, we introduced logic that
+ attempted to detect that it would use a different size and thus not be
+ compatible. We also provided a manual switch that allowed users to tell
+ configure to bump SONAME by force.
- curl_multi_timeout(3) is simply the wrong function to use
- if you're using the multi_socket API and this document now
- states this pretty clearly to help guiding users.
-
-- s/CVS/git
-
-- modified to use the git file, not cvs
+ Today, we know of no one who ever got a SONAME bump auto-detected and we
+ don't know of anyone who's using the manual bump feature. The auto-
+ detection is also no longer working since we introduced defining
+ curl_off_t in system.h (7.55.0).
- I've done this blindly, and the last piece that works with ares
- should possibly be done differently now that c-ares isn't a
- subtree within the curl tree anymore...
+ Finally, this bumping logic is not present in the cmake build.
+
+ Closes #1861
-- mention missing test servers for <server>
+Jay Satiro (6 Sep 2017)
+- [Gisle Vanem brought this change]
-- FTP quote commands prefixed with '*' now can fail without aborting
+ vtls: select ssl backend case-insensitive (follow-up)
- Prefixing the FTP quote commands with an asterisk really only
- worked for the postquote actions. This is now fixed and test case
- 227 has been extended to verify.
-
-Kamil Dudka (7 Apr 2010)
-- qssl: reflect recent code changes in SSL interface
+ - Do a case-insensitive comparison of CURL_SSL_BACKEND env as well.
- Reported by Guenter Knauf.
-
-- nss: handle client certificate related errors
-
-- [Ben Greear brought this change]
+ - Change Curl_strcasecompare calls to strcasecompare
+ (maps to the former but shorter).
+
+ Follow-up to c290b8f.
+
+ Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313
+
+ Co-authored-by: Jay Satiro
- ssl: Fix build when SSL isn't enabled
+- openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations.
+
+ The first one, written for old OpenSSL versions:
+ https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
+
+ The second one, written for BoringSSL and new OpenSSL versions:
+ https://github.com/curl/curl/pull/1346
+
+ Note the first one is GPL licensed but the author gave permission to
+ waive that license for libcurl.
+
+ As of right now this feature is disabled by default, and does not have
+ a configure option to enable it. To enable this feature define
+ ENABLE_SSLKEYLOGFILE when building libcurl and set environment
+ variable SSLKEYLOGFILE to a pathname that will receive the keys.
+
+ And in Wireshark change your preferences to point to that key file:
+ Edit > Preferences > Protocols > SSL > Master-Secret
+
+ Co-authored-by: Peter Wu
+
+ Ref: https://github.com/curl/curl/pull/1030
+ Ref: https://github.com/curl/curl/pull/1346
+
+ Closes https://github.com/curl/curl/pull/1866
-- refactorize interface of Curl_ssl_recv/Curl_ssl_send
+Patrick Monnerat (5 Sep 2017)
+- mime: fix a trivial warning.
-- simplify code of Curl_resolv_timeout()
+- mime: replace 'struct Curl_mimepart' by 'curl_mimepart' in encoder code.
+
+ mime_state is now a typedef.
-- eliminate a race condition in Curl_resolv_timeout()
+- mime: implement encoders.
+
+ curl_mime_encoder() is operational and documented.
+ curl tool -F option is extended with ";encoder=".
+ curl tool --libcurl option generates calls to curl_mime_encoder().
+ New encoder tests 648 & 649.
+ Test 1404 extended with an encoder specification.
-Daniel Stenberg (2 Apr 2010)
-- [Ben Greear brought this change]
+- runtests.pl: support attribute "nonewline" in part verify/upload.
- fixed compiler warnings
+- [Daniel Stenberg brought this change]
-- updated contributor count
+ fixup data/test1135
-- add contributors from the 7.20.0 release notes
+- [Daniel Stenberg brought this change]
-- fix SFTP download hang
+ mime: unified to use the typedef'd mime structs everywhere
- Matt Wixson found and fixed a bug in the SCP/SFTP area where the
- code treated a 0 return code from libssh2 to be the same as
- EAGAIN while in reality it isn't. The problem caused a hang in
- SFTP transfers from a MessageWay server.
+ ... and slightly edited to follow our code style better.
-Dan Fandrich (31 Mar 2010)
-- Fixed misleading test message
+- [Daniel Stenberg brought this change]
-Daniel Stenberg (31 Mar 2010)
-- update the generic copyright year range
+ curl.h: use lower case curl_mime* as for all public symbols
-- removed README.cmake due to the improved situation
+- [Daniel Stenberg brought this change]
-Guenter Knauf (31 Mar 2010)
-- fix compiler warning with a cast.
+ docs/curl_mime_*.3: use correct variable types in examples
-- make folks use latest available dependent libraries.
-
-Dan Fandrich (30 Mar 2010)
-- Call curl_global_cleanup() in test 560 to avoid a memory leak
+Kamil Dudka (5 Sep 2017)
+- openssl: use OpenSSL's default ciphers by default
+
+ Up2date versions of OpenSSL maintain the default reasonably secure
+ without breaking compatibility, so it is better not to override the
+ default by curl. Suggested at https://bugzilla.redhat.com/1483972
+
+ Closes #1846
-- Allow test 538 to run even when proxy support is disabled
+Viktor Szakats (5 Sep 2017)
+- examples/mime: minor example code fixes
-Daniel Stenberg (29 Mar 2010)
-- use (s)size_t for string lengths to fix compiler warns
+Daniel Stenberg (5 Sep 2017)
+- docs/curl_mime_*.3: added examples
-- use size_t to hold string length
+- configure: add MultiSSL to FEATURES when enabled
- using int is not fine on 64bit systems
-
-- [Ben Greear brought this change]
+ ...for curl-config and its corresponding test 1014
- Fix compile warnings in ssh.c
+- http-proxy: treat all 2xx as CONNECT success
- strlen() returns size_t, but ssh libraries are wanting 'unsigned int'. Add
- explicit casts and use _ex versions of the ssh library calls.
+ Added test 1904 to verify.
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Reported-by: Lawrence Wagerfield
+ Fixes #1859
+ Closes #1860
-- [Ben Greear brought this change]
+- MAIL-ETIQUETTE: added "1.9 Your emails are public"
- fix smtp compile warning
-
- Use ssize_t instead of int for the Curl_smtp_escape_eob nread
- argument.
+- curl.h: fix "unused checksrc ignore", remove dangling reference
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ ... to a README file that doesn't exist anymore
-- Ben's POP3 change
+Viktor Szakats (4 Sep 2017)
+- docs: Update to secure URL versions
-- [Ben Greear brought this change]
+- mime: use CURL_ZERO_TERMINATED in examples
+
+ and some minor whitespace fixes
- pop3: Get message listing if no mailbox in URL
+Daniel Stenberg (4 Sep 2017)
+- schannel: return CURLE_SSL_CACERT on failed verification
- If you pass a URL to pop3 that does not contain a message ID as
- part of the URL, it will currently ask for 'INBOX' which just
- causes the pop3 server to return an error.
+ ... not *CACERT_BADFILE as it isn't really because of a bad file.
- The change makes libcurl treat en empty message ID as a request
- for LIST (list of pop3 message IDs). User's code could then
- parse this and download individual messages as desired.
+ Bug: https://curl.haxx.se/mail/lib-2017-09/0002.html
+ Closes #1858
-- [Ben Greear brought this change]
+- test1135: fixed after bd8070085f9
- Allow running ./tests/testcurl.pl from within git repo.
+- examples/post-callback: stop returning one byte at a time
- My first instinct was to run the test script within the checked out
- repository. This small change to the script allows that to work as
- expected.
+ ... since people copy and paste code from this example and thus they get
+ an inefficient POST operation without a good reason and sometimes
+ without understanding why.
- Signed-off-by: Ben Greear <greearb@candelatech.com>
+ Instead this now returns as much data as possible.
-- minor language fix
+- RELEASE-NOTES: fixed the function counter script
-- [Ben Greear brought this change]
-
- allow user+password in the URL for all protocols
+- curl.h: make the curl_strequal() protos use the same style
- Ben Greear brought a patch that from now on allows all protocols
- to specify name and user within the URL, in the same manner HTTP
- and FTP have been allowed to in the past - although far from all
- of the libcurl supported protocols actually have that feature in
- their URL definition spec.
+ ... as the other functions. Makes it easier to machine-parse!
-- ignore pid files and stunnel.conf
-
- all used while running tests
+- docs: curl_mime_*.3 man page formatting edits
-- make sure git pull is actually done!
+- RELEASE-NOTES: synced with 1ab9e9b50
-- changelogged: smoother rate limiting
+Patrick Monnerat (4 Sep 2017)
+- lib: bump version info (soname). Adapt and reenable test 1135.
-- [Ben Greear brought this change]
+Daniel Stenberg (3 Sep 2017)
+- headers: move the global_sslset() proto from multi.h to curl.h
+
+ As it was added to multi.h simply to not break test 1135, which now has
+ been disabled due to the mime API addition anyway and su we can now move
+ the sslset stuff to where the other curl_global_* prototypes are.
- Make rate-limitation logic smoother
+Patrick Monnerat (3 Sep 2017)
+- mime: fix signed/unsigned conversions.
- This gives a smoother rate limitation performance by using
- sub-second pauses and also taking the buffer sizes into
- account.
+ Use and generate CURL_ZERO_TERMINATED in curl tool and tests.
-- remove all .cvsignore files
+Jay Satiro (3 Sep 2017)
+- tool_formparse: fix some trivial warnings
-- PROT_CLOSEACTION should not include TFTP
+Patrick Monnerat (3 Sep 2017)
+- mime: use size_t instead of ssize_t in public API interface.
- TFTP is not a protocol that uses close actions so it should
- not be set in that bitmask!
-
-- [Tor Arntsen brought this change]
+ To support telling a string is nul-terminated, symbol CURL_ZERO_TERMINATED
+ has been introduced.
+
+ Documentation updated accordingly.
+
+ symbols in versions updated. Added form API symbols deprecation info.
- Avoid double newline for the 'last commits' log in testcurl.pl
+- mime: remove support "-" stdin pseudo-file name in curl_mime_filedata().
- The backtick command which extracts 'git log' lines come with a
- newline, so chomp the newline before calling logit(), as the logit
- function adds a newline by itself.
+ This feature is badly supported in Windows: as a replacement, a caller has
+ to use curl_mime_data_cb() with fread, fseek and possibly fclose
+ callbacks to process opened files.
+
+ The cli tool and documentation are updated accordingly.
+
+ The feature is however kept internally for form API compatibility, with
+ the known caveats it always had.
+
+ As a side effect, stdin size is not determined by the cli tool even if
+ possible and this results in a chunked transfer encoding. Test 173 is
+ updated accordingly.
-- [Tor Arntsen brought this change]
+- mime: fix some implicit curl_off_t --> size_t conversion warnings.
- Change to version-independent git option for 'git log --oneline'
+- mime: tests and examples.
- 'git log --oneline' is a relatively recent Git function. It is
- documented to be the same as 'git log --pretty=oneline --abbrev-commit',
- so use that instead. It works all the way back to Git 1.5.0.
-
-- show 5 commits even if no git pull was made
+ Additional mime-specific tests.
+ Existing tests updated to reflect small differences (Expect: 100-continue,
+ data size change due to empty lines, etc).
+ Option -F headers= keyword added to tests.
+ test1135 disabled until the entry point order change is resolved.
+ New example smtp-mime.
+ Examples postit2 and multi-post converted from form API to mime API.
-- don't touch ares/aclocal.m4 and show recent git commits
+- mime: use in curl cli tool instead of form API.
- since c-ares no longer embedded, we must not touch such files
- anymore
+ Extended -F option syntax to support multipart mail messages.
+ -F keyword headers= added to include custom headers in parts.
+ Documentation upgraded.
+
+- mime: new MIME API.
- we show the 5 last git commits if git was proven in use, to help
- us see exactly what's being tested
+ Available in HTTP, SMTP and IMAP.
+ Deprecates the FORM API.
+ See CURLOPT_MIMEPOST.
+ Lib code and associated documentation.
-- use CURL_SIZEOF_LONG instead of SIZEOF_LONG
+- test564: Add a warning comment about shell profile output.
- That's the symbol we have or generate in include/curl/curlbuild.h
+ Shell profile output makes the SSH server failing and this problem reason
+ is not easy to find when no hint is given.
-- s/CVS/DEV in the version string from the git repo
+- checksrc: disable SPACEBEFOREPAREN for case statement.
+
+ The case keyword may be followed by a constant expression and thus should
+ allow it to start with an open parenthesis.
-Bill Hoffman (24 Mar 2010)
-- Merge branch 'master' of github.com:bagder/curl
+- runtests.pl: allow <file[1-4]> tags in client section.
+
+ This enables tests to create more than one file on the client side.
-- Add .gitattributes files to turn off CRLF translation for some files
+- runtests.pl: Apply strippart to upload too.
+
+ This will allow substitution of boundaries in mail messages.
-Daniel Stenberg (24 Mar 2010)
-- provide a version number as today's date
+- Curl_base64_encode: always call with a real data handle.
- It should at least help visualize which autobuilds that are
- using this script.
+ Some calls in different modules were setting the data handle to NULL, causing
+ segmentation faults when using builds that enable character code conversions.
-- testcurl now uses git instead of CVS
+- non-ascii: allow conversion functions to be called with a NULL data handle.
-Bill Hoffman (24 Mar 2010)
-- Merge branch 'master' of github.com:bagder/curl
+- http: fix a memory leakage in checkrtspprefix().
-- Enable LDAP by default since it is now disabled when ldap.h is not found,
+Daniel Stenberg (2 Sep 2017)
+- [Max Dymond brought this change]
-- CMake fixes for Linux.
+ ossfuzz: Move to C++ for curl_fuzzer.
- Make sure <sys/socket.h> is included if around when testing/using
- socklen_t. Also, disable LDAP if LDAP_H is not found on the system.
+ Automake gets confused if you want to use C++ static libraries with C
+ code - basically we need to involve the clang++ linker. The easiest way
+ of achieving this is to rename the C code as C++ code. This gets us a
+ bit further along the path and ought to be compatible with Google's
+ version of clang.
-Daniel Stenberg (24 Mar 2010)
-- [Bob Richmond brought this change]
+- curl_global_sslset: select backend by name case insensitively
+
+ Closes #1849
+
+- [Max Dymond brought this change]
- fix: timeout after last data chunk was handled
+ ossfuzz: additional seed corpora
- Bob Richmond: There's an annoying situation where libcurl will
- read new HTTP response data from a socket, then check if it's a
- timeout if one is set. If the last packet received constitutes
- the end of the response body, libcurl still treats it as a
- timeout condition and reports a message like:
+ Create simple seed corpora for:
+ - FTP
+ - telnet
+ - dict
+ - tftp
+ - imap
+ - pop3
- "Operation timed out after 3000 milliseconds with 876 out of 876
- bytes received"
+ based off the tests of the same number.
- It should only a timeout if the timer lapsed and we DIDN'T
- receive the end of the response body yet.
+ Closes #1842
-- avoid compiler warning without USE_ALARM_TIMEOUT
+- [Max Dymond brought this change]
-Bill Hoffman (24 Mar 2010)
-- Fix curl CMake build.
+ ossfuzz: moving towards the ideal integration
- This commit fixes the cmake build of curl, and cleans up the
- cmake code a little. It removes some commented out code and
- some trailing whitespace. To get curl to build the binary
- tree include/curl directory needed to be added to the include
- path. Also, SIZEOF_SHORT needed to be added. A check for the
- lack of defines of SIZEOF_* for warnless.c was added.
+ - Start with the basic code from the ossfuzz project.
+ - Rewrite fuzz corpora to be binary files full of Type-Length-Value
+ data, and write a glue layer in the fuzzing function to convert
+ corpora into CURL options.
+ - Have supporting functions to generate corpora from existing tests
+ - Integrate with Makefile.am
-Daniel Stenberg (24 Mar 2010)
-- [Chris Conroy brought this change]
+- strcase: corrected comment header for Curl_strcasecompare()
- remove debug printfs
+- unit1301: fix error message on first test
-- RTSP GET_PARAMETER fix
+- curl_global_sslset.3: show the struct and enum too
- Christopher Conroy fixed a problem with RTSP and GET_PARAMETER
- reported to us by Massimo Callegari. There's a new test case 572
- that verifies this now.
-
-- remove trace of CVS
-
-- [Chris Conroy brought this change]
+ ... so that users can actually write code based on the man page alone,
+ not having to read the header file.
- Fix RTSP GET_PARAMETER empty and non-empty operation.
+Jay Satiro (31 Aug 2017)
+- darwinssl: handle long strings in TLS certs (follow-up)
- Test coverage included. Thanks to Massimo Callegari for the bug report
-
-- s/CVS/DEV/ in the version string for repo versions
-
-- scrapped all left-over TODOs
+ - Fix handling certificate subjects that are already UTF-8 encoded.
- In order to get back on track, I've removed all the plans for
- stuff I had in the queue. I will instead focus on fixing bugs and
- relying on that people who truly want things added will come back
- on the mailing list and nag and provide patches.
+ Follow-up to b3b75d1 from two days ago. Since then a copy would be
+ skipped if the subject was already UTF-8, possibly resulting in a NULL
+ deref later on.
- 7.20.1 should be possible to release in April 2010
-
-- restore executable bits on some files
-
-- remove the CVSish $Id$ lines
-
-- The 'ares' subtree has been removed from the source repository
-
-- s/CVS/git
-
-- update to current state
-
-- remove the ares subtree
+ Ref: https://github.com/curl/curl/issues/1823
+ Ref: https://github.com/curl/curl/pull/1831
- c-ares is now hosted entirely separate from the curl project
- see http://c-ares.haxx.se/ for all details concerning c-ares,
- its source repository and more.
+ Closes https://github.com/curl/curl/pull/1836
-- mark connection as connected
+Daniel Stenberg (31 Aug 2017)
+- cyassl: call it the "WolfSSL" backend
- Kenny To filed the bug report #2963679 with patch to fix a
- problem he experienced with doing multi interface HTTP POST over
- a proxy using PROXYTUNNEL. He found a case where it would connect
- fine but bits.tcpconnect was not set correct so libcurl didn't
- work properly.
+ ... instead of cyassl, as this is the current name for it.
- (http://curl.haxx.se/bug/view.cgi?id=2963679)
+ Closes #1844
-- enabled valgrind
+- polarssl: fix multissl breakage
- I ran it now successfully and it helped to pinpoint a libssh2
- memory leak!
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html
+ Closes #1843
-Dan Fandrich (23 Mar 2010)
-- Updated Symbian notes
-
-Daniel Stenberg (23 Mar 2010)
-- chunked-encoding with Content-Length: header problem
+- configure: remove the leading comma from the backends list
- Akos Pasztory filed debian bug report #572276
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572276
- mentioning a problem with a resource that returns chunked-encoded
- _and_ with a Content-Length and libcurl failed to properly ignore
- the latter information.
-
-- delayed easy handle kill caused double Curl_close() call
+ ... when darwinssl is used.
- Hauke Duden provided an example program that made the multi
- interface crash. His example simply used the multi interface and
- did first one FTP transfer and after completion it used a second
- easy handle and did another FTP transfer on the same FTP server.
+ Reported-by: Viktor Szakats
+ Bug: https://github.com/curl/curl/commit/b0989cd3abaff4f9a0717b4875022fa79e33b481#commitcomment-23943493
- This triggered a bug in the "delayed easy handle kill" system
- that curl uses: when an FTP connection is left alive it must keep
- an easy handle around internally - only for the purpose of having
- an easy handle when it later disconnects it. The code assumed
- that when the easy handle was removed and an internal reference
- was made, that version could be killed later on when a new easy
- handle came using the same connection. This was wrong as Hauke's
- example showed that the removed handle wasn't killed for real
- until later. This caused a double close attempt => segfault.
+ Closes #1845
-- ignore more files generated when tests run in the source tree
-
-- Thomas Lopatic fixed the alarm()-based DNS timeout
+Kamil Dudka (30 Aug 2017)
+- examples/sslbackend.c: fix failure of 'make checksrc'
+
+ ./sslbackend.c:58:3: warning: else after closing brace on same line (BRACEELSE)
+ } else if(isdigit(*name)) {
+ ^
+ ./sslbackend.c:62:3: warning: else after closing brace on same line (BRACEELSE)
+ } else
+ ^
-- [Thomas Lopatic brought this change]
+Viktor Szakats (30 Aug 2017)
+- makefile.m32: add multissl support
+
+ Closes https://github.com/curl/curl/pull/1840
- fix the alarm()-based DNS timeout
+Daniel Stenberg (30 Aug 2017)
+- curl.h: CURLSSLBACKEND_WOLFSSL used wrong value
- Looking at the code of Curl_resolv_timeout() in hostip.c, I think
- that in case of a timeout, the signal handler for SIGALRM never
- gets removed. I think that in my case it gets executed at some
- point later on when execution has long left Curl_resolv_timeout()
- or even the cURL library.
+ The CURLSSLBACKEND_WOLFSSL is supposed to be an alias for
+ CURLSSLBACKEND_CYASSL, but used an erronous value. To reduce the risk
+ for a similar mistake, define the backend aliases to use the enum values
+ instead.
- The code that is jumped to with siglongjmp() simply sets the
- error message to "name lookup timed out" and then returns with
- CURLRESOLV_ERROR. I guess that instead of simply returning
- without cleaning up, the code should have a goto that jumps to
- the spot right after the call to Curl_resolv().
+ Reported-by: Gisle Vanem
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0120.html
-- [Daniel Johnson brought this change]
+- curl_global_sslset.3: clarify
+
+ it is a one time *set*, not necessarily a one time use... it can be
+ called again if the first call failed or just listed the alternatives.
+
+ clarify that the available backends are the ones this build supports
+
+ plus add some formatting
+
+ Reported-by: Rich Gray
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0119.html
- Fix warnings for clang
+- curl/multi.h: remove duplicated closing c++ brace
+
+ Regression since 1328f69d53f2f2e93
+
+ Fixes #1841
+ Reported-by: Andrei Karas
-- Merge branch 'master' of github.com:bagder/curl
+- RELEASE-NOTES: synced with 8c33c963a
-Kamil Dudka (22 Mar 2010)
-- [douglas steinwand brought this change]
+- HELP-US.md: spelling
- Fix insufficient initialization in Curl_clone_ssl_config()
+- HELP-US.md: "How to get started helping out in the curl project"
- which could have caused a double free when reusing curl handle.
+ Closes #1837
-Daniel Stenberg (22 Mar 2010)
-- we never used this file anyway
+Dan Fandrich (29 Aug 2017)
+- asyn-thread: Fixed cleanup after OOM
+
+ destroy_async_data() assumes that if the flag "done" is not set yet, the
+ thread itself will clean up once the request is complete. But if an
+ error (generally OOM) occurs before the thread even has a chance to
+ start, it will never get a chance to clean up and memory will be leaked.
+ By clearing "done" only just before starting the thread, the correct
+ cleanup sequence will happen in all cases.
-- s/CVS/git
+Daniel Stenberg (28 Aug 2017)
+- curl_global_init.3: mention curl_global_sslset(3)
-- various changes of CVS to git
+Dan Fandrich (28 Aug 2017)
+- unit1606: Fixed shadowed variable warning
-- remove references to CVS in the code and use DEV instead
+- asyn-thread: Improved cleanup after OOM situations
-- Ben Greear's two fixes explained
+- asyn-thread: Set errno to the proper value ENOMEM in OOM situation
+
+ This used to be set in some configurations to EAI_MEMORY which is not a
+ valid value for errno and caused Curl_strerror to fail an assertion.
-- [Ben Greear brought this change]
+Daniel Stenberg (28 Aug 2017)
+- [Johannes Schindelin brought this change]
- Fix tftp return codes and tsize upload handling
+ configure: Handle "MultiSSL" specially When versioning symbols
- Error codes were not properly returned to the main curl code (and on to apps
- using libcurl).
+ There is a mode in which libcurl is compiled with versioned symbols,
+ depending on the active SSL backend.
- tftp was crapping out when tsize == 0 on upload, but I see no reason to fail
- to upload just because the remote file is zero-length. Ignore tsize option on
- upload.
-
-- more files to ignore
+ When multiple SSL backends are active, it does not make sense to favor
+ one over the others, so let's not: introduce a new prefix for the case
+ where multiple SSL backends are compiled into cURL.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- provide an initial set of .gitignore files
+- [Johannes Schindelin brought this change]
-Kamil Dudka (19 Mar 2010)
-- - Improved Curl_read() to not ignore the error returned from Curl_ssl_recv().
+ configure: allow setting the default SSL backend
+
+ Previously, we used as default SSL backend whatever was first in the
+ `available_backends` array.
+
+ However, some users may want to override that default without patching
+ the source code.
+
+ Now they can: with the --with-default-ssl-backend=<backend> option of
+ the ./configure script.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (18 Mar 2010)
-- fix warning about conversions between curl_off_t and long
+- [Johannes Schindelin brought this change]
-Yang Tse (18 Mar 2010)
-- another shot at the ftp_init() icc 9.1 optimizer issue
+ vtls: use Curl_ssl_multi pseudo backend only when needed
+
+ When only one SSL backend is configured, it is totally unnecessary to
+ let multissl_init() configure the backend at runtime, we can select the
+ correct backend at build time already.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- replaced intel compiler option -no-ansi-alias with -fno-strict-aliasing
+- [Johannes Schindelin brought this change]
-- update outdated serial number
+ version: if built with more than one SSL backend, report all of them
+
+ To discern the active one from the inactive ones, put the latter into
+ parentheses.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Dan Fandrich (16 Mar 2010)
-- Factored out some code into a few independent functions
+- [Johannes Schindelin brought this change]
-Daniel Stenberg (15 Mar 2010)
-- - Constantine Sapuntzakis brought a patch:
+ version: add the CURL_VERSION_MULTI_SSL feature flag
- The problem mentioned on Dec 10 2009
- (http://curl.haxx.se/bug/view.cgi?id=2905220) was only partially fixed.
- Partially because an easy handle can be associated with many connections in
- the cache (e.g. if there is a redirect during the lifetime of the easy
- handle). The previous patch only cleaned up the first one. The new fix now
- removes the easy handle from all connections, not just the first one.
-
-Yang Tse (11 Mar 2010)
-- fix compiler warning
+ This new feature flag reports When cURL was built with multiple SSL
+ backends.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Dan Fandrich (11 Mar 2010)
-- SSL should now be working out-of-the-box on Symbian S60.
+- [Johannes Schindelin brought this change]
-- Enable Symbian zlib support by default.
+ metalink: allow compiling with multiple SSL backends
+
+ Previously, the code assumed that at most one of the SSL backends would
+ be compiled in, emulating OpenSSL's functions if the configured backend
+ was not OpenSSL itself.
+
+ However, now we allow building with multiple SSL backends and choosing
+ one at runtime. Therefore, metalink needs to be adjusted to handle this
+ scenario, too.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- Allow compilation even when OpenSSL has been configured without MD4 support.
+- [Johannes Schindelin brought this change]
-- A few Symbian build changes
+ docs/examples: demonstrate how to select SSL backends
+
+ The newly-introduced curl_global_sslset() function deserves to be
+ show-cased.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Yang Tse (9 Mar 2010)
-- watt32 compilation fix
+- [Johannes Schindelin brought this change]
-Daniel Stenberg (6 Mar 2010)
-- - Ben Greear brought a patch that fixed the rate limiting logic for TFTP when
- the easy interface was used.
+ Add a man page for curl_global_sslset()
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- indent fix by Ben Greear, I removed some braces for single-line conditional
- expressions
+- [Johannes Schindelin brought this change]
-Yang Tse (6 Mar 2010)
-- Added another VS10 version string
+ vtls: introduce curl_global_sslset()
+
+ Let's add a compile time safe API to select an SSL backend. This
+ function needs to be called *before* curl_global_init(), and can be
+ called only once.
+
+ Side note: we do not explicitly test that it is called before
+ curl_global_init(), but we do verify that it is not called multiple times
+ (even implicitly).
+
+ If SSL is used before the function was called, it will use whatever the
+ CURL_SSL_BACKEND environment variable says (or default to the first
+ available SSL backend), and if a subsequent call to
+ curl_global_sslset() disagrees with the previous choice, it will fail
+ with CURLSSLSET_TOO_LATE.
+
+ The function also accepts an "avail" parameter to point to a (read-only)
+ NULL-terminated list of available backends. This comes in real handy if
+ an application wants to let the user choose between whatever SSL backends
+ the currently available libcurl has to offer: simply call
+
+ curl_global_sslset(-1, NULL, &avail);
+
+ which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail
+ variable to point to the relevant information to present to the user.
+
+ Just like with the HTTP/2 push functions, we have to add the function
+ declaration of curl_global_sslset() function to the header file
+ *multi.h* because VMS and OS/400 require a stable order of functions
+ declared in include/curl/*.h (where the header files are sorted
+ alphabetically). This looks a bit funny, but it cannot be helped.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- fix line break
+- [Johannes Schindelin brought this change]
-- removed usage of 's6_addr', fixing compilation issue triggered with no
- longer using 'in6_addr' but only our 'ares_in6_addr' struct
+ vtls: refactor out essential information about the SSL backends
+
+ There is information about the compiled-in SSL backends that is really
+ no concern of any code other than the SSL backend itself, such as which
+ function (if any) implements SHA-256 summing.
+
+ And there is information that is really interesting to the user, such as
+ the name, or the curl_sslbackend value.
+
+ Let's factor out the latter into a publicly visible struct. This
+ information will be used in the upcoming API to set the SSL backend
+ globally.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (5 Mar 2010)
-- Daniel Johnson provided fixes for building with the clang compiler
+- [Johannes Schindelin brought this change]
-Yang Tse (5 Mar 2010)
-- Added IPv6 name servers support
+ vtls: allow selecting which SSL backend to use at runtime
+
+ When building software for the masses, it is sometimes not possible to
+ decide for all users which SSL backend is appropriate.
+
+ Git for Windows, for example, uses cURL to perform clones, fetches and
+ pushes via HTTPS, and some users strongly prefer OpenSSL, while other
+ users really need to use Secure Channel because it offers
+ enterprise-ready tools to manage credentials via Windows' Credential
+ Store.
+
+ The current Git for Windows versions use the ugly work-around of
+ building libcurl once with OpenSSL support and once with Secure Channel
+ support, and switching out the binaries in the installer depending on
+ the user's choice.
+
+ Needless to say, this is a super ugly workaround that actually only
+ works in some cases: Git for Windows also comes in a portable form, and
+ in a form intended for third-party applications requiring Git
+ functionality, in which cases this "swap out libcurl-4.dll" simply is
+ not an option.
+
+ Therefore, the Git for Windows project has a vested interest in teaching
+ cURL to make the SSL backend a *runtime* option.
+
+ This patch makes that possible.
+
+ By running ./configure with multiple --with-<backend> options, cURL will
+ be built with multiple backends.
+
+ For the moment, the backend can be configured using the environment
+ variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
+ "schannel").
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Gisle Vanem (5 Mar 2010)
-- Ops!. Readded ares_nowarn.h.
+- [Johannes Schindelin brought this change]
-- Added ares_nowarn.c.
+ vtls: fold the backend ID into the Curl_ssl structure
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Yang Tse (5 Mar 2010)
-- Constantine Sapuntzakis detected and fixed a double free in builds done
- with threaded resolver enabled (Windows default configuration) that would
- get triggered when a curl handle is closed while doing DNS resolution.
+- [Johannes Schindelin brought this change]
-- Added SIZEOF_INT and SIZEOF_SHORT definitions for VMS configuration file
+ curl_ntlm_core: don't complain but #include OpenSSL header if needed
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (4 Mar 2010)
-- Julien Chaffraix clarified CURLOPT_HEADERFUNCTION and made
- CURLOPT_HEADERFUNCTION and CURLOPT_WRITEFUNCTION more consistent
+- [Johannes Schindelin brought this change]
-- - [Daniel Johnson] I've been trying to build libcurl with clang on Darwin and
- ran into some issues with the GSSAPI tests in configure.ac. The tests first
- try to determine the include dirs and libs and set CPPFLAGS and LIBS
- accordingly. It then checks for the headers and finally sets LIBS a second
- time, causing the libs to be included twice. The first setting of LIBS seems
- redundant and should be left out, since the first part is otherwise just
- about finding headers.
+ vtls: encapsulate SSL backend-specific data
- My second issue is that 'krb5-config --libs gssapi' on Darwin is less than
- useless and returns junk that, while it happens to work with gcc, causes
- clang to choke. For example, --libs returns $CFLAGS along with the libs,
- which is really retarded. Simply setting 'LIBS="$LIBS -lgssapi_krb5
- -lresolv"' on Darwin is sufficient.
-
-- - Based on patch provided by Jacob Moshenko, the transfer logic now properly
- makes sure that when using sub-second timeouts, there's no final bad 1000ms
- wait. Previously, a sub-second timeout would often make the elapsed time end
- up the time rounded up to the nearest second (e.g. 1s for 200ms timeout)
+ So far, all of the SSL backends' private data has been declared as
+ part of the ssl_connect_data struct, in one big #if .. #elif .. #endif
+ block.
+
+ This can only work as long as the SSL backend is a compile-time option,
+ something we want to change in the next commits.
+
+ Therefore, let's encapsulate the exact data needed by each SSL backend
+ into a private struct, and let's avoid bleeding any SSL backend-specific
+ information into urldata.h. This is also necessary to allow multiple SSL
+ backends to be compiled in at the same time, as e.g. OpenSSL's and
+ CyaSSL's headers cannot be included in the same .c file.
+
+ To avoid too many malloc() calls, we simply append the private structs
+ to the connectdata struct in allocate_conn().
+
+ This requires us to take extra care of alignment issues: struct fields
+ often need to be aligned on certain boundaries e.g. 32-bit values need to
+ be stored at addresses that divide evenly by 4 (= 32 bit / 8
+ bit-per-byte).
+
+ We do that by assuming that no SSL backend's private data contains any
+ fields that need to be aligned on boundaries larger than `long long`
+ (typically 64-bit) would need. Under this assumption, we simply add a
+ dummy field of type `long long` to the `struct connectdata` struct. This
+ field will never be accessed but acts as a placeholder for the four
+ instances of ssl_backend_data instead. the size of each ssl_backend_data
+ struct is stored in the SSL backend-specific metadata, to allow
+ allocate_conn() to know how much extra space to allocate, and how to
+ initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend
+ pointers.
+
+ This would appear to be a little complicated at first, but is really
+ necessary to encapsulate the private data of each SSL backend correctly.
+ And we need to encapsulate thusly if we ever want to allow selecting
+ CyaSSL and OpenSSL at runtime, as their headers cannot be included within
+ the same .c file (there are just too many conflicting definitions and
+ declarations for that).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- update the generic copyright year range to include 2010
+- [Johannes Schindelin brought this change]
-- - Andrei Benea filed bug report #2956698 and pointed out that the
- CURLOPT_CERTINFO feature leaked memory due to a missing OpenSSL function
- call. He provided the patch to fix it too.
+ vtls: prepare the SSL backends for encapsulated private data
- http://curl.haxx.se/bug/view.cgi?id=2956698
-
-- - Markus Duft pointed out in bug #2961796 that even though Interix has a
- poll() function it doesn't quite work the way we want it so we must disable
- it, and he also provided a patch for it.
+ At the moment, cURL's SSL backend needs to be configured at build time.
+ As such, it is totally okay for them to hard-code their backend-specific
+ data in the ssl_connect_data struct.
- http://curl.haxx.se/bug/view.cgi?id=2961796
-
-- - Made the pingpong timeout code properly deal with the response timeout AND
- the global timeout if set. Also, as was reported in the bug report #2956437
- by Ryan Chan, the time stamp to use as basis for the per command timeout was
- not set properly in the DONE phase for FTP (and not for SMTP) so I fixed
- that just now. This was a regression compared to 7.19.7 due to the
- conversion of FTP code over to the generic pingpong concepts.
+ In preparation for making the SSL backend a runtime option, let's make
+ the access of said private data a bit more abstract so that it can be
+ adjusted later in an easy manner.
- http://curl.haxx.se/bug/view.cgi?id=2956437
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- remove assignment never used
+- [Johannes Schindelin brought this change]
-- - Ben Greear provided an update for TFTP that fixes upload.
+ urldata.h: move SSPI-specific #include to correct location
+
+ In 86b889485 (sasl_gssapi: Added GSS-API based Kerberos V5 variables,
+ 2014-12-03), an SSPI-specific field was added to the kerberos5data
+ struct without moving the #include "curl_sspi.h" later in the same file.
+
+ This broke the build when SSPI was enabled, unless Secure Channel was
+ used as SSL backend, because it just so happens that Secure Channel also
+ requires "curl_sspi.h" to be #included.
+
+ In f4739f639 (urldata: include curl_sspi.h when Windows SSPI is enabled,
+ 2017-02-21), this bug was fixed incorrectly: Instead of moving the
+ appropriate conditional #include, the Secure Channel-conditional part
+ was now also SSPI-conditional.
+
+ Fix this problem by moving the correct #include instead.
+
+ This is also required for an upcoming patch that moves all the Secure
+ Channel-specific stuff out of urldata.h and encapsulates it properly in
+ vtls/schannel.c instead.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- SSL, not SSH, SSL
+- [Johannes Schindelin brought this change]
-- - Wesley Miaw reported bug #2958179 which identified a case of looping during
- OpenSSL based SSL handshaking even though the multi interface was used and
- there was no good reason for it.
+ urldata.h: remove support for obsolete PolarSSL version
+
+ Since 5017d5ada (polarssl: now require 1.3.0+, 2014-03-17), we require
+ a newer PolarSSL version. No need to keep code trying to support any
+ older version.
- http://curl.haxx.se/bug/view.cgi?id=2958179
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Yang Tse (28 Feb 2010)
-- Added SIZEOF_INT and SIZEOF_SHORT definitions for non-configure systems
+- [Johannes Schindelin brought this change]
-- Added ares_nowarn.* to VC6 project file
+ getinfo: access SSL internals via Curl_ssl
+
+ In the ongoing endeavor to abstract out all SSL backend-specific
+ functionality, this is the next step: Instead of hard-coding how the
+ different SSL backends access their internal data in getinfo.c, let's
+ implement backend-specific functions to do that task.
+
+ This will also allow for switching SSL backends as a runtime option.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Daniel Stenberg (26 Feb 2010)
-- spellchecked by Stéphane Fillod
+- [Johannes Schindelin brought this change]
-- - Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a
- chunked-encoding trailer.
+ vtls: move SSL backends' private constants out of their header files
- http://curl.haxx.se/bug/view.cgi?id=2958474
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Dan Fandrich (26 Feb 2010)
-- Fixed a couple of out of memory leaks and a segfault in the IMAP code.
+- [Johannes Schindelin brought this change]
-Yang Tse (26 Feb 2010)
-- fix sizeof short
+ axtls: use Curl_none_* versions of init() and cleanup()
+
+ There are convenient no-op versions of the init/cleanup functions now,
+ no need to define private ones for axTLS.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- Added SIZEOF_INT and SIZEOF_SHORT definitions for non-configure systems
+- [Johannes Schindelin brought this change]
-- Added SIZEOF_INT definition
+ vtls: remove obsolete declarations of SSL backend functionality
+
+ These functions are all available via the Curl_ssl struct now, no need
+ to declare them separately anymore.
+
+ As the global declarations are removed, the corresponding function
+ definitions are marked as file-local. The only two exceptions here are
+ Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the
+ declarations were removed, there are no function definitions to mark
+ file-local.
+
+ Please note that Curl_nss_force_init() is *still* declared globally, as
+ the only SSL backend-specific function, because it was introduced
+ specifically for the use case where cURL was compiled with
+ `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add
+ support for NSS, 2010-06-27).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- fix compiler warning
+- [Johannes Schindelin brought this change]
-- fix compiler warning
+ schannel: reorder functions topologically
+
+ The _shutdown() function calls the _session_free() function; While this
+ is not a problem now (because schannel.h declares both functions), a
+ patch looming in the immediate future with make all of these functions
+ file-local.
+
+ So let's just move the _session_free() function's definition before it
+ is called.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- fix compiler warning
+- [Johannes Schindelin brought this change]
-Dan Fandrich (25 Feb 2010)
-- Fixed a couple of out of memory leaks and a segfault in the SMTP code.
+ axtls: reorder functions topologically
+
+ The connect_finish() function (like many other functions after it) calls
+ the Curl_axtls_close() function; While this is not a problem now
+ (because axtls.h declares the latter function), a patch looming in the
+ immediate future with make all of these functions file-local.
+
+ So let's just move the Curl_axtls_close() function's definition before
+ it is called.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-Yang Tse (25 Feb 2010)
-- fix file name
+- [Johannes Schindelin brought this change]
-- Fixed bug report #2958074 indicating
- (http://curl.haxx.se/bug/view.cgi?id=2958074) that curl on Windows with
- option --trace-time did not use local time when timestamping trace lines.
- This could also happen on other systems depending on time souurce.
+ vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct
+
+ That will allow us to choose the SSL backend at runtime.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- enable 802 and 803
+- [Johannes Schindelin brought this change]
-- fix compiler warning
+ vtls: convert the have_curlssl_* constants to runtime flags
+
+ The entire idea of introducing the Curl_ssl struct to describe SSL
+ backends is to prepare for choosing the SSL backend at runtime.
+
+ To that end, convert all the #ifdef have_curlssl_* style conditionals
+ to use bit flags instead.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- fix compiler warning
+- [Johannes Schindelin brought this change]
-- fix compiler warning
+ vtls: move sha256sum into the Curl_ssl struct
+
+ The SHA-256 checksumming is also an SSL backend-specific function.
+ Let's include it in the struct declaring the functionality of SSL
+ backends.
+
+ In contrast to MD5, there is no fall-back code. To indicate this, the
+ respective entries are NULL for those backends that offer no support for
+ SHA-256 checksumming.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: move md5sum into the Curl_ssl struct
+
+ The MD5 summing is also an SSL backend-specific function. So let's
+ include it, offering the previous fall-back code as a separate function
+ now: Curl_none_md5sum(). To allow for that, the signature had to be
+ changed so that an error could be returned from the implementation
+ (Curl_none_md5sum() can run out of memory).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: use the Curl_ssl struct to access all SSL backends' functionality
+
+ This is the first step to unify the SSL backend handling. Now all the
+ SSL backend-specific functionality is accessed via a global instance of
+ the Curl_ssl struct.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: declare Curl_ssl structs for every SSL backend
+
+ The idea of introducing the Curl_ssl struct was to unify how the SSL
+ backends are declared and called. To this end, we now provide an
+ instance of the Curl_ssl struct for each and every SSL backend.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: introduce a new struct for SSL backends
+
+ This new struct is similar in nature to Curl_handler: it will define the
+ functions and capabilities of all the SSL backends (where Curl_handler
+ defines the functions and capabilities of protocol handlers).
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: make sure every _sha256sum()'s first arg is const
+
+ This patch makes the signature of the _sha256sum() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: make sure all _data_pending() functions return bool
+
+ This patch makes the signature of the _data_pending() functions
+ consistent among the SSL backends, in preparation for unifying the way
+ all SSL backends are accessed.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: make sure all _cleanup() functions return void
+
+ This patch makes the signature of the _cleanup() functions consistent
+ among the SSL backends, in preparation for unifying the way all SSL
+ backends are accessed.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- [Johannes Schindelin brought this change]
+
+ vtls: use consistent signature for _random() implementations
+
+ This will make the upcoming multissl backend much easier to implement.
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- strtooff: fix build for systems with long long but no strtoll option
+
+ Closes #1829
+
+ Reported-by: Dan Fandrich
+ Bug: https://github.com/curl/curl/pull/1758#issuecomment-324861615
+
+- darwinssl: handle long strings in TLS certs
+
+ ... as the previous fixed length 128 bytes buffer was sometimes too
+ small.
+
+ Fixes #1823
+ Closes #1831
+
+ Reported-by: Benjamin Sergeant
+ Assisted-by: Bill Pyne, Ray Satiro, Nick Zitzmann
+
+- system.h: include sys/poll.h for AIX
+
+ ... to get the event/revent defines that might be used for the poll
+ struct.
+
+ Reported-by: Michael Smith
+ Fixes #1828
+ Closes #1833
+
+Dan Fandrich (26 Aug 2017)
+- tests: Make sure libtests & unittests call curl_global_cleanup()
+
+ These were missed in commit c468c27b.
+
+Jay Satiro (26 Aug 2017)
+- [theantigod brought this change]
+
+ winbuild: fix embedded manifest option
+
+ Embedded manifest option didn't work due to incorrect path.
+
+ Fixes https://github.com/curl/curl/issues/1832
+
+Daniel Stenberg (25 Aug 2017)
+- fuzz/Makefile.am: remove curlbuild.h leftovers
+
+- examples/threaded-ssl: mention that this is for openssl before 1.1
+
+- imap: use defined names for response codes
+
+ When working on this code I found the previous setup a bit weird while
+ using proper defines increases readability.
+
+ Closes #1824
+
+- CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD
+
+- imap: support PREAUTH
+
+ It is a defined possible greeting at server startup that means the
+ connection is already authenticated. See
+ https://tools.ietf.org/html/rfc3501#section-7.1.4
+
+ Test 846 added to verify.
+
+ Fixes #1818
+ Closes #1820
+
+Jay Satiro (23 Aug 2017)
+- config-tpf: define SIZEOF_LONG
+
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
+
+ Bug: https://github.com/curl/curl/issues/1816
+
+Dan Fandrich (23 Aug 2017)
+- test1453: Fixed <features>
+
+Daniel Stenberg (22 Aug 2017)
+- [Gisle Vanem brought this change]
+
+ config-dos: add missing defines, SIZEOF_* and two others
+
+ Bug: #1816
+
+- curl: shorten and clean up CA cert verification error message
+
+ The previous message was just too long for ordinary people and it was
+ encouraging users to use `--insecure` a little too easy.
+
+ Based-on-work-by: Frank Denis
+
+ Closes #1810
+ Closes #1817
+
+- request-target.d: mention added in 7.55.0
+
+Marcel Raad (22 Aug 2017)
+- tool_main: turn off MinGW CRT's globbing
+
+ By default, the MinGW CRT globs command-line arguments. This prevents
+ getting a single asterisk into an argument as test 1299 does. Turn off
+ globbing by setting the global variable _CRT_glob to 0 for MinGW.
+
+ Fixes https://github.com/curl/curl/issues/1751
+ Closes https://github.com/curl/curl/pull/1813
+
+Viktor Szakats (22 Aug 2017)
+- makefile.m32: add support for libidn2
+
+ libidn was replaced with libidn2 last year in configure.
+ Caveat: libidn2 may depend on a list of further libs.
+ These can be manually specified via CURL_LDFLAG_EXTRAS.
+
+ Closes https://github.com/curl/curl/pull/1815
+
+Jay Satiro (22 Aug 2017)
+- [Viktor Szakats brought this change]
+
+ config-win32: define SIZEOF_LONG
+
+ Recent changes that replaced CURL_SIZEOF_LONG in the source with
+ SIZEOF_LONG broke builds that use the premade configuration files and
+ don't have SIZEOF_LONG defined.
+
+ Closes https://github.com/curl/curl/pull/1814
+
+Daniel Stenberg (20 Aug 2017)
+- cmake: enable picky compiler options with clang and gcc
+
+ closes #1799
+
+- curl/system.h: fix build for hppa
+
+ Reported-by: John David Anglin
+ Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872502#10
+
+- [Even Rouault brought this change]
+
+ tftp: fix memory leak on too long filename
+
+ Fixes
+
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+
+ ==9752== Memcheck, a memory error detector
+ ==9752== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
+ ==9752== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
+ ==9752== Command: /home/even/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz
+ ==9752==
+ curl: (71) TFTP file name too long
+
+ ==9752==
+ ==9752== HEAP SUMMARY:
+ ==9752== 505 bytes in 1 blocks are definitely lost in loss record 11 of 11
+ ==9752== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==9752== by 0x4E61CED: Curl_urldecode (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E75868: tftp_state_machine (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E761B6: tftp_do (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E711B6: multi_runsingle (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E71D00: curl_multi_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x4E6950D: curl_easy_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0)
+ ==9752== by 0x40E0B7: operate_do (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x40E849: operate (in /home/even/install-curl-git/bin/curl)
+ ==9752== by 0x402693: main (in /home/even/install-curl-git/bin/curl)
+
+ Fixes https://oss-fuzz.com/v2/testcase-detail/5232311106797568
+ Credit to OSS Fuzz
+
+ Closes #1808
+
+Dan Fandrich (19 Aug 2017)
+- runtests: fixed case insensitive matching of keywords
+
+ Commit 5c2aac71 didn't work in the case of mixed-case keywords given on
+ the command-line.
+
+- tests: Make sure libtests call curl_global_cleanup()
+
+ This ensures that global data allocations are freed so Valgrind stays
+ happy. This was a problem with at least PolarSSL and mbedTLS.
+
+Daniel Stenberg (18 Aug 2017)
+- RELEASE-NOTES: synced with 8baead425
+
+- scripts/contri*sh: use "git log --use-mailmap"
+
+- mailmap: de-duplify some git authors
+
+- http2_recv: return error better on fatal h2 errors
+
+ Ref #1012
+ Figured-out-by: Tatsuhiro Tsujikawa
+
+- KNOWN_BUGS: HTTP test server 'connection-monitor' problems
+
+ Closes #868
+
+- curl/system.h: check for __ppc__ as well
+
+ ... regression since issue #1774 (commit 10b3df10596a) since obviously
+ some older gcc doesn't know __powerpc__ while some newer doesn't know
+ __ppc__ ...
+
+ Fixes #1797
+ Closes #1798
+ Reported-by: Ryan Schmidt
+
+- [Jan Alexander Steffens (heftig) brought this change]
+
+ http: Don't wait on CONNECT when there is no proxy
+
+ Since curl 7.55.0, NetworkManager almost always failed its connectivity
+ check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP
+ CONNECT process entirely non-blocking).
+
+ This patch replaces !Curl_connect_complete with Curl_connect_ongoing,
+ which returns false if the CONNECT state was left uninitialized and lets
+ the connection continue.
+
+ Closes #1803
+ Fixes #1804
+
+ Also-fixed-by: Gergely Nagy
+
+- [Johannes Schindelin brought this change]
+
+ metalink: adjust source code style
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- CURL_SIZEOF_LONG: removed, use only SIZEOF_LONG
+
+- lib557: no longer use CURL_SIZEOF_* defines
+
+- config-win32: define SIZEOF_CURL_OFF_T
+
+- cmake: sizeof curl_off_t, remove unused detections
+
+- system.h: remove all CURL_SIZEOF_* defines
+
+ ... as they're not used externally and internally we check for the sizes
+ already in configure etc.
+
+ Closes #1767
+
+- ftp: fix CWD when doing multicwd then nocwd on same connection
+
+ Fixes #1782
+ Closes #1787
+ Reported-by: Peter Lamare
+
+- CURLOPT_SSH_COMPRESSION.3: enable with 1L
+
+ (leaves other values reserved for the future)
+
+- compressed-ssh.d: "Added: 7.56.0"
+
+- curl/system.h: checksrc compliance
+
+Jay Satiro (17 Aug 2017)
+- [Viktor Szakats brought this change]
+
+ ssh: add the ability to enable compression (for SCP/SFTP)
+
+ The required low-level logic was already available as part of
+ `libssh2` (via `LIBSSH2_FLAG_COMPRESS` `libssh2_session_flag()`[1]
+ option.)
+
+ This patch adds the new `libcurl` option `CURLOPT_SSH_COMPRESSION`
+ (boolean) and the new `curl` command-line option `--compressed-ssh`
+ to request this `libssh2` feature. To have compression enabled, it
+ is required that the SSH server supports a (zlib) compatible
+ compression method and that `libssh2` was built with `zlib` support
+ enabled.
+
+ [1] https://www.libssh2.org/libssh2_session_flag.html
+
+ Ref: https://github.com/curl/curl/issues/1732
+ Closes https://github.com/curl/curl/pull/1735
+
+- examples/ftpuploadresume: checksrc compliance
+
+- [Maksim Stsepanenka brought this change]
+
+ http_proxy: fix build error for CURL_DOES_CONVERSIONS
+
+ Closes https://github.com/curl/curl/pull/1793
+
+GitHub (16 Aug 2017)
+- [Nick Zitzmann brought this change]
+
+ configure: check for __builtin_available() availability (#1788)
+
+ This change does two things:
+ 1. It un-breaks the build in Xcode 9.0. (Xcode 9.0 is currently
+ failing trying to compile connectx() in lib/connect.c.)
+ 2. It finally weak-links the connectx() function, and falls back on
+ connect() when run on older operating systems.
+
+Daniel Stenberg (16 Aug 2017)
+- travis: add metalink to some osx builds
+
+ Closes #1790
+
+- [Max Dymond brought this change]
+
+ coverage: Use two coveralls commands to get lib/vtls results
+
+ closes #1747
+
+- darwinssi: fix error: variable length array used
+
+- m4/curl-compilers.m4: use proper quotes around string, not backticks
+
+ ... when setting clang version to assume 3.7
+
+ Caused a lot of "integer expression expected" warnings by configure.
+
+- [Benbuck Nason brought this change]
+
+ cmake: remove dead code for DISABLED_THREADSAFE
+
+ Closes #1786
+
+Jay Satiro (15 Aug 2017)
+- [Jakub Zakrzewski brought this change]
+
+ curl-confopts.m4: fix --disable-threaded-resolver
+
+ Closes https://github.com/curl/curl/issues/1784
+
+Daniel Stenberg (15 Aug 2017)
+- [Ryan Winograd brought this change]
+
+ progress: Track total times following redirects
+
+ Update the progress timers `t_nslookup`, `t_connect`, `t_appconnect`,
+ `t_pretransfer`, and `t_starttransfer` to track the total times for
+ these activities when a redirect is followed. Previously, only the times
+ for the most recent request would be tracked.
+
+ Related changes:
+
+ - Rename `Curl_pgrsResetTimesSizes` to `Curl_pgrsResetTransferSizes`
+ now that the function only resets transfer sizes and no longer
+ modifies any of the progress timers.
+
+ - Add a bool to the `Progress` struct that is used to prevent
+ double-counting `t_starttransfer` times.
+
+ Added test case 1399.
+
+ Fixes #522 and Known Bug 1.8
+ Closes #1602
+ Reported-by: joshhe on github
+
+- [Benbuck Nason brought this change]
+
+ cmake: remove dead code for CURL_DISABLE_RTMP
+
+ Closes #1785
+
+Kamil Dudka (15 Aug 2017)
+- zsh.pl: produce a working completion script again
+
+ Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help
+ to use <file> and <dir> instead of FILE and DIR, which caused zsh.pl to
+ produce a broken completion script:
+
+ % curl --<TAB>
+ _curl:10: no such file or directory: seconds
+
+ Closes #1779
+
+Daniel Stenberg (15 Aug 2017)
+- curlver: toward 7.56.0?
+
+- RELEASE-NOTES: synced with 91c46dc44
+
+- test1449: FTP download range with an too large size
+
+- strtoofft: reduce integer overflow risks globally
+
+ ... make sure we bail out on overflows.
+
+ Reported-by: Brian Carpenter
+ Closes #1758
+
+- travis: build the examples too
+
+ to make sure they keep building warning-free
+
+ Closes #1777
+
+- runtests: match keywords case insensitively
+
+- examples/ftpuploadresume.c: use portable code
+
+ ... converted from the MS specific _snscanf()
+
+Version 7.55.1 (13 Aug 2017)
+
+Daniel Stenberg (13 Aug 2017)
+- RELEASE-NOTES/THANKS: curl 7.55.1 release time
+
+- gitignore: ignore .xz now instead of .lzma
+
+- [Sergei Nikulov brought this change]
+
+ cmake: Threads detection update. ref: #1702
+
+ Closes #1719
+
+- ipv6_scope: support unique local addresses
+
+ Fixes #1764
+ Closes #1773
+ Reported-by: James Slaughter
+
+- [Alex Potapenko brought this change]
+
+ curl/system.h: GCC doesn't define __ppc__ on PowerPC, uses __powerpc__
+
+ Closes #1774
+
+- test1448: verify redirect to IDN using URL
+
+ Closes #1772
+
+- [Salah-Eddin Shaban brought this change]
+
+ redirect: skip URL encoding for host names
+
+ This fixes redirects to IDN URLs
+
+ Fixes #1441
+ Closes #1762
+ Reported by: David Lord
+
+- test2032: mark as flaky (again)
+
+- travis: test cmake build on tarball too
+
+ Could've prevented #1755
+
+- [Simon Warta brought this change]
+
+ cmake: allow user to override CMAKE_DEBUG_POSTFIX
+
+ Closes #1763
+
+- connect-to.d: better language
+
+- connect-to.d: clarified
+
+- bagder/Curl_tvdiff_us: fix the math
+
+ Regression since adef394ac5 (released in 7.55.0)
+
+ Reported-by: Han Qiao
+ Fixes #1769
+ Closes #1771
+
+- curl/system.h: add Oracle Solaris Studio
+
+ Fixes #1752
+
+- [Alessandro Ghedini brought this change]
+
+ docs: fix typo funtion -> function
+
+ Closes #1770
+
+Alessandro Ghedini (12 Aug 2017)
+- docs: fix grammar in CURL_SSLVERSION_MAX_DEFAULT description
+
+- docs: fix typo stuct -> struct
+
+Dan Fandrich (12 Aug 2017)
+- test1447: require a curl with http support
+
+Daniel Stenberg (11 Aug 2017)
+- [Thomas Petazzoni brought this change]
+
+ curl/system.h: support more architectures
+
+ The long list of architectures in include/curl/system.h is annoying to
+ maintain, and needs to be extended for each and every architecture to
+ support.
+
+ Instead, let's rely on the __SIZEOF_LONG__ define of the gcc compiler
+ (we are in the GNUC condition anyway), which tells us if long is 4
+ bytes or 8 bytes.
+
+ This fixes the build of libcurl 7.55.0 on architectures such as
+ OpenRISC or ARC.
+
+ Closes #1766
+
+ Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+- test2033: this went flaky again
+
+ Suspicion: when we enabled the threaded resolver by default.
+
+- test1447: verifies the parse proxy fix in 6e0e152ce5c
+
+- [Even Rouault brought this change]
+
+ parse_proxy(): fix memory leak in case of invalid proxy server name
+
+ Fixes the below leak:
+
+ $ valgrind --leak-check=full ~/install-curl-git/bin/curl --proxy "http://a:b@/x" http://127.0.0.1
+ curl: (5) Couldn't resolve proxy name
+ ==5048==
+ ==5048== HEAP SUMMARY:
+ ==5048== in use at exit: 532 bytes in 12 blocks
+ ==5048== total heap usage: 5,288 allocs, 5,276 frees, 445,271 bytes allocated
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 1 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CB79: parse_login_details (url.c:5614)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
+ ==5048==
+ ==5048== 2 bytes in 1 blocks are definitely lost in loss record 2 of 12
+ ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5048== by 0x4E6CBB6: parse_login_details (url.c:5621)
+ ==5048== by 0x4E6BA82: parse_proxy (url.c:5091)
+ ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
+ ==5048== by 0x4E6EA18: create_conn (url.c:6498)
+ ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967)
+ ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436)
+ ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160)
+ ==5048== by 0x4E7C515: easy_transfer (easy.c:708)
+ ==5048== by 0x4E7C74A: easy_perform (easy.c:794)
+ ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813)
+ ==5048== by 0x414025: operate_do (tool_operate.c:1563)
+
+ Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2984
+ Credit to OSS Fuzz for discovery
+
+ Closes #1761
+
+- RELEASE-NOTES: synced with 37f2195a9
+
+- curlver: bump to 7.55.1
+
+- openssl: fix "error: this statement may fall through"
+
+ A gcc7 warning.
+
+- [David Benjamin brought this change]
+
+ openssl: remove CONST_ASN1_BIT_STRING.
+
+ Just making the pointer as const works for the pre-1.1.0 path too.
+
+ Closes #1759
+
+- maketgz: remove old *.dist files before making the tarball
+
+ To avoid "old crap" unintentionally getting shipped.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0050.html
+ Reported-by: Christian Weisgerber
+
+Jay Satiro (10 Aug 2017)
+- mkhelp.pl: allow executing this script directly
+
+ - Enable execute permission (chmod +x)
+
+ - Change interpreter to /usr/bin/env perl
+
+ Ref: https://github.com/curl/curl/issues/1743
+
+Daniel Stenberg (10 Aug 2017)
+- configure: use the threaded resolver backend by default if possible
+
+ Closes #1647
+
+- cmake: move cmake_uninstall.cmake to CMake/
+
+ Closes #1756
+
+- metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead
+
+- dist: fix the cmake build by shipping cmake_uninstall.cmake.in too
+
+ Fixes #1755
+
+- travis: verify "make install"
+
+ Help-by: Jay Satiro
+ Closes #1753
+
+Marcel Raad (10 Aug 2017)
+- build: check out *.sln files with Windows line endings
+
+ Visual Studio doesn't like LF line endings in solution files and always
+ converts them to CRLF when doing changes to the solution. Notably, this
+ affects the solutions in the release archive.
+
+ Closes https://github.com/curl/curl/pull/1746
+
+- gitignore: ignore top-level .vs folder
+
+ This folder is generated when using the CMake build system from within
+ Visual Studio.
+
+ Closes https://github.com/curl/curl/pull/1746
+
+Jay Satiro (10 Aug 2017)
+- digest_sspi: Don't reuse context if the user/passwd has changed
+
+ Bug: https://github.com/curl/curl/issues/1685
+ Reported-by: paulharris@users.noreply.github.com
+
+ Assisted-by: Isaac Boukris
+
+ Closes https://github.com/curl/curl/pull/1742
+
+Daniel Stenberg (9 Aug 2017)
+- [Adam Sampson brought this change]
+
+ dist: Add dictserver.py/negtelnetserver.py to EXTRA_DIST
+
+ These weren't included in the 7.55.0 release, but are required in order
+ to run the full test suite.
+
+ Closes #1744
+
+- [Adam Sampson brought this change]
+
+ curl: do bounds check using a double comparison
+
+ The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
+ complete: if the parsed number in num is larger than will fit in a long,
+ the conversion is undefined behaviour (causing test1427 to fail for me
+ on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting
+ rid of the cast means the comparison will be done using doubles.
+
+ It might make more sense for the max argument to also be a double...
+
+ Fixes #1750
+ Closes #1749
+
+- make install: add 8 missing man pages to the installation
+
+- build: fix 'make install' with configure, install docs/libcurl/* too
+
+ Broken since d24838d4da9faa
+
+ Reported-by: Bernard Spil
+
+Version 7.55.0 (9 Aug 2017)
+
+Daniel Stenberg (9 Aug 2017)
+- RELEASE-NOTES: curl 7.55.0
+
+- THANKS: 20 new contributors in 7.55.0
+
+- [Viktor Szakats brought this change]
+
+ docs/comments: Update to secure URL versions
+
+ Closes #1741
+
+- configure: fix recv/send/select detection on Android
+
+ ... since they now provide several functions as
+ __attribute__((overloadable)), the argument detection logic need
+ updates.
+
+ Patched-by: destman at github
+
+ Fixes #1738
+ Closes #1739
+
+Marcel Raad (8 Aug 2017)
+- ax_code_coverage.m4: update to latest version
+
+ This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d
+ from August 01, 2017. Notably, this removes the lconv version whitelist.
+
+ Closes https://github.com/curl/curl/pull/1716
+
+Daniel Stenberg (7 Aug 2017)
+- test1427: verify command line parser integer overflow detection
+
+- curl: detect and bail out early on parameter integer overflows
+
+ Make the number parser aware of the maximum limit curl accepts for a
+ value and return an error immediately if larger, instead of running an
+ integer overflow later.
+
+ Fixes #1730
+ Closes #1736
+
+- glob: do not continue parsing after a strtoul() overflow range
+
+ Added test 1289 to verify.
+
+ CVE-2017-1000101
+
+ Bug: https://curl.haxx.se/docs/adv_20170809A.html
+ Reported-by: Brian Carpenter
+
+- tftp: reject file name lengths that don't fit
+
+ ... and thereby avoid telling send() to send off more bytes than the
+ size of the buffer!
+
+ CVE-2017-1000100
+
+ Bug: https://curl.haxx.se/docs/adv_20170809B.html
+ Reported-by: Even Rouault
+
+ Credit to OSS-Fuzz for the discovery
+
+- [Even Rouault brought this change]
+
+ file: output the correct buffer to the user
+
+ Regression brought by 7c312f84ea930d8 (April 2017)
+
+ CVE-2017-1000099
+
+ Bug: https://curl.haxx.se/docs/adv_20170809C.html
+
+ Credit to OSS-Fuzz for the discovery
+
+- easy_events: make event data static
+
+ First: this function is only used in debug-builds and not in
+ release/real builds. It is used to drive tests using the event-based
+ API.
+
+ A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the
+ CURLMOPT_TIMERFUNCTION calback can in fact be called even after this
+ funtion returns, namely when curl_multi_remove_handle() is called.
+
+ Reported-by: Brian Carpenter
+
+- getparameter: avoid returning uninitialized 'usedarg'
+
+ Fixes #1728
+
+Marcel Raad (5 Aug 2017)
+- [Isaac Boukris brought this change]
+
+ gssapi: fix memory leak of output token in multi round context
+
+ When multiple rounds are needed to establish a security context
+ (usually ntlm), we overwrite old token with a new one without free.
+ Found by proposed gss tests using stub a gss implementation (by
+ valgrind error), though I have confirmed the leak with a real
+ gssapi implementation as well.
+
+ Closes https://github.com/curl/curl/pull/1733
+
+- darwinssl: fix compiler warning
+
+ clang complains:
+ vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive
+ [-Werror,-Wextra-tokens]
+
+ This breaks the darwinssl build on Travis. Fix it by making this token
+ a comment.
+
+ Closes https://github.com/curl/curl/pull/1734
+
+- CMake: fix CURL_WERROR for MSVC
+
+ When using CURL_WERROR in MSVC builds, the debug flags were overridden
+ by the release flags and /WX got added twice in debug mode.
+
+ Closes https://github.com/curl/curl/pull/1715
+
+Daniel Stenberg (4 Aug 2017)
+- RELEASE-NOTES: synced with 561e9217c
+
+- test1010: verify that #1718 is fixed
+
+ ... by doing two transfers in nocwd mode and check that there's no
+ superfluous CWD command.
+
+- FTP: skip unnecessary CWD when in nocwd mode
+
+ ... when reusing a connection. If it didn't do any CWD previously.
+
+ Fixes #1718
+
+Marcel Raad (4 Aug 2017)
+- travis: explicitly specify dist
+
+ This makes the builds more reproducible as travis is currently rolling
+ out trusty as default dist [1]. Specifically, this avoids coverage
+ check failures when trusty is used as seen in [2] until we figure out
+ what's wrong.
+
+ [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
+ [2] https://github.com/curl/curl/pull/1692
+
+ Closes https://github.com/curl/curl/pull/1725
+
+Daniel Stenberg (4 Aug 2017)
+- travis: BUILD_TYPE => T
+
+ (to make the full line appear nicer on travis web UI)
+
+- travis: add osx build with darwinssl
+
+ Closes #1706
+
+- darwin: silence compiler warnings
+
+ With a clang pragma and three type fixes
+
+ Fixes #1722
+
+- BUILD.WINDOWS: mention buildconf.bat for builds off git
+
+- darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
+
+- test130: verify comments in .netrc
+
+- [Gisle Vanem brought this change]
+
+ netrc: skip lines starting with '#'
+
+ Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
+
+Marcel Raad (3 Aug 2017)
+- CMake: set MSVC warning level to 4
+
+ The MSVC warning level defaults to 3 in CMake. Change it to 4, which is
+ consistent with the Visual Studio and NMake builds. Disable level 4
+ warning C4127 for the library and additionally C4306 for the test
+ servers to get a clean CURL_WERROR build as that warning is raised in
+ some macros in older Visual Studio versions.
+
+ Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794
+ Closes https://github.com/curl/curl/pull/1711
+
+Daniel Stenberg (2 Aug 2017)
+- CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2
+
+ Reported-by: Viktor Szakats
+
+- CURLOPT_NETRC.3: mention the file name on windows
+
+ ... and CURLOPT_NETRC_FILE(3).
+
+- travis: build osx with libressl too
+
+- travis: build osx with openssl too
+
+- tests/server/util: fix curltime mistake from 4dee50b9c80f9
+
+Marcel Raad (1 Aug 2017)
+- curl_threads: fix MSVC compiler warning
+
+ Use LongToHandle to convert from long to HANDLE in the Win32
+ implementation.
+ This should fix the following warning when compiling with
+ MSVC 11 (2012) in 64-bit mode:
+ lib\curl_threads.c(113): warning C4306:
+ 'type cast' : conversion from 'long' to 'HANDLE' of greater size
+
+ Closes https://github.com/curl/curl/pull/1717
+
+Daniel Stenberg (1 Aug 2017)
+- BUGS: improved phrasing about security bugs
+
+ Reported-by: Max Dymond
+
+- BUGS: clarify how to report security related bugs
+
+- [Brad Spencer brought this change]
+
+ multi: fix request timer management
+
+ There are some bugs in how timers are managed for a single easy handle
+ that causes the wrong "next timeout" value to be reported to the
+ application when a new minimum needs to be recomputed and that new
+ minimum should be an existing timer that isn't currently set for the
+ easy handle. When the application drives a set of easy handles via the
+ `curl_multi_socket_action()` API (for example), it gets told to wait the
+ wrong amount of time before the next call, which causes requests to
+ linger for a long time (or, it is my guess, possibly forever).
+
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
+
+Jay Satiro (1 Aug 2017)
+- curl_setup: Define CURL_NO_OLDIES for building libcurl
+
+ .. to catch accidental use of deprecated error codes.
+
+ Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
+
+Daniel Stenberg (1 Aug 2017)
+- [Jeremy Tan brought this change]
+
+ configure: fix the check for IdnToUnicode
+
+ Fixes #1669
+ Closes #1713
+
+- http: fix response code parser to avoid integer overflow
+
+ test 1429 and 1433 were updated to work with the stricter HTTP status line
+ parser.
+
+ Closes #1714
+ Reported-by: Brian Carpenter
+
+Jay Satiro (31 Jul 2017)
+- [Dwarakanath Yadavalli brought this change]
+
+ libcurl: Stop using error codes defined under CURL_NO_OLDIES
+
+ Fixes https://github.com/curl/curl/issues/1688
+ Closes https://github.com/curl/curl/pull/1712
+
+- include.d: clarify --include is only for response headers
+
+ Follow-up to 171f8de and de6de94.
+
+ Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851
+ Reported-by: Daniel Stenberg
+
+Daniel Stenberg (30 Jul 2017)
+- [Jason Juang brought this change]
+
+ cmake: support make uninstall
+
+ Closes #1674
+
+- RELEASE-NOTES: synced with 001701c47
+
+Marcel Raad (29 Jul 2017)
+- AppVeyor: now really use CURL_WERROR
+
+ It was misspelled as CURL_ERROR in commit
+ 2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4.
+
+ Closes https://github.com/curl/curl/pull/1686
+
+Jay Satiro (29 Jul 2017)
+- tool_help: clarify --include is only for response headers
+
+ Follow-up to 171f8de.
+
+ Ref: https://github.com/curl/curl/issues/1704
+
+- splay: fix signed/unsigned mismatch warning
+
+ Follow-up to 4dee50b.
+
+ Ref: https://github.com/curl/curl/pull/1693
+
+Daniel Stenberg (28 Jul 2017)
+- include.d: clarify that it concerns the response headers
+
+ Reported-by: olesteban at github
+ Fixes #1704
+
+- [Johannes Schindelin brought this change]
+
+ curl_rtmp: fix a compiler warning
+
+ The headers of librtmp declare the socket as `int`, and on Windows, that
+ disagrees with curl_socket_t.
+
+ Bug: #1652
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
+
+- test1323: verify curlx_tvdiff
+
+- timeval: struct curltime is a struct timeval replacement
+
+ ... to make all libcurl internals able to use the same data types for
+ the struct members. The timeval struct differs subtly on several
+ platforms so it makes it cumbersome to use everywhere.
+
+ Ref: #1652
+ Closes #1693
+
+- darwinssl: fix variable type mistake (regression)
+
+ ... which made --tlsv1.2 not work because it would blank the max tls
+ version variable.
+
+ Reported-by: Nick Miyake
+ Bug: #1703
+
+- multi: mention integer overflow risk if using > 500 million sockets
+
+ Reported-by: ovidiu-benea@users.noreply.github.com
+
+ Closes #1675
+ Closes #1683
+
+- checksrc: escape open brace in regex
+
+ ... to silence warning.
+
+Kamil Dudka (20 Jul 2017)
+- nss: fix a possible use-after-free in SelectClientCert()
+
+ ... causing a SIGSEGV in showit() in case the handle used to initiate
+ the connection has already been freed.
+
+ This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.
+
+ Reported-by: Rob Sanders
+ Bug: https://bugzilla.redhat.com/1436158
+
+- nss: unify the coding style of nss_send() and nss_recv()
+
+ No changes in behavior intended by this commit.
-- fix socket data type
+Marcel Raad (18 Jul 2017)
+- tests/server/resolve.c: fix deprecation warning
+
+ MSVC warns that gethostbyname is deprecated. Always use getaddrinfo
+ instead to fix this when IPv6 is enabled, also for IPv4 resolves. This
+ is also consistent with what libcurl does.
+
+ Closes https://github.com/curl/curl/pull/1682
+
+Jay Satiro (17 Jul 2017)
+- darwinssl: fix pinnedpubkey build error
+
+ - s/SessionHandle/Curl_easy/
+
+ Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670
+ Reported-by: Gisle Vanem
+
+Marcel Raad (16 Jul 2017)
+- rtspd: fix GCC warning after MSVC warning fix
+
+ Older GCC warns:
+ /tests/server/rtspd.c:1194:10: warning: missing braces around
+ initializer [-Wmissing-braces]
+
+ Fix this by using memset instead of an initializer.
+
+- libtest: fix MSVC warning C4706
+
+ With warning level 4, MSVC warns about assignments within conditional
+ expressions. Change the while loop to a do-while loop to fix this. This
+ change is also consistent with CODE_STYLE.md.
+
+- sockfilt: suppress conversion warning with explicit cast
+
+ MSVC warns when implicitly casting -1 to unsigned long.
+
+- rtspd: fix MSVC level 4 warning
+
+ warning C4701: potentially uninitialized local variable 'req' used
+
+- winbuild: re-enable warning C4127 for curl tool
+
+ Disabled in cda19a345f6970e22fe8b7a808aeb8f086a21eac. It only needs to
+ be disabled for libcurl.
-- fix socket data type and logging format in debug tracking socket functions
+- winbuild: build with warning level 4
+
+ This is consistent with 7bc64561a2e63ca93e4b0b31d350773ba80955c2, which
+ changed the warning level from 3 to 4 for the Visual Studio project
+ files. But disable the level 4 warning C4127 "conditional expression is
+ constant", as that one is issued by older versions of the Windows SDK
+ as well as curl itself under some circumstances.
+
+ Closes https://github.com/curl/curl/pull/1667
-- convert Curl_ultous() and Curl_ultouc() functions to curlx_ultous() and
- curlx_ultouc(), exposing them through curlx.h to allow proper code reuse
- later in our test harness.
+Jay Satiro (12 Jul 2017)
+- [Max Dymond brought this change]
-- updated sources
+ travis: install libidn2
+
+ Install libidn2 to increase test coverage (IDN tests)
+
+ Closes https://github.com/curl/curl/pull/1673
-Patrick Monnerat (22 Feb 2010)
-- _ Adjusted RFC821 HELO fallback and enabled test804
+Marcel Raad (12 Jul 2017)
+- travis: enable warnings also in release mode
+
+ ... to get warnings also on Linux/GCC and OSX/clang.
+
+ Closes https://github.com/curl/curl/pull/1666
-- - Proper handling of STARTTLS on SMTP, taking CURLUSESSL_TRY into account.
- - SMTP falls back to RFC821 HELO when EHLO fails (and SSL is not required).
- - Use of true local host name (i.e.: via gethostname()) when available, as default argument to SMTP HELO/EHLO.
- - Test case 804 for HELO fallback.
+Daniel Stenberg (12 Jul 2017)
+- [Max Dymond brought this change]
-Yang Tse (22 Feb 2010)
-- add header inclusion
+ travis: install libssh2
+
+ Install libssh2 to increase test coverage (SFTP, SCP)
-- fix compiler warning
+Marcel Raad (12 Jul 2017)
+- system.h: include winsock2.h before windows.h
+
+ ... to avoid compiler warnings if the user doesn't want
+ WIN32_LEAN_AND_MEAN.
-- fix compiler warning
+- build: remove WIN32_LEAN_AND_MEAN from individual build systems
+
+ It's defined for all build systems in curl_setup.h since commit
+ beb08481d01a07a8b10938b1078a5e298b1c2912. This caused macro
+ redefinition warnings in the configure builds.
+
+ Closes https://github.com/curl/curl/pull/1677
-Daniel Stenberg (21 Feb 2010)
-- clarify more details on section "2.1 More non-blocking"
+Jay Satiro (11 Jul 2017)
+- ISSUE_TEMPLATE: Add a comment not to file security issues on github
-- TFTP transfers are not blocking since 7.20.0
+Marcel Raad (11 Jul 2017)
+- curl_setup: always define WIN32_LEAN_AND_MEAN on Windows
+
+ Make sure to always define WIN32_LEAN_AND_MEAN before including any
+ Windows headers to avoid pulling in unnecessary headers. This avoids
+ unnecessary macro clashes and compiler warnings.
+
+ Ref: https://github.com/curl/curl/issues/1562
+ Closes https://github.com/curl/curl/pull/1672
-- - Fixed the SMTP compliance by making sure RCPT TO addresses are specified
- properly in angle brackets. Recipients provided with CURLOPT_MAIL_RCPT now
- get angle bracket wrapping automatically by libcurl unless the recipient
- starts with an angle bracket as then the app is assumed to deal with that
- properly on its own.
+Jay Satiro (11 Jul 2017)
+- strerror: Preserve Windows error code in some functions
+
+ This is a follow-up to af02162 which removed (SET_)ERRNO macros. That
+ commit was an earlier draft that I committed by mistake, which was then
+ remedied by a5834e5 and e909de6, and now this commit. With this commit
+ there is now no difference between the current code and the changes that
+ were approved in the final draft.
+
+ Thanks-to: Max Dymond, Marcel Raad, Daniel Stenberg, Gisle Vanem
+ Ref: https://github.com/curl/curl/pull/1589
-- - I made the SMTP code expect a 250 response back from the server after the
- full DATA has been sent, and I modified the test SMTP server to also send
- that response. As usual, the DONE operation that is made after a completed
- transfer is still not doable in a non-blocking way so this waiting for 250
- is unfortunately made blockingly.
+Marcel Raad (10 Jul 2017)
+- [Max Dymond brought this change]
-- corected a comment and wrapped a few longish lines
+ tests: Fix up issues with errno in test files
+
+ Closes https://github.com/curl/curl/pull/1671
-Yang Tse (20 Feb 2010)
-- fix compiler warning
+Daniel Stenberg (10 Jul 2017)
+- errno: fix non-windows builds after af0216251b94e7
-- fix compiler warning
+- [Ryan Winograd brought this change]
-- fix compiler warning
+ make: fix docs build on OpenBSD
+
+ Ref: #1591
-- fix compiler warning
+Marcel Raad (10 Jul 2017)
+- ldap: fix MinGW compiler warning
+
+ ldap_bind_s is marked as deprecated in w32api's winldap.h shipping with
+ the latest original MinGW, resulting in compiler warnings since commit
+ f0fe66f13c93d3d0af45d9fb1231c9164e0f9dc8. Fix this for the non-SSPI
+ case by using ldap_simple_bind_s again instead of ldap_bind_s with
+ LDAP_AUTH_SIMPLE.
+
+ Closes https://github.com/curl/curl/pull/1664
-- fix compiler warning
+- curl-compilers.m4: disable warning spam with Cygwin's clang
+
+ When building with Cygwin or MinGW, libtool uses a wrapper executable
+ instead of a wrapper script [1], which is written in C and throws
+ missing-variable-declarations warnings. Don't enable these warnings on
+ Cygwin and MinGW in order to avoid warnings for every executable built,
+ which spams the test suite output when using Cygwin's clang.
+
+ [1] https://www.gnu.org/software/libtool/manual/html_node/Wrapper-executables.html
+
+ Closes https://github.com/curl/curl/pull/1665
-Daniel Stenberg (17 Feb 2010)
-- ares_reinit()
+Jay Satiro (10 Jul 2017)
+- curl_setup_once: Remove ERRNO/SET_ERRNO macros
+
+ Prior to this change (SET_)ERRNO mapped to GetLastError/SetLastError
+ for Win32 and regular errno otherwise.
- - To allow an app to force a re-read of /etc/resolv.conf etc, pretty much
- like the res_init() resolver function offers
+ I reviewed the code and found no justifiable reason for conflating errno
+ on WIN32 with GetLastError/SetLastError. All Win32 CRTs support errno,
+ and any Win32 multithreaded CRT supports thread-local errno.
+
+ Fixes https://github.com/curl/curl/issues/895
+ Closes https://github.com/curl/curl/pull/1589
+
+- tool_getparam: fix potentially uninitialized err
-- use curl standard indentation and line lengths
+Marcel Raad (9 Jul 2017)
+- smb: rename variable to fix shadowing warning
+
+ GCC 4.6.3 on travis complains:
+ smb.c: In function ‘get_posix_time’:
+ smb.c:725:13: error: declaration of ‘time’ shadows a global declaration
+ [-Werror=shadow]
+
+ Fix this by renaming the variable.
-Yang Tse (16 Feb 2010)
-- replaced tabs with spaces
+- tool_cb_wrt: fix variable shadowing warning
+
+ GCC 4.4 complains:
+ tool_cb_wrt.c:81: error: declaration of ‘isatty’ shadows a global
+ declaration
+ /usr/include/unistd.h:782: error: shadowed declaration is here
+
+ Fix this by renaming the variable.
+
+ Closes https://github.com/curl/curl/pull/1661
-- fix Content-Length validation
+Daniel Stenberg (8 Jul 2017)
+- RELEASE-NOTES: synced with be2c999b8
-Daniel Stenberg (15 Feb 2010)
-- use (void) in front of fwrite() calls that ignore the return code
+- travis: install stunnel
-Yang Tse (15 Feb 2010)
-- fix compiler warning: conversion from "long" to "size_t" may lose sign
+- valgrind.supp: supress OpenSSL false positive seen on travis
-- fix compiler warning: conversion from "long" to "size_t" may lose sign
+- travis: detect and use valgrind for normal builds
+
+ Closes #1653
-Daniel Stenberg (15 Feb 2010)
-- -w speed_download and speed_upload are measured in bytes per second
+- travis: add SMB, DICT, TELNET torture to coverage test
-- 75. NTLM authentication involving unicode user name or password.
- http://curl.haxx.se/mail/lib-2009-10/0024.html
- http://curl.haxx.se/bug/view.cgi?id=2944325
+- [Paul Harris brought this change]
-Yang Tse (14 Feb 2010)
-- removed trailing whitespace
+ cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC
+
+ Removes BUILD_RELEASE_DEBUG_DIRS since it wasn't used anywhere.
+
+ Closes #1649
-- fix compiler warning
+- CURLOPT_POSTFIELDS.3: explain the 100-continue magic better
-- Overhauled test suite getpart() function. Fixing potential out of bounds
- stack and memory overwrites triggered with huge test case definitions.
+- [Max Dymond brought this change]
-Daniel Stenberg (13 Feb 2010)
-- - Martin Hager reported and fixed a problem with a missing quote in libcurl.m4
+ test1452: add telnet negotiation
- (http://curl.haxx.se/bug/view.cgi?id=2951319)
+ Add a basic telnet server for negotiating some telnet options before
+ echoing back any data that's sent to it.
+
+ Closes #1645
-Gunter Knauf (13 Feb 2010)
-- used allways #ifdef / #ifndef;
- moved gethostbyname_thread() to #else case to avoid 'not used' compiler warning.
+- travis: do more tests in the coverage run
+
+ I added a selection of torture and event tests that run "fast enough"
-- replaced tabs by spaces, removed trailing tabs/spaces.
+- curl_easy_escape.3: mention the (lack of) encoding
+
+ Fixes #1612
+ Reported-by: Jeroen Ooms
-Daniel Stenberg (13 Feb 2010)
-- - Tom Donovan fixed the CURL_FORMAT_* defines when building with cmake.
+- [Gisle Vanem brought this change]
-- - Jack Zhang reported a problem with SMTP: we wrongly used multiple addresses
- in the same RCPT TO line, when they should be sent in separate single
- commands. I updated test case 802 to verify this.
+ memdebug: don't setbuf() if the file open failed
- - I also fixed a bad use of my_setopt_str() of CURLOPT_MAIL_RCPT in the curl
- tool which made it try to output it as string for the --libcurl feature
- which could lead to crashes.
+ Bug: https://github.com/curl/curl/issues/828#issuecomment-313475151
+
+- appveyor: enable CURL_WERROR on all builds
-- CURLOPT_MAIL_RCPT is *not* a string so we must not try to printf() it
+- cmake: add CURL_WERROR for enabling "warning as errors"
-- free --mail-from strings properly
+- [Hannes Magnusson brought this change]
-Patrick Monnerat (11 Feb 2010)
-- _ Make it compilable again on OS400.
- _ Upgrade OS400 EBCDIC wrappers for new options.
- _ Upgrade ILE/RPG bindings to current state.
+ cmake: remove spurious "-l" from linker flags
+
+ Fixes #1552
+
+- test506: skip if threaded-resolver
-Yang Tse (11 Feb 2010)
-- mention last changes
+- runtests: support "threaded-resolver" as a feature
+
+ ... to let tests require it or skip if present
-- Steven M. Schweda updated VMS readme file
+- asyn-thread.c: fix unused variable warnings on macOS
-- Steven M. Schweda removed batch_compile.com and defines.com
+- http: s/TINY_INITIAL_POST_SIZE/EXPECT_100_THRESHOLD
+
+ Make the name reflect its use better, and add a short comment describing
+ what it's for.
-- Steven M. Schweda fixed:
+- cmake: if inet_pton is used, bump _WIN32_WINNT
- VMS builder bad behavior when used in a batch job.
+ ... and make sure inet_pton is always checked for when *not* using Windows,
+ which is a regression from 4fc6ebe18.
- Various ".LIS" and ".MAP" files created without being requested
- by a "LIST" command-line option, and in the wrong place, too.
+ Idea-by: Sergei Nikulov
+
+- select.h: avoid macro redefinition harder
- Some minor typographical changes.
+ ... by checking the POLLIN define, as the header file checks don't work
+ on Windows.
-Dan Fandrich (10 Feb 2010)
-- Mention the minimum size of CURL_MAX_WRITE_SIZE
+- inet_pton: fix include on windows to get prototype
+
+ inet_pton() exists on Windows and gets used by our cmake builds. Make
+ sure the correct header file is included to avoid compiler warnings.
+
+ Closes #1639
-Yang Tse (10 Feb 2010)
-- - remove extra "\r\n" from doc404_RTSP
+- TODO: 1.10 auto-detect proxy
- - avoid memory alignment issue when setting RTSP packet length
+ Closes #1572
-Dan Fandrich (9 Feb 2010)
-- Removed some erroneous "compressed" key words
+- TODO: HTTP proxy CONNECT is non-blocking now
-Daniel Stenberg (9 Feb 2010)
-- start working on 7.20.1
+- cmake: fix send/recv argument scanner for windows
+
+ ... by simply trying the Windows argument types first.
+
+ Fixes #1640
-Version 7.20.0 (9 Feb 2010)
+- RELEASE-NOTES: synced with 596cfb6c0
-Daniel Stenberg (9 Feb 2010)
-- spell and 7.20.0
+- [Gisle Vanem brought this change]
-- - When downloading compressed content over HTTP and the app as asked libcurl
- to automatically uncompress it with the CURLOPT_ENCODING option, libcurl
- could wrongly provide the callback with more data than what the maximum
- documented amount. An application could thus get tricked into badness if the
- maximum limit was trusted to be enforced by libcurl itself (as it is
- documented).
+ smb: add support for CURLOPT_FILETIME
+
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
- This is further detailed and explained in the libcurl security advisory
- 20100209 at
+ Closes #1643
+
+- travis: install nghttp2 on linux builds
- http://curl.haxx.se/docs/adv_20100209.html
+ Closes #1642
+
+- [Gisle Vanem brought this change]
-- set VERSIONINFO accordingly for the 7.20.0 release
+ smb: fix build for djgpp/MSDOS
+
+ bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
-Yang Tse (6 Feb 2010)
-- warning fix
+- configure: try ldap/lber in reversed order first
+
+ When scanning for which LDAP libraries to use, try the -lldap -llber
+ combination before the reversed order since it has a greater chance of
+ working when linking with libcurl statically.
+
+ Fixes #1619
+ Closes #1634
+ Reported-by: David E. Narváez
-- OOM handling fix
+- configure: remove checks for 5 functions never used
+
+ fork, getprotobyname, inet_addr, perror, uname
+
+ closes #1638
-- OOM handling fix
+- dist: add SMB python deps into the tarball
-- fix compiler warning
+- [Max Dymond brought this change]
-- fix compiler warning
+ test1451: add SMB support to the testbed
+
+ Add test 1451 which does some very basic SMB testing using the impacket
+ SMB server.
+
+ Closes #1630
-- fix compiler warning
+- [Max Dymond brought this change]
-- Addes OOM handling for curl_easy_setopt() calls in test
+ test: add impacket for SMB testing
+
+ Import impacket 0.9.15 for use in SMB testing. This was generated by
+ doing "pip2.7 install -t . impacket"
+
+ Unnecessary files for current testing were deleted.
-- - avoid OpenSSL 0.9.8 ENGINE_by_id memory leak
+- travis.yml: use --enable-werror on debug builds
+
+ ... to better detect and fault on compiler warnings/errors
- - cleanup parenthesis usage in return statements
+ Closes #1637
-- - attempt to workaround icc 9.1 optimizer issue
+- tool_sleep: typecast to avoid macos compiler warning
+
+ tool_sleep.c:54:24: error: implicit conversion loses integer precision:
+ 'long' to '__darwin_suseconds_t' (aka 'int')
+ [-Werror,-Wshorten-64-to-32]
-- fix printf-style format strings
+- [Martin Kepplinger brought this change]
-- Validate server port argument
+ timeval.c: Use long long constant type for timeval assignment
+
+ On a 64 bit host, sparse says:
+
+ timeval.c:148:15: warning: constant 0x7fffffffffffffff is so big it is long
+ timeval.c:149:12: warning: constant 0x7fffffffffffffff is so big it is long
+
+ so let's use long long constant types in order to prevent undesired overflow
+ failures.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-07/0003.html
+
+ Closes #1636
+
+ Signed-off-by: Martin Kepplinger <martink@posteo.de>
-- Fix variable initialization
+- url: make the original string get used on subsequent transfers
+
+ ... since CURLOPT_URL should follow the same rules as other options:
+ they remain set until changed or cleared.
+
+ Added test 1551 to verify.
+
+ Fixes #1631
+ Closes #1632
+ Reported-by: Pavel Rochnyak
-- Modified test case 557 to additionally verify libcurl's internal curl_m*printf()
- functions formatting functionality when handling signed and unsigned shorts.
+- [Johannes Schindelin brought this change]
-- Added size check for 'short' data type
+ gtls: fix build when sizeof(long) < sizeof(void *)
+
+ - Change gnutls pointer/int macros to pointer/curl_socket_t.
+ Prior to this change they used long type as well.
+
+ The size of the `long` data type can be shorter than that of pointer
+ types. This is the case most notably on Windows.
+
+ If C99 were acceptable, we could simply use `intptr_t` here. But we
+ want to retain C89 compatibility.
+
+ Simply use the trick of performing pointer arithmetic with the NULL
+ pointer: to convert an integer `i` to a pointer, simply take the
+ address of the `i`th element of a hypothetical character array
+ starting at address NULL. To convert back, simply cast the pointer
+ difference.
+
+ Thanks to Jay Satiro for the initial modification to use curl_socket_t
+ instead of int/long.
+
+ Closes #1617
+
+ Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-- Fix compiler warning: unused variable
+- [Ryan Winograd brought this change]
-- added an additional second to allow test to pass on heavily loaded servers
+ unit1399: fix integer overflow
+
+ Bug: #1616
+ Closes #1633
-Dan Fandrich (3 Feb 2010)
-- Changed the Watcom makefiles to make them easier to keep in sync with
- Makefile.inc since that can't be included directly.
+- [Per Malmberg brought this change]
-Daniel Stenberg (3 Feb 2010)
-- more symbols added in 7.20.0
+ cmake: Added compatibility options for older Windows versions
+
+ CURL_STATIC_CRT and ENABLE_INET_PTON
+
+ Closes #1621
-Yang Tse (3 Feb 2010)
-- Fix OOM handling
+- unit1399: add logging to time comparison
+
+ ... to enable tracking down why autobuilds fail on this
+
+ Bug: #1616
-- Fix progressmode Configurable struct member data type. Changed to
- 'int' which fits better with existing CURL_PROGRESS_* definitions.
+- make: build the docs subdir only from within src
+
+ ... and don't build at all in include
+
+ Prompted-by-work-by: Simon Warta
+ Ref: #1590
+ Closes #1591
-- Fix portability issue related with unaligned memory access
+- [Max Dymond brought this change]
-- Fix compiler warnings: conversion from 'const int ' to 'unsigned char ', possible loss of data
+ test1450: fix up DICT server in torture mode
+
+ As per https://github.com/curl/curl/pull/1615, the DICT server is a
+ little spammy in torture mode due to the sockets being torn down
+ unexpectedly. Fix this by adding some error handling to the handling
+ function.
+
+ Closes #1629
-- cookies with same path length might get sorted in different order when
- using different qsort implementations. In order to make this test give
- same results on different systems, paths now have different lengths.
+- [Max Dymond brought this change]
-- added an additional second to allow test to pass on heavily loaded servers
+ test1450: add simple testing for DICT
+
+ Add a new server which provides a DICT interface. This is intended to
+ begin coverage testing for lib/dict.c
+
+ Closes #1615
-- Fix compiler warning: conditional expression is constant
+- [Dan Fandrich brought this change]
-- Fix compiler warning: local variable may be used without having been initialized.
+ test1521: fix out-of-tree builds, broken with 467da3af
+
+ The test.h file is no longer in the same directory as the source file,
+ so that directory needs to be added to the include path.
+
+ Fixes #1627
+ Closes #1628
-- Fix compiler warnings: conversion from 'const int ' to 'unsigned char ', possible loss of data
+- [Max Dymond brought this change]
-- Fix compiler warnings:
+ http2: handle PING frames
- (1) conversion from 'const int ' to 'unsigned char ', possible loss of data
- (2) conditional expression is constant
+ Add a connection check function to HTTP2 based off RTSP. This causes
+ PINGs to be handled the next time the connection is reused.
+
+ Closes #1521
-- mention a couple of changes back from November
+- [Max Dymond brought this change]
-- mention run time statistics options
+ handler: refactor connection checking
+
+ Add a new type of callback to Curl_handler which performs checks on
+ the connection. Alter RTSP so that it uses this callback to do its
+ own check on connection health.
-- - Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release,
- symbol will not be available when building with CURL_NO_OLDIES defined. Use
- of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0
+- [Dmitry Kostjuchenko brought this change]
-- avoid possibility of using obsoleted stuff
+ openssl: improve fallback seed of PRNG with a time based hash
+
+ Fixes #1620
-- remove setup.h inclusion which is already done from test.h inclusion
+- [Ryan Winograd brought this change]
-Kamil Dudka (2 Feb 2010)
-- mention SOCKS related problems in the curl(1) man page
+ progress: prevent resetting t_starttransfer
+
+ Prevent `Curl_pgrsTime` from modifying `t_starttransfer` when invoked
+ with `TIMER_STARTTRANSFER` more than once during a single request.
+
+ When a redirect occurs, this is considered a new request and
+ `t_starttransfer` can be updated to reflect the `t_starttransfer` time
+ of the redirect request.
+
+ Closes #1616
+
+ Bug: https://github.com/curl/curl/pull/1602#issuecomment-310267370
-Yang Tse (2 Feb 2010)
-- Fix compiler warning: variable was set but never used
+- curl_strequal.3: fix typo in SYNOPSIS
+
+ Reported-by: Jesse Chisholm
- Simplify preprocessor symbol checking
+ Fixes #1623
-Daniel Stenberg (2 Feb 2010)
-- Julien Chaffraix pointed out a comment mistake, and I re-indented the code
- slightly while editing
+- RELEASE-NOTES: synced with ce2c3ebda
-Yang Tse (2 Feb 2010)
-- include headers
+Kamil Dudka (28 Jun 2017)
+- curl --socks5-{basic,gssapi}: control socks5 auth
+
+ Closes https://github.com/curl/curl/pull/1454
-- Conroy added a check to the coded message size since the docs stipulate
- that each call will contain a full protocol packet.
+- CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth
+
+ If libcurl was built with GSS-API support, it unconditionally advertised
+ GSS-API authentication while connecting to a SOCKS5 proxy. This caused
+ problems in environments with improperly configured Kerberos: a stock
+ libcurl failed to connect, despite libcurl built without GSS-API
+ connected fine using username and password.
+
+ This commit introduces the CURLOPT_SOCKS5_AUTH option to control the
+ allowed methods for SOCKS5 authentication at run time.
+
+ Note that a new option was preferred over reusing CURLOPT_PROXYAUTH
+ for compatibility reasons because the set of authentication methods
+ allowed by default was different for HTTP and SOCKS5 proxies.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html
+ Closes https://github.com/curl/curl/pull/1454
-- Conroy's fix to make the code match with the RTP documentation regarding
- writing out the whole header. The docs say it writes the whole header,
- but the code (before this patch) did not write out the leading $.
+- socks: deduplicate the code for auth request
-Daniel Stenberg (1 Feb 2010)
-- We introduce a loop in lib/multi.c around all calls to multi_runsingle() and
- simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added
- benefit that this goes in line with my long-term wishes to get rid of the
- CURLM_CALL_MULTI_PERFORM all together from the public API.
+- socks: use proxy_user instead of proxy_name
+
+ ... to make it obvious what the data is used for
-Yang Tse (1 Feb 2010)
-- update rtsp server header field from SWS to RTSPD
+Daniel Stenberg (27 Jun 2017)
+- libtest/make: generate lib1521.c
+
+ ... instead of having the generated code checked in. This saves space in
+ the tarball but primarily automatically adapts to newly added options.
+
+ Closes #1614
-- Test suite support for RTSP
+Jay Satiro (26 Jun 2017)
+- tool_getparam: fix memory leak on test 1147 OOM (torture tests)
+
+ Bug: https://github.com/curl/curl/pull/1486#issuecomment-310926872
+ Reported-by: Dan Fandrich
-- Make Curl_pop3_write() additionally truncate trailing POP3_EOB from received
- string buffer, otherwise Curl_client_write() call with zero size would write
- to the end of string buffer including matched POP3_EOB.
+Dan Fandrich (25 Jun 2017)
+- test1537: fixed memory leak on OOM
-- WIN32 fix, _beginthreadex() may return either 0 or -1L upon failure
+Marcel Raad (25 Jun 2017)
+- test1521: fix compiler warnings
+
+ The integer literal 3123123123 doesn't fit into a 32-bit signed
+ integer, so GCC with 32-bit long warns in C90 mode:
+ this decimal constant is unsigned only in ISO C90 [enabled by default]
+ Fix this by using ULONG_MAX, which should fit in any curl_off_t and has
+ the correct suffix to not issue any warnings.
+ Also adds the missing CURLOPT_REQUEST_TARGET from commit
+ 9b167fd090f596eac828817d48c247eeae53407f.
+
+ Closes https://github.com/curl/curl/pull/1611
-- fix errno usage for WIN32 builds
+Daniel Stenberg (24 Jun 2017)
+- curl/system.h: add check for XTENSA for 32bit gcc
+
+ Reported-by: Neil Kolban
+ Fixes: 1598
-- fix printf-style format strings
+- [Henrik S. Gaßmann brought this change]
-- Chris Conroy fixed test #568 issues with carriage returns
+ winbuild: fix boringssl build
+
+ Compile with `WIN32_LEAN_AND_MEAN` which prevents `windows.h` from
+ including too much clutter including `wincrypt.h` which in turn contains
+ some preprocessor macros that clash with boringssl symbols.
+
+ Detect boringssl by checking the existance of `is_boringssl.h` and set
+ the corresponding `HAVE_BORINGSSL` for compilation which is used in
+ `ldap.c` to undefine the evil macros.
+
+ Closes #1610
-- RTSP followup fix. Both the pipelined and non-pipelined case need to
- check for (excess > 0 && !k->ignorebody).
+- progress: progress.timespent needs to be us
+
+ follow-up to 64ed44a815e4e to fix test 500 failures
-Daniel Stenberg (28 Jan 2010)
-- - Tommie Gannert pointed out a silly bug in ares_process_fd() since it didn't
- check for broken connections like ares_process() did. Based on that, I
- merged the two functions into a single generic one with two front-ends.
+Marcel Raad (24 Jun 2017)
+- curl-compilers.m4: fix unknown-warning-option on Apple clang
+
+ Since 5598b0bd63f690c151074494ce47ef872f004ab4, clang -v is used to
+ detect the clang version. The version number was expected to come after
+ the word "version". For Apple clang, this doesn't work as it has its
+ own versioning scheme.
+ The version number is now first searched after the string
+ "based on LLVM". This works for Apple clang before version 7, and also
+ for e.g. Ubuntu's clang up to version 3.7. If it's not found and the
+ version string contains "Apple LLVM version", clang version 3.7 is
+ assumed, which is the version that comes with Xcode 7. Otherwise, the
+ version number is still expected after the word "version", which works
+ for very old Apple clang versions.
+
+ Ref: https://trac.macports.org/wiki/XcodeVersionInfo
+ Fixes https://github.com/curl/curl/issues/1606
+ Closes https://github.com/curl/curl/pull/1607
-Yang Tse (28 Jan 2010)
-- fix printf-style format strings
+Daniel Stenberg (24 Jun 2017)
+- progress: fix "time spent", broke in adef394ac
-- Use 'size_t' for GETNAMEINFO_TYPE_ARG2 definition for VMS.
+- CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case
- http://curl.haxx.se/mail/lib-2009-12/0293.html
+ ... supported since 7.54.1
-- portability fix
+- maketgz: switch to -6e for xz
+
+ To reduce the memory requirement for decompress, and still do almost as
+ good compression as with -9e.
+
+ Pointed-out-by: Dan Fandrich
-- fix printf-style format strings
+- libtest/Makefile: remove unused lib1541 variables
-- Known bug #64 fixed by Constantine Sapuntzakis and Joshua Kwan in 7.20.0
+- CONTRIBUTE.md: mention the out-of-tree build test too
-- Chris Conroy provided first RTSP tests
+- maketgz: switch to xz instead of lzma
+
+ The compressed output size seems to be a tad bit smaller, but generally
+ xz seems more preferred these days and is used directly by for example
+ gentoo instead of bz2.
+
+ "Users of LZMA Utils should move to XZ Utils" =>
+ https://tukaani.org/lzma/
+
+ Closes #1604
-- RTSP tests disabled until test harness RTSP support is updated
+- --request-target: instead of --strip-path-slash
+
+ ... and CURLOPT_REQUEST_TARGET instead of CURLOPT_STRIP_PATH_SLASH.
+
+ This option instead provides the full "alternative" target to use in the
+ request, instead of extracting the path from the URL.
+
+ Test 1298 and 1299 updated accordingly.
+
+ Idea-by: Evert Pot
+ Suggestion: https://daniel.haxx.se/blog/2017/06/19/options-with-curl/comment-page-1/#comment-18373
+
+ Closes #1593
-- Chris Conroy's RTSP followup fixes
+Marcel Raad (21 Jun 2017)
+- lib1521: fix missing-variable-declarations clang warnings
+
+ Declare TU-local variables static.
-- mention asynchronous DNS lookups enhancements
+- travis: enable typecheck-gcc warnings
+
+ - switch debug and release configurations so that we get an optimized
+ build with GCC 4.3+ as required by typecheck-gcc
+ - enable warnings-as-errors for release builds
+ (which have warnings disabled)
+
+ Closes https://github.com/curl/curl/pull/1595
-- Restore normal operation:
+- typecheck-gcc: add support for CURLINFO_OFF_T
- c-ares is only enabled when specifically requested.
+ typecheck-gcc expected curl_socket_t instead of curl_off_t arguments
+ for CURLINFO_OFF_T. Detected by test1521, unfortunately only when run
+ locally.
- Consequently, c-ares default setting is disabled.
+ Closes https://github.com/curl/curl/pull/1592
+
+Daniel Stenberg (21 Jun 2017)
+- [Simon Warta brought this change]
-- fix c-ares assumed check being skipped
+ ci: whitelist branches to avoid testing feature branches twice
-- fix compiler warning
+- [Gisle Vanem brought this change]
-- fix LDFLAGS preservation in CURL_CHECK_LIB_ARES
+ lib: fix the djgpp build
+
+ Bug: https://github.com/curl/curl/commit/73a2fcea0b4adea6ba342cd7ed1149782c214ae3#commitcomment-22655993
-Daniel Stenberg (26 Jan 2010)
-- no need to take precautiono for how things were before 7.16.0 since that
- is now a very long time ago
+Marcel Raad (20 Jun 2017)
+- if2ip: fix compiler warning in ISO C90 mode
+
+ remote_scope_id is only used when both HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID
+ and ENABLE_IPV6 are defined instead of only one of them.
-- - Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the
- proxy that cannot be resolved when using c-ares. This matches the behaviour
- when not using c-ares.
+Daniel Stenberg (20 Jun 2017)
+- travis: do the distcheck test build out-of-tree as well
-Dan Fandrich (26 Jan 2010)
-- Added curl_threads.c to a few more non-configure build files
+- http: add --strip-path-slash and CURLOPT_STRIP_PATH_SLASH
+
+ ... to enable sending "OPTIONS *" which wasn't possible previously.
+
+ This option currently only works for HTTP.
+
+ Added test cases 1298 + 1299 to verify
+
+ Fixes #1280
+ Closes #1462
-Yang Tse (26 Jan 2010)
-- minor fixes for --enable-ares configure option
+- test1521: test getinfo's OFF_T types too
+
+ Closes #1588
-Daniel Stenberg (26 Jan 2010)
-- Andre Guibert de Bruet improved the libssh2 error code translation
+- lib1521: add curl_easy_getinfo calls to the test set
+
+ Also added return value checks to make sure no unexpected return codes
+ are used.
-Yang Tse (26 Jan 2010)
-- resolver selection for non-configure Windows builds, default is threaded DNS
+- [Simon Warta brought this change]
-- add curl_threads.c to non-configure target build files
+ automake: use $(MKHELP) variable instead if constant mkhelp.pl
+
+ this improves symmetry with the rule above
-- onstantine Sapuntzakis threaded resolver enhancements
+- [Simon Warta brought this change]
-- Constantine Sapuntzakis threaded resolver enhancements
+ mkhelp.pl: fix script name in usage text
-- Constantine Sapuntzakis provided initial thread abstraction layer
+- RELEASE-NOTES: synced with 3b80d3ca4
-- make Curl_handler_*_proxy definition static
+- getinfo: return sizes as curl_off_t
+
+ This change introduces new alternatives for the existing six
+ curl_easy_getinfo() options that return sizes or speeds as doubles. The
+ new versions are named like the old ones but with an appended '_T':
+
+ CURLINFO_CONTENT_LENGTH_DOWNLOAD_T
+ CURLINFO_CONTENT_LENGTH_UPLOAD_T
+ CURLINFO_SIZE_DOWNLOAD_T
+ CURLINFO_SIZE_UPLOAD_T
+ CURLINFO_SPEED_DOWNLOAD_T
+ CURLINFO_SPEED_UPLOAD_T
+
+ Closes #1511
-Dan Fandrich (25 Jan 2010)
-- Updated minimum library sizes
+- PIPELINING_SERVER_BL: cleanup the internal list use
+
+ The list was freed incorrectly since the llist refactor of
+ cbae73e1dd959. Added test 1550 to verify that it works and avoid future
+ regressions.
+
+ Reported-by: Pascal Terjan
+
+ Fixes #1584
+ Closes #1585
-Yang Tse (25 Jan 2010)
-- fix compiler warning
+- http2: fix OOM crash
+
+ torture mode with test 1021 found it
-Daniel Stenberg (24 Jan 2010)
-- Julien Chaffraix corrected bad #elif lines to silence warnings
+- CURLOPT_PREQUOTE.3: spellfix man page reference
-Yang Tse (24 Jan 2010)
-- HAVE_GETADDRINFO_THREADSAFE definition for non-configure win32 builds
+Marcel Raad (18 Jun 2017)
+- http_proxy: fix build with http and proxy
+
+ After deff7de0eb0e22d2d142b96b9cc84cd8db5d2a48, the build without
+ CURL_DISABLE_PROXY and CURL_DISABLE_HTTP was failing because of missing
+ includes.
-Bjorn Stenberg (23 Jan 2010)
-- Mention -J change
+- http_proxy: fix compiler warning
+
+ With CURL_DISABLE_PROXY or CURL_DISABLE_HTTP, GCC complained about a
+ missing prototype for Curl_connect_free.
-- Added -J/--remote-header-name.
+Daniel Stenberg (18 Jun 2017)
+- TODO: update the TOC too
-Daniel Stenberg (23 Jan 2010)
-- "remove progress meter from libcurl" at next API break
+- TODO: implement support for CURLOPT_PREQUOTE with SFTP
+
+ ... also updated the CURLOPT_PREQUOTE.3 man page to mention the correct
+ protocol support.
+
+ Closes #1514
-Yang Tse (23 Jan 2010)
-- add inclusion of curl_memory.h
+- tool_wrte_cb: remove check for config == NULL
+
+ ... as it really cannot have reached this far with config being NULL,
+ thus this is unnecesary and misleading.
+
+ Bug: https://news.ycombinator.com/item?id=14577585 and
+ https://daniel.haxx.se/blog/2017/06/17/curl-doesnt-spew-binary-anymore/comment-page-1/#comment-18356
+
+ Forwarded-to-us-by: Jakub Wilk
-- adjust preprocessor symbol definition check relative to resolver specialty
+- curl: prevent binary output spewed to terminal
+
+ ... unless "--output -" is used. Binary detection is done by simply
+ checking for a binary zero in early data.
+
+ Added test 1425 1426 to verify.
+
+ Closes #1512
-- PKTSIZE might have been already defined in arpa/tftp.h
+Marcel Raad (16 Jun 2017)
+- Makefile.m32: enable -W for MinGW32 build
+
+ The configure-based build also has this in addition to -Wall.
+
+ Closes https://github.com/curl/curl/pull/1578
-Dan Fandrich (23 Jan 2010)
-- Include "curl_memory.h" to get the strdup replacement when necessary
+- curl-compilers.m4: enable comma clang warning
+
+ It usually warns when using commas instead of semicolons or other
+ operators by accident.
+
+ Closes https://github.com/curl/curl/pull/1578
-Daniel Stenberg (22 Jan 2010)
-- wrap long lines and do some indent policing
+- curl-compilers.m4: enable missing-variable-declarations clang warning
+
+ It usually warns when forgetting to declare TU-local variables static.
+
+ Closes https://github.com/curl/curl/pull/1578
-Yang Tse (22 Jan 2010)
-- Definitions of resolver specialty compile-time defines CURLRES_* moved
- from hostip.h to setup.h in order to allow proper inclusion in any file.
+- curl-compilers.m4: enable double-promotion warning
- This represents no functional change at all in which resolver is used,
- everything still works as usual, internally and externally there is no
- difference in behavior.
+ Enable -Wdouble-promotion for both GCC and clang. It warns on implicit
+ promotion from float to double.
+
+ Closes https://github.com/curl/curl/pull/1578
-- adjust rtsp protocol support in curl-config and libcurl.pc when http is disabled
+- curl-compilers.m4: enable vla warning for clang
+
+ Previously, that warning was only implicitly active in C90 mode.
+ Enable it unconditionally as already done for GCC.
+
+ Closes https://github.com/curl/curl/pull/1578
-- deal with the possibility that CURL_DISABLE_RTSP may already be defined
+Daniel Stenberg (16 Jun 2017)
+- http-proxy: fix chunked-encoded CONNECT responses
+
+ Regression since 5113ad0424.
+
+ ... and remove 'flaky' from test 1061 again
+
+ Closes #1579
-- fix compiler warning: statement is unreachable
+- http-proxy: deal with EAGAIN
+
+ ... the previous code would reset the header length wrongly (since
+ 5113ad0424). This makes test 1060 reliable again.
+
+ Also: make sws send even smaller chunks of data to increase the
+ likeliness of this happening.
-- fix compilation when http is disabled
+- libtest/libntlmconnect: fix compiler warnings from f94fcdb
-- disabling of rtsp when http isn't enabled required here for non-configure systems
+- [Jay Satiro brought this change]
-Daniel Stenberg (22 Jan 2010)
-- wrap long lines, remove (very old) attribution from code
+ HTTPS-Proxy: don't offer h2 for https proxy connections
+
+ Bug: https://github.com/curl/curl/issues/1254
+
+ Closes #1546
-- cleanups by Julien Chaffraix
+- tests: stabilize test 2032 and 2033
+
+ Both these tests run the same underlying test code: libntlmconnect.c -
+ this test code made some assumptions about socket ordering when it used
+ curl_easy_fdset() and when we changed timing or got accidental changes
+ in libcurl the tests would fail.
+
+ The tests verify that the different transfers keep using the same
+ connections, which I now instead made sure by adding the number of bytes
+ each transfer gets and then verifies that they always get the same
+ amount as when these tests worked.
+
+ Closes #1576
-- alphabetically sort the list of supported protocols
+- test1148: verify the -# progressbar
+
+ Closes #1569
-- In spite claiming to tbe disabled by default, RTSP is enabled and it now
- also says so. I also made the list of protocols get sorted.
+- test1061: mark as flaky
+
+ Fails intermittently on travis builds since a few days. Likely due to
+ 5113ad0424.
-- expanded to provide info about the newer protocols too
+Jay Satiro (16 Jun 2017)
+- url: refactor the check for Windows drive letter in path
+
+ - Move the logic to detect a Windows drive letter prefix
+ (eg c: in c:foo) into a function-like macro.
+
+ Closes https://github.com/curl/curl/pull/1571
-- s/RTPFUNCTION/INTERLEAVEFUNCTION/
- s/RTPDATA/INTERLEAVEDATA/
+- mk-ca-bundle.pl: Check curl's exit code after certdata download
+
+ - No longer allow partial downloads of certdata.
+
+ Prior to this change partial downloads were (erroneously?) allowed since
+ only the server code was checked to be 200.
+
+ Bug: https://github.com/curl/curl/pull/1577
+ Reported-by: Matteo B.
-- keep lines shorter than 80 columns, and reduce/remove the use of the word
- 'note' in most description as it is mostly useless.
+Daniel Stenberg (16 Jun 2017)
+- dist: add the fuzz dir to the tarball
-Yang Tse (22 Jan 2010)
-- Julien Chaffraix adjusted "<name> section" line length
+- configure: disable nghttp2 too if HTTP has been disabled
-- Constantine Sapuntzakis refactoring of async callbacks, allowing
- removal of Curl_addrinfo_copy(), Curl_addrinfo6_callback(), and
- Curl_addrinfo4_callback()
+- http-proxy: fix build with --disable-proxy or --disable-http
+
+ Reported-by: Dan Fandrich
-Dan Fandrich (21 Jan 2010)
-- Added rtsp.c to the non-configure target build files
+- fuzz/README: document how to build
+
+ Fixes #1476
-Yang Tse (21 Jan 2010)
-- fix compiler warning
+- [Frederik B brought this change]
-- make tftp_translate_code() static, it is only used from within tftp.c
+ fuzz: corpora file structure, initial commit
-- fix warning triggered when debugging on cygwin
+- [Frederik B brought this change]
-- allow exporting of exe_ext() sub
+ fuzz: bring oss-fuzz initial code converted to C89
-- improve displaylogcontent() sub fixing a warning
+- http-proxy: only attempt FTP over HTTP proxy
+
+ ... all other non-HTTP protocol schemes are now defaulting to "tunnel
+ trough" mode if a HTTP proxy is specified. In reality there are no HTTP
+ proxies out there that allow those other schemes.
+
+ Assisted-by: Ray Satiro, Michael Kaufmann
+
+ Closes #1505
-Daniel Stenberg (21 Jan 2010)
-- remove typedef we ended up not using
+- TODO: the generated include file is gone
+
+ ... since commit 73a2fcea0b
-- Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new
- libcurl options for controlling what to get and how to receive posssibly
- interleaved RTP data. Initial commit.
+- curl_setup.h: error out on CURL_WANTS_CA_BUNDLE_ENV use
+
+ ... to make it really apparent if there's any user using this on purpose.
+
+ Suggested-by: Jay Satiro
+
+ Closes #1542
-- Julien Chaffraix fixed line lengths
+- lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV
+
+ When this define was set, libcurl would check the environment variable
+ named CURL_CA_BUNDLE at run-time and use that CA cert bundle. This
+ feature was only defined by the watcom and m32 makefiles and caused
+ inconsistent behaviours among libcurls built on different platforms.
+
+ The curl tool does already feature its own similar logic and the library
+ does not really need it, and it isn't documented libcurl behavior. So
+ this change removes it.
+
+ Ref: #1538
-- Julien Chaffraix removed an old obsolete typedef
+- test1147: verify -H on a file
-- Yun Fu pointed out a flaw in the loop that checks handles, and I indented
- the code more curl-style
+- curl: allow --header and --proxy-header read from file
+
+ So many headers can be provided as @filename.
+
+ Suggested-by: Timothe Litt
+
+ Closes #1486
-- "5.3 Sort outgoing cookies" removed, we now sort them
+- RELEASE-NOTES: synced with 2ad80eec5
-Yang Tse (20 Jan 2010)
-- SIGTERM is the signal to trap here, SIGKILL can't be caught.
+- curl/curlver.h: start working on 7.55.0
-- Use killsockfilters() to kill sockfilter processes, this ensures that when
- killing a sockfilter process the actual PID from the pid file is used and
- not the one returned by open2() which might be different.
+- http-proxy: do the HTTP CONNECT process entirely non-blocking
+
+ Mentioned as a problem since 2007 (8f87c15bdac63) and of course it
+ existed even before that.
+
+ Closes #1547
-- Allow killsockfilters() to take a 5th optional parameter that when provided
- indicates that only one of the two possible sockfilter processes should be
- killed. Valid values for this parameter are 'main' and 'data'.
+- progress: let "current speed" be UL + DL speeds combined
+
+ Bug #1556
+ Reported-by: Paul Harris
+ Closes #1559
-- Use delete() to unset environment variables instead of assigning undef which
- generates warning 'Use of uninitialized value in scalar assignment' with perl
- versions older than 5.10
+Marcel Raad (14 Jun 2017)
+- system.h: fix MinGW build
+
+ CURLSYS_PULL_WS2TCPIP_H got renamed to CURL_PULL_WS2TCPIP_H in commit
+ 73a2fcea0b4adea6ba342cd7ed1149782c214ae3.
-- Adjust valgrind logs file name detection.
+Daniel Stenberg (14 Jun 2017)
+- timers: store internal time stamps as time_t instead of doubles
+
+ This gives us accurate precision and it allows us to avoid storing "no
+ time" for systems with too low timer resolution as we then bump the time
+ up to 1 microsecond. Should fix test 573 on windows.
- Adjust environment vars setting and restoring from test definition.
+ Remove the now unused curlx_tvdiff_secs() function.
- Avoid using strftime in torture sub.
+ Maintains the external getinfo() API with using doubles.
+
+ Fixes #1531
-Daniel Stenberg (20 Jan 2010)
-- modified test case 8 to also make sure that we deal with cookies using
- identical names but different paths properly
+- dist: make the hugehelp.c not get regenerated unnecessarily
+
+ The maketgz script now makes sure the generated hugehelp.c file in the
+ tarball is newer than the generated curl.1 man page, so that it doesn't
+ have to get unnecessarily rebuilt first thing in a typical build. It
+ thus also removes the need for perl to build off a plain release
+ tarball.
+
+ Fixes #1565
-- - As was pointed out on the http-state mailing list, the order of cookies in a
- HTTP Cookie: header _needs_ to be sorted on the path length in the cases
- where two cookies using the same name are set more than once using
- (overlapping) paths. Realizing this, identically named cookies must be
- sorted correctly. But detecting only identically named cookies and take care
- of them individually is harder than just to blindly and unconditionally sort
- all cookies based on their path lengths. All major browsers also already do
- this, so this makes our behavior one step closer to them in the cookie area.
+- includes: remove curl/curlbuild.h and curl/curlrules.h
+
+ Rely entirely on curl/system.h now.
- Test case 8 was the only one that broke due to this change and I updated it
- accordingly.
+ Introduced in Aug 2008 with commit 14240e9e109f. Now gone.
+
+ Fixes #1456
+
+Version 7.54.1 (14 Jun 2017)
-- oops, I forgot to cvs add this before my previous commit (Dan Fandrich
- pointed it out to me)
+Daniel Stenberg (14 Jun 2017)
+- release: 7.54.1
-- - David McCreedy brought a fix and a new test case (129) to make libcurl work
- again when downloading files over FTP using ASCII and it turns out that the
- final size of the file is not the same as the initial size the server
- reported. This is very common since servers don't take the newline
- conversions into account.
+Dan Fandrich (13 Jun 2017)
+- mk-lib1521.pl: updated to match the test changes in 916ec30a
-- "260 - IMAP, POP3 and SMTP support" done!
+Daniel Stenberg (13 Jun 2017)
+- [Stuart Henderson brought this change]
-- avoid "Use of uninitialized value $l in concatenation"
+ libressl: OCSP and intermediate certs workaround no longer needed
+
+ lib/vtls/openssl.c has a workaround for a bug with OCSP responses signed
+ by intermediate certs, this was fixed in LibreSSL in
+ https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0
+
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0038.html
+
+- url: fix buffer overwrite with file protocol (CVE-2017-9502)
+
+ Bug: https://github.com/curl/curl/issues/1540
+ Advisory: https://curl.haxx.se/docs/adv_20170614.html
+
+ Assisted-by: Ray Satiro
+ Reported-by: Marcel Raad
-Yang Tse (19 Jan 2010)
-- Fail harder when curl coredumps trying to verify http and ftp servers.
+- urlglob: fix division by zero
+
+ The multiply() function that is used to avoid integer overflows, was
+ itself reason for a possible division by zero error when passed a
+ specially formatted glob.
- Add some debug messages to see what's going on with valgrind logs.
+ Reported-by: GwanYeong Kim
+
+- configure: update the copyright year in the output
+
+- [ygrek brought this change]
-- prevent %runcert hash growth when clearing items
+ BINDINGS: update SP-Forth and OCaml urls
-- update copyright year notice
+Michael Kaufmann (11 Jun 2017)
+- FindWin32CACert: Use a temporary buffer on the stack
+
+ Don't malloc() the temporary buffer, and use the correct type:
+ SearchPath() works with TCHAR, but SearchPathA() works with char.
+ Set the buffer size to MAX_PATH, because the terminating null byte
+ is already included in MAX_PATH.
+
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Marcel Raad
+
+ Closes #1548
-- Constantine Sapuntzakis enhancements to make memory tracking log file writing
- of messages atomic, on systems where an fwrite of a memory buffer is atomic.
+Dan Fandrich (11 Jun 2017)
+- test1521: fixed OOM handling
-Dan Fandrich (18 Jan 2010)
-- Added PEM certificate keyword
+Daniel Stenberg (9 Jun 2017)
+- RELEASE-PROCEDURE: updated future release dates
-Yang Tse (18 Jan 2010)
-- fix warnings
+- [Paul Harris brought this change]
-- Stop ssl running server when cert file currently used by server is
- different than the one specified in test definition for same server
+ gitignore: ignore all vim swap files
+
+ Closes #1561
-- fix warnings
+- lib1521: fix compiler warnings on the use of bad 'long' values
+
+ Reported-by: Marcel Raad
+ Bug: https://github.com/curl/curl/commit/cccac4fb2b20d6ed87da7978408c3ecacc464fe4#commitcomment-22453387
-- - Remove QD restarting of https servers. Proper fixing required.
- This will make tests 310 311 and 312 fail while fixing.
+- setopt: check CURLOPT_ADDRESS_SCOPE option range
- - Remove some debug messages
+ ... and return error instead of triggering an assert() when being way
+ out of range.
-- make verifyhttp use different file names depending on server characteristics
+Jay Satiro (8 Jun 2017)
+- [TheAssassin brought this change]
-- add serverfactors() sub which returns server characterization factors
+ cmake: Fix inconsistency regarding mbed TLS include directory
+
+ Previously, one had to set MBEDTLS_INCLUDE_DIR to make CMake find the
+ headers, but the system complained that mbed TLS wasn't found due to
+ MBEDTLS_INCLUDE_DIRS (note the trailing s) was not set. This commit
+ attempts to fix that.
+
+ Closes https://github.com/curl/curl/pull/1541
-- fix warnings
+Daniel Stenberg (8 Jun 2017)
+- [Ryuichi KAWAMATA brought this change]
-- fix warnings
+ examples/multi-uv.c: fix deprecated symbol
+
+ Closes #1557
-- fix warnings
+- asyn-ares: s/Curl_expire_latest/Curl_expire
-- add some debug messages
+- expire: remove Curl_expire_latest()
+
+ With the introduction of expire IDs and the fact that existing timers
+ can be removed now and thus never expire, the concept with adding a
+ "latest" timer is not working anymore as it risks to not expire at all.
+
+ So, to be certain the timers actually are in line and will expire, the
+ plain Curl_expire() needs to be used. The _latest() function was added
+ as a sort of shortcut in the past that's quite simply not necessary
+ anymore.
+
+ Follow-up to 31b39c40cf90
+
+ Reported-by: Paul Harris
+
+ Closes #1555
-- use servername_id() from serverhelp.pm
+- [Chris Carlmar brought this change]
-- refactored stopping of test harness servers
+ configure: fix link with librtmp when specifying path
+
+ Bug: https://curl.haxx.se/mail/lib-2017-06/0017.html
-- Store now this file in CVS with unix line endings.
+- file: make speedcheck use current time for checks
- maketgz already converts this file to DOS style with an awk filter.
+ ... as it would previously just get the "now" timestamp before the
+ transfer starts and then not update it again.
+
+ Closes #1550
+
+- metalink: remove unused printf() argument
-- Declaration of $sshdlog is done in sshhelp.pm
+- travis: let some builds *not* use --enable-debug
+
+ typecheck-gcc and other things require optimized builds
+
+ Closes #1544
-- Start using the centralized pidfile and logfile name generation
- subroutines for ssh and socks test suite servers.
+- README.md: show the coverall coverage on github
-Dan Fandrich (15 Jan 2010)
-- Added the new protocol source files to the non-autoconf build files
+- lib1521: fix compiler warnings
-Yang Tse (14 Jan 2010)
-- Squeeze slack time when killing more than one server from
- the <killserver> section of test harness definition files.
+- test1521: make the code < 80 columns wide
-Kamil Dudka (14 Jan 2010)
-- - Suppressed side effect of OpenSSL configure checks, which prevented NSS from
- being properly detected under certain circumstances. It had been caused by
- strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config
- distinguishes among empty and non-existent environment variable in that case.
+- test1121: use stricter types to work with typcheck-gcc
-Yang Tse (13 Jan 2010)
-- Give the test a bit mote time to run so it passes on slow machines
+- typecheck-gcc: allow CURLOPT_STDERR to be NULL too
-Kamil Dudka (13 Jan 2010)
-- remove trailing spaces from configure.ac
+- test1521: test *all* curl_easy_setopt options
+
+ mk-lib1521.pl generates a test program (lib1521.c) that calls
+ curl_easy_setopt() for every known option with a few typical values to
+ make sure they work (ignoring the return codes).
+
+ Some small changes were necessary to avoid asserts and NULL accesses
+ when doing this.
+
+ The perl script needs to be manually rerun when we add new options.
+
+ Closes #1543
-Yang Tse (12 Jan 2010)
-- Added test case #1112 which does an FTPS download with strict timeout
- and slow data transfer in a similar way as test case #1086 does for FTP.
+Dan Fandrich (5 Jun 2017)
+- test1538: added "verbose logs" keyword
- This also exercises <killserver> section for the FTPS server.
+ These error messages are not displayed with --disable-verbose
-- Make runtests.pl actually support any (valid) server specification
- for the <killserver> section of test harness definition files.
+Daniel Stenberg (5 Jun 2017)
+- test1262: verify ftp download with -z for "if older than this"
-- Fix tftp and sftp supported protocols in servername_str()
+Marcel Raad (5 Jun 2017)
+- curl_ntlm_core: use Curl_raw_toupper instead of toupper
+
+ This was the only remaining use of toupper in the entire source code.
+
+ Suggested-by: Daniel Stenberg
-- Make sockfilter kill messages look alike server ones
+Daniel Stenberg (4 Jun 2017)
+- RELEASE-NOTES: synced with 65ba92650