X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=CHANGES;h=dce9c1779d53c35e6ab9652dafbb80927ecc110e;hb=HEAD;hp=01856fe6a397fed13564c1516d3e7cef35e55a7c;hpb=82e9b78a388ab539c8784cd853adf6e4a97d52c5;p=platform%2Fupstream%2Fcurl.git diff --git a/CHANGES b/CHANGES index 01856fe..dce9c17 100644 --- a/CHANGES +++ b/CHANGES @@ -6,2163 +6,6965 @@ Changelog -Daniel Stenberg (24 Apr 2010) -- Alex Bligh introduced the --proto and -proto-redir options that limit what - protocols curl accepts for the requests and when following redirects. - -Kamil Dudka (24 Apr 2010) -- Fixed test536 in order to not fail with threaded DNS resolver and tweaked - comments in certain examples using curl_multi_fdset(). - -- Fixed SSL handshake timeout underflow in libcurl-NSS, which caused test405 - to hang on a slow machine. - -Daniel Stenberg (21 Apr 2010) -- The -O option caused curl to crash on windows and DOS due to the tool - writing out of boundary memory. - -Yang Tse (20 Apr 2010) -- Ruslan Gazizov detected that MSVC makefiles were using wsock32.lib instead - of ws2_32.lib, this generated linking issues on MSVC IPv6 enabled builds - that were done using those makefiles. - -Daniel Stenberg (19 Apr 2010) -- -J/--remote-header-name didn't strip trailing carriage returns or linefeeds - properly, so they could be used in the file name. - -Daniel Stenberg (16 Apr 2010) -- Jerome Vouillon made the GnuTLS SSL handshake phase non-blocking. - -- The recent overhaul of the SSL recv function made the GnuTLS specific code - treat a zero returned from gnutls_record_recv() as an error, and this caused - our HTTPS test cases to fail. We leave it to upper layer code to detect if - an EOF is a problem or not. - -- I reverted the resolver fix from yesterday and instead removed all uses of - AI_CANONNAME all over libcurl and made the only user of that info (krb5.c) - use the host name from the URL instead. No reverse resolving is a good - thing. - -- Paul Howarth made configure properly detect GSS "on ancient Linux distros" - by editing in which order we use headers to detect GSS. - -Daniel Stenberg (15 Apr 2010) -- Rainer Canavan filed bug report #2987196 that identified libcurl doing - unnecesary reverse name lookups in many cases when built to use IPv4 and - getaddrinfo(). The logic for ipv6 is now used for ipv4 too. - - (http://curl.haxx.se/bug/view.cgi?id=2963679) - -Version 7.20.1 (14 April 2010) - -Daniel Stenberg (9 Apr 2010) -- Prefixing the FTP quote commands with an asterisk really only worked for the - postquote actions. This is now fixed and test case 227 has been extended to - verify. - -Kamil Dudka (4 Apr 2010) -- Eliminated a race condition in Curl_resolv_timeout(). - -- Refactorized interface of Curl_ssl_recv()/Curl_ssl_send(). - -- libcurl-NSS now provides more accurate messages and error codes in case of - client certificate problem. Either during connection, or transfer phase. - -Daniel Stenberg (1 Apr 2010) -- Matt Wixson found and fixed a bug in the SCP/SFTP area where the code - treated a 0 return code from libssh2 to be the same as EAGAIN while in - reality it isn't. The problem caused a hang in SFTP transfers from a - MessageWay server. - -Daniel Stenberg (28 Mar 2010) -- Ben Greear: If you pass a URL to pop3 that does not contain a message ID as - part of the URL, it would previously ask for 'INBOX' which just causes the - pop3 server to return an error. - - Now libcurl treats en empty message ID as a request for LIST (list of pop3 - message IDs). User's code could then parse this and download individual - messages as desired. - -Daniel Stenberg (27 Mar 2010) -- Ben Greear brought a patch that from now on allows all protocols to specify - name and user within the URL, in the same manner HTTP and FTP have been - allowed to in the past - although far from all of the libcurl supported - protocls actually have that feature in their URL definition spec. - -Daniel Stenberg (26 Mar 2010) -- Ben Greear brought code that makes the rate limiting code for the easy - interface a bit smoother as it introduces sub-second sleeps during it and it - also takes the buffer sizes into account. - -Daniel Stenberg (24 Mar 2010) -- Bob Richmond: There's an annoying situation where libcurl will read new HTTP - response data from a socket, then check if it's a timeout if one is set. If - the last packet received constitutes the end of the response body, libcurl - still treats it as a timeout condition and reports a message like: - - "Operation timed out after 3000 milliseconds with 876 out of 876 bytes - received" - - It should only a timeout if the timer lapsed and we DIDN'T receive the end - of the response body yet. - -- Christopher Conroy fixed a problem with RTSP and GET_PARAMETER reported - to us by Massimo Callegari. There's a new test case 572 that verifies this - now. - -- The 'ares' subtree has been removed from the source repository. It was - always a separate project that sort of piggybacked on the curl project since - the dawn of times and now the time has come for it to go stand on its own - legs and continue living its own life. All details on c-ares and its new - source code repository is found at http://c-ares.haxx.se/ - -Daniel Stenberg (23 Mar 2010) -- Kenny To filed the bug report #2963679 with patch to fix a problem he - experienced with doing multi interface HTTP POST over a proxy using - PROXYTUNNEL. He found a case where it would connect fine but bits.tcpconnect - was not set correct so libcurl didn't work properly. - - (http://curl.haxx.se/bug/view.cgi?id=2963679) - -- Akos Pasztory filed debian bug report #572276 - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572276 mentioning a problem - with a resource that returns chunked-encoded _and_ with a Content-Length - and libcurl failed to properly ignore the latter information. - -- Hauke Duden provided an example program that made the multi interface crash. - His example simply used the multi interface and did first one FTP transfer - and after completion it used a second easy handle and did another FTP - transfer on the same FTP server. - - This triggered a bug in the "delayed easy handle kill" system that curl - uses: when an FTP connection is left alive it must keep an easy handle - around internally - only for the purpose of having an easy handle when it - later disconnects it. The code assumed that when the easy handle was removed - and an internal reference was made, that version could be killed later on - when a new easy handle came using the same connection. This was wrong as - Hauke's example showed that the removed handle wasn't killed for real until - later. This caused a double close attempt => segfault. - -Daniel Stenberg (22 Mar 2010) -- Thomas Lopatic fixed the alarm()-based DNS timeout: - - Looking at the code of Curl_resolv_timeout() in hostip.c, I think that in - case of a timeout, the signal handler for SIGALRM never gets removed. I - think that in my case it gets executed at some point later on when execution - has long left Curl_resolv_timeout() or even the cURL library. - - The code that is jumped to with siglongjmp() simply sets the error message - to "name lookup timed out" and then returns with CURLRESOLV_ERROR. I guess - that instead of simply returning without cleaning up, the code should have a - goto that jumps to the spot right after the call to Curl_resolv(). - -Kamil Dudka (22 Mar 2010) -- Douglas Steinwand contributed a patch fixing insufficient initialization in - Curl_clone_ssl_config() - -Daniel Stenberg (21 Mar 2010) -- Ben Greear improved TFTP: the error code returning and the treatment - of TSIZE == 0 when uploading. - -- We've switched from CVS to git. See http://curl.haxx.se/source.html - -Kamil Dudka (19 Mar 2010) -- Improved Curl_read() to not ignore the error returned from Curl_ssl_recv(). - -Daniel Stenberg (15 Mar 2010) -- Constantine Sapuntzakis brought a patch: - - The problem mentioned on Dec 10 2009 - (http://curl.haxx.se/bug/view.cgi?id=2905220) was only partially fixed. - Partially because an easy handle can be associated with many connections in - the cache (e.g. if there is a redirect during the lifetime of the easy - handle). The previous patch only cleaned up the first one. The new fix now - removes the easy handle from all connections, not just the first one. - -Daniel Stenberg (6 Mar 2010) -- Ben Greear brought a patch that fixed the rate limiting logic for TFTP when - the easy interface was used. - -Daniel Stenberg (5 Mar 2010) -- Daniel Johnson provided fixes for building curl with the clang compiler. - -Yang Tse (5 Mar 2010) -- Constantine Sapuntzakis detected and fixed a double free in builds done - with threaded resolver enabled (Windows default configuration) that would - get triggered when a curl handle is closed while doing DNS resolution. - -Daniel Stenberg (2 Mar 2010) -- [Daniel Johnson] I've been trying to build libcurl with clang on Darwin and - ran into some issues with the GSSAPI tests in configure.ac. The tests first - try to determine the include dirs and libs and set CPPFLAGS and LIBS - accordingly. It then checks for the headers and finally sets LIBS a second - time, causing the libs to be included twice. The first setting of LIBS seems - redundant and should be left out, since the first part is otherwise just - about finding headers. - - My second issue is that 'krb5-config --libs gssapi' on Darwin is less than - useless and returns junk that, while it happens to work with gcc, causes - clang to choke. For example, --libs returns $CFLAGS along with the libs, - which is really retarded. Simply setting 'LIBS="$LIBS -lgssapi_krb5 - -lresolv"' on Darwin is sufficient. - -- Based on patch provided by Jacob Moshenko, the transfer logic now properly - makes sure that when using sub-second timeouts, there's no final bad 1000ms - wait. Previously, a sub-second timeout would often make the elapsed time end - up the time rounded up to the nearest second (e.g. 1s for 200ms timeout) - -- Andrei Benea filed bug report #2956698 and pointed out that the - CURLOPT_CERTINFO feature leaked memory due to a missing OpenSSL function - call. He provided the patch to fix it too. - - http://curl.haxx.se/bug/view.cgi?id=2956698 - -- Markus Duft pointed out in bug #2961796 that even though Interix has a - poll() function it doesn't quite work the way we want it so we must disable - it, and he also provided a patch for it. - - http://curl.haxx.se/bug/view.cgi?id=2961796 - -- Made the pingpong timeout code properly deal with the response timeout AND - the global timeout if set. Also, as was reported in the bug report #2956437 - by Ryan Chan, the time stamp to use as basis for the per command timeout was - not set properly in the DONE phase for FTP (and not for SMTP) so I fixed - that just now. This was a regression compared to 7.19.7 due to the - conversion of FTP code over to the generic pingpong concepts. - - http://curl.haxx.se/bug/view.cgi?id=2956437 - -Daniel Stenberg (1 Mar 2010) -- Ben Greear provided an update for TFTP that fixes upload. - -- Wesley Miaw reported bug #2958179 which identified a case of looping during - OpenSSL based SSL handshaking even though the multi interface was used and - there was no good reason for it. - - http://curl.haxx.se/bug/view.cgi?id=2958179 - -Daniel Stenberg (26 Feb 2010) -- Pat Ray in bug #2958474 pointed out an off-by-one case when receiving a - chunked-encoding trailer. +Version 7.59.0 (13 Mar 2018) - http://curl.haxx.se/bug/view.cgi?id=2958474 - -Daniel Fandrich (25 Feb 2010) -- Fixed a couple of out of memory leaks and a segfault in the SMTP & IMAP code. - -Yang Tse (25 Feb 2010) -- I fixed bug report #2958074 indicating - (http://curl.haxx.se/bug/view.cgi?id=2958074) that curl on Windows with - option --trace-time did not use local time when timestamping trace lines. - This could also happen on other systems depending on time souurce. - -Patrick Monnerat (22 Feb 2010) -- Proper handling of STARTTLS on SMTP, taking CURLUSESSL_TRY into account. -- SMTP falls back to RFC821 HELO when EHLO fails (and SSL is not required). -- Use of true local host name (i.e.: via gethostname()) when available, as - default argument to SMTP HELO/EHLO. -- Test case 804 for HELO fallback. - -Daniel Stenberg (20 Feb 2010) -- Fixed the SMTP compliance by making sure RCPT TO addresses are specified - properly in angle brackets. Recipients provided with CURLOPT_MAIL_RCPT now - get angle bracket wrapping automatically by libcurl unless the recipient - starts with an angle bracket as then the app is assumed to deal with that - properly on its own. - -- I made the SMTP code expect a 250 response back from the server after the - full DATA has been sent, and I modified the test SMTP server to also send - that response. As usual, the DONE operation that is made after a completed - transfer is still not doable in a non-blocking way so this waiting for 250 - is unfortunately made blockingly. - -Yang Tse (14 Feb 2010) -- Overhauled test suite getpart() function. Fixing potential out of bounds - stack and memory overwrites triggered with huge test case definitions. - -Daniel Stenberg (13 Feb 2010) -- Martin Hager reported and fixed a problem with a missing quote in libcurl.m4 - - (http://curl.haxx.se/bug/view.cgi?id=2951319) - -- Tom Donovan fixed the CURL_FORMAT_* defines when building with cmake. - - (http://curl.haxx.se/bug/view.cgi?id=2951269) - -Daniel Stenberg (12 Feb 2010) -- Jack Zhang reported a problem with SMTP: we wrongly used multiple addresses - in the same RCPT TO line, when they should be sent in separate single - commands. I updated test case 802 to verify this. - -- I also fixed a bad use of my_setopt_str() of CURLOPT_MAIL_RCPT in the curl - tool which made it try to output it as string for the --libcurl feature - which could lead to crashes. - -Yang Tse (11 Feb 2010) -- Steven M. Schweda fixed VMS builder bad behavior when used in a batch job, - removed obsolete batch_compile.com and defines.com and updated VMS readme. - -Version 7.20.0 (9 February 2010) - -Daniel Stenberg (9 Feb 2010) -- When downloading compressed content over HTTP and the app asked libcurl to - automatically uncompress it with the CURLOPT_ENCODING option, libcurl could - wrongly provide the callback with more data than the maximum documented - amount. An application could thus get tricked into badness if the maximum - limit was trusted to be enforced by libcurl itself (as it is documented). - - This is further detailed and explained in the libcurl security advisory - 20100209 at - - http://curl.haxx.se/docs/adv_20100209.html - -Daniel Fandrich (3 Feb 2010) -- Changed the Watcom makefiles to make them easier to keep in sync with - Makefile.inc since that can't be included directly. - -Yang Tse (2 Feb 2010) -- Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release, - symbol will not be available when building with CURL_NO_OLDIES defined. Use - of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0 - -Daniel Stenberg (1 Feb 2010) -- Using the multi_socket API, it turns out at times it seemed to "forget" - connections (which caused a hang). It turned out to be an existing (7.19.7) - bug in libcurl (that's been around for a long time) and it happened like - this: - - The app calls curl_multi_add_handle() to add a new easy handle, libcurl will - then set it to timeout in 1 millisecond so libcurl will tell the app about - it. - - The app's timeout fires off that there's a timeout, the app calls libcurl as - we so often document it: - - do { - res = curl_multi_socket_action(... TIMEOUT ...); - } while(CURLM_CALL_MULTI_PERFORM == res); - - And this is the problem number one: - - When curl_multi_socket_action() is called with no specific handle, but only - a timeout-action, it will *only* perform actions within libcurl that are - marked to run at this time. In this case, the request would go from INIT to - CONNECT and return CURLM_CALL_MULTI_PERFORM. When the app then calls libcurl - again, there's no timer set for this handle so it remains in the CONNECT - state. The CONNECT state is a transitional state in libcurl so it reports no - sockets there, and thus libcurl never tells the app anything more about that - easy handle/connection. - - libcurl _does_ set a 1ms timeout for the handle at the end of - multi_runsingle() if it returns CURLM_CALL_MULTI_PERFORM, but since the loop - is instant the new job is not ready to run at that point (and there's no - code that makes libcurl call the app to update the timout for this new - timeout). It will simply rely on that some other timeout will trigger later - on or that something else will update the timeout callback. This makes the - bug fairly hard to repeat. - - The fix made to adress this issue: - - We introduce a loop in lib/multi.c around all calls to multi_runsingle() and - simply check for CURLM_CALL_MULTI_PERFORM internally. This has the added - benefit that this goes in line with my long-term wishes to get rid of the - CURLM_CALL_MULTI_PERFORM all together from the public API. - - The downside of this fix, is that the counter we return in 'running_handles' - in several of our public functions then gets a slightly new and possibly - confusing behavior during times: - - If an app adds a handle that fails to connect (very quickly) it may just - as well never appear as a 'running_handle' with this fix. Previously it - would first bump the counter only to get it decreased again at next call. - Even I have used that change in handle counter to signal "end of a - transfer". The only *good* way to find the end of a individual transfer - is calling curl_multi_info_read() to see if it returns one. - - Of course, if the app previously did the looping before it checked the - counter, it really shouldn't be any new effect. - -Yang Tse (26 Jan 2010) -- Constantine Sapuntzakis' and Joshua Kwan's work done in the last four months - relative to the asynchronous DNS lookups, along with with some integration - adjustments I have done are finally committed to CVS. - - Currently these enhancements will benefit builds done using c-ares on any - platform as well as Windows builds using the default threaded resolver. - - This release does not make generally available POSIX threaded DNS lookups - yet. There is no configure option to enable this feature yet. It is possible - to experimantally try this feature running configure with compiler flags that - make simultaneous definition of preprocessor symbols USE_THREADS_POSIX and - HAVE_PTHREAD_H, as well as whatever reentrancy compiler flags and linker ones - are required to link and properly use pthread_* functions on each platform. - -Daniel Stenberg (26 Jan 2010) -- Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the - proxy that cannot be resolved when using c-ares. This matches the behaviour - when not using c-ares. - -Björn Stenberg (23 Jan 2010) -- Added a new flag: -J/--remote-header-name. This option tells the - -O/--remote-name option to use the server-specified Content-Disposition - filename instead of extracting a filename from the URL. - -Daniel Stenberg (21 Jan 2010) -- Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new - libcurl options for controlling what to get and how to receive posssibly - interleaved RTP data. - -Daniel Stenberg (20 Jan 2010) -- As was pointed out on the http-state mailing list, the order of cookies in a - HTTP Cookie: header _needs_ to be sorted on the path length in the cases - where two cookies using the same name are set more than once using - (overlapping) paths. Realizing this, identically named cookies must be - sorted correctly. But detecting only identically named cookies and take care - of them individually is harder than just to blindly and unconditionally sort - all cookies based on their path lengths. All major browsers also already do - this, so this makes our behavior one step closer to them in the cookie area. - - Test case 8 was the only one that broke due to this change and I updated it - accordingly. - -Daniel Stenberg (19 Jan 2010) -- David McCreedy brought a fix and a new test case (129) to make libcurl work - again when downloading files over FTP using ASCII and it turns out that the - final size of the file is not the same as the initial size the server - reported. This is very common since servers don't take the newline - conversions into account. - -Kamil Dudka (14 Jan 2010) -- Suppressed side effect of OpenSSL configure checks, which prevented NSS from - being properly detected under certain circumstances. It had been caused by - strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config - distinguishes among empty and non-existent environment variable in that case. - -Daniel Stenberg (12 Jan 2010) -- Gil Weber reported a peculiar flaw with the multi interface when doing SFTP - transfers: curl_multi_fdset() would return -1 and not set and file - descriptors several times during a transfer of a single file. It turned out - to be due to two different flaws now fixed. Gil's excellent recipe helped me - nail this. - -Daniel Stenberg (11 Jan 2010) -- Made sure that the progress callback is repeatedly called at a regular - interval even during very slow connects. - -- The tests/runtests.pl script now checks to see if the test case that runs is - present in the tests/data/Makefile.am and outputs a notice message on the - screen if not. Each test file has to be included in that Makefile.am to get - included in release archives and forgetting to add files there is a common - mistake. This is an attempt to make it harder to forget. - -Daniel Stenberg (9 Jan 2010) -- Johan van Selst found and fixed a OpenSSL session ref count leak: - - ossl_connect_step3() increments an SSL session handle reference counter on - each call. When sessions are re-used this reference counter may be - incremented many times, but it will be decremented only once when done (by - Curl_ossl_session_free()); and the internal OpenSSL data will not be freed - if this reference count remains positive. When a session is re-used the - reference counter should be corrected by explicitly calling - SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid - introducing a memory leak. - - (http://curl.haxx.se/bug/view.cgi?id=2926284) - -Daniel Stenberg (7 Jan 2010) -- Make sure the progress callback is called repeatedly even during very slow - name resolves when c-ares is used for resolving. - -Claes Jakobsson (6 Jan 2010) -- Julien Chaffraix fixed so that the fragment part in an URL is not sent - to the server anymore. - -Kamil Dudka (3 Jan 2010) -- Julien Chaffraix eliminated a duplicated initialization in singlesocket(). - -Daniel Stenberg (2 Jan 2010) -- Make curl support --ssl and --ssl-reqd instead of the previous FTP-specific - versions --ftp-ssl and --ftp-ssl-reqd as these options are now used to - control SSL/TLS for IMAP, POP3 and SMTP as well in addition to FTP. The old - option names are still working but the new ones are the ones listed and - documented. - -Daniel Stenberg (1 Jan 2010) -- Ingmar Runge enhanced libcurl's FTP engine to support the PRET command. This - command is a special "hack" used by the drftpd server, but even though it is - a custom extension I've deemed it fine to add to libcurl since this server - seems to survive and people keep using it and want libcurl to support - it. The new libcurl option is named CURLOPT_FTP_USE_PRET, and it is also - usable from the curl tool with --ftp-pret. Using this option on a server - that doesn't support this command will make libcurl fail. - - I added test cases 1107 and 1108 to verify the functionality. - - The PRET command is documented at - http://www.drftpd.org/index.php/Distributed_PASV - -Yang Tse (30 Dec 2009) -- Steven M. Schweda improved VMS build system, and Craig A. Berry helped - with the patch and testing. - -Daniel Stenberg (26 Dec 2009) -- Renato Botelho and Peter Pentchev brought a patch that makes the libcurl - headers work correctly even on FreeBSD systems before v8. - - (http://curl.haxx.se/bug/view.cgi?id=2916915) - -Daniel Stenberg (17 Dec 2009) -- David Byron fixed Curl_ossl_cleanup to actually call ENGINE_cleanup when - available. - -- Follow-up fix for the proxy fix I did for Jon Nelson's bug. It turned out I - was a bit too quick and broke test case 1101 with that change. The order of - some of the setups is sensitive. I now changed it slightly again to make - sure we do them in this order: - - 1 - parse URL and figure out what protocol is used in the URL - 2 - prepend protocol:// to URL if missing - 3 - parse name+password off URL, which needs to know what protocol is used - (since only some allows for name+password in the URL) - 4 - figure out if a proxy should be used set by an option - 5 - if no proxy option, check proxy environment variables - 6 - run the protocol-specific setup function, which needs to have the proxy - already set - -Daniel Stenberg (15 Dec 2009) -- Jon Nelson found a regression that turned out to be a flaw in how libcurl - detects and uses proxies based on the environment variables. If the proxy - was given as an explicit option it worked, but due to the setup order - mistake proxies would not be used fine for a few protocols when picked up - from '[protocol]_proxy'. Obviously this broke after 7.19.4. I now also added - test case 1106 that verifies this functionality. - - (http://curl.haxx.se/bug/view.cgi?id=2913886) - -Daniel Stenberg (12 Dec 2009) -- IMAP, POP3 and SMTP support and their TLS versions (including IMAPS, POP3S - and SMTPS) are now supported. The current state may not yet be solid, but - the foundation is in place and the test suite has some initial support for - these protocols. Work will now persue to make them nice libcurl citizens - until release. - - The work with supporting these new protocols was sponsored by - networking4all.com - thanks! - -Daniel Stenberg (10 Dec 2009) -- Siegfried Gyuricsko found out that the curl manual said --retry would retry - on FTP errors in the transient 5xx range. Transient FTP errors are in the - 4xx range. The code itself only tried on 5xx errors that occured _at login_. - Now the retry code retries on all FTP transfer failures that ended with a - 4xx response. - - (http://curl.haxx.se/bug/view.cgi?id=2911279) - -- Constantine Sapuntzakis figured out a case which would lead to libcurl - accessing alredy freed memory and thus crash when using HTTPS (with - OpenSSL), multi interface and the CURLOPT_DEBUGFUNCTION and a certain order - of cleaning things up. I fixed it. - - (http://curl.haxx.se/bug/view.cgi?id=2905220) - -Daniel Stenberg (7 Dec 2009) -- Martin Storsjo made libcurl use the Expect: 100-continue header for posts - with unknown size. Previously it was only used for posts with a known size - larger than 1024 bytes. - -Daniel Stenberg (1 Dec 2009) -- If the Expect: 100-continue header has been set by the application through - curl_easy_setopt with CURLOPT_HTTPHEADER, the library should set - data->state.expect100header accordingly - the current code (in 7.19.7 at - least) doesn't handle this properly. Martin Storsjo provided the fix! - -Yang Tse (28 Nov 2009) -- Added Diffie-Hellman parameters to several test harness certificate files in - PEM format. Required by several stunnel versions used by our test harness. - -Daniel Stenberg (28 Nov 2009) -- Markus Koetter provided a polished and updated version of Chad Monroe's TFTP - rework patch that now integrates TFTP properly into libcurl so that it can - be used non-blocking with the multi interface and more. BLKSIZE also works. - - The --tftp-blksize option was added to allow setting the TFTP BLKSIZE from - the command line. - -Daniel Stenberg (26 Nov 2009) -- Extended and fixed the change I did on Dec 11 for the the progress - meter/callback during FTP command/response sequences. It turned out it was - really lame before and now the progress meter SHOULD get called at least - once per second. - -Daniel Stenberg (23 Nov 2009) -- Bjorn Augustsson reported a bug which made curl not report any problems even - though it failed to write a very small download to disk (done in a single - fwrite call). It turned out to be because fwrite() returned success, but - there was insufficient error-checking for the fclose() call which tricked - curl to believe things were fine. - -Yang Tse (23 Nov 2009) -- David Byron modified Makefile.dist vc8 and vc9 targets in order to allow - finer granularity control when generating src and lib makefiles. - -Yang Tse (22 Nov 2009) -- I modified configure to force removal of the curlbuild.h file included in - distribution tarballs for use by non-configure systems. As intended, this - would get overwriten when doing in-tree builds. But VPATH builds would end - having two curlbuild.h files, one in the source tree and another in the - build tree. With the modification I introduced 5 Nov 2009 this could become - an issue when running libcurl's test suite. - -Daniel Stenberg (20 Nov 2009) -- Constantine Sapuntzakis identified a write after close, as the sockets were - closed by libcurl before the SSL lib were shutdown and they may write to its - socket. Detected to at least happen with OpenSSL builds. - -- Jad Chamcham pointed out a bug with connection re-use. If a connection had - CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the - same proxy with the tunnel option disabled would still wrongly re-use that - previous connection and the outcome would only be badness. - -Yang Tse (18 Nov 2009) -- I modified the memory tracking system to make it intolerant with zero sized - malloc(), calloc() and realloc() function calls. - -Daniel Stenberg (17 Nov 2009) -- Constantine Sapuntzakis provided another fix for the DNS cache that could - end up with entries that wouldn't time-out: - - 1. Set up a first web server that redirects (307) to a http://server:port - that's down - 2. Have curl connect to the first web server using curl multi - - After the curl_easy_cleanup call, there will be curl dns entries hanging - around with in_use != 0. - - (http://curl.haxx.se/bug/view.cgi?id=2891591) - -- Marc Kleine-Budde fixed: curl saved the LDFLAGS set during configure into - its pkg-config file. So -Wl stuff ended up in the .pc file, which is really - bad, and breaks if there are multiple -Wl in our LDFLAGS (which are in - PTXdist). bug #2893592 (http://curl.haxx.se/bug/view.cgi?id=2893592) - -Kamil Dudka (15 Nov 2009) -- David Byron improved the configure script to use pkg-config to find OpenSSL - (and in particular the list of required libraries) even if a path is given - as argument to --with-ssl - -Yang Tse (15 Nov 2009) -- I removed enable-thread / disable-thread configure option. These were only - placebo options. The library is always built as thread safe as possible on - every system. - -Claes Jakobsson (14 Nov 2009) -- curl-config now accepts '--configure' to see what arguments was - passed to the configure script when building curl. - -Daniel Stenberg (14 Nov 2009) -- Claes Jakobsson restored the configure functionality to detect NSS when - --with-nss is set but not "yes". - - I think we can still improve that to check for pkg-config in that path etc, - but at least this patch brings back the same functionality we had before. - -- Camille Moncelier added support for the file type SSL_FILETYPE_ENGINE for - the client certificate. It also disable the key name test as some engines - can select a private key/cert automatically (When there is only one key - and/or certificate on the hardware device used by the engine) - -Yang Tse (14 Nov 2009) -- Constantine Sapuntzakis provided the fix that ensures that an SSL connection - won't be reused unless protection level for peer and host verification match. - - I refactored how preprocessor symbol _THREAD_SAFE definition is done. - -Kamil Dudka (12 Nov 2009) -- Kevin Baughman provided a fix preventing libcurl-NSS from crash on doubly - closed NSPR descriptor. The issue was hard to find, reported several times - before and always closed unresolved. More info at the RH bug: - https://bugzilla.redhat.com/534176 - -- libcurl-NSS now tries to reconnect with TLS disabled in case it detects - a broken TLS server. However it does not happen if SSL version is selected - manually. The approach was originally taken from PSM. Kaspar Brand helped me - to complete the patch. Original bug reports: - https://bugzilla.redhat.com/525496 - https://bugzilla.redhat.com/527771 - -Yang Tse (12 Nov 2009) -- I modified configure script to make the getaddrinfo function check also - verify if the function is thread safe. - -Yang Tse (11 Nov 2009) -- Marco Maggi reported that compilation failed when configured --with-gssapi - and GNU GSS installed due to a missing mutual exclusion of header files in - the Kerberos 5 code path. He also verified that my patch worked for him. - -Daniel Stenberg (11 Nov 2009) -- Constantine Sapuntzakis posted bug #2891595 - (http://curl.haxx.se/bug/view.cgi?id=2891595) which identified how an entry - in the DNS cache would linger too long if the request that added it was in - use that long. He also provided the patch that now makes libcurl capable of - still doing a request while the DNS hash entry may get timed out. - -- Christian Schmitz noticed that the progress meter/callback was not properly - used during the FTP connection phase (after the actual TCP connect), while - it of course should be. I also made the speed check get called correctly so - that really slow servers will trigger that properly too. - -Kamil Dudka (5 Nov 2009) -- Dropped misleading timeouts in libcurl-NSS and made sure the SSL socket works - in non-blocking mode. - -Yang Tse (5 Nov 2009) -- I removed leading 'curl' path on the 'curlbuild.h' include statement in - curl.h, adjusting auto-makefiles include path, to enhance portability to - OS's without an orthogonal directory tree structure such as OS/400. - -Daniel Stenberg (4 Nov 2009) -- I fixed several problems with the transfer progress meter. It showed the - wrong percentage for small files, most notable for <1000 bytes and could - easily end up showing more than 100% at the end. It also didn't show any - percentage, transfer size or estimated transfer times when transferring - less than 100 bytes. - -Version 7.19.7 (4 November 2009) - -Daniel Stenberg (2 Nov 2009) -- As reported independent by both Stan van de Burgt and Didier Brisebourg, - CURLINFO_SIZE_DOWNLOAD (the -w variable size_download) didn't work when - getting data from ldap! - -Daniel Stenberg (31 Oct 2009) -- Gabriel Kuri reported a problem with CURLINFO_CONTENT_LENGTH_DOWNLOAD if the - download was 0 bytes, as libcurl would then return the size as unknown (-1) - and not 0. I wrote a fix and test case 566 to verify it. - -Daniel Stenberg (30 Oct 2009) -- Liza Alenchery mentioned a problem with re-used SCP connection when a bad - auth is used, as it caused a crash. I failed to repeat the issue, but still - made a change that now forces the TCP connection used for a freed SCP - session to get closed and not be re-used. - -- "Tom" posted a bug report that mentioned how libcurl did wrong when doing a - POST using a read callback, with Digest authentication and - "Transfer-Encoding: chunked" enforced. I would then cause the first request - to be wrongly sent and then basically hang until the server closed the - connection. I fixed the problem and added test case 565 to verify it. - -Daniel Stenberg (25 Oct 2009) -- Dima Barsky made the curl cookie parser accept cookies even with blank or - unparsable expiry dates and then treat them as session cookies - previously - libcurl would reject cookies with a date format it couldn't parse. Research - shows that the major browser treat such cookies as session cookies. I - modified test 8 and 31 to verify this. - -Daniel Stenberg (21 Oct 2009) -- Attempt to use pkg-config for finding out libssh2 installation details - during configure. - -- A patch in bug report #2883177 (http://curl.haxx.se/bug/view.cgi?id=2883177) - by Johan van Selst introduced the --crlfile option to curl, which makes curl - tell libcurl about a file with CRL (certificate revocation list) data to - read. - -Daniel Stenberg (18 Oct 2009) -- Ray Dassen provided a patch in Debian's bug tracker (bug number #551461) - that now makes curl_getdate(3) actually handles RFC 822 formatted dates that - use the "single letter military timezones". - http://www.rfc-ref.org/RFC-TEXTS/822/chapter5.html has the details. - -- Fixed memory leak in the SCP/SFTP code as it never freed the knownhosts - data! - -- John Dennis filed bug report #2873666 - (http://curl.haxx.se/bug/view.cgi?id=2873666) which identified a problem - which made libcurl loop infinitely when given incorrect credentials when - using HTTP GSS negotiate authentication. He also provided a small and simple - patch for it. - -- Kevin Baughman found a double close() problem with libcurl-NSS, as when - libcurl called NSS to close the SSL "session" it also closed the actual - socket. - -Yang Tse (17 Oct 2009) -- Bug report #2866724 indicated - (http://curl.haxx.se/bug/view.cgi?id=2866724) that curl on Windows failed - when writing files whose file names originally contained characters which - are not valid for file names on Windows. Dan Fandrich provided an initial - patch and another revised one to fix this issue. - -Daniel Stenberg (1 Oct 2009) -- Tom Mueller correctly reported in bug report #2870221 - (http://curl.haxx.se/bug/view.cgi?id=2870221) that libcurl returned an - incorrect return code from the internal trynextip() function which caused - him grief. This is a regression that was introduced in 7.19.1 and I find it - strange it hasn't hit us harder, but I won't persue into figuring out - exactly why. - -- Constantine Sapuntzakis: The current implementation will always set - SO_SNDBUF to CURL_WRITE_SIZE even if the SO_SNDBUF starts out larger. The - patch doesn't do a setsockopt if SO_SNDBUF is already greater than - CURL_WRITE_SIZE. This should help folks who have set up their computer with - large send buffers. - -Daniel Stenberg (27 Sep 2009) -- I introduced a maximum limit for received HTTP headers. It is controlled by - the define CURL_MAX_HTTP_HEADER which is even exposed in the public header - file to allow for users to fairly easy rebuild libcurl with a modified - limit. The rationale for a fixed limit is that libcurl is realloc()ing a - buffer to be able to put a full header into it, so that it can call the - header callback with the entire header, but that also risk getting it into - trouble if a server by mistake or willingly sends a header that is more or - less without an end. The limit is set to 100K. - -Daniel Stenberg (26 Sep 2009) -- John P. McCaskey posted a bug report that showed how libcurl did wrong when - saving received cookies with no given path, if the path in the request had a - query part. That is means a question mark (?) and characters on the right - side of that. I wrote test case 1105 and fixed this problem. - -Kamil Dudka (26 Sep 2009) -- Implemented a protocol independent way to specify blocking direction, used by - transfer.c for blocking. It is currently used only by SCP and SFTP protocols. - This enhancement resolves an issue with 100% CPU usage during SFTP upload, - reported by Vourhey. - -Daniel Stenberg (25 Sep 2009) -- Chris Mumford filed bug report #2861587 - (http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used - the OpenSSL function X509_load_crl_file() wrongly and failed if it would - load a CRL file with more than one certificate within. This is now fixed. - -Daniel Stenberg (16 Sep 2009) -- Sven Anders reported that we introduced a cert verfication flaw for OpenSSL- - powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name - field in the certficate it had to match and so even if non-DNS and non-IP - entry was present it caused the verification to fail. - -Daniel Fandrich (15 Sep 2009) -- Moved the libssh2 checks after the SSL library checks. This helps when - statically linking since libssh2 needs the SSL library link flags to be - set up already to satisfy its dependencies. This wouldn't be necessary if - the libssh2 configure check was changed to use pkg-config since the - --static flag would add the dependencies automatically. - -Yang Tse (14 Sep 2009) -- Revert Joshua Kwan's patch committed 11 Sep 2009. - - Some systems poll function sets POLLHUP in revents without setting - POLLIN, and sets POLLERR without setting POLLIN and POLLOUT. In some - libcurl code execution paths this could trigger busy wait loops with - high CPU usage until a timeout condition aborted the loop. - - The reverted patch addressed the above issue for a very specific case, - when awaiting c-ares to resolve. A libcurl-wide fix for Curl_poll now - superceeds this one. - -Guenter Knauf (11 Sep 2009) -- Joshua Kwan provided a patch to pass POLLERR / POLLHUP back to c-ares. - This fixes a loop problem with high CPU usage. - -Daniel Stenberg (10 Sep 2009) -- Claes Jakobsson fixed a problem with cookie expiry dates at exctly the epoch - start second "Thu Jan 1 00:00:00 GMT 1970" as the date parser then returns 0 - which internally then is treated as a session cookie. That particular date - is now made to get the value of 1. - -Daniel Stenberg (2 Sep 2009) -- Daniel Johnson found a flaw in the code converting sftp-errors to libcurl - errors. - -Daniel Stenberg (1 Sep 2009) -- Peter Sylvester made a debug feature for Curl_resolv() that now will force - libcurl to resolve 'localhost' whatever name you use in the URL *if* you set - the --interface option to (exactly) "LocalHost". This will enable us to - write tests for custom hosts names but still use a local host server. - -- configure now tries to use pkg-config for a number of sub-dependencies even - when cross-compiling. The key to success is then you properly setup - PKG_CONFIG_PATH before invoking configure. - - I also improved how NSS is detected by trying nss-config if pkg-config isn't - present, and as a last resort just use the lib name and force the user to - setup the LIBS/LDFLAGS/CFLAGS etc properly. The previous last resort would - add a range of various libs that would almost never be quite correct. - -Daniel Stenberg (31 Aug 2009) -- When using the multi interface with FTP and you asked for NOBODY, you did no - QUOTE commands and the request used the same path as the connection had - already changed to, it would decide that no commands would be necessary for - the "DO" action and that was not handled properly but libcurl would instead - hang. - -Kamil Dudka (28 Aug 2009) -- Improved error message for not matching certificate subject name in - libcurl-NSS. Originally reported at: - https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9 - -Patrick Monnerat (24 Aug 2009) -- Introduced a SYST-based test to properly set-up name format when dealing - with the OS/400 FTP server. - -- Fixed an ftp_readresp() bug preventing detection of failing control socket - and causing FTP client to loop forever. - -Daniel Stenberg (24 Aug 2009) -- Marc de Bruin pointed out that configure --with-gnutls=PATH didn't work - properly and provided a fix. http://curl.haxx.se/bug/view.cgi?id=2843008 - -- Eric Wong introduced support for the new option -T. (dot) that makes curl - read stdin in a non-blocking fashion. This also brings back -T- (minus) to - the previous blocking behavior since it could break stuff for people at - times. - -Michal Marek (21 Aug 2009) -- With CURLOPT_PROXY_TRANSFER_MODE, avoid sending invalid URLs like - ftp://example.com;type=i if the user specified ftp://example.com without the - slash. - -Daniel Stenberg (21 Aug 2009) -- Andre Guibert de Bruet pointed out a missing return code check for a - strdup() that could lead to segfault if it returned NULL. I extended his - suggest patch to now have Curl_retry_request() return a regular return code - and better check that. - -- Lots of good work by Krister Johansen, mostly related to pipelining: - - Fix SIGSEGV on free'd easy_conn when pipe unexpectedly breaks - Fix data corruption issue with re-connected transfers - Fix use after free if we're completed but easy_conn not NULL - -Kamil Dudka (13 Aug 2009) -- Changed NSS code to not ignore the value of ssl.verifyhost and produce more - verbose error messages. Originally reported at: - https://bugzilla.redhat.com/show_bug.cgi?id=516056 - -Daniel Stenberg (12 Aug 2009) -- Karl Moerder fixed the Makefile.vc* makefiles to include the new file - nonblock.c so that they work fine again - -- I expanded test 517 with a bunch of more dates that originate from the - Chrome browser test suite. It turns out most of them get parsed the same - way. - -Version 7.19.6 (12 August 2009) - -Daniel Stenberg (12 Aug 2009) -- Carsten Lange reported a bug and provided a patch for TFTP upload and the - sending of the TSIZE option. I don't like fixing bugs just hours before - a release, but since it was broken and the patch fixes this for him I decided - to get it in anyway. - -Daniel Stenberg (11 Aug 2009) -- Peter Sylvester made the HTTPS test server use specific certificates for - each test, so that the test suite can now be used to actually test the - verification of cert names etc. This made an error show up in the OpenSSL- - specific code where it would attempt to match the CN field even if a - subjectAltName exists that doesn't match. This is now fixed and verified - in test 311. - -- Benbuck Nason posted the bug report #2835196 - (http://curl.haxx.se/bug/view.cgi?id=2835196), fixing a few compiler - warnings when mixing ints and bools. - -Daniel Fandrich (10 Aug 2009) -- Fixed a memory leak in the FTP code and an off-by-one heap buffer overflow. - -Daniel Fandrich (9 Aug 2009) -- Fixed some memory leaks in the command-line tool that caused most of the - torture tests to fail. - -Daniel Stenberg (2 Aug 2009) -- Curt Bogmine reported a problem with SNI enabled on a particular server. We - should introduce an option to disable SNI, but as we're in feature freeze - now I've addressed the obvious bug here (pointed out by Peter Sylvester): we - shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected. - Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular - option for SNI, or are we simply not using it? - -Daniel Stenberg (1 Aug 2009) -- Scott Cantor posted the bug report #2829955 - (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert - verification flaw found and exploited by Moxie Marlinspike. The presentation - he did at Black Hat is available here: - https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike - - Apparently at least one CA allowed a subjectAltName or CN that contain a - zero byte, and thus clients that assumed they would never have zero bytes - were exploited to OK a certificate that didn't actually match the site. Like - if the name in the cert was "example.com\0theatualsite.com", libcurl would - happily verify that cert for example.com. - - libcurl now better uses the length of the extracted name, not using the zero - termination for getting the string length. - - This fixing only made and needed in OpenSSL interfacing code. - -- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (present - only in some OpenSSL installs - like on Windows) isn't thread-safe and we - agreed that moving it to the global_init() function is a decent way to deal - with this situation. - -- Alexander Beedie provided the patch for a noproxy problem: If I have set - CURLOPT_NOPROXY to "*", or to a host that should not use a proxy, I actually - could still end up using a proxy if a proxy environment variable was set. - -Daniel Stenberg (27 Jul 2009) -- All the quote options (CURLOPT_QUOTE, CURLOPT_POSTQUOTE and - CURLOPT_PREQUOTE) now accept a preceeding asterisk before the command to - send when using FTP, as a sign that libcurl shall simply ignore the response - from the server instead of treating it as an error. Not treating a 400+ FTP - response code as an error means that failed commands will not abort the - chain of commands, nor will they cause the connection to get disconnected. - -Daniel Stenberg (26 Jul 2009) -- Johan van Selst posted bug report #2825989 - (http://curl.haxx.se/bug/view.cgi?id=2825989) pointing out that - OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm, and - provided the solution too: to use OpenSSL_add_all_algorithms() in addition - to the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in - OpenSSL 0.9.5 - -Daniel Stenberg (23 Jul 2009) -- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA. - They introduce known_host support for SSH keys to libcurl. See docs for - details. Note that this feature depends on a new enough libssh2 version, to - be supported in libssh2 1.2 and later (or current git repo at this time). - -Michal Marek (22 Jul 2009) -- David Binderman found a memory and fd leak in lib/gtls.c:load_file() - (https://bugzilla.novell.com/523919). When looking at the code, I found that - also the ptr pointer can leak. - -Kamil Dudka (20 Jul 2009) -- Claes Jakobsson improved the support for client certificates handling in - NSS-powered libcurl. Now the client certificates can be selected - automatically by a NSS built-in hook. Additionally pre-login to all PKCS11 - slots is no more performed. It used to cause problems with HW tokens. - -- Fixed reference counting for NSS client certificates. Now the PEM reader - module should be always properly unloaded on Curl_nss_cleanup(). If the - unload fails though, libcurl will try to reuse the already loaded instance. - -Daniel Fandrich (15 Jul 2009) -- Added nonblock.c to the non-automake makefiles (note that the dependencies - in the Watcom makefiles aren't quite correct). - -Michal Marek (15 Jul 2009) -- Changed the description of CURLINFO_OS_ERRNO to make it clear that the - errno is not reset on success. - -Guenter Knauf (14 Jul 2009) -- renamed generated config.h to curl_config.h to avoid any future clashes - with config.h from other projects. - -Daniel Stenberg (9 Jul 2009) -- Eric Wong introduced curlx_nonblock() that the curl tool now (re-)uses for - setting a file descriptor non-blocking. Used by the functionality Eric - himself brough on June 15th. - -Daniel Stenberg (8 Jul 2009) -- Constantine Sapuntzakis posted bug report #2813123 - (http://curl.haxx.se/bug/view.cgi?id=2813123) and an a patch that fixes the - problem: - - Url A is accessed using auth. Url A redirects to Url B (on a different - server0. Url B reuses a persistent connection. Url B has auth, even though - it's on a different server. - - Note: if Url B does not reuse a persistent connection, auth is not sent. - - reason: - - data->state.first_host is not initialized becuase Curl_http_connect is not - called when a connection is reused. - - Solution: - - move initialization of data->state.first_host to Curl_http. No code before - Curl_http uses data->state.first_host anyway. - -Guenter Knauf (4 Jul 2009) -- Markus Koetter provided a patch to avoid getnameinfo() usage which broke a - couple of both IPv4 and IPv6 autobuilds. - -Daniel Stenberg (29 Jun 2009) -- Markus Koetter made CURLOPT_FTPPORT (and curl's -P/--ftpport) support a port - range if given colon-separated after the host name/address part. Like - "192.168.0.1:2000-10000" - -- Modified the separators used for CURLOPT_CERTINFO in multi-part outputs. I - don't know how they got wrong in the first place, but using this output - format makes it possible to quite easily separate the string into an array - of multiple items. - -Daniel Fandrich (16 June 2009) -- Added a few more compiler warning options for gcc. - -Daniel Stenberg (16 Jun 2009) -- Reuven Wachtfogel made curl -o - properly produce a binary output on windows - (no newline translations). Use -B/--use-ascii if you rather get the ascii - approach. - -Michal Marek (16 Jun 2009) -- When doing non-anonymous ftp via http proxies and the password is not - provided in the url, add it there (squid needs this). - -Daniel Stenberg (15 Jun 2009) -- Eric Wong's patch: - - This allows curl(1) to be used as a client-side tunnel for arbitrary stream - protocols by abusing chunked transfer encoding in both the HTTP request and - HTTP response. This requires server support for sending a response while a - request is still being read, of course. - - If attempting to read from stdin returns EAGAIN, then we pause our sender. - This leaves curl to attempt to read from the socket while reading from stdin - (and thus sending) is paused. - - This change was needed to allow successfully tunneling the git protocol over - HTTP (--no-buffer is needed, as well). - -Patrick Monnerat (15 Jun 2009) -- Replaced use of standard C library rand()/srand() by our own pseudo-random - number generator. - -Yang Tse (11 Jun 2009) -- I adapted testcurl script to allow building test harness programs when - cross-compiling for a *-*-mingw* host. - -Daniel Stenberg (10 Jun 2009) -- Fabian Keil ran clang on the (lib)curl code, found a bunch of warnings and - contributed a range of patches to fix them. - -Yang Tse (10 Jun 2009) -- I introduced configure script option --enable-curldebug which now allows - the decoupled enabling or disabling of the curl debug memory tracking - feature from the --enable-debug option which no longer controls this. - - curl --version will list 'Debug' feature for debug enabled builds, and - will list 'TrackMemory' feature for curl debug memory tracking capable - builds. These features are independent and can be controlled when running - the configure script. When --enable-debug is given both features will be - enabled, unless some restriction prevents memory tracking from being used. - - Internally, definition of preprocessor symbol DEBUGBUILD restricts code - which is only compiled for debug enabled builds. And symbol CURLDEBUG is - used to differentiate code which is _only_ used for memory tracking. - -Yang Tse (9 Jun 2009) -- Daniel Steinberg pointed out that Curl_FormInit() in formdata.c was not - initializing the fread callback pointer and this triggered a compiler - warning, also provided a friendly suggestion on how to fix it. - -Daniel Stenberg (8 Jun 2009) -- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount - issue with client certs that caused issues like segfaults. - http://curl.haxx.se/mail/lib-2009-05/0316.html - -- Triggered by bug report #2798852 and the patch in there, I fixed configure - to detect gnutls build options with pkg-config only and not libgnutls-config - anymore since GnuTLS has stopped distributing that tool. If an explicit path - is given to configure, we will instead guess on how to link and use that - lib. I did not use the patch from the bug report. - -Yang Tse (8 Jun 2009) -- Igor Novoseltsev adjusted Makefile.vxworks to get sources and headers - included from Makefile.inc, and provided docs\INSTALL VxWorks section. - -- I removed buildconf.bat from release and daily snapshot archives. This - file is only for CVS tree checkout builds. - -Daniel Stenberg (8 Jun 2009) -- Eric Wong fixed --no-buffer to actually switch off output buffering. Been - broken since 7.19.0 - -Bill Hoffman (6 Jun 2009) -- Added some cmake docs and fixed socklen_t in the build. - -Yang Tse (5 Jun 2009) -- John E. Malmberg provided VMS specific patch: "This fixes an existing bug - in urlglob.c where it was not converting the Curl Unix exit code to a VMS - DCL compatible exit code. This fix required the enhancement described next. - This also adds an enhancement to main.c so that when curl is run under a - Unix shell like Bash on VMS, it will return the standard Unix exit codes - and messages." And another patch for docs/examples. - - I introduced os-specific.c and os-specific.h for use in curl tool code - and adjusted John E. Malmberg's patch placement to use these new files - as an effort to prevent main.c from growing ad infinitum. Code already - existing in main.c which is OS specific should be moved into these files. - -Daniel Stenberg (4 June 2009) -- Setting the Content-Length: header from your app when you do a POST or PUT - is almost always a VERY BAD IDEA. Yet there are still apps out there doing - this, and now recently it triggered a bug/side-effect in libcurl as when - libcurl sends a POST or PUT with NTLM, it sends an empty post first when it - knows it will just get a 401/407 back. If the app then replaced the - Content-Length header, it caused the server to wait for input that libcurl - wouldn't send. Aaron Oneal reported this problem in bug report #2799008 - (http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix. - -Yang Tse (4 Jun 2009) -- Igor Novoseltsev provided patches and information, that after some - adjustments to better fit curl's way of doing things, have resulted - in the posibility of building libcurl for VxWorks. - -Daniel Fandrich (2 June 2009) -- Checked in a Google Android make file. To use it, you must first - create a config.h file by running configure in the Android environment, - which doesn't seem to be easy to do. If no easy way can be found, a - static config-android.h may need to be created and checked in to the - libcurl source tree. - -Daniel Stenberg (1 June 2009) -- Claes Jakobsson fixed the configure script to better find and use NSS - without pkg-config. - -Yang Tse (1 Jun 2009) -- John E. Malmberg provided a VMS specific clean-up for curl.h, and pointed - out that the configure script was failing to detect the timeval struct on - VMS when building with _XOPEN_SOURCE_EXTENDED undefined due to definition - taking place in socket.h instead of time.h. I have adjusted configure - script to also include this header when checking struct timeval. - -Daniel Stenberg (27 May 2009) -- Frank McGeough provided a small OpenSSL #include fix to make libcurl compile - fine with Nokia 5th edition 1.0 SDK for Symbian. - -- Andre Guibert de Bruet found a call to a OpenSSL function that didn't check - for a failure properly. - -- Mike Crowe pointed out that setting CURLOPT_USERPWD to NULL used to clear - the auth credentials back in 7.19.0 and earlier while now you have to set "" - to get the same effect. His patch brings back the ability to use NULL. - -- Claes Jakobsson fixed libcurl-NSS to build fine even without the - PK11_CreateGenericObject() function. - -Daniel Stenberg (25 May 2009) -- bug report #2796358 (http://curl.haxx.se/bug/view.cgi?id=2796358) pointed - out that the cookie parser would leak memory when it parses cookies that are - received with domain, path etc set multiple times in the same header. While - such a cookie is questionable, they occur in the wild and libcurl no longer - leaks memory for them. I added such a header to test case 8. - -Daniel Fandrich (22 May 2009) -- Removed some obsolete digest code that caused a valgrind error in test 551. - -Daniel Fandrich (20 May 2009) -- Added "non-existing host" test keywords to make it easy to skip those - tests on machines that have broken DNS configurations (such as - those configured to use OpenDNS). - -Daniel Stenberg (19 May 2009) -- Kamil Dudka brought the patch from the Redhat bug entry - https://bugzilla.redhat.com/show_bug.cgi?id=427966 which was libcurl closing - a bad file descriptor when closing down the FTP data connection. Caolan - McNamara seems to be the original author of it. - -Version 7.19.5 (18 May 2009) - -Daniel Stenberg (17 May 2009) -- James Bursa posted a patch to the mailing list that fixed a problem with - no_proxy which made it not skip the proxy if the URL entered contained a - user name. I added test case 1101 to verify. - -Daniel Stenberg (11 May 2009) -- Balint Szilakszi reported a memory leak when libcurl did gzip decompression - of streams that had some parts (legitimately) missing. We now provide and use - a proper cleanup function for the content encoding submodule. - http://curl.haxx.se/mail/lib-2009-05/0092.html - -- Kamil Dudka provided a fix for libcurl-NSS reported by Michael Cronenworth - at https://bugzilla.redhat.com/show_bug.cgi?id=453612#c12 - - If an incorrect password is given while loading a private key, libcurl ends - up in an infinite loop consuming memory. The bug is critical. - -- I fixed the problem with doing NTLM, POST and then following a 302 redirect, - as reported by Ebenezer Ikonne (on curl-users) and Laurent Rabret (on - curl-library). The transfer was mistakenly marked to get more data to send - but since it didn't actually have that, it just hung there... - -Daniel Stenberg (10 May 2009) -- Andre Guibert de Bruet correctly pointed out an over-alloc with one wasted - byte in the digest code. - -Yang Tse (9 May 2009) -- Removed DOS and TPF package's subdirectory Makefile.am, it was only used - to include some files in the distribution tarball serving no other purpose. - Files from the DOS and TPF subdirectories are now included in the EXTRA_DIST - of the Makefile in the parent subdirectory. - -Yang Tse (8 May 2009) -- Changed host name literal in several tests to one under the haxx.se domain. - -- Renamed vc6 workspace and project files to avoid filename clash when used - for conversion to later VS versions. - -Daniel Stenberg (8 May 2009) -- Constantine Sapuntzakis fixed bug report #2784055 - (http://curl.haxx.se/bug/view.cgi?id=2784055) identifying a problem to - connect to SOCKS proxies when using the multi interface. It turned out to - almost not work at all previously. We need to wait for the TCP connect to - be properly verified before doing the SOCKS magic. - - There's still a flaw in the FTP code for this. - -Daniel Stenberg (7 May 2009) -- Made the SO_SNDBUF setting for the data connection socket for ftp uploads as - well. See change 28 Apr 2009. - -Yang Tse (7 May 2009) -- Fixed an issue affecting FTP transfers, introduced with the transfer.c - patch committed May 4. - -Daniel Stenberg (7 May 2009) -- Man page *roff problems fixed thanks to input from Colin Watson. Problems - reported in the Debian package. - -- Vijay G filed bug report #2723236 - (http://curl.haxx.se/bug/view.cgi?id=2723236) identifying a problem with - libcurl's TFTP code and its lack of dealing with the OACK packet. - -Yang Tse (5 May 2009) -- Fixed the --ftp-port address of test #251 to the CLIENTIP address, and - reverted the change affecting test suite harness committed 4 May. - -Daniel Stenberg (5 May 2009) -- Inspired by Michael Smith's session id fix for OpenSSL, I did the - corresponding fix in the GnuTLS code: make sure to store the new session id - in case the previous re-used one is rejected. - -Daniel Stenberg (4 May 2009) -- Michael Smith posted bug report #2786255 - (http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how - libcurl did not deal with SSL session ids properly if the server rejected a - re-use of one. Starting now, it will forget the rejected one and remember - the new. This change was for OpenSSL only, it is likely that other SSL lib - code needs similar fixes. - -Yang Tse (4 May 2009) -- Applied David McCreedy's "transfer.c fixes for CURL_DO_LINEEND_CONV and - non-ASCII platform HTTP requests" patch addressing two HTTP PUT problems: - 1) On non-ASCII platforms not all of the protocol portions of the PUT are - being translated to ASCII. 2) On all platforms the line endings of part of - the protocol portions are mangled from CRLF to CRCRLF if data->set.crlf or - data->set.prefer_ascii are set (depending on CURL_DO_LINEEND_CONV). - -- Applied David McCreedy's patch to fix test suite harness to allow test FTP - server and client on different machines, providing FTP client address when - running the FTP test server. - -Daniel Fandrich (3 May 2009) -- Added and disabled test case 563 which shows KNOWN_BUGS #59. The bug - report failed to mention that a proxy must be used to reproduce it. - -Yang Tse (2 May 2009) -- Use a build-time configured curl_socklen_t data type instead of socklen_t. - -Yang Tse (1 May 2009) -- Applied David McCreedy's patches "TPF-platform specific changes to various - files" and "http.c fix to Curl_proxyCONNECT for non-ASCII platforms", the - former with minor edits. - -Daniel Stenberg (30 Apr 2009) -- I was going to fix issue #59 in KNOWN_BUGS - - If the CURLOPT_PORT option is used on an FTP URL like - "ftp://example.com/file;type=A" the ";type=A" is stripped off. - - I added test case 562 to verify, only to find out that I couldn't repeat - this bug so I hereby consider it not a bug anymore! - -Daniel Stenberg (29 Apr 2009) -- Based on bug report #2723219 (http://curl.haxx.se/bug/view.cgi?id=2723219) - I've now made TFTP "connections" not being kept for re-use within libcurl. - TFTP is UDP-based so the benefit was really low (if even existing) to begin - with so instead of tracking down to fix this problem we instead removed the - re-use. I also enabled test case 1099 that I wrote a few days ago to verify - that this change fixes the reported problem. - -Daniel Stenberg (28 Apr 2009) -- Constantine Sapuntzakis filed bug report #2783090 - (http://curl.haxx.se/bug/view.cgi?id=2783090) pointing out that on windows - we need to grow the SO_SNDBUF buffer somewhat to get really good upload - speeds. http://support.microsoft.com/kb/823764 has the details. Friends - confirmed that simply adding 32 to CURL_MAX_WRITE_SIZE is enough. - -- Bug report #2709004 (http://curl.haxx.se/bug/view.cgi?id=2709004) by Tim - Chen pointed out how curl couldn't upload with resume when reading from a - pipe. - - This ended up with the introduction of a new return code for the - CURLOPT_SEEKFUNCTION callback that basically says that the seek failed but - that libcurl may try to resolve the situation anyway. In our case this means - libcurl will attempt to instead read that much data from the stream instead - of seeking and that way curl can now upload with resume when data is read - from a stream! - -Daniel Stenberg (26 Apr 2009) -- Bug report #2779733 (http://curl.haxx.se/bug/view.cgi?id=2779733) by Sven - Wegener pointed out that CURLINFO_APPCONNECT_TIME didn't work with the multi - interface and provided a patch that fixed the problem! - -Daniel Stenberg (24 Apr 2009) -- Kamil Dudka fixed another NSS-related leak when client certs were used. - -- Bug report #2779245 (http://curl.haxx.se/bug/view.cgi?id=2779245) by Rainer - Koenig pointed out that the man page didn't tell that the *_proxy - environment variables can be specified lower case or UPPER CASE and the - lower case takes precedence, - -Daniel Fandrich (21 Apr 2009) -- Added new libcurl source files to Amiga, RiscOS and VC6 build files. - -Yang Tse (21 Apr 2009) -- Moved potential inclusion of system's malloc.h and memory.h header files to - setup_once.h. Inclusion of each header file is based on the definition of - NEED_MALLOC_H and NEED_MEMORY_H respectively. - - Renamed libcurl's memory.h to curl_memory.h - -Daniel Stenberg (20 Apr 2009) -- Leanic Lefever reported a crash and did some detailed research on why and - how it occurs (http://curl.haxx.se/mail/lib-2009-04/0289.html). The - conclusion was that if an error is detected and Curl_done() is called for - the connection, ftp_done() could at times return another error code that - then would take precedence and that new code confused existing logic that - works for the first error code (CURLE_SEND_ERROR) only. - -- Gisle Vanem noticed that --libtool would produce bogus strings at times for - OBJECTPOINT options. Now we've introduced a new function - my_setopt_str - - within the app for setting plain string options to avoid the risk of this - mistake happening. - -Daniel Stenberg (17 Apr 2009) -- Pramod Sharma reported and tracked down a bug when doing FTP over a HTTP - proxy. libcurl would then wrongly close the connection after each - request. In his case it had the weird side-effect that it killed NTLM auth - for the proxy causing an inifinite loop! - - I added test case 1098 to verify this fix. The test case does however not - properly verify that the transfers are done persistently - as I couldn't - think of a clever way to achieve it right now - but you need to read the - stderr output after a test run to see that it truly did the right thing. - -Daniel Stenberg (13 Apr 2009) -- bug report #2727981 (http://curl.haxx.se/bug/view.cgi?id=2727981) by Martin - Storsjö pointed out how setting CURLOPT_NOBODY to 0 could be downright - confusing as it set the method to either GET or HEAD. The example he showed - looked like: - - curl_easy_setopt(curl, CURLOPT_PUT, 1); - curl_easy_setopt(curl, CURLOPT_NOBODY, 0); - - The new way doesn't alter the method until the request is about to start. If - CURLOPT_NOBODY is then 1 the HTTP request will be HEAD. If CURLOPT_NOBODY is - 0 and the request happens to have been set to HEAD, it will then instead be - set to GET. I believe this will be less surprising to users, and hopefully - not hit any existing users badly. - -- Toshio Kuratomi reported a memory leak problem with libcurl+NSS that turned - out to be leaking cacerts. Kamil Dudka helped me complete the fix. The issue - is found in Redhat's bug tracker: - https://bugzilla.redhat.com/show_bug.cgi?id=453612 - - There are still memory leaks present, but they seem to have other reasons. - -Daniel Fandrich (11 Apr 2009) -- Added new libcurl source files to Symbian OS build files. -- Improved Symbian support for SSL. - -Yang Tse (10 Apr 2009) -- Daniel Johnson improved the MacOSX-Framework shell script to now perform all - the steps required to build a Mac OS X four way fat ppc/i386/ppc64/x86_64 - libcurl.framework. Four way fat framework requires OS X 10.5 SDK or later. - -Yang Tse (8 Apr 2009) -- Removed Sun compilers preprocessor block from curlbuild.h.dist, this also - removes it from the curlbuild.h file originally distributed by the cURL - project as this file is intended for systems not capable of running the - configure script. For those who have been building curl out of the source - code curl distribution tarball provided by curl.haxx.se the change implies - nothing. Previous change in this area committed 2 Apr becomes irrelevant. - -Daniel Stenberg (6 Apr 2009) -- I clarified in the docs that CURLOPT_SEEKFUNCTION should return 0 on success - and 1 on fatal errors. Previously it only mentioned non-zero on fatal - errors. This is a slight change in meaning, but it follows what we've done - elsewhere before and it opens up for LOTS of more useful return codes - whenever we can think of them... - -Yang Tse (2 Apr 2009) -- Fix curl_off_t definition for builds done using Sun compilers and a - non-configured libcurl. In this case curl_off_t data type was gated - to the off_t data type which depends on the _FILE_OFFSET_BITS. This - configuration is exactly the unwanted configuration for our curl_off_t - data type which must not depend on such setting. This breaks ABI for - libcurl libraries built with Sun compilers which were built without - having run the configure script with _FILE_OFFSET_BITS different than - 64 and using the ILP32 data model. - -Daniel Stenberg (1 Apr 2009) -- Andre Guibert de Bruet fixed a NULL pointer use in an infof() call if a - strdup() call failed. - -Daniel Fandrich (31 Mar 2009) -- Properly return an error code in curl_easy_recv (reported by Jim Freeman). - -Daniel Stenberg (18 Mar 2009) -- Kamil Dudka brought a patch that enables 6 additional crypto algorithms when - NSS is used. These ciphers were added in NSS 3.4 and require to be enabled - explicitly. - -Daniel Stenberg (13 Mar 2009) -- Use libssh2_version() to present the libssh2 version in case the libssh2 - library is found to support it. - -Yang Tse (12 Mar 2009) -- Added missing Curl_read() return code checking in TELNET transfers. - -- Pierre Brico found and fixed TELNET transfers not being aborted upon - a write callback failure. - -Daniel Stenberg (11 Mar 2009) -- Kamil Dudka made the curl tool properly call curl_global_init() before any - other libcurl function. - -Yang Tse (11 Mar 2009) -- Added missing TELNET timeout support for Windows builds. This issue was - reported by Pierre Brico. - -Daniel Stenberg (9 Mar 2009) -- Frank Hempel found out a bug and provided the fix: - - curl_easy_duphandle did not necessarily duplicate the CURLOPT_COOKIEFILE - option. It only enabled the cookie engine in the destination handle if - data->cookies is not NULL (where data is the source handle). In case of a - newly initialized handle which just had the cookie support enabled by a - curl_easy_setopt(handle, CURL_COOKIEFILE, "")-call, handle->cookies was - still NULL because the setopt-call only appends the value to - data->change.cookielist, hence duplicating this handle would not have the - cookie engine switched on. - - We also concluded that the slist-functionality would be suitable for being - put in its own module rather than simply hanging out in lib/sendf.c so I - created lib/slist.[ch] for them. - -- Andreas Farber made the 'buildconf' script check for the presence of m4 - scripts to make it detect a bad checkout earlier. People with older - checkouts who don't do cvs update with the -d option won't get the new dirs - and then will get funny outputs that can be a bit hard to understand and +Daniel Stenberg (13 Mar 2018) +- release: 7.59.0 + +Kamil Dudka (13 Mar 2018) +- tests/.../spnego.py: fix identifier typo + + Detected by Coverity Analysis: + + Error: IDENTIFIER_TYPO: + curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo: + * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code. + * Identifier "SupportedMech" is referenced elsewhere at least 4 times. + curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech". + curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech". + curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function). + curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"? + + Closes #2379 + +Daniel Stenberg (13 Mar 2018) +- CURLOPT_COOKIEFILE.3: "-" as file name means stdin + + Reported-by: Aron Bergman + Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html + + [ci skip] + +- Revert "hostip: fix compiler warning: 'variable set but not used'" + + This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248. + + The assignment really needs to be there or we risk working with an + uninitialized pointer. + +Michael Kaufmann (12 Mar 2018) +- limit-rate: fix compiler warning + + follow-up to 72a0f62 + +Viktor Szakats (12 Mar 2018) +- checksrc.pl: add -i and -m options + + To sync it with changes made for the libssh2 project. + Also cleanup some whitespace. + +- curl-openssl.m4: fix spelling [ci skip] + +- FAQ: fix a broken URL [ci skip] + +Daniel Stenberg (12 Mar 2018) +- http2: mark the connection for close on GOAWAY + + ... don't consider it an error! + + Assisted-by: Jay Satiro + Reported-by: Łukasz Domeradzki + Fixes #2365 + Closes #2375 + +- credits: Viktor prefers without accent + +- openldap: white space changes, fixed up the copyright years + +- openldap: check ldap_get_attribute_ber() results for NULL before using + + CVE-2018-1000121 + Reported-by: Dario Weisser + Bug: https://curl.haxx.se/docs/adv_2018-97a2.html + +- FTP: reject path components with control codes + + Refuse to operate when given path components featuring byte values lower + than 32. + + Previously, inserting a %00 sequence early in the directory part when + using the 'singlecwd' ftp method could make curl write a zero byte + outside of the allocated buffer. + + Test case 340 verifies. + + CVE-2018-1000120 + Reported-by: Duy Phan Thanh + Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html + +- readwrite: make sure excess reads don't go beyond buffer end + + CVE-2018-1000122 + Bug: https://curl.haxx.se/docs/adv_2018-b047.html + + Detected by OSS-fuzz + +- BUGS: updated link to security process + +- limit-rate: kick in even before "limit" data has been received + + ... and make sure to avoid integer overflows with really large values. + + Reported-by: 刘佩东 + Fixes #2371 + Closes #2373 + +- docs/SECURITY.md -> docs/SECURITY-PROCESS.md + +- SECURITY.md: call it the security process + +Michael Kaufmann (11 Mar 2018) +- Curl_range: fix FTP-only and FILE-only builds + + follow-up to e04417d + +- hostip: fix compiler warning: 'variable set but not used' + +Daniel Stenberg (11 Mar 2018) +- HTTP: allow "header;" to replace an internal header with a blank one + + Reported-by: Michael Kaufmann + Fixes #2357 + Closes #2362 + +- http2: verbose output new MAX_CONCURRENT_STREAMS values + + ... as it is interesting for many users. + +- SECURITY: distros' max embargo time is 14 days now + +Patrick Monnerat (8 Mar 2018) +- curl tool: accept --compressed also if Brotli is enabled and zlib is not. + +Daniel Stenberg (5 Mar 2018) +- THANKS + mailmap: remove duplicates, fixup full names + +- [sergii.kavunenko brought this change] + + WolfSSL: adding TLSv1.3 + + Closes #2349 + +- RELEASE-NOTES/THANKS: synced with cc1d4c505 + +- [Richard Alcock brought this change] + + winbuild: prefer documented zlib library names + + Check for existence of import and static libraries with documented names + and use them if they do. Fallback to previous names. + + According to + https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on + Windows, the names of the import library is "zdll.lib" and static + library is "zlib.lib". + + closes #2354 + +Marcel Raad (4 Mar 2018) +- krb5: use nondeprecated functions + + gss_seal/gss_unseal have been deprecated in favor of + gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first + version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June + 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and + "GSS_Unwrap() (formerly GSS_Unseal())". + + Use the nondeprecated functions to avoid deprecation warnings. + + [1] https://tools.ietf.org/html/rfc2078 + [2] https://tools.ietf.org/html/rfc1964 + + Closes https://github.com/curl/curl/pull/2356 + +Daniel Stenberg (4 Mar 2018) +- curl.1: mention how to add numerical IP addresses in NO_PROXY + +- CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses + +- NO_PROXY: fix for IPv6 numericals in the URL + + Added test 1265 that verifies. + + Reported-by: steelman on github + Fixes #2353 + Closes #2355 + +- build: get CFLAGS (including -werror) used for examples and tests + + ... so that the CI and more detects compiler warnings/errors properly! + + Closes #2337 + +Marcel Raad (3 Mar 2018) +- curl_ctype: fix macro redefinition warnings + + On MinGW and Cygwin, GCC and clang have been complaining about macro + redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this + by undefining the macros before redefining them as suggested in + https://github.com/curl/curl/pull/2269. + + Suggested-by: Daniel Stenberg + +Dan Fandrich (2 Mar 2018) +- unit1307: proper cleanup on OOM to fix torture tests + +Marcel Raad (28 Feb 2018) +- unit1309: fix warning on Windows x64 + + When targeting x64, MinGW-w64 complains about conversions between + 32-bit long and 64-bit pointers. Fix this by reusing the + GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic + from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST / + CURLX_INTEGER_TO_POINTER_CAST. + + Closes https://github.com/curl/curl/pull/2341 + +- travis: update compiler versions + + Update clang to version 3.9 and GCC to version 6. + + Closes https://github.com/curl/curl/pull/2345 + +Daniel Stenberg (26 Feb 2018) +- docs/MANUAL: formfind.pl is not accessible on the site anymore + + Fixes #2342 + +Jay Satiro (24 Feb 2018) +- curl-openssl.m4: Fix version check for OpenSSL 1.1.1 + + - Add OpenSSL 1.1.1 to the header/library version lists. + + - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark, + which was added in that version. + + Prior to this change an erroneous header/library mismatch was caused by + lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1. + +Viktor Szakats (23 Feb 2018) +- lib655: silence compiler warning + + Closes https://github.com/curl/curl/pull/2335 + +- spelling fixes + + Detected using the `codespell` tool. + + Also contains one URL protocol upgrade. + + Closes https://github.com/curl/curl/pull/2334 + +Daniel Stenberg (24 Feb 2018) +- projects/README: remove reference to dead IDN link/package + + Reported-by: Stefan Kanthak and Rod Widdowson + + Fixes #2325 + +Jay Satiro (23 Feb 2018) +- [Rod Widdowson brought this change] + + winbuild: Use macros for the names of some build utilities + + - Add macros to the top of the makefile for rc and mt utilities so that + it is easier to change their locations. + + Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html + Reported-by: Stefan Kanthak + + Closes https://github.com/curl/curl/issues/2329 + +Daniel Stenberg (23 Feb 2018) +- TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2 + +- curl_share_setopt.3: connection cache is shared within multi handles + +Jay Satiro (22 Feb 2018) +- [Rod Widdowson brought this change] + + winbuild: Use CALL to run batch scripts + + Co-authored-by: Stefan Kanthak + + Closes https://github.com/curl/curl/issues/2330 + Closes https://github.com/curl/curl/pull/2331 + +Patrick Monnerat (22 Feb 2018) +- os400: add curl_resolver_start_callback type to ILE/RPG binding + +Daniel Stenberg (22 Feb 2018) +- form.d: rephrased somewhat, added two example command lines + +Jay Satiro (21 Feb 2018) +- [Francisco Sedano brought this change] + + url: Add option CURLOPT_RESOLVER_START_FUNCTION + + - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that + will be called every time before a new resolve request is started + (ie before a host is resolved) with a pointer to backend-specific + resolver data. Currently this is only useful for ares. + + - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to + pass to the resolver start callback. + + Closes https://github.com/curl/curl/pull/2311 + +- lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS + + - In keeping with the naming of our other connect timeout options rename + CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS. + + This change adds the _MS suffix since the option expects milliseconds. + This is more intuitive for our users since other connect timeout options + that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS, + CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS. + + The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms. + + Follow-up to 2427d94 which added the lib and tool option yesterday. + + Ref: https://github.com/curl/curl/pull/2260 + +Patrick Monnerat (21 Feb 2018) +- sasl: prefer PLAIN mechanism over LOGIN + + SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says + PLAIN should be used instead if available. + +Daniel Stenberg (21 Feb 2018) +- RELEASE-NOTES: synced with 2427d94c6 + +Jay Satiro (20 Feb 2018) +- [Anders Bakken brought this change] + + url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT + + - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy + eyeball timeout value. + + - Add new optval macro CURL_HET_DEFAULT to represent the default happy + eyeballs timeout value (currently 200 ms). + + - Add new tool option --happy-eyeballs-timeout-ms to expose + CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the + other -timeout options in the tool expect seconds not milliseconds. + + Closes https://github.com/curl/curl/pull/2260 + +- hostip: fix 'potentially uninitialized variable' warning + + Follow-up to 50d1b33. + + Caught by AppVeyor. + +Daniel Stenberg (20 Feb 2018) +- TODO: warning if curl version is not in sync with libcurl version + +Jay Satiro (20 Feb 2018) +- [Anders Bakken brought this change] + + CURLOPT_RESOLVE: Add support for multiple IP addresses per entry + + This enables users to preresolve but still take advantage of happy + eyeballs and trying multiple addresses if some are not connecting. + + Ref: https://github.com/curl/curl/pull/2260 + +Daniel Stenberg (20 Feb 2018) +- [Sergio Borghese brought this change] + + examples/sftpuploadresume: resume upload via CURLOPT_APPEND + + URL: https://curl.haxx.se/mail/lib-2018-02/0072.html + +- curl --version: show PSL if the run-time lib has it enabled + + ... not of the #define was set at build-time! + +- TODO: "Support in-memory certs/ca certs/keys" + + removed SSLKEYLOGFILE support (fixed) + + removed "consider SSL patches" (outdated) + + Closes #2310 + +- CURLOPT_HEADER.3: clarify problems with different data sizes + +- test1556: verify >16KB headers to the header callback + +- header callback: don't chop headers into smaller pieces + + Reported-by: Guido Berhoerster + Fixes #2314 + Closes #2316 + +- test1154: verify that long HTTP headers get rejected + +- http: fix the max header length detection logic + + Previously, it would only check for max length if the existing alloc + buffer was to small to fit it, which often would make the header still + get used. + + Reported-by: Guido Berhoerster + Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html + + Closes #2315 + +- CURLOPT_HEADERFUNCTION.3: fix typo from d939226813 + + Reported-by: Erik Johansson + Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495 + +- CURLOPT_HEADERFUNCTION.3: mention folded headers + +- TODO: 1.1 Option to refuse usernames in URLs + + Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas. + +- TODO: 1.7 Support HTTP/2 for HTTP(S) proxies + +- ssh: add two missing state names + + The list of state names (used in debug builds) was out of sync in + relation to the list of states (used in all builds). + + I now added an assert to make sure the sizes of the two lists match, to + aid in detecting this mistake better in the future. + + Regression since c92d2e14cf, shipped in 7.58.0. + + Reported-by: Somnath Kundu + + Fixes #2312 + Closes #2313 + +- Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy" + + This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998. + + Reported-by: Jay Satiro + +Jay Satiro (15 Feb 2018) +- non-ascii: fix implicit declaration warning + + Follow-up to b46cfbc. + + Caught by Travis CI. + +Daniel Stenberg (15 Feb 2018) +- travis: add build with iconv enabled + + ... to verify it builds and works fine. + + Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html + + Closes #1872 + +- TODO: 18.18 retry on network is unreachable + + Closes #1603 + +- KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy + + Closes #1254 + +Kamil Dudka (15 Feb 2018) +- nss: use PK11_CreateManagedGenericObject() if available + + ... so that the memory allocated by applications using libcurl does not + grow per each TLS connection. + + Bug: https://bugzilla.redhat.com/1510247 + + Closes #2297 + +Daniel Stenberg (15 Feb 2018) +- [Björn Stenberg brought this change] + + TODO fixed: Detect when called from within callbacks + + Closes #2302 + +- BINDINGS: fix curb link (and remove ruby-curl-multi) + + Reported-by: Klaus Stein + +- curl_gssapi: make sure this file too uses our *printf() + +- libcurl-security.3: separate file:// section + + ... just to make it more apparent. Even if it repeats + some pieces of information. + +- libcurl-security.3: the http://192.168.0.1/my_router_config case + + Mentioned-By: Rich Moore + +- libcurl-security.3: mention the URL standards problems too + +- libcurl-security.3: split out from libcurl-tutorial.3 + + To make more accessible. + + Merged in some new language from "URLs are dangerous things" as discussed on + the mailing list a few days ago: + + Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html + +- RELEASE-NOTES: synced with e551910f8 + +Patrick Monnerat (13 Feb 2018) +- tests: new tests for http raw mode + + Test 319 checks proper raw mode data with non-chunked gzip + transfer-encoded server data. + Test 326 checks raw mode with chunked server data. + + Bug: #2303 + Closes #2308 + +Kamil Dudka (12 Feb 2018) +- tlsauthtype.d: works only if libcurl is built with TLS-SRP support + + Bug: https://bugzilla.redhat.com/1542256 + + Closes #2306 + +Patrick Monnerat (12 Feb 2018) +- smtp: fix processing of initial dot in data + + RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command + should be taken into account when chasing the . end marker. + Thus a leading dot character in data is also subject to escaping. + + Tests 911 and test server are adapted to this situation. + New tests 951 and 952 check proper handling of initial dot in data. + + Closes #2304 + +Daniel Stenberg (12 Feb 2018) +- sha256: avoid redefine + +- [Douglas Mencken brought this change] + + sha256: build with OpenSSL < 0.9.8 too + + support for SHA-2 was introduced in OpenSSL 0.9.8 + + Closes #2305 + +- [Bruno Grasselli brought this change] + + README: language fix + + s/off/from + + Closes #2300 + +Patrick Monnerat (12 Feb 2018) +- http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on + + Bug: #2303 + Reported-By: Henry Roeland + +Daniel Stenberg (9 Feb 2018) +- get_posix_time: only check for overflows if they can happen! + +Michael Kaufmann (9 Feb 2018) +- schannel: fix "no previous prototype" compiler warning + +Jay Satiro (9 Feb 2018) +- [Mohammad AlSaleh brought this change] + + content_encoding: Add "none" alias to "identity" + + Some servers return a "content-encoding" header with a non-standard + "none" value. + + Add "none" as an alias to "identity" as a work-around, to avoid + unrecognised content encoding type errors. + + Signed-off-by: Mohammad AlSaleh + + Closes https://github.com/curl/curl/pull/2298 + +Steve Holme (8 Feb 2018) +- build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output + +- build-openssl.bat: Fixed incorrect move if destination build folder exists + +Michael Kaufmann (8 Feb 2018) +- schannel: fix compiler warnings + + Closes #2296 + +Steve Holme (7 Feb 2018) +- curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows + + Windows 10.0.17061 SDK introduces support for Unix Domain Sockets. + Added the necessary include file to curl_addrinfo.c. + + Note: The SDK (which is considered beta) has to be installed, VS 2017 + project file has to be re-targeted for Windows 10.0.17061 and #define + enabled in config-win32.h. + +Patrick Monnerat (7 Feb 2018) +- fnmatch: optimize processing of consecutive *s and ?s pattern characters + + Reported-By: Daniel Stenberg + Fixes #2291 + Closes #2293 + +Steve Holme (6 Feb 2018) +- build-openssl.bat/build-wolfssl.bat: Build platform is optional + + Whilst the compiler parameter is mandatory, platform is optional as it + is automatically calculated by the :configure section. + + This partially reverts commit 6d62d2c55d. + +Daniel Stenberg (6 Feb 2018) +- [Patrick Schlangen brought this change] + + openssl: Don't add verify locations when verifypeer==0 + + When peer verification is disabled, calling + SSL_CTX_load_verify_locations is not necessary. Only call it when + verification is enabled to save resources and increase performance. + + Closes #2290 + +Steve Holme (5 Feb 2018) +- build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional + + ...and not just the Community Edition. + +- build-openssl.bat: Extend VC15 support to include Enterprise and Professional + + ...and not just the Community Edition. + +Michael Kaufmann (5 Feb 2018) +- time-cond: fix reading the file modification time on Windows + + On Windows, stat() may adjust the unix file time by a daylight saving time + offset. Avoid this by calling GetFileTime() instead. + + Fixes #2164 + Closes #2204 + +Daniel Stenberg (5 Feb 2018) +- formdata: use the mime-content type function + + Reduce code duplication by making Curl_mime_contenttype available and + used by the formdata function. This also makes the formdata function + recognize a set of more file extensions by default. + + PR #2280 brought this to my attention. + + Closes #2282 + +- getdate: return -1 for out of range + + ...as that's how the function is documented to work. + + Reported-by: Michael Kaufmann + Bug found in an autobuild with 32 bit time_t + + Closes #2278 + +- [Ben Greear brought this change] + + build: fix termios issue on android cross-compile + + Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html + Signed-off-by: Ben Greear + +- time_t-fixes: remove typecasts to 'long' for info.filetime + + They're now wrong. + + Reported-by: Michael Kaufmann + + Closes #2277 + +- curl_setup: move the precautionary define of SIZEOF_TIME_T + + ... up to before it may be used for the TIME_T_MAX/MIN logic. + + Reported-by: Michael Kaufmann + +- parsedate: s/#if/#ifdef + + Reported-by: Michael Kaufmann + Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479 + +Patrick Monnerat (31 Jan 2018) +- fnmatch: pattern syntax can no longer fail + + Whenever an expected pattern syntax rule cannot be matched, the + character starting the rule loses its special meaning and the parsing + is resumed: + - backslash at the end of pattern string matches itself. + - Error in [:keyword:] results in set containing :\[dekorwy. + + Unit test 1307 updated for this new situation. + + Closes #2273 + +- fnmatch: accept an alphanum to be followed by a non-alphanum in char set + + Also be more tolerant about set pattern syntax. + Update unit test 1307 accordingly. + + Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html + +- fnmatch: do not match the empty string with a character set + +Jay Satiro (30 Jan 2018) +- build: fix windows build methods for curl_ctype.c + + - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as + curlx files since they are required by both src and lib. + + Follow-up to 4272a0b which added curl_ctype. + +Daniel Stenberg (30 Jan 2018) +- progress-bar.d: update to match implementation + + ... since commit 993dd5651a6 + + Reported-by: Martin Dreher + Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228 + + Closes #2271 + +- http2: set DEBUG_HTTP2 to enable more HTTP/2 logging + + ... instead of doing it unconditionally in debug builds. It cluttered up + the output a little too much. + +- [Max Dymond brought this change] + + file: Check the return code from Curl_range and bail out on error + +- [Max Dymond brought this change] + + Curl_range: add check to ensure "from <= to" + +- [Max Dymond brought this change] + + Curl_range: commonize FTP and FILE range handling + + Closes #2205 + +- RELEASE-NOTES: synced with 811beab9f + +- curlver: next release will be 7.59.0 + +- [Michał Janiszewski brought this change] + + curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6 + + Closes #2275 + +- time: support > year 2038 time stamps for system with 32bit long + + ... with the introduction of CURLOPT_TIMEVALUE_LARGE and + CURLINFO_FILETIME_T. + + Fixes #2238 + Closes #2264 + +- curl_easy_reset: clear digest auth state + + Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html + Reported-by: Ruurd Beerstra + Fixes #2255 + Closes #2272 + +- [Adam Marcionek brought this change] + + winbuild: make linker generate proper PDB + + Link.exe requires /DEBUG to properly generate a full pdb file on release + builds. + + Closes #2274 + +- curl: add --proxy-pinnedpubkey + + To verify a proxy's public key. For when using HTTPS proxies. + + Fixes #2192 + Closes #2268 + +- configure: set PATH_SEPARATOR to colon for PATH w/o separator + + The logic tries to figure out what the path separator in the $PATH + variable is, but if there's only one directory in the $PATH it + fails. This change make configure *guess* on colon instead of erroring + out, simply because that is probably the more common character. + + PATH_SEPARATOR can always be set by the user to override the guessing. + + (tricky bug to reproduce, as in my case for example the configure script + requires binaries in more than one directory so passing in a PATH with a + single dir fails.) + + Reported-by: Earnestly on github + Fixes #2202 + Closes #2265 + +- curl_ctype: private is*() type macros and functions + + ... since the libc provided one are locale dependent in a way we don't + want. Also, the "native" isalnum() (for example) works differently on + different platforms which caused test 1307 failures on macos only. + + Closes #2269 + +Marcel Raad (29 Jan 2018) +- build: open VC15 projects with VS 2017 + + Previously, they were opened with Visual Studio 2015 by default, which + cannot build them. + +Daniel Stenberg (29 Jan 2018) +- RELEASE-NOTES: synced with 094647fca + +- TODO: UTF-8 filenames in Content-Disposition + + Closes #1888 + +- KNOWN_BUGS: DICT responses show the underlying protocol + + Closes #1809 + +Jay Satiro (27 Jan 2018) +- [Alessandro Ghedini brought this change] + + docs: fix typos in man pages + + Closes https://github.com/curl/curl/pull/2266 + +Patrick Monnerat (26 Jan 2018) +- lib555: drop text conversion and encode data as ascii codes + + If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs, + giving a result that is different from what is expected. + This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data + to upload in ascii. + + Bug: https://github.com/curl/curl/pull/1872 + +Daniel Stenberg (26 Jan 2018) +- lib517: make variable static to avoid compiler warning + + ... with clang on macos + +Patrick Monnerat (26 Jan 2018) +- lib544: sync ascii code data with textual data + + Data mismatch caused test 545 to fail when character encoding + conversion is enabled. + + Bug: https://github.com/curl/curl/pull/1872 + +Daniel Stenberg (25 Jan 2018) +- [Travis Burtrum brought this change] + + GSKit: restore pinnedpubkey functionality + + inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37 + + Closes #2263 + +- [Dair Grant brought this change] + + darwinssl: Don't import client certificates into Keychain on macOS + + Closes #2085 + +- configure: fix the check for unsigned time_t + + Assign the time_t variable negative value and then check if it is + greater than zero, which will evaluate true for unsigned time_t but + false for signed time_t. + +- parsedate: fix date parsing for systems with 32 bit long + + Make curl_getdate() handle dates before 1970 as well (returning negative + values). + + Make test 517 test dates for 64 bit time_t. + + This fixes bug (3) mentioned in #2238 + + Closes #2250 + +- [McDonough, Tim brought this change] + + openssl: fix pinned public key build error in FIPS mode + + Here is a version that should work with all versions of openssl 0.9.7 + through 1.1.0. + + Links to the docs: + https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html + https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html + + At the very bottom of the 1.1.0 documentation there is a history section + that states, " stack allocated EVP_MD_CTXs are no longer supported." + + If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a + simple mapping can be used as described here: + https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes + + Closes #2258 + +- [Travis Burtrum brought this change] + + SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum + +- [Travis Burtrum brought this change] + + SChannel/WinSSL: Implement public key pinning + + Closes #1429 + +- bump: towards 7.58.1 + +- cookies: remove verbose "cookie size:" output + + It was once used for some debugging/verifying logic but should never have + ended up in git! + +- TODO: hardcode the "localhost" addresses + +- TODO: CURL_REFUSE_CLEARTEXT + + An idea that popped up in discussions on twitter. + +- progress-bar: don't use stderr explicitly, use bar->out + + Reported-By: Gisle Vanem + Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080 + +GitHub (24 Jan 2018) +- [Gisle Vanem brought this change] + + Fixes for MSDOS etc. + + djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not + But djgpp seems the only choice for MSDOS anyway. + + PellesC do have a 'F_OK' defined in it's . + + Update year in Copyright. + +- [Gisle Vanem brought this change] + + Fix small typo. + +Version 7.58.0 (23 Jan 2018) + +Daniel Stenberg (23 Jan 2018) +- RELEASE: 7.58.0 + +- [Gisle Vanem brought this change] + + progress-bar: get screen width on windows + +- test1454: --connect-to with IPv6 address w/o IPv6 support! + +- CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support + + Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html + Reported-by: John Hascall + + Closes #2257 + +- docs: fix man page syntax to make test 1140 OK again + +- http: prevent custom Authorization headers in redirects + + ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how + curl already handles Authorization headers created internally. + + Note: this changes behavior slightly, for the sake of reducing mistakes. + + Added test 317 and 318 to verify. + + Reported-by: Craig de Stigter + Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html + +- curl: progress bar refresh, get width using ioctl() + + Get screen width from the environment variable COLUMNS first, if set. If + not, use ioctl(). If nether works, assume 79. + + Closes #2242 + + The "refresh" is for the -# output when no total transfer size is + known. It will now only use a single updated line even for this case: + + The "-=O=-" ship moves when data is transferred. The four flying + "hashes" move (on a sine wave) on each refresh, independent of data. + +- RELEASE-NOTES: synced with bb0ffcc36 + +- libcurl-env.3: first take + +- TODO: two possible name resolver improvements + +- [Kartik Mahajan brought this change] + + http2: don't close connection when single transfer is stopped + + Fixes #2237 + Closes #2249 + +- test558: fix for multissl builds + + vtls.c:multissl_init() might do a curl_free() call so strip that out to + make this work with more builds. We just want to verify that + memorytracking works so skipping one line is no harm. + +- examples/url2file.c: add missing curl_global_cleanup() call + + Reported-by: XhstormR on github + Fixes #2245 + +- [Michael Gmelin brought this change] + + SSH: Fix state machine for ssh-agent authentication + + In case an identity didn't match[0], the state machine would fail in + state SSH_AUTH_AGENT instead of progressing to the next identity in + ssh-agent. As a result, ssh-agent authentication only worked if the + identity required happened to be the first added to ssh-agent. + + This was introduced as part of commit c4eb10e2f06fbd6cc904f1d78e4, which + stated that the "else" statement was required to prevent getting stuck + in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's + interface I couldn't see how this could happen or reproduce it and I + also couldn't find a more detailed description of the problem which + would explain a test case to reproduce the problem this was supposed to fix. + + [0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED + + Closes #2248 + +- openssl: fix potential memory leak in SSLKEYLOGFILE logic + + Coverity CID 1427646. + +- openssl: fix the libressl build again + + Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is + late OpenSSL version... + + Fixes #2246 + Closes #2247 + + Reported-by: jungle-boogie on github + +- unit1307: test many wildcards too + +- curl_fnmatch: only allow 5 '*' sections in a single pattern + + ... to avoid excessive recursive calls. The number 5 is totally + arbitrary and could be modified if someone has a good motivation. + +- ftp-wildcard: fix matching an empty string with "*[^a]" + + .... and avoid advancing the pointer to trigger an out of buffer read. + + Detected by OSS-fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251 + Assisted-by: Max Dymond + +- SMB: fix numeric constant suffix and variable types + + 1. don't use "ULL" suffix since unsupported in older MSVC + 2. use curl_off_t instead of custom long long ifdefs + 3. make get_posix_time() not do unaligned data access + + Fixes #2211 + Closes #2240 + Reported-by: Chester Liu + +- [rouzier brought this change] + + CURLOPT_TCP_NODELAY.3: fix typo + + Closes #2239 + +- smtp/pop3/imap_get_message: decrease the data length too... + + Follow-up commit to 615edc1f73 which was incomplete. + + Assisted-by: Max Dymond + Detected by OSS-fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206 + +- openssl: enable SSLKEYLOGFILE support by default + + Fixes #2210 + Closes #2236 + +Patrick Monnerat (14 Jan 2018) +- mime: clone mime tree upon easy handle duplication. + + A mime tree attached to an easy handle using CURLOPT_MIMEPOST is + strongly bound to the handle: there is a pointer to the easy handle in + each item of the mime tree and following the parent pointer list + of mime items ends in a dummy part stored within the handle. + + Because of this binding, a mime tree cannot be shared between different + easy handles, thus it needs to be cloned upon easy handle duplication. + + There is no way for the caller to get the duplicated mime tree + handle: it is then set to be automatically destroyed upon freeing the + new easy handle. + + New test 654 checks proper mime structure duplication/release. + + Add a warning note in curl_mime_data_cb() documentation about sharing + user data between duplicated handles. + + Closes #2235 + +- docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata + +Daniel Stenberg (13 Jan 2018) +- test395: HTTP with overflow Content-Length value + +- test394: verify abort of rubbish in Content-Length: value + +- test393: verify --max-filesize with excessive Content-Length + +- HTTP: bail out on negative Content-Length: values + + ... and make the max filesize check trigger if the value is too big. + + Updates test 178. + + Reported-by: Brad Spencer + Fixes #2212 + Closes #2223 + +Marcel Raad (13 Jan 2018) +- [Dan Johnson brought this change] + + configure.ac: append extra linker flags instead of prepending them. + + Link order should list libraries after the libraries that use them, + so when we're guessing that we might also need to add -ldl in order + to use -lssl, we should add -ldl after -lssl. + + Closes https://github.com/curl/curl/pull/2234 + +Daniel Stenberg (13 Jan 2018) +- RELEASE-NOTES: synced with 6fa10c8fa + +Jay Satiro (13 Jan 2018) +- setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values + + Broken since f121575 (precedes 7.56.1). + + Bug: https://github.com/curl/curl/issues/2225 + Reported-by: cmfrolick@users.noreply.github.com + + Closes https://github.com/curl/curl/pull/2227 + +Patrick Monnerat (13 Jan 2018) +- setopt: reintroduce non-static Curl_vsetopt() for OS400 support + + This also upgrades ILE/RPG bindings with latest setopt options. + + Reported-By: jonrumsey on github + Fixes #2230 + Closes #2233 + +Jay Satiro (11 Jan 2018) +- [Zhouyihai Ding brought this change] + + http2: fix incorrect trailer buffer size + + Prior to this change the stored byte count of each trailer was + miscalculated and 1 less than required. It appears any trailer + after the first that was passed to Curl_client_write would be truncated + or corrupted as well as the size. Potentially the size of some + subsequent trailer could be erroneously extracted from the contents of + that trailer, and since that size is used by client write an + out-of-bounds read could occur and cause a crash or be otherwise + processed by client write. + + The bug appears to have been born in 0761a51 (precedes 7.49.0). + + Closes https://github.com/curl/curl/pull/2231 + +- [Basuke Suzuki brought this change] + + easy: fix connection ownership in curl_easy_pause + + Before calling Curl_client_chop_write(), change the owner of connection + to the current Curl_easy handle. This will fix the issue #2217. + + Fixes https://github.com/curl/curl/issues/2217 + Closes https://github.com/curl/curl/pull/2221 + +Daniel Stenberg (9 Jan 2018) +- [Dimitrios Apostolou brought this change] + + system.h: Additionally check __LONG_MAX__ for defining curl_off_t + + __SIZEOF_LONG__ was introduced in GCC 4.4, __LONG_MAX__ was introduced + in GCC 3.3. + + Closes #2216 + +- COPYING: it's 2018! + +- progress: calculate transfer speed on milliseconds if possible + + to increase accuracy for quick transfers + + Fixes #2200 + Closes #2206 + +Jay Satiro (7 Jan 2018) +- scripts: allow all perl scripts to be run directly + + - Enable execute permission (chmod +x) + + - Change interpreter to /usr/bin/env perl + + Closes https://github.com/curl/curl/pull/2222 + +- mail-rcpt.d: fix short-text description + +- build: remove HAVE_LIMITS_H check + + .. because limits.h presence isn't optional, it's required by C89. + + Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2 + + Closes https://github.com/curl/curl/pull/2215 + +- openssl: fix memory leak of SSLKEYLOGFILE filename + + - Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl + initialization. + + Caught by ASAN. + +- Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX" + + This reverts commit c97648b55080343bb371522bf4233e94a2a13a99. + + SIZEOF_LONG should not be checked in system.h since that macro is only + defined when building libcurl. + + Ref: https://github.com/curl/curl/pull/2186#issuecomment-354767080 + Ref: https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html + +Michael Kaufmann (30 Dec 2017) +- test1554: improve the error handling + +- test1554: add global initialization and cleanup + +Daniel Stenberg (29 Dec 2017) +- curl_version_info.3: call the argument 'age' + + Reported-by: Pete Lomax + Bug: https://curl.haxx.se/mail/lib-2017-12/0074.html + +Patrick Monnerat (27 Dec 2017) +- [Mikalai Ananenka brought this change] + + brotli: data at the end of content can be lost + + Decoding loop implementation did not concern the case when all + received data is consumed by Brotli decoder and the size of decoded + data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE. + For content with unencoded length greater than CURL_MAX_WRITE_SIZE this + can result in the loss of data at the end of content. + + Closes #2194 + +Jay Satiro (26 Dec 2017) +- examples/cacertinmem: ignore cert-already-exists error + + - Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback + since it's possible the cert may have already been loaded by libcurl. + + - Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc. + Instead have it direct the reader to this cacertinmem.c example. + + - Fix the CA certificate to use the right CA for example.com, Digicert. + + Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html + Reported-by: Thomas van Hesteren + + Closes https://github.com/curl/curl/pull/2182 + +- [Gisle Vanem brought this change] + + tool_getparam: Support size modifiers for --max-filesize + + - Move the size modifier detection code from limit-rate to its own + function so that it can also be used with max-filesize. + + Size modifiers are the suffixes such as G (gigabyte), M (megabyte) etc. + + For example --max-filesize 1G + + Ref: https://curl.haxx.se/mail/archive-2017-12/0000.html + + Closes https://github.com/curl/curl/pull/2179 + +Steve Holme (22 Dec 2017) +- build: Fixed incorrect script termination from commit ad1dc10e61 + +- Makefile.vc: Added our standard copyright header + +- winbuild: Added support for VC15 + +- build: Added Visual Studio 2017 project files + +- build-wolfssl.bat: Added support for VC15 + +- build-openssl.bat: Added support for VC15 + +Jay Satiro (22 Dec 2017) +- [Dimitrios Apostolou brought this change] + + curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX + + Closes https://github.com/curl/curl/pull/2186 + +- [Mattias Fornander brought this change] + + examples/rtsp: fix error handling macros + + Closes https://github.com/curl/curl/pull/2185 + +Patrick Monnerat (20 Dec 2017) +- curl_easy_reset: release mime-related data. + + Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level + functions dealing with UserDefined structure contents. + This avoids memory leakages on curl-generated part mime headers. + New test 2073 checks this using the cli tool --next option: it + triggers a valgrind error if bug is present. + + Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html + Reported-by: Martin Galvan + +- content_encoding: rework zlib_inflate + + - When zlib version is < 1.2.0.4, process gzip trailer before considering + extra data as an error. + - Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data + and minimize corrupt data output. + - Do not try to restart deflate decompression in raw mode if output has + started or if the leading data is not available anymore. + - New test 232 checks inflating raw-deflated content. + + Closes #2068 + +- brotli: allow compiling with version 0.6.0. + + Some error codes were not yet defined in brotli 0.6.0: do not issue code + for them in this case. + +Daniel Stenberg (13 Dec 2017) +- CURLOPT_READFUNCTION.3: refer to argument with correct name + + Bug: #2175 + + [ci skip] + +- rand: add a clang-analyzer work-around + + scan-build would warn on a potential access of an uninitialized + buffer. I deem it a false positive and had to add this somewhat ugly + work-around to silence it. + +- krb5: fix a potential access of uninitialized memory + + A scan-build warning. + +- conncache: fix a return code [regression] + + This broke in 07cb27c98e. Make sure to return 'result' properly. Pointed + out by scan-build! + +- curl: support >256 bytes warning messsages + + Bug: #2174 + +Michael Kaufmann (12 Dec 2017) +- libssh: fix a syntax error in configure.ac + + Follow-up to c92d2e1 + + Closes #2172 + +Daniel Stenberg (12 Dec 2017) +- examples/smtp-mail.c: use separate defines for options and mail + + ... to make it clearer that the options want address-only, while the + headers in an email can also have the real name. + + Assisted-by: Sean MacLennan + +- THANKS: added missing names + + ... as I reran the contrithanks script after the mailmap name fixups. + +- mailmap: added/clarified several names + +- setopt: less *or equal* than INT_MAX/1000 should be fine + + ... for the CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT and + CURLOPT_SERVER_RESPONSE_TIMEOUT range checks. + + Reported-by: Dominik Hölzl + Bug: https://curl.haxx.se/mail/lib-2017-12/0037.html + + Closes #2173 + +- [Dmitry Kostjuchenko brought this change] + + vtls: replaced getenv() with curl_getenv() + + Fixed undefined symbol of getenv() which does not exist when compiling + for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with + curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP + is defined. + + Closes #2171 + +- RELEASE-NOTES: synced with 3b9ea70ee + +- TODO: Expose tried IP addresses that failed + + Suggested-by: Rainer Canavan + + Closes #2126 + +- curl.1: mention http:// and https:// as valid proxy prefixes + +- curl.1: documented two missing valid exit codes + +- CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference + +- Revert "curl: don't set CURLOPT_INTERLEAVEDATA" + + This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955. + + It was actually added rather recently in 8e8afa82cbb629 due to a crash + that would otherwise happen in the RTSP code. As I don't think we've + fixed that behavior yet, we better keep this work-around until we have + fixed it better. + +Michael Kaufmann (10 Dec 2017) +- tests: mark data files as non-executable in git + +- tests: update .gitignore for libtests + +Daniel Stenberg (10 Dec 2017) +- multi_done: prune DNS cache + + Prune the DNS cache immediately after the dns entry is unlocked in + multi_done. Timed out entries will then get discarded in a more orderly + fashion. + + Test506 is updated + + Reported-by: Oleg Pudeyev + + Fixes #2169 + Closes #2170 + +- mailmap: fixup two old git Author "aliases" + +Jay Satiro (10 Dec 2017) +- openssl: Disable file buffering for Win32 SSLKEYLOGFILE + + Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just + like it does for other platforms. However, the Windows CRT does not + actually support line buffering (_IOLBF) and will use full buffering + (_IOFBF) instead. We can't use full buffering because multiple processes + may be writing to the file and that could lead to corruption, and since + full buffering is the only buffering available this commit disables + buffering for Windows SSLKEYLOGFILE entirely (_IONBF). + + Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901 + +Daniel Stenberg (10 Dec 2017) +- RESOLVE: output verbose text when trying to set a duplicate name + + ... to help users understand what is or isn't done! + +- CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE + +- [John DeHelian brought this change] + + sftp: allow quoted commands to use relative paths + + Closes #1900 + +Jay Satiro (8 Dec 2017) +- [Richard Alcock brought this change] + + CURLOPT_PRIVATE.3: fix grammar + + - Change "never does nothing" double-negative to "never does anything". + + Closes https://github.com/curl/curl/pull/2168 + +Daniel Stenberg (8 Dec 2017) +- curl: remove __EMX__ #ifdefs + + These are OS/2-specific things added to the code in the year 2000. They + were always ugly. If there's any user left, they still don't need it + done this way. + + Closes #2166 + +Jay Satiro (8 Dec 2017) +- openssl: improve data-pending check for https proxy + + - Allow proxy_ssl to be checked for pending data even when connssl does + not yet have an SSL handle. + + This change is for posterity. Currently there doesn't seem to be a code + path that will cause a pending data check when proxyssl could have + pending data and the connssl handle doesn't yet exist [1]. + + [1]: Recall that an https proxy connection starts out in connssl but if + the destination is also https then the proxy SSL backend data is moved + from connssl to proxyssl, which means connssl handle is temporarily + empty until an SSL handle for the destination can be created. + + Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542 + + Closes https://github.com/curl/curl/pull/1916 + +Daniel Stenberg (8 Dec 2017) +- curl: don't set CURLOPT_INTERLEAVEDATA + + That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback + and that option isn't set or used by the curl tool! + + Updates the 9 tests that verify --libcurl + + Closes #2167 + +- curl.h: remove incorrect comment about ERRORBUFFER + + ... error messages are _not_ sent to stderr if this is not set. + +- [Michael Felt brought this change] + + configure: add AX_CODE_COVERAGE only if using gcc + + Fixes #2076 + Closes #2125 + +- curl: limit -# update frequency for unknown total size + + Make it use a max 10Hz update frequency for this case as well. Return + early if the "point" hasn't moved since last invoke. + + Reported-by: Elliot Saba + + Fixes #2158 + Closes #2163 + +- BINDINGS: another PostgreSQL client + + ...the former link is dead. + + Reported-by: Frank Gevaerts + +- [Zachary Seguin brought this change] + + CONNECT: keep close connection flag in http_connect_state struct + + Fixes #2088 + Closes #2157 + +- [Per Malmberg brought this change] + + include: get netinet/in.h before linux/tcp.h + + ... to allow build on older Linux dists (specifically CentOS 4.8 on gcc + 4.8.5) + + Closes #2160 + +- openldap: fix checksrc nits + +- [Stepan Broz brought this change] + + openldap: add commented out debug possibilities + + ... to aid debugging openldap library using its built-in debug messages. + + Closes #2159 + +- examples: move threaded-shared-conn.c to the "complicated" ones + + ... due it relying on pthreads to link. + +- RELEASE-NOTES: synced with b261c44e8 + + ... and bump next release version to 7.58.0 + +- [Jan Ehrhardt brought this change] + + URL: tolerate backslash after drive letter for FILE: + + ... as in "file://c:\some\path\curl.out" + + Reviewed-by: Matthew Kerwin + Closes #2154 + +- [Randall S. Becker brought this change] + + tests: added netinet/in6.h includes in test servers + +- [Randall S. Becker brought this change] + + configure: check for netinet/in6.h + + Needed by HPE NonStop NSE and NSX systems + + Fixes #2146 + Closes #2155 + +- curl-config: add --ssl-backends + + Lists all SSL backends that were enabled at build-time. + + Suggested-by: Oleg Pudeyev + Fixes #2128 + +- conncache: only allow multiplexing within same multi handle + + Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing + only get additional transfers added to them if the existing connection + is held by the same multi or easy handle. libcurl does not support doing + HTTP/2 streams in different threads using a shared connection. + + Closes #2152 + +- threaded-shared-conn.c: fixed typo in commenta + +- threaded-shared-conn.c: new example + +- conncache: fix several lock issues + + If the lock is released before the dealings with the bundle is over, it may + have changed by another thread in the mean time. + + Fixes #2132 + Fixes #2151 + Closes #2139 + +- libssh: remove dead code in sftp_qoute + + ... by removing a superfluous NULL pointer check that also confuses + Coverity. + + Fixes #2143 + Closes #2153 + +- sasl_getmesssage: make sure we have a long enough string to pass + + For pop3/imap/smtp, added test 891 to somewhat verify the pop3 + case. + + For this, I enhanced the pingpong test server to be able to send back + responses with LF-only instead of always using CRLF. + + Closes #2150 + +- libssh2: remove dead code from SSH_SFTP_QUOTE + + Figured out while reviewing code in the libssh backend. The pointer was + checked for NULL after having been dereferenced, so we know it would + always equal true or it would've crashed. + + Pointed-out-by: Nikos Mavrogiannopoulos + + Bug #2143 + Closes #2148 + +- ssh-libssh.c: please checksrc + +Nikos Mavrogiannopoulos (4 Dec 2017) +- libssh: fixed dereference in statvfs access + + The behavior is now equivalent to ssh.c when SSH_SFTP_QUOTE_STATVFS + handling fails. + + Fixes #2142 + +Daniel Stenberg (4 Dec 2017) +- [Guitared brought this change] + + RESOURCES: update spec names + + Closes #2145 + +Nikos Mavrogiannopoulos (3 Dec 2017) +- libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS + + The previous code was incorrectly following the libssh2 error detection + for libssh2_sftp_statvfs, which is not correct for libssh's sftp_statvfs. + + Fixes #2142 + + Signed-off-by: Nikos Mavrogiannopoulos + +- libssh: no need to call sftp_get_error as ssh_get_error is sufficient + + Fixes #2141 + + Signed-off-by: Nikos Mavrogiannopoulos + +Daniel Stenberg (2 Dec 2017) +- libssh: fix minor static code analyzer nits + + - remove superfluous NULL check which otherwise tricks the static code + analyzers to assume NULL pointer dereferences. + + - fix fallthrough in switch() + + - indent mistake + +- openssl: pkcs12 is supported by boringssl + + Removes another #ifdef for BoringSSL + + Pointed-out-by: David Benjamin + + Closes #2134 + +- [Jay Satiro brought this change] + + travis: use pip2 instead of pip + + .. since now mac osx image expects pip2 or pip3, and doesn't know pip: + + 0.01s$ pip install --user cpp-coveralls + /Users/travis/.travis/job_stages: line 57: pip: command not found + + Ref: https://github.com/travis-ci/travis-ci/issues/8829 + + Closes https://github.com/curl/curl/pull/2133 + +- [Nikos Mavrogiannopoulos brought this change] + + lib582: do not verify host for SFTP + + This SFTP test fails with libssh back-end due to failure to verify + the peer. Disable peer verification in the test as there seems to + be the intention of the test. + + Note that the libssh back-end automatically verifies the peer's + host using the default known_hosts file. + + Signed-off-by: Nikos Mavrogiannopoulos + +- [Nikos Mavrogiannopoulos brought this change] + + libssh: added SFTP support + + The SFTP back-end supports asynchronous reading only, limited + to 32-bit file length. Writing is synchronous with no other + limitations. + + This also brings keyboard-interactive authentication. + + Signed-off-by: Nikos Mavrogiannopoulos + +- [Nikos Mavrogiannopoulos brought this change] + + symbols-in-versions: added new symbols with 7.56.3 version + + Signed-off-by: Nikos Mavrogiannopoulos + +- [Nikos Mavrogiannopoulos brought this change] + + .travis.yml: added build --with-libssh + + Signed-off-by: Nikos Mavrogiannopoulos + +- [Nikos Mavrogiannopoulos brought this change] + + libssh2: return CURLE_UPLOAD_FAILED on failure to upload + + This brings its in sync with the error code returned by the + libssh backend. + + Signed-off-by: Nikos Mavrogiannopoulos + +- [Nikos Mavrogiannopoulos brought this change] + + libssh2: send the correct CURLE error code on scp file not found + + That also updates tests to expect the right error code + + libssh2 back-end returns CURLE_SSH error if the remote file + is not found. Expect instead CURLE_REMOTE_FILE_NOT_FOUND + which is sent by the libssh backend. + + Signed-off-by: Nikos Mavrogiannopoulos + +- [Nikos Mavrogiannopoulos brought this change] + + Added support for libssh SSH SCP back-end + + libssh is an alternative library to libssh2. + https://www.libssh.org/ + + That patch set also introduces support for ECDSA + ed25519 keys, as well as gssapi authentication. + + Signed-off-by: Nikos Mavrogiannopoulos + +- RELEASE-NOTES: synced with af8cc7a69 + +- curlver: towards 7.57.1 + +- [W. Mark Kubacki brought this change] + + lib: don't export all symbols, just everything curl_* + + Absent any 'symbol map' or script to limit what gets exported, static + linking of libraries previously resulted in a libcurl with curl's and + those other symbols being (re-)exported. + + This did not happen if 'versioned symbols' were enabled (which is not + the default) because then a version script is employed. + + This limits exports to everything starting in 'curl_*'., which is + what "libcurl.vers" exports. + + This avoids strange side-effects such as with mixing methods + from system libraries and those erroneously offered by libcurl. + + Closes #2127 + +- [Johannes Schindelin brought this change] + + SSL: Avoid magic allocation of SSL backend specific data + + Originally, my idea was to allocate the two structures (or more + precisely, the connectdata structure and the four SSL backend-specific + strucutres required for ssl[0..1] and proxy_ssl[0..1]) in one go, so + that they all could be free()d together. + + However, getting the alignment right is tricky. Too tricky. + + So let's just bite the bullet and allocate the SSL backend-specific + data separately. + + As a consequence, we now have to be very careful to release the memory + allocated for the SSL backend-specific data whenever we release any + connectdata. + + Signed-off-by: Johannes Schindelin + + Closes #2119 + +- examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL + + Reported-by: Dima Tisnek + +- travis: add boringssl build + + Uses a separate build without --enable-debug and no valgrind. + + The debug option causes far too many warnings in boringssl's headers + (C++ comments, trailing commas etc). Valgrind triggers some false + positive errors in thread-local data used by boringssl. + + Closes #2118 + +Version 7.57.0 (29 Nov 2017) + +Daniel Stenberg (29 Nov 2017) +- RELEASE-NOTES: curl 7.57.0 + +- THANKS: added contributors from 7.57.0 release + +- openssl: fix boringssl build again + + commit d3ab7c5a21e broke the boringssl build since it doesn't have + RSA_flags(), so we disable that code block for boringssl builds. + + Reported-by: W. Mark Kubacki + Fixes #2117 + +- curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided + +- libcurl-share.3: the connection cache is shareable now + +- global_init: ignore CURL_GLOBAL_SSL's absense + + This bit is no longer used. It is not clear what it meant for users to + "init the TLS" in a world with different TLS backends and since the + introduction of multissl, libcurl didn't properly work if inited without + this bit set. + + Not a single user responded to the call for users of it: + https://curl.haxx.se/mail/lib-2017-11/0072.html + + Reported-by: Evgeny Grin + Assisted-by: Jay Satiro + + Fixes #2089 + Fixes #2083 + Closes #2107 + +- ntlm: avoid integer overflow for malloc size + + Reported-by: Alex Nichols + Assisted-by: Kamil Dudka and Max Dymond + + CVE-2017-8816 + + Bug: https://curl.haxx.se/docs/adv_2017-11e7.html + +- wildcardmatch: fix heap buffer overflow in setcharset + + The code would previous read beyond the end of the pattern string if the + match pattern ends with an open bracket when the default pattern + matching function is used. + + Detected by OSS-Fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161 + + CVE-2017-8817 + + Bug: https://curl.haxx.se/docs/adv_2017-ae72.html + +- [Jay Satiro brought this change] + + url: fix alignment of ssl_backend_data struct + + - Align the array of ssl_backend_data on a max 32 byte boundary. + + 8 is likely to be ok but I went with 32 for posterity should one of + the ssl_backend_data structs change to contain a larger sized variable + in the future. + + Prior to this change (since dev 70f1db3, release 7.56) the connectdata + structure was undersized by 4 bytes in 32-bit builds with ssl enabled + because long long * was mistakenly used for alignment instead of + long long, with the intention being an 8 byte boundary. Also long long + may not be an available type. + + The undersized connectdata could lead to oob read/write past the end in + what was expected to be the last 4 bytes of the connection's secondary + socket https proxy ssl_backend_data struct (the secondary socket in a + connection is used by ftp, others?). + + Closes https://github.com/curl/curl/issues/2093 + + CVE-2017-8818 + + Bug: https://curl.haxx.se/docs/adv_2017-af0a.html + +- ssh: remove check for a NULL pointer (!) + + With this check present, scan-build warns that we might dereference this + point in other places where it isn't first checked for NULL. Thus, if it + *can* be NULL we have a problem on a few places. However, this pointer + should not be possible to be NULL here so I remove the check and thus + also three different scan-build warnings. + + Closes #2111 + +- [Matthew Kerwin brought this change] + + test: add test for bad UNC/SMB path in file: URL + +- [Matthew Kerwin brought this change] + + test: add tests to ensure basic file: URLs + +- [Matthew Kerwin brought this change] + + URL: update "file:" URL handling + + * LOTS of comment updates + * explicit error for SMB shares (e.g. "file:////share/path/file") + * more strict handling of authority (i.e. "//localhost/") + * now accepts dodgy old "C:|" drive letters + * more precise handling of drive letters in and out of Windows + (especially recognising both "file:c:/" and "file:/c:/") + + Closes #2110 + +- metalink: fix memory-leak and NULL pointer dereference + + Reported by scan-build + + Closes #2109 + +- [Alessandro Ghedini brought this change] + + connect: add support for new TCP Fast Open API on Linux + + The new API added in Linux 4.11 only requires setting a socket option + before connecting, without the whole sento() machinery. + + Notably, this makes it possible to use TFO with SSL connections on Linux + as well, without the need to mess around with OpenSSL (or whatever other + SSL library) internals. + + Closes #2056 + +- make: fix "make distclean" + + Fixes #2097 + Closes #2108 + +- RELEASE-NOTES: synced with 31f18d272 + +Jay Satiro (23 Nov 2017) +- connect: improve the bind error message + + eg consider a non-existent interface eth8, curl --interface eth8 + + Before: curl: (45) Could not resolve host: eth8 + After: curl: (45) Couldn't bind to 'eth8' + + Bug: https://github.com/curl/curl/issues/2104 + Reported-by: Alfonso Martone + +Daniel Stenberg (23 Nov 2017) +- examples/rtsp: clear RANGE again after use + + Fixes #2106 + Reported-by: youngchopin on github + +- [Michael Kaufmann brought this change] + + test1264: verify URL with space in host name being rejected + +- url: reject ASCII control characters and space in host names + + Host names like "127.0.0.1 moo" would otherwise be accepted by some + getaddrinfo() implementations. + + Updated test 1034 and 1035 accordingly. + + Fixes #2073 + Closes #2092 + +- Curl_open: fix OOM return error correctly + + Closes #2098 + +- http2: fix "Value stored to 'end' is never read" scan-build error + +- http2: fix "Value stored to 'hdbuf' is never read" scan-build error + +- openssl: fix "Value stored to 'rc' is never read" scan-build error + +- mime: fix "Value stored to 'sz' is never read" scan-build error + +- Curl_llist_remove: fix potential NULL pointer deref + + Fixes a scan-build warning. + +- ntlm: remove unnecessary NULL-check to please scan-build + +- BUGS: spellchecked + +Jay Satiro (18 Nov 2017) +- [fmmedeiros brought this change] + + examples/curlx: Fix code style + + - Add braces around multi-line if statement. + + Closes https://github.com/curl/curl/pull/2096 + +Daniel Stenberg (17 Nov 2017) +- resolve: allow IP address within [] brackets + + ... so that IPv6 addresses can be passed like they can for connect-to + and how they're used in URLs. + + Added test 1324 to verify + Reported-by: Alex Malinovich + + Fixes #2087 + Closes #2091 + +- [Pavol Markovic brought this change] + + macOS: Fix missing connectx function with Xcode version older than 9.0 + + The previous fix https://github.com/curl/curl/pull/1788 worked just for + Xcode 9. This commit extends the fix to older Xcode versions effectively + by not using connectx function. + + Fixes https://github.com/curl/curl/issues/1330 + Fixes https://github.com/curl/curl/issues/2080 + Closes https://github.com/curl/curl/pull/1336 + Closes #2082 + +- [Dirk Feytons brought this change] + + openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY + + Fixes #2079 + Closes #2081 + +- TODO: ignore private IP addresses in PASV response + + Closes #1455 + +- RELEASE-NOTES: synced with ae7369b6d + +Michael Kaufmann (14 Nov 2017) +- URL: return error on malformed URLs with junk after IPv6 bracket + + Follow-up to aadb7c7. Verified by new test 1263. + + Closes #2072 + +Daniel Stenberg (14 Nov 2017) +- INTERNALS: we may use libidn2 now, not libidn + +Patrick Monnerat (13 Nov 2017) +- zlib/brotli: only include header files in modules needing them + + There is a conflict on symbol 'free_func' between openssl/crypto.h and + zlib.h on AIX. This is an attempt to resolve it. + + Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html + Reported-By: Michael Felt + +Daniel Stenberg (13 Nov 2017) +- SMB: fix uninitialized local variable + + Reported-by: Brian Carpenter + +- [Orgad Shaneh brought this change] + + connect.c: remove executable bit on file + + Closes #2071 + +- [hsiao yi brought this change] + + README.md: fixed layout + + Closes #2069 + +- setopt: split out curl_easy_setopt() to its own file + + ... to make url.c smaller. + + Closes #1944 + +Jay Satiro (10 Nov 2017) +- [John Starks brought this change] + + cmake: Add missing setmode check + + Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this, + curl will corrupt binary files when writing them to stdout on Windows. + + Closes https://github.com/curl/curl/pull/2067 + +Daniel Stenberg (10 Nov 2017) +- curl_share_setopt: va_end was not called if conncache errors + + CID 984459, detected by Coverity + +Sergei Nikulov (10 Nov 2017) +- [John Starks brought this change] + + cmake: Correctly include curl.rc in Windows builds (#2064) + + Update CMakeLists.txt to add curl.rc to the correct list. + +Daniel Stenberg (9 Nov 2017) +- RELEASE-NOTES: synced with 32828cc4f + +- [Luca Boccassi brought this change] + + --interface: add support for Linux VRF + + The --interface command (CURLOPT_INTERFACE option) already uses + SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP + address first, which fails in case the user passes a VRF. + + Try to use the socket option immediately and parse it as a fallback + instead. Update the documentation to mention this feature, and that it + requires the binary to be ran by root or with CAP_NET_RAW capabilities + for this to work. + + Closes #2024 + +- curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT + + Closes #2043 + +- examples: add shared-connection-cache + +- test1554: verify connection cache sharing + +- share: add support for sharing the connection cache + +- imap: deal with commands case insensitively + + As documented in RFC 3501 section 9: + https://tools.ietf.org/html/rfc3501#section-9 + + Closes #2061 + +- connect: store IPv6 connection status after valid connection + + ... previously it would store it already in the happy eyeballs stage + which could lead to the IPv6 bit being set for an IPv4 connection, + leading to curl not wanting to do EPSV=>PASV for FTP transfers. + + Closes #2053 + +- curl_multi_fdset.3: emphasize curl_multi_timeout + + ... even when there's no socket to wait for, the timeout can still be + very short. + +Jay Satiro (9 Nov 2017) +- content_encoding: fix inflate_stream for no bytes available + + - Don't call zlib's inflate() when avail_in stream bytes is 0. + + This is a follow up to the parent commit 19e66e5. Prior to that change + libcurl's inflate_stream could call zlib's inflate even when no bytes + were available, causing inflate to return Z_BUF_ERROR, and then + inflate_stream would treat that as a hard error and return + CURLE_BAD_CONTENT_ENCODING. + + According to the zlib FAQ, Z_BUF_ERROR is not fatal. + + This bug would happen randomly since packet sizes are arbitrary. A test + of 10,000 transfers had 55 fail (ie 0.55%). + + Ref: https://zlib.net/zlib_faq.html#faq05 + + Closes https://github.com/curl/curl/pull/2060 + +Patrick Monnerat (7 Nov 2017) +- content_encoding: do not write 0 length data + +Daniel Stenberg (6 Nov 2017) +- fnmatch: remove dead code + + There was a duplicate check for backslashes in the setcharset() + function. + + Coverity CID 1420611 + +- url: remove unncessary NULL-check + + Since 'conn' won't be NULL in there and we also access the pointer in + there without the check. + + Coverity CID 1420610 + +Viktor Szakats (6 Nov 2017) +- src/Makefile.m32: fix typo in brotli lib customization + + Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31 + +- Makefile.m32: allow to customize brotli libs + + It adds the ability to link against static brotli libs. + + Also fix brotli include path. + +Patrick Monnerat (5 Nov 2017) +- travis: add a job with brotli enabled + +- [Viktor Szakats brought this change] + + Makefile.m32: add brotli support + +- HTTP: implement Brotli content encoding + + This uses the brotli external library (https://github.com/google/brotli). + Brotli becomes a feature: additional curl_version_info() bit and + structure fields are provided for it and CURLVERSION_NOW bumped. + + Tests 314 and 315 check Brotli content unencoding with correct and + erroneous data. + + Some tests are updated to accomodate with the now configuration dependent + parameters of the Accept-Encoding header. + +- HTTP: support multiple Content-Encodings + + This is implemented as an output streaming stack of unencoders, the last + calling the client write procedure. + + New test 230 checks this feature. + + Bug: https://github.com/curl/curl/pull/2002 + Reported-By: Daniel Bankhead + +Jay Satiro (4 Nov 2017) +- url: remove arg value check from CURLOPT_SSH_AUTH_TYPES + + Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value + check on this option is incorrect; we have to accept any value. + + Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES + erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT. + + Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120 + +Daniel Stenberg (4 Nov 2017) +- ntlm: avoid malloc(0) for zero length passwords + + It triggers an assert() when built with memdebug since malloc(0) may + return NULL *or* a valid pointer. + + Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054 + + Assisted-by: Max Dymond + Closes #2054 + +- RELEASE-NOTES: synced with ee8016b3d + +- curl: speed up handling of many URLs + + By properly keeping track of the last entry in the list of URLs/uploads + to handle, curl now avoids many meaningless traverses of the list which + speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K + URLs). + + Added test 1291, to verify that it doesn't take ages - but we don't have + any detection of "too slow" command in the test suite. + + Reported-by: arainchik on github + Fixes #1959 + Closes #2052 + +- curl: pass through [] in URLs instead of calling globbing error + + Assisted-by: Per Lundberg + Fixes #2044 + Closes #2046 + Closes #2048 + +- CURLOPT_INFILESIZE: accept -1 + + Regression since f121575 + + Reported-by: Petr Voytsik + Fixes #2047 + +Jay Satiro (2 Nov 2017) +- url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1 + + Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT + erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT. + +Dan Fandrich (1 Nov 2017) +- http2: Fixed OOM handling in upgrade request + + This caused the torture tests on test 1800 to fail. + +- tests: Fixed torture tests on tests 556 and 650 + + Test cleanup after OOM wasn't being consistently performed. + +Daniel Stenberg (1 Nov 2017) +- CURLOPT_MAXREDIRS: allow -1 as a value + + ... which is valid according to documentation. Regression since + f121575c0b5f. + + Verified now in test 501. + + Reported-by: cbartl on github + Fixes #2038 + Closes #2039 + +- include: remove conncache.h inclusion from where its not needed + +Jay Satiro (1 Nov 2017) +- url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1 + + .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE. + + Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE + erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT. + + Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html + Reported-by: Andrew Lambert + +Daniel Stenberg (31 Oct 2017) +- cookie: avoid NULL dereference + + ... when expiring old cookies. + + Reported-by: Pavel Gushchin + Fixes #2032 + Closes #2035 + +Marcel Raad (30 Oct 2017) +- memdebug: use send/recv signature for curl_dosend/curl_dorecv + + This avoids build errors and warnings caused by implicit casts. + + Closes https://github.com/curl/curl/pull/2031 + +Daniel Stenberg (30 Oct 2017) +- [Juro Bystricky brought this change] + + mkhelp.pl: support reproducible build + + Do not generate line with the current date, such as: + + * Generation time: Tue Oct-24 18:01:41 2017 + + This will improve reproducibility. The generated string is only + part of a comment, so there should be no adverse consequences. + + Signed-off-by: Juro Bystricky + + closes #2026 + +Dan Fandrich (30 Oct 2017) +- runtests.pl: Fixed typo in message + +Daniel Stenberg (30 Oct 2017) +- curlx: the timeval functions are no longer provided as curlx_* + + Pointed-out-by: Dmitri Tikhonov + Bug: #2034 + +- select: update comments + + s/curlx_tvnow/Curl_now + +- INTERNALS: remove curlx_tv* functions no longer provided + +- [Dmitri Tikhonov brought this change] + + timeval: use mach time on MacOS + + If clock_gettime() is not supported, use mach_absolute_time() on MacOS. + + closes #2033 + +monnerat (29 Oct 2017) +- [Patrick Monnerat brought this change] + + cli tool: improve ";type=" handling in -F option arguments + +- [Patrick Monnerat brought this change] + + cli tool: in -F option arg, comma is a delimiter for files only + + Also upgrade test 1133 to cover this case and clarify man page about + form data quoting. + + Bug: https://github.com/curl/curl/issues/2022 + Reported-By: omau on github + +Daniel Stenberg (29 Oct 2017) +- timeleft: made two more users of Curl_timeleft use timediff_t + +Jakub Zakrzewski (28 Oct 2017) +- cmake: Export libcurl and curl targets to use by other cmake projects + + The config files define curl and libcurl targets as imported targets + CURL::curl and CURL::libcurl. For backward compatibility with CMake- + provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are + also set. + + Closes #1879 + +Daniel Stenberg (28 Oct 2017) +- RELEASE-NOTES: synced with f20cbac97 + +- [Florin Petriuc brought this change] + + auth: Added test cases for RFC7616 + + Updated docs to include support for RFC7616 + + Signed-off-by: Florin + + Closes #1934 + +- [Florin Petriuc brought this change] + + auth: add support for RFC7616 - HTTP Digest access authentication + + Signed-off-by: Florin + +- [Daniel Bankhead brought this change] + + TODO: support multiple Content-Encodings + + Closes #2002 + +- ROADMAP: cleanup + + Removed done stuff. Removed entries no longer considered for the near + term. + +- [Magicansk brought this change] + + ROADMAP.md: spelling fixes + + Closes #2028 + +- Curl_timeleft: change return type to timediff_t + + returning 'time_t' is problematic when that type is unsigned and we + return values less than zero to signal "already expired", used in + several places in the code. + + Closes #2021 + +- appveyor: add a win32 build + +- setopt: fix CURLOPT_SSH_AUTH_TYPES option read + + Regression since f121575c0b5f + + Reported-by: Rob Cotrone + +Marcel Raad (27 Oct 2017) +- resolvers: only include anything if needed + + This avoids warnings about unused stuff. + + Closes https://github.com/curl/curl/pull/2023 + +Daniel Stenberg (27 Oct 2017) +- HELP-US: rename the subtitle too since the label is changed + + "PR-welcome" was the former name. + +- curl_setup.h: oops, shorten the too long line + +- [Martin Storsjo brought this change] + + curl_setup: Improve detection of CURL_WINDOWS_APP + + If WINAPI_FAMILY is defined, it should be safe to try to include + winapifamily.h to check what the define evaluates to. + + This should fix detection of CURL_WINDOWS_APP if building with + _WIN32_WINNT set to 0x0600. + + Closes #2025 + +Jay Satiro (26 Oct 2017) +- transfer: Fix chunked-encoding upload bug + + - When uploading via chunked-encoding don't compare file size to bytes + sent to determine whether the upload has finished. + + Chunked-encoding adds its own overhead which why the bytes sent is not + equal to the file size. Prior to this change if a file was uploaded in + chunked-encoding and its size was known it was possible that the upload + could end prematurely without sending the final few chunks. That would + result in a server hang waiting for the remaining data, likely followed + by a disconnect. + + The scope of this bug is limited to some arbitrary file sizes which have + not been determined. One size that triggers the bug is 475020. + + Bug: https://github.com/curl/curl/issues/2001 + Reported-by: moohoorama@users.noreply.github.com + + Closes https://github.com/curl/curl/pull/2010 + +Daniel Stenberg (26 Oct 2017) +- timeval: make timediff_t also work on 32bit windows + + ... by using curl_off_t for the typedef if time_t is larger than 4 + bytes. + + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co + mmitcomment-25205058 + Closes #2019 + +- curl_fnmatch: return error on illegal wildcard pattern + + ... instead of doing an infinite loop! + + Added test 1162 to verify. + + Reported-by: Max Dymond + Fixes #2015 + Closes #2017 + +- [Max Dymond brought this change] + + wildcards: don't use with non-supported protocols + + Fixes timeouts in the fuzzing tests for non-FTP protocols. + + Closes #2016 + +- [Max Dymond brought this change] + + multi: allow table handle sizes to be overridden + + Allow users to specify their own hash define for + CURL_CONNECTION_HASH_SIZE so that both values can be overridden. + + Closes #1982 + +- time: rename Curl_tvnow to Curl_now + + ... since the 'tv' stood for timeval and this function does not return a + timeval struct anymore. + + Also, cleaned up the Curl_timediff*() functions to avoid typecasts and + clean up the descriptive comments. + + Closes #2011 + +- ftplistparser: follow-up cleanup to remove PL_ERROR() + +- [Max Dymond brought this change] + + ftplistparser: free off temporary memory always + + When using the FTP list parser, ensure that the memory that's + allocated is always freed. + + Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682 + Closes #2013 + +- timediff: return timediff_t from the time diff functions + + ... to cater for systems with unsigned time_t variables. + + - Renamed the functions to curlx_timediff and Curl_timediff_us. + + - Added overflow protection for both of them in either direction for + both 32 bit and 64 bit time_ts + + - Reprefixed the curlx_time functions to use Curl_* + + Reported-by: Peter Piekarski + Fixes #2004 + Closes #2005 + +- [Paul Howarth brought this change] + + libtest: Add required test libraries for lib1552 and lib1553 + + They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too. + + This fixes build failures on Fedora 13. + + Closes #2006 + +- [Alessandro Ghedini brought this change] + + libcurl-tutorial.3: fix typo + + closes #2008 + +Alessandro Ghedini (23 Oct 2017) +- curl_mime_filedata.3: fix typos + +Daniel Stenberg (23 Oct 2017) +- RELEASE-NOTES: clean slate towards 7.57.0 + +- [Max Dymond brought this change] + + travis: exit if any steps fail + + We don't expect any steps to fail in travis. Exit the script if they do. + + Closes #1966 + +Version 7.56.1 (23 Oct 2017) + +Daniel Stenberg (23 Oct 2017) +- RELEASE-NOTES: 7.56.1 + +- THANKS: update at 7.56.1 release time + +- [Jon DeVree brought this change] + + mk-ca-bundle: Remove URL for aurora + + Aurora is no longer used by Mozilla + https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/ + +- [Jon DeVree brought this change] + + mk-ca-bundle: Fix URL for NSS + + The 'tip' is the most recent branch committed to, this should be + 'default' like the URLs for the browser are. + + Closes #1998 + +- imap: if a FETCH response has no size, don't call write callback + + CVE-2017-1000257 + + Reported-by: Brian Carpenter and 0xd34db347 + Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586 + +- ftp: reject illegal IP/port in PASV 227 response + + ... by using range checks. Among other things, this avoids an undefined + behavior for a left shift that could happen on negative or very large + values. + + Closes #1997 + + Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694 + +Patrick Monnerat (20 Oct 2017) +- test653: check reuse of easy handle after mime data change + + See issue #1999 + +- mime: do not reuse previously computed multipart size + + The contents might have changed: size must be recomputed. + + Reported-by: moteus on github + Fixes #1999 + +- test308: disable if MultiSSL feature enabled + + Even if OpenSSL is enabled, it might not be the default backend when + multi-ssl is enabled, causing the test to fail. + +- runtests: support MultiSSL client feature + +- vtls: change struct Curl_ssl `close' field name to `close_one'. + + On OS/400, `close' is an ASCII system macro that corrupts the code if + not used in a context not targetting the close() system API. + +- os400: add missing symbols in config file. + + Also adjust makefile to renamed files and warn about installation dirs mix-up. + +- test652: curl_mime_data + base64 encoder with large contents + +- mime: limit bas64-encoded lines length to 76 characters + +Daniel Stenberg (16 Oct 2017) +- RELEASE-NOTES: synced with f121575c0 + +- setopt: range check most long options + + ... filter early instead of risking "funny values" having to be dealt + with elsewhere. + +- setopt: avoid integer overflows when setting millsecond values + + ... that are multiplied by 1000 when stored. + + For 32 bit long systems, the max value accepted (2147483 seconds) is > + 596 hours which is unlikely to ever be set by a legitimate application - + and previously it didn't work either, it just caused undefined behavior. + + Also updated the man pages for these timeout options to mention the + return code. + + Closes #1938 + +Viktor Szakats (15 Oct 2017) +- makefile.m32: allow to override gcc, ar and ranlib + + Allow to ovverride certain build tools, making it possible to + use LLVM/Clang to build curl. The default behavior is unchanged. + To build with clang (as offered by MSYS2), these settings can + be used: + + CURL_CC=clang + CURL_AR=llvm-ar + CURL_RANLIB=llvm-ranlib + + Closes https://github.com/curl/curl/pull/1993 + +- ldap: silence clang warning + + Use memset() to initialize a structure to avoid LLVM/Clang warning: + ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers] + + Closes https://github.com/curl/curl/pull/1992 + +Daniel Stenberg (14 Oct 2017) +- runtests: use valgrind for torture as well + + NOTE: it makes them terribly slow. I recommend only using valgrind for + specific torture tests or using lots of patience. + +- memdebug: trace send, recv and socket + + ... to allow them to be included in torture tests too. + + closes #1980 + +- configure: remove the C++ compiler check + + ... we used it only for the fuzzer, which we now have in a separate git + repo. + + Closes #1990 + +Patrick Monnerat (13 Oct 2017) +- mime: do not call failf() if easy handle is NULL. + +Daniel Stenberg (13 Oct 2017) +- test651: curl_formadd with huge COPYCONTENTS + +- mime: fix the content reader to handle >16K data properly + + Reported-by: Jeroen Ooms + Closes #1988 + +Patrick Monnerat (12 Oct 2017) +- mime: keep "text/plain" content type if user-specified. + + Include test cases in 554, 587, 650. + + Fixes https://github.com/curl/curl/issues/1986 + +- cli tool: use file2memory() to buffer stdin in -F option. + + Closes PR https://github.com/curl/curl/pull/1985 + +- cli tool: reimplement stdin buffering in -F option. + + If stdin is not a regular file, its content is memory-buffered to enable + a possible data "rewind". + In all cases, stdin data size is determined before real use to avoid + having an unknown part's size. + + --libcurl generated code is left as an unbuffered stdin fread/fseek callback + part with unknown data size. + + Buffering is not supported in deprecated curl_formadd() API. + +Daniel Stenberg (12 Oct 2017) +- winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2 + +- HELP-US: the label "PR-welcome" is now renamed to "help wanted" + + following the new github "standard" + +- RELEASE-NOTES: synced with 5505df7d2 + +Jay Satiro (11 Oct 2017) +- [Artak Galoyan brought this change] + + url: Update current connection SSL verify params in setopt + + Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active + connection updates the current connection's (i.e.'connectdata' + structure) appropriate ssl_config (and ssl_proxy_config) structures + variables, making these options effective for ongoing connection. + + This functionality was available before and was broken by the + following change: + "proxy: Support HTTPS proxy and SOCKS+HTTP(s)" + CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151. + + Bug: https://github.com/curl/curl/issues/1941 + + Closes https://github.com/curl/curl/pull/1951 + +Daniel Stenberg (11 Oct 2017) +- [David Benjamin brought this change] + + openssl: don't use old BORINGSSL_YYYYMM macros + + Those were temporary things we'd add and remove for our own convenience + long ago. The last few stayed around for too long as an oversight but + have since been removed. These days we have a running + BORINGSSL_API_VERSION counter which is bumped when we find it + convenient, but 2015-11-19 was quite some time ago, so just check + OPENSSL_IS_BORINGSSL. + + Closes #1979 + +- test950; verify SMTP with custom request + +- ftpserver: support case insensitive commands + +- smtp_done: free data before returning (on send failure) + + ... as otherwise it could leak that memory. + + Detected by OSS-fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600 + + Assisted-by: Max Dymond + Closes #1977 + +- FTP: URL decode path for dir listing in nocwd mode + + Reported-by: Zenju on github + + Test 244 added to verify + Fixes #1974 + Closes #1976 + +- test298: verify --ftp-method nowcwd with URL encoded path + + Ref: #1974 + +- CURLOPT_XFERINFODATA.3: fix duplicate see also + +- CURLOPT_NOPROGRESS.3: also refer to xferinfofunction + +- FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION + +- openssl: enable PKCS12 support for !BoringSSL + + Enable PKCS12 for all non-boringssl builds without relying on configure + or cmake checks. + + Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html + Reported-by: Christian Schmitz + Closes #1948 + +- [Kristiyan Tsaklev brought this change] + + curl: don't pass semicolons when parsing Content-Disposition + + Test 1422 updated to verify. + + Closes #1964 + +Patrick Monnerat (9 Oct 2017) +- mime: properly unbind mime structure in curl_mime_free(). + + This allows freeing a mime structure bound to the easy handle before + curl_easy_cleanup(). + + Fixes #1970. + +Daniel Stenberg (9 Oct 2017) +- RTSP: avoid integer overflow on funny RTSP response + + ... like a very large non-existing RTSP version number. + + Added test 577 to verify. + + Detected by OSS-fuzz. + Closes #1969 + +Patrick Monnerat (8 Oct 2017) +- ftpserver: properly reset $ftptargetdir. + +- test643: verify curl_mime_subparts() rejects cyclic additions. + +- mime: refuse to add subparts to one of their own descendants. + + Reported-by: Alexey Melnichuk + Fixes #1962 + +- mime: avoid resetting a part's encoder when part's contents change. + +- mime: improve unbinding top multipart from easy handle. + + Also avoid dangling pointers in referencing parts. + +Daniel Stenberg (8 Oct 2017) +- RELEASE-NOTES: synced with a4c1c75da30af1 + +- curlver.h: next expected release is 7.57.0 + +Patrick Monnerat (8 Oct 2017) +- mime: be tolerant about setting twice the same header list in a part. + +- docs: clarify form/mime usage of non-regular data files. + +Daniel Stenberg (8 Oct 2017) +- Revert "multi_done: wait for name resolve to finish if still ongoing" + + This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe. + + Caused memory leaks in the fuzzer, needs to be done differently. + + Disable test 1553 for now too, as it causes memory leaks without this + commit! + +- remove_handle: call multi_done() first, then clear dns cache pointer + + Closes #1960 + +- multi_done: wait for name resolve to finish if still ongoing + + ... as we must clean up memory. + +- pingpong: return error when trying to send without connection + + When imap_done() got called before a connection is setup, it would try + to "finish up" and dereffed a NULL pointer. + + Test case 1553 managed to reproduce. I had to actually use a host name + to try to resolve to slow it down, as using the normal local server IP + will make libcurl get a connection in the first curl_multi_perform() + loop and then the bug doesn't trigger. + + Fixes #1953 + Assisted-by: Max Dymond + +Dan Fandrich (6 Oct 2017) +- tests: added flaky keyword to tests 587 and 644 + + These are around 5% flaky in my Linux x86 autobuilds. + +Marcel Raad (6 Oct 2017) +- vtls: fix warnings with --disable-crypto-auth + + When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters + are not used. + +Daniel Stenberg (6 Oct 2017) +- multi_cleanup: call DONE on handles that never got that + + ... fixes a memory leak with at least IMAP when remove_handle is never + called and the transfer is abruptly just abandoned early. + + Test 1552 added to verify + + Detected by OSS-fuzz + Assisted-by: Max Dymond + Closes #1954 + +- [Benbuck Nason brought this change] + + strtoofft: Remove extraneous null check + + Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str' + argument. + + Closes #1952 + +- openssl: fix build without HAVE_OPAQUE_EVP_PKEY + + Reported-by: Javier Sixto + Fixes #1955 + Closes #1956 + +Viktor Szakats (6 Oct 2017) +- lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS + + The source code is now prepared to handle the case when both + Win32 Crypto and OpenSSL/NSS crypto backends are enabled + at the same time, making it now possible to enable `USE_WIN32_CRYPTO` + whenever the targeted Windows version supports it. Since this + matches the minimum Windows version supported by curl + (Windows 2000), enable it unconditionally for the Win32 platform. + + This in turn enables SMB (and SMBS) protocol support whenever + Win32 Crypto is available, regardless of what other crypto backends + are enabled. + + Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052 + + Closes https://github.com/curl/curl/pull/1943 + +Daniel Stenberg (5 Oct 2017) +- build: fix --disable-crypto-auth + + Reported-by: Wyatt O'Day + Fixes #1945 + Closes #1947 + +Jay Satiro (5 Oct 2017) +- [Nick Zitzmann brought this change] + + darwinssl: add support for TLSv1.3 + + Closes https://github.com/curl/curl/pull/1794 + +Daniel Stenberg (4 Oct 2017) +- [Felix Kaiser brought this change] + + docs: fix typo in curl_mime_data_cb man page + + Closes #1946 + +Viktor Szakats (4 Oct 2017) +- lib/Makefile.m32: allow customizing dll suffixes + + - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated + libcurl dll name. Useful to add `-x64` to 64-bit builds so that + it can live in the same directory as the 32-bit one. By default + this is empty. + + - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the + generated import library (implib) for libcurl .dll. It defaults + to `dll`, and it's useful to modify that to `.dll` to have the + standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`. + + Closes https://github.com/curl/curl/pull/1942 + +Daniel Stenberg (4 Oct 2017) +- [Max Dymond brought this change] + + fuzzer: move to using external curl-fuzzer + + Use the external curl-fuzzer repository for fuzzing. + + Closes #1923 + +- failf: skip the sprintf() if there are no consumers + + Closes #1936 + +- ftp: UBsan fixup 'pointer index expression overflowed' + + Closes #1939 + +- RELEASE-PROCEDURE: update the release schedule + +Version 7.56.0 (4 Oct 2017) + +Daniel Stenberg (4 Oct 2017) +- RELEASE-NOTES: curl 7.56.0 + +- THANKS: added new 7.56.0 contributors + +Jay Satiro (4 Oct 2017) +- build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported + + Ref: https://github.com/curl/curl/issues/1002 + +Michael Kaufmann (3 Oct 2017) +- idn: fix source code comment + +- vtls: compare and clone ssl configs properly + + Compare these settings in Curl_ssl_config_matches(): + - verifystatus (CURLOPT_SSL_VERIFYSTATUS) + - random_file (CURLOPT_RANDOM_FILE) + - egdsocket (CURLOPT_EGDSOCKET) + + Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(), + and copy the setting "sessionid" unconditionally. + + This means that reusing connections that are secured with a client + certificate is now possible, and the statement "TLS session resumption + is disabled when a client certificate is used" in the old advisory at + https://curl.haxx.se/docs/adv_20170419.html is obsolete. + + Reviewed-by: Daniel Stenberg + + Closes #1917 + +- proxy: read the "no_proxy" variable only if necessary + + Reviewed-by: Daniel Stenberg + + Closes #1919 + +Patrick Monnerat (3 Oct 2017) +- libcurl-tutorial: add casts in example to avoid compilation warnings. + +Daniel Stenberg (3 Oct 2017) +- examples: bring back curl_formadd-using examples + + ... now with a -formadd suffix. While the new mime API is introduced in + 7.56.0 we must acknowledge that lots of users can't upgrade their curl + versions immediately. + +- test1153: verify quoted double-qoutes in PWD response + +- FTP: zero terminate the entry path even on bad input + + ... a single double quote could leave the entry path buffer without a zero + terminating byte. CVE-2017-1000254 + + Test 1152 added to verify. + + Reported-by: Max Dymond + Bug: https://curl.haxx.se/docs/adv_20171004.html + +Jay Satiro (2 Oct 2017) +- [Sergei Nikulov brought this change] + + cmake: disable tests and man generation if perl/nroff not found + + Fixes https://github.com/curl/curl/issues/1500 + Reported-by: Jay Satiro + + Fixes https://github.com/curl/curl/pull/1662 + Assisted-by: Tom Seddon + Assisted-by: dpull@users.noreply.github.com + Assisted-by: elelel@users.noreply.github.com + + Closes https://github.com/curl/curl/pull/1924 + +Patrick Monnerat (2 Oct 2017) +- libcurl-tutorial: fix two typos. + +- TODO: remove deprecated form API items. + +- libcurl-tutorial: describe MIME API and deprecate form API. + + Include a guide to form/mime API conversion. + +Daniel Stenberg (30 Sep 2017) +- cookie: fix memory leak if path was set twice in header + + ... this will let the second occurance override the first. + + Added test 1161 to verify. + + Reported-by: Max Dymond + Fixes #1932 + Closes #1933 + +Dan Fandrich (30 Sep 2017) +- test650: Use variable replacement to set the host address and port + + Otherwise, the test fails when the -b test option is used to set a + different test port range. + +- Set and use more necessary options when some protocols are disabled + + When curl and libcurl are built with some protocols disabled, they stop + setting and receiving some options that don't make sense with those + protocols. In particular, when HTTP is disabled many options aren't set + that are used only by HTTP. However, some options that appear to be + HTTP-only are actually used by other protocols as well (some despite + having HTTP in the name) and should be set, but weren't. This change now + causes some of these options to be set and used for more (or for all) + protocols. In particular, this fixes tests 646 through 649 in an + HTTP-disabled build, which use the MIME API in the mail protocols. + +Daniel Stenberg (29 Sep 2017) +- test1160: verifies cookie leak for large cookies + + The fix done in 20ea22ff735 + +- cookie: fix memory leak on oversized rejection + + Regression brought by 2bc230de63b + + Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513 + Assisted-by: Max Dymond + + Closes #1930 + +- [Anders Bakken brought this change] + + connect: fix race condition with happy eyeballs timeout + + The timer should be started after conn->connecttime is set. Otherwise + the timer could expire without this condition being true: + + /* should we try another protocol family? */ + if(i == 0 && conn->tempaddr[1] == NULL && + curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) { + + Ref: #1928 + +Michael Kaufmann (28 Sep 2017) +- docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS + + Closes #1922 + +- docs: clarify the use of environment variables for proxy + + Closes #1921 + +- http: add custom empty headers to repeated requests + + Closes #1920 + +- reuse_conn: don't copy flags that are known to be equal + + A connection can only be reused if the flags "conn_to_host" and + "conn_to_port" match. Therefore it is not necessary to copy these flags + in reuse_conn(). + + Closes #1918 + +Daniel Stenberg (27 Sep 2017) +- curl.h: include on cygwin too + + When building with -std=c++14 on cygwin, this header won't be + automatically included as it otherwise is. + + The include decision should ideally be reversed and be + avoided where that header file doesn't exist. + + Reported-by: Ian Fette + Fixes #1925 + +- RELEASE-NOTES: synced with d8ab5dc50 + +Michael Kaufmann (24 Sep 2017) +- tests: adjust .gitignore for new tests + +Jay Satiro (23 Sep 2017) +- ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header + + .. and include the core NTLM header in all NTLM-related source files. + + Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT + but did not include vtls.h where it was defined. + + Closes https://github.com/curl/curl/pull/1911 + +Daniel Stenberg (23 Sep 2017) +- file_range: avoid integer overflow when figuring out byte range + + When trying to bump the value with one and the value is already at max, + it causes an integer overflow. + + Closes #1908 + Detected by oss-fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465 + + Assisted-by: Max Dymond + +Michael Kaufmann (23 Sep 2017) +- tests: fix a compiler warning in test 643 + +Jay Satiro (23 Sep 2017) +- symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry + + - Use spaces instead of tabs as the delimiter. + + Follow up to 7c52b12 which added the entry. The entry had used tabs but + the symbol-scan parser doesn't recognize tabs and would fail the symbol. + +Viktor Szakats (22 Sep 2017) +- metalink: fix NSS issue in MultiSSL builds + + In MultiSSL mode (i.e. when more than one SSL backend is compiled + in), we cannot use the compile time flag `USE_NSS` as indicator that + the NSS backend is in use. As far as Metalink is concerned, the SSL + backend is only used for MD5, SHA-1 and SHA-256 calculations, + therefore one of the available SSL backends is selected at compile + time, in a strict order of preference. + + Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used + to determine whether the SSL backend used for Metalink is the NSS + backend, and use that to guard the code that wants to de-initialize + the NSS-specific data structure. + + Ref: https://github.com/curl/curl/pull/1848 + +- ntlm: use strict order for SSL backend #if branches + + With the recently introduced MultiSSL support multiple SSL backends + can be compiled into cURL That means that now the order of the SSL + + One option would be to use the same SSL backend as was configured + via `curl_global_sslset()`, however, NTLMv2 support would appear + to be available only with some SSL backends. For example, when + eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced + support for NTLMv1 using Windows' Crypt API, it specifically did + *not* introduce NTLMv2 support using Crypt API at the same time. + + So let's select one specific SSL backend for NTLM support when + compiled with multiple SSL backends, using a priority order such + that we support NTLMv2 even if only one compiled-in SSL backend can + be used for that. + + Ref: https://github.com/curl/curl/pull/1848 + +Daniel Stenberg (22 Sep 2017) +- symbols-in-versions: add CURLSSLSET_NO_BACKENDS + + ...fixup from b8e0fe19ec + +- imap: quote atoms properly when escaping characters + + Updates test 800 to verify + + Fixes #1902 + Closes #1903 + +- tests: make the imap server not verify user+password + + ... as the test cases themselves do that and it makes it easier to add + crazy test cases. + + Test 800 updated to use user name + password that need quoting. + + Test 856 updated to trigger an auth fail differently. + + Ref: #1902 + +- vtls: provide curl_global_sslset() even in non-SSL builds + + ... it just returns error: + + Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367 + Reported-by: Marcel Raad + + Closes #1906 + +Patrick Monnerat (22 Sep 2017) +- form/mime: field names are not allowed to contain zero-valued bytes. + + Also suppress length argument of curl_mime_name() (names are always + zero-terminated). + +Daniel Stenberg (21 Sep 2017) +- [Dirk Feytons brought this change] + + openssl: only verify RSA private key if supported + + In some cases the RSA key does not support verifying it because it's + located on a smart card, an engine wants to hide it, ... + Check the flags on the key before trying to verify it. + OpenSSL does the same thing internally; see ssl/ssl_rsa.c + + Closes #1904 + +Marcel Raad (21 Sep 2017) +- examples/post-callback: use long for CURLOPT_POSTFIELDSIZE + + Otherwise, typecheck-gcc.h warns on MinGW-w64. + +Patrick Monnerat (20 Sep 2017) +- mime: rephrase the multipart output state machine (#1898) ... + + ... in hope coverity will like it much. + +- mime: fix an explicit null dereference (#1899) + +Daniel Stenberg (20 Sep 2017) +- curl: check fseek() return code and bail on error + + Detected by coverity. CID 1418137. + +- smtp: fix memory leak in OOM + + Regression since ce0881edee + + Coverity CID 1418139 and CID 1418136 found it, but it was also seen in + torture testing. + +- RELEASE-NOTES: synced with 5fe85587c + +- [Pavel Pavlov brought this change] + + cookies: use lock when using CURLINFO_COOKIELIST + + Closes #1896 + +- [Max Dymond brought this change] + + ossfuzz: changes before merging the generated corpora + + Before merging in the oss-fuzz corpora from Google, there are some changes + to the fuzzer. + - Add a read corpus script, to display corpus files nicely. + - Change the behaviour of the fuzzer so that TLV parse failures all now + go down the same execution paths, which should reduce the size of the + corpora. + - Make unknown TLVs a failure to parse, which should decrease the size + of the corpora as well. + + Closes #1881 + +- mime:escape_string minor clarification change + + ... as it also removes a warning with old gcc versions. + + Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html + Reported-by: Ben Greear + +- [Max Dymond brought this change] + + ossfuzz: don't write out to stdout + + Don't make the fuzzer write out to stdout - instead write some of the + contents to a memory block so we exercise the data output code but + quietly. + + Closes #1885 + +- cookies: reject oversized cookies + + ... instead of truncating them. + + There's no fixed limit for acceptable cookie names in RFC 6265, but the + entire cookie is said to be less than 4096 bytes (section 6.1). This is + also what browsers seem to implement. + + We now allow max 5000 bytes cookie header. Max 4095 bytes length per + cookie name and value. Name + value together may not exceed 4096 bytes. + + Added test 1151 to verify + + Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html + Reported-by: Kevin Smith + + Closes #1894 + +- travis: on mac, don't install openssl or libidn + + - openssl is already installed and causes warnings when trying to + install again + + - libidn isn't used these days, and homebrew doesn't seem to have a + libidn2 package to replace with easily + + Closes #1895 + +- curl: make str2udouble not return values on error + + ... previously it would store a return value even when it returned + error, which could make the value get used anyway! + + Reported-by: Brian Carpenter + Closes #1893 + +Jay Satiro (18 Sep 2017) +- socks: fix incorrect port number in SOCKS4 error message + + Prior to this change it appears the SOCKS5 port parsing was erroneously + used for the SOCKS4 error message, and as a result an incorrect port + would be shown in the error message. + + Bug: https://github.com/curl/curl/issues/1892 + Reported-by: Jackarain@users.noreply.github.com + +- [Marc Aldorasi brought this change] + + schannel: Support partial send for when data is too large + + Schannel can only encrypt a certain amount of data at once. Instead of + failing when too much data is to be sent at once, send as much data as + we can and let the caller send the remaining data by calling send again. + + Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html + + Closes https://github.com/curl/curl/pull/1890 + +- [David Benjamin brought this change] + + openssl: add missing includes + + lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include + their headers directly rather than relying on other OpenSSL headers + including things. + + Closes https://github.com/curl/curl/pull/1891 + +Daniel Stenberg (15 Sep 2017) +- conversions: fix several compiler warnings + +- server/getpart: provide dummy function to build conversion enabled + +- non-ascii: use iconv() with 'char **' argument + + Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html + +- escape.c: error: pointer targets differ in signedness + +- docs: clarify the CURLOPT_INTERLEAVE* options behavior + +- [Max Dymond brought this change] + + rtsp: Segfault in rtsp.c when using WRITEDATA + + If the INTERLEAVEFUNCTION is defined, then use that plus the + INTERLEAVEDATA information when writing RTP. Otherwise, use + WRITEFUNCTION and WRITEDATA. + + Fixes #1880 + Closes #1884 + +Marcel Raad (15 Sep 2017) +- [Isaac Boukris brought this change] + + tests: enable gssapi in travis-ci linux build + + Closes https://github.com/curl/curl/pull/1687 + +- [Isaac Boukris brought this change] + + tests: add initial gssapi test using stub implementation + + The stub implementation is pre-loaded using LD_PRELOAD + and emulates common gssapi uses (only builds if curl is + initially built with gssapi support). + + The initial tests are currently disabled for debug builds + as LD_PRELOAD is not used then. + + Ref: https://github.com/curl/curl/pull/1687 + +Daniel Stenberg (15 Sep 2017) +- test1150: verify same host fetch using different ports over proxy + + Closes #1889 + +- URL: on connection re-use, still pick the new remote port + + ... as when a proxy connection is being re-used, it can still get a + different remote port. + + Fixes #1887 + Reported-by: Oli Kingshott + +- RELEASE-NOTES: synced with 87501e57f + +- code style: remove wrong uses of multiple spaces + + Closes #1878 + +- checksrc: detect and warn for multiple spaces + +- code style: use space after semicolon + +- checksrc: verify space after semicolons + +- code style: use spaces around pluses + +- checksrc: detect and warn for lack of spaces next to plus signs + +- code style: use spaces around equals signs + +- checksrc: verify spaces around equals signs + + ... as the code style mandates. + +- Curl_checkheaders: make it available for IMAP and SMTP too + + ... not only HTTP uses this now. + + Closes #1875 + +- travis: add build without HTTP/SMTP/IMAP + +Jay Satiro (10 Sep 2017) +- mbedtls: enable CA path processing + + CA path processing was implemented when mbedtls.c was added to libcurl + in fe7590f, but it was never enabled. + + Bug: https://github.com/curl/curl/issues/1877 + Reported-by: SBKarr@users.noreply.github.com + +Daniel Stenberg (8 Sep 2017) +- rtsp: do not call fwrite() with NULL pointer FILE * + + If the default write callback is used and no destination has been set, a + NULL pointer would be passed to fwrite()'s 4th argument. + + OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327 + (not publicly open yet) + + Detected by OSS-fuzz + Closes #1874 + +- configure: use -Wno-varargs on clang 3.9[.X] debug builds + + ... to avoid a clang bug + +- [Max Dymond brought this change] + + ossfuzz: add some more handled CURL options + + Add support for HEADER, COOKIE, RANGE, CUSTOMREQUEST, MAIL_RECIPIENT, + MAIL_FROM and uploading data. + +- configure: check for C++ compiler after C, to make it non-fatal + + The tests for object file/executable file extensions are presumably only + done for the first of these macros in the configure file. + + Bug: https://github.com/curl/curl/pull/1851#issuecomment-327597515 + Reported-by: Marcel Raad + Closes #1873 + +Patrick Monnerat (7 Sep 2017) +- form API: add new test 650. + + Now that the form API is deprecated and not used anymore in curl tool, + a lot of its features left untested. Test 650 attempts to check all these + features not tested elsewhere. + +Jay Satiro (7 Sep 2017) +- configure: fix curl_off_t check's include order + + - Prepend srcdir include path instead of append. + + Prior to this change it was possible that during the check for the size + of curl_off_t the include path of a user's already installed curl could + come before the include path of the to-be-built curl, resulting in the + system.h of the former being incorrectly included for that check. + + Closes https://github.com/curl/curl/pull/1870 + +Daniel Stenberg (7 Sep 2017) +- [Jakub Zakrzewski brought this change] + + KNOWN_BUGS: Remove CMake symbol hiding issue + + It has already been fixed in 6140dfc + +- http-proxy: when not doing CONNECT, that phase is done immediately + + `conn->connect_state` is NULL when doing a regular non-CONNECT request + over the proxy and should therefor be considered complete at once. + + Fixes #1853 + Closes #1862 + Reported-by: Lawrence Wagerfield + +- [Johannes Schindelin brought this change] + + OpenSSL: fix yet another mistake while encapsulating SSL backend data + + Another mistake in my manual fixups of the largely mechanical + search-and-replace ("connssl->" -> "BACKEND->"), just like the previous + commit concerning HTTPS proxies (and hence not caught during my + earlier testing). + + Fixes #1855 + Closes #1871 + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + OpenSSL: fix erroneous SSL backend encapsulation + + In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private + data, 2017-06-21), this developer prepared for a separation of the + private data of the SSL backends from the general connection data. + + This conversion was partially automated (search-and-replace) and + partially manual (e.g. proxy_ssl's backend data). + + Sadly, there was a crucial error in the manual part, where the wrong + handle was used: rather than connecting ssl[sockindex]' BIO to the + proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason + was an incorrect location to paste "BACKEND->"... d'oh. + + Reported by Jay Satiro in https://github.com/curl/curl/issues/1855. + + Signed-off-by: Johannes Schindelin + +- [Jay Satiro brought this change] + + vtls: fix memory corruption + + Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data, + 2017-07-28), the code handling HTTPS proxies was broken because the + pointer to the SSL backend data was not swapped between + conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but + instead set to NULL (causing segmentation faults). + + [jes: provided the commit message, tested and verified the patch] + + Signed-off-by: Johannes Schindelin + +- vtls: switch to CURL_SHA256_DIGEST_LENGTH define + + ... instead of the prefix-less version since WolfSSL 3.12 now uses an + enum with that name that causes build failures for us. + + Fixes #1865 + Closes #1867 + Reported-by: Gisle Vanem + +- travis: add c-ares enabled builds linux + osx + + Closes #1868 + +- HISTORY: added some recent items + +Jay Satiro (6 Sep 2017) +- SSL: fix unused parameter warnings + +Patrick Monnerat (6 Sep 2017) +- mime: drop internal FILE * support. + + - The part kind MIMEKIND_FILE and associated code are suppressed. + - Seek data origin offset not used anymore: suppressed. + - MIMEKIND_NAMEDFILE renamed MIMEKIND_FILE; associated fields/functions + renamed accordingly. + - Curl_getformdata() processes stdin via a callback. + +Daniel Stenberg (6 Sep 2017) +- configure: remove --enable-soname-bump and SONAME_BUMP + + Back in 2008, (and commit 3f3d6ebe665f3) we changed the logic in how we + determine the native type for `curl_off_t`. To really make sure we + didn't break ABI without bumping SONAME, we introduced logic that + attempted to detect that it would use a different size and thus not be + compatible. We also provided a manual switch that allowed users to tell + configure to bump SONAME by force. + + Today, we know of no one who ever got a SONAME bump auto-detected and we + don't know of anyone who's using the manual bump feature. The auto- + detection is also no longer working since we introduced defining + curl_off_t in system.h (7.55.0). + + Finally, this bumping logic is not present in the cmake build. + + Closes #1861 + +Jay Satiro (6 Sep 2017) +- [Gisle Vanem brought this change] + + vtls: select ssl backend case-insensitive (follow-up) + + - Do a case-insensitive comparison of CURL_SSL_BACKEND env as well. + + - Change Curl_strcasecompare calls to strcasecompare + (maps to the former but shorter). + + Follow-up to c290b8f. + + Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313 + + Co-authored-by: Jay Satiro + +- openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation + + This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations. + + The first one, written for old OpenSSL versions: + https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c + + The second one, written for BoringSSL and new OpenSSL versions: + https://github.com/curl/curl/pull/1346 + + Note the first one is GPL licensed but the author gave permission to + waive that license for libcurl. + + As of right now this feature is disabled by default, and does not have + a configure option to enable it. To enable this feature define + ENABLE_SSLKEYLOGFILE when building libcurl and set environment + variable SSLKEYLOGFILE to a pathname that will receive the keys. + + And in Wireshark change your preferences to point to that key file: + Edit > Preferences > Protocols > SSL > Master-Secret + + Co-authored-by: Peter Wu + + Ref: https://github.com/curl/curl/pull/1030 + Ref: https://github.com/curl/curl/pull/1346 + + Closes https://github.com/curl/curl/pull/1866 + +Patrick Monnerat (5 Sep 2017) +- mime: fix a trivial warning. + +- mime: replace 'struct Curl_mimepart' by 'curl_mimepart' in encoder code. + + mime_state is now a typedef. + +- mime: implement encoders. + + curl_mime_encoder() is operational and documented. + curl tool -F option is extended with ";encoder=". + curl tool --libcurl option generates calls to curl_mime_encoder(). + New encoder tests 648 & 649. + Test 1404 extended with an encoder specification. + +- runtests.pl: support attribute "nonewline" in part verify/upload. + +- [Daniel Stenberg brought this change] + + fixup data/test1135 + +- [Daniel Stenberg brought this change] + + mime: unified to use the typedef'd mime structs everywhere + + ... and slightly edited to follow our code style better. + +- [Daniel Stenberg brought this change] + + curl.h: use lower case curl_mime* as for all public symbols + +- [Daniel Stenberg brought this change] + + docs/curl_mime_*.3: use correct variable types in examples + +Kamil Dudka (5 Sep 2017) +- openssl: use OpenSSL's default ciphers by default + + Up2date versions of OpenSSL maintain the default reasonably secure + without breaking compatibility, so it is better not to override the + default by curl. Suggested at https://bugzilla.redhat.com/1483972 + + Closes #1846 + +Viktor Szakats (5 Sep 2017) +- examples/mime: minor example code fixes + +Daniel Stenberg (5 Sep 2017) +- docs/curl_mime_*.3: added examples + +- configure: add MultiSSL to FEATURES when enabled + + ...for curl-config and its corresponding test 1014 + +- http-proxy: treat all 2xx as CONNECT success + + Added test 1904 to verify. + + Reported-by: Lawrence Wagerfield + Fixes #1859 + Closes #1860 + +- MAIL-ETIQUETTE: added "1.9 Your emails are public" + +- curl.h: fix "unused checksrc ignore", remove dangling reference + + ... to a README file that doesn't exist anymore + +Viktor Szakats (4 Sep 2017) +- docs: Update to secure URL versions + +- mime: use CURL_ZERO_TERMINATED in examples + + and some minor whitespace fixes + +Daniel Stenberg (4 Sep 2017) +- schannel: return CURLE_SSL_CACERT on failed verification + + ... not *CACERT_BADFILE as it isn't really because of a bad file. + + Bug: https://curl.haxx.se/mail/lib-2017-09/0002.html + Closes #1858 + +- test1135: fixed after bd8070085f9 + +- examples/post-callback: stop returning one byte at a time + + ... since people copy and paste code from this example and thus they get + an inefficient POST operation without a good reason and sometimes + without understanding why. + + Instead this now returns as much data as possible. + +- RELEASE-NOTES: fixed the function counter script + +- curl.h: make the curl_strequal() protos use the same style + + ... as the other functions. Makes it easier to machine-parse! + +- docs: curl_mime_*.3 man page formatting edits + +- RELEASE-NOTES: synced with 1ab9e9b50 + +Patrick Monnerat (4 Sep 2017) +- lib: bump version info (soname). Adapt and reenable test 1135. + +Daniel Stenberg (3 Sep 2017) +- headers: move the global_sslset() proto from multi.h to curl.h + + As it was added to multi.h simply to not break test 1135, which now has + been disabled due to the mime API addition anyway and su we can now move + the sslset stuff to where the other curl_global_* prototypes are. + +Patrick Monnerat (3 Sep 2017) +- mime: fix signed/unsigned conversions. + + Use and generate CURL_ZERO_TERMINATED in curl tool and tests. + +Jay Satiro (3 Sep 2017) +- tool_formparse: fix some trivial warnings + +Patrick Monnerat (3 Sep 2017) +- mime: use size_t instead of ssize_t in public API interface. + + To support telling a string is nul-terminated, symbol CURL_ZERO_TERMINATED + has been introduced. + + Documentation updated accordingly. + + symbols in versions updated. Added form API symbols deprecation info. + +- mime: remove support "-" stdin pseudo-file name in curl_mime_filedata(). + + This feature is badly supported in Windows: as a replacement, a caller has + to use curl_mime_data_cb() with fread, fseek and possibly fclose + callbacks to process opened files. + + The cli tool and documentation are updated accordingly. + + The feature is however kept internally for form API compatibility, with + the known caveats it always had. + + As a side effect, stdin size is not determined by the cli tool even if + possible and this results in a chunked transfer encoding. Test 173 is + updated accordingly. + +- mime: fix some implicit curl_off_t --> size_t conversion warnings. + +- mime: tests and examples. + + Additional mime-specific tests. + Existing tests updated to reflect small differences (Expect: 100-continue, + data size change due to empty lines, etc). + Option -F headers= keyword added to tests. + test1135 disabled until the entry point order change is resolved. + New example smtp-mime. + Examples postit2 and multi-post converted from form API to mime API. + +- mime: use in curl cli tool instead of form API. + + Extended -F option syntax to support multipart mail messages. + -F keyword headers= added to include custom headers in parts. + Documentation upgraded. + +- mime: new MIME API. + + Available in HTTP, SMTP and IMAP. + Deprecates the FORM API. + See CURLOPT_MIMEPOST. + Lib code and associated documentation. + +- test564: Add a warning comment about shell profile output. + + Shell profile output makes the SSH server failing and this problem reason + is not easy to find when no hint is given. + +- checksrc: disable SPACEBEFOREPAREN for case statement. + + The case keyword may be followed by a constant expression and thus should + allow it to start with an open parenthesis. + +- runtests.pl: allow tags in client section. + + This enables tests to create more than one file on the client side. + +- runtests.pl: Apply strippart to upload too. + + This will allow substitution of boundaries in mail messages. + +- Curl_base64_encode: always call with a real data handle. + + Some calls in different modules were setting the data handle to NULL, causing + segmentation faults when using builds that enable character code conversions. + +- non-ascii: allow conversion functions to be called with a NULL data handle. + +- http: fix a memory leakage in checkrtspprefix(). + +Daniel Stenberg (2 Sep 2017) +- [Max Dymond brought this change] + + ossfuzz: Move to C++ for curl_fuzzer. + + Automake gets confused if you want to use C++ static libraries with C + code - basically we need to involve the clang++ linker. The easiest way + of achieving this is to rename the C code as C++ code. This gets us a + bit further along the path and ought to be compatible with Google's + version of clang. + +- curl_global_sslset: select backend by name case insensitively + + Closes #1849 + +- [Max Dymond brought this change] + + ossfuzz: additional seed corpora + + Create simple seed corpora for: + - FTP + - telnet + - dict + - tftp + - imap + - pop3 + + based off the tests of the same number. + + Closes #1842 + +- [Max Dymond brought this change] + + ossfuzz: moving towards the ideal integration + + - Start with the basic code from the ossfuzz project. + - Rewrite fuzz corpora to be binary files full of Type-Length-Value + data, and write a glue layer in the fuzzing function to convert + corpora into CURL options. + - Have supporting functions to generate corpora from existing tests + - Integrate with Makefile.am + +- strcase: corrected comment header for Curl_strcasecompare() + +- unit1301: fix error message on first test + +- curl_global_sslset.3: show the struct and enum too + + ... so that users can actually write code based on the man page alone, + not having to read the header file. + +Jay Satiro (31 Aug 2017) +- darwinssl: handle long strings in TLS certs (follow-up) + + - Fix handling certificate subjects that are already UTF-8 encoded. + + Follow-up to b3b75d1 from two days ago. Since then a copy would be + skipped if the subject was already UTF-8, possibly resulting in a NULL + deref later on. + + Ref: https://github.com/curl/curl/issues/1823 + Ref: https://github.com/curl/curl/pull/1831 + + Closes https://github.com/curl/curl/pull/1836 + +Daniel Stenberg (31 Aug 2017) +- cyassl: call it the "WolfSSL" backend + + ... instead of cyassl, as this is the current name for it. + + Closes #1844 + +- polarssl: fix multissl breakage + + Reported-by: Dan Fandrich + Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html + Closes #1843 + +- configure: remove the leading comma from the backends list + + ... when darwinssl is used. + + Reported-by: Viktor Szakats + Bug: https://github.com/curl/curl/commit/b0989cd3abaff4f9a0717b4875022fa79e33b481#commitcomment-23943493 + + Closes #1845 + +Kamil Dudka (30 Aug 2017) +- examples/sslbackend.c: fix failure of 'make checksrc' + + ./sslbackend.c:58:3: warning: else after closing brace on same line (BRACEELSE) + } else if(isdigit(*name)) { + ^ + ./sslbackend.c:62:3: warning: else after closing brace on same line (BRACEELSE) + } else + ^ + +Viktor Szakats (30 Aug 2017) +- makefile.m32: add multissl support + + Closes https://github.com/curl/curl/pull/1840 + +Daniel Stenberg (30 Aug 2017) +- curl.h: CURLSSLBACKEND_WOLFSSL used wrong value + + The CURLSSLBACKEND_WOLFSSL is supposed to be an alias for + CURLSSLBACKEND_CYASSL, but used an erronous value. To reduce the risk + for a similar mistake, define the backend aliases to use the enum values + instead. + + Reported-by: Gisle Vanem + Bug: https://curl.haxx.se/mail/lib-2017-08/0120.html + +- curl_global_sslset.3: clarify + + it is a one time *set*, not necessarily a one time use... it can be + called again if the first call failed or just listed the alternatives. + + clarify that the available backends are the ones this build supports + + plus add some formatting + + Reported-by: Rich Gray + Bug: https://curl.haxx.se/mail/lib-2017-08/0119.html + +- curl/multi.h: remove duplicated closing c++ brace + + Regression since 1328f69d53f2f2e93 + + Fixes #1841 + Reported-by: Andrei Karas + +- RELEASE-NOTES: synced with 8c33c963a + +- HELP-US.md: spelling + +- HELP-US.md: "How to get started helping out in the curl project" + + Closes #1837 + +Dan Fandrich (29 Aug 2017) +- asyn-thread: Fixed cleanup after OOM + + destroy_async_data() assumes that if the flag "done" is not set yet, the + thread itself will clean up once the request is complete. But if an + error (generally OOM) occurs before the thread even has a chance to + start, it will never get a chance to clean up and memory will be leaked. + By clearing "done" only just before starting the thread, the correct + cleanup sequence will happen in all cases. + +Daniel Stenberg (28 Aug 2017) +- curl_global_init.3: mention curl_global_sslset(3) + +Dan Fandrich (28 Aug 2017) +- unit1606: Fixed shadowed variable warning + +- asyn-thread: Improved cleanup after OOM situations + +- asyn-thread: Set errno to the proper value ENOMEM in OOM situation + + This used to be set in some configurations to EAI_MEMORY which is not a + valid value for errno and caused Curl_strerror to fail an assertion. + +Daniel Stenberg (28 Aug 2017) +- [Johannes Schindelin brought this change] + + configure: Handle "MultiSSL" specially When versioning symbols + + There is a mode in which libcurl is compiled with versioned symbols, + depending on the active SSL backend. + + When multiple SSL backends are active, it does not make sense to favor + one over the others, so let's not: introduce a new prefix for the case + where multiple SSL backends are compiled into cURL. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + configure: allow setting the default SSL backend + + Previously, we used as default SSL backend whatever was first in the + `available_backends` array. + + However, some users may want to override that default without patching + the source code. + + Now they can: with the --with-default-ssl-backend= option of + the ./configure script. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: use Curl_ssl_multi pseudo backend only when needed + + When only one SSL backend is configured, it is totally unnecessary to + let multissl_init() configure the backend at runtime, we can select the + correct backend at build time already. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + version: if built with more than one SSL backend, report all of them + + To discern the active one from the inactive ones, put the latter into + parentheses. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + version: add the CURL_VERSION_MULTI_SSL feature flag + + This new feature flag reports When cURL was built with multiple SSL + backends. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + metalink: allow compiling with multiple SSL backends + + Previously, the code assumed that at most one of the SSL backends would + be compiled in, emulating OpenSSL's functions if the configured backend + was not OpenSSL itself. + + However, now we allow building with multiple SSL backends and choosing + one at runtime. Therefore, metalink needs to be adjusted to handle this + scenario, too. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + docs/examples: demonstrate how to select SSL backends + + The newly-introduced curl_global_sslset() function deserves to be + show-cased. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + Add a man page for curl_global_sslset() + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: introduce curl_global_sslset() + + Let's add a compile time safe API to select an SSL backend. This + function needs to be called *before* curl_global_init(), and can be + called only once. + + Side note: we do not explicitly test that it is called before + curl_global_init(), but we do verify that it is not called multiple times + (even implicitly). + + If SSL is used before the function was called, it will use whatever the + CURL_SSL_BACKEND environment variable says (or default to the first + available SSL backend), and if a subsequent call to + curl_global_sslset() disagrees with the previous choice, it will fail + with CURLSSLSET_TOO_LATE. + + The function also accepts an "avail" parameter to point to a (read-only) + NULL-terminated list of available backends. This comes in real handy if + an application wants to let the user choose between whatever SSL backends + the currently available libcurl has to offer: simply call + + curl_global_sslset(-1, NULL, &avail); + + which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail + variable to point to the relevant information to present to the user. + + Just like with the HTTP/2 push functions, we have to add the function + declaration of curl_global_sslset() function to the header file + *multi.h* because VMS and OS/400 require a stable order of functions + declared in include/curl/*.h (where the header files are sorted + alphabetically). This looks a bit funny, but it cannot be helped. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: refactor out essential information about the SSL backends + + There is information about the compiled-in SSL backends that is really + no concern of any code other than the SSL backend itself, such as which + function (if any) implements SHA-256 summing. + + And there is information that is really interesting to the user, such as + the name, or the curl_sslbackend value. + + Let's factor out the latter into a publicly visible struct. This + information will be used in the upcoming API to set the SSL backend + globally. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: allow selecting which SSL backend to use at runtime + + When building software for the masses, it is sometimes not possible to + decide for all users which SSL backend is appropriate. + + Git for Windows, for example, uses cURL to perform clones, fetches and + pushes via HTTPS, and some users strongly prefer OpenSSL, while other + users really need to use Secure Channel because it offers + enterprise-ready tools to manage credentials via Windows' Credential + Store. + + The current Git for Windows versions use the ugly work-around of + building libcurl once with OpenSSL support and once with Secure Channel + support, and switching out the binaries in the installer depending on + the user's choice. + + Needless to say, this is a super ugly workaround that actually only + works in some cases: Git for Windows also comes in a portable form, and + in a form intended for third-party applications requiring Git + functionality, in which cases this "swap out libcurl-4.dll" simply is + not an option. + + Therefore, the Git for Windows project has a vested interest in teaching + cURL to make the SSL backend a *runtime* option. + + This patch makes that possible. + + By running ./configure with multiple --with- options, cURL will + be built with multiple backends. + + For the moment, the backend can be configured using the environment + variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and + "schannel"). + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: fold the backend ID into the Curl_ssl structure + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + curl_ntlm_core: don't complain but #include OpenSSL header if needed + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: encapsulate SSL backend-specific data + + So far, all of the SSL backends' private data has been declared as + part of the ssl_connect_data struct, in one big #if .. #elif .. #endif + block. + + This can only work as long as the SSL backend is a compile-time option, + something we want to change in the next commits. + + Therefore, let's encapsulate the exact data needed by each SSL backend + into a private struct, and let's avoid bleeding any SSL backend-specific + information into urldata.h. This is also necessary to allow multiple SSL + backends to be compiled in at the same time, as e.g. OpenSSL's and + CyaSSL's headers cannot be included in the same .c file. + + To avoid too many malloc() calls, we simply append the private structs + to the connectdata struct in allocate_conn(). + + This requires us to take extra care of alignment issues: struct fields + often need to be aligned on certain boundaries e.g. 32-bit values need to + be stored at addresses that divide evenly by 4 (= 32 bit / 8 + bit-per-byte). + + We do that by assuming that no SSL backend's private data contains any + fields that need to be aligned on boundaries larger than `long long` + (typically 64-bit) would need. Under this assumption, we simply add a + dummy field of type `long long` to the `struct connectdata` struct. This + field will never be accessed but acts as a placeholder for the four + instances of ssl_backend_data instead. the size of each ssl_backend_data + struct is stored in the SSL backend-specific metadata, to allow + allocate_conn() to know how much extra space to allocate, and how to + initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend + pointers. + + This would appear to be a little complicated at first, but is really + necessary to encapsulate the private data of each SSL backend correctly. + And we need to encapsulate thusly if we ever want to allow selecting + CyaSSL and OpenSSL at runtime, as their headers cannot be included within + the same .c file (there are just too many conflicting definitions and + declarations for that). + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: prepare the SSL backends for encapsulated private data + + At the moment, cURL's SSL backend needs to be configured at build time. + As such, it is totally okay for them to hard-code their backend-specific + data in the ssl_connect_data struct. + + In preparation for making the SSL backend a runtime option, let's make + the access of said private data a bit more abstract so that it can be + adjusted later in an easy manner. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + urldata.h: move SSPI-specific #include to correct location + + In 86b889485 (sasl_gssapi: Added GSS-API based Kerberos V5 variables, + 2014-12-03), an SSPI-specific field was added to the kerberos5data + struct without moving the #include "curl_sspi.h" later in the same file. + + This broke the build when SSPI was enabled, unless Secure Channel was + used as SSL backend, because it just so happens that Secure Channel also + requires "curl_sspi.h" to be #included. + + In f4739f639 (urldata: include curl_sspi.h when Windows SSPI is enabled, + 2017-02-21), this bug was fixed incorrectly: Instead of moving the + appropriate conditional #include, the Secure Channel-conditional part + was now also SSPI-conditional. + + Fix this problem by moving the correct #include instead. + + This is also required for an upcoming patch that moves all the Secure + Channel-specific stuff out of urldata.h and encapsulates it properly in + vtls/schannel.c instead. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + urldata.h: remove support for obsolete PolarSSL version + + Since 5017d5ada (polarssl: now require 1.3.0+, 2014-03-17), we require + a newer PolarSSL version. No need to keep code trying to support any + older version. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + getinfo: access SSL internals via Curl_ssl + + In the ongoing endeavor to abstract out all SSL backend-specific + functionality, this is the next step: Instead of hard-coding how the + different SSL backends access their internal data in getinfo.c, let's + implement backend-specific functions to do that task. + + This will also allow for switching SSL backends as a runtime option. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: move SSL backends' private constants out of their header files + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + axtls: use Curl_none_* versions of init() and cleanup() + + There are convenient no-op versions of the init/cleanup functions now, + no need to define private ones for axTLS. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: remove obsolete declarations of SSL backend functionality + + These functions are all available via the Curl_ssl struct now, no need + to declare them separately anymore. + + As the global declarations are removed, the corresponding function + definitions are marked as file-local. The only two exceptions here are + Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the + declarations were removed, there are no function definitions to mark + file-local. + + Please note that Curl_nss_force_init() is *still* declared globally, as + the only SSL backend-specific function, because it was introduced + specifically for the use case where cURL was compiled with + `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add + support for NSS, 2010-06-27). + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + schannel: reorder functions topologically + + The _shutdown() function calls the _session_free() function; While this + is not a problem now (because schannel.h declares both functions), a + patch looming in the immediate future with make all of these functions + file-local. + + So let's just move the _session_free() function's definition before it + is called. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + axtls: reorder functions topologically + + The connect_finish() function (like many other functions after it) calls + the Curl_axtls_close() function; While this is not a problem now + (because axtls.h declares the latter function), a patch looming in the + immediate future with make all of these functions file-local. + + So let's just move the Curl_axtls_close() function's definition before + it is called. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct + + That will allow us to choose the SSL backend at runtime. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: convert the have_curlssl_* constants to runtime flags + + The entire idea of introducing the Curl_ssl struct to describe SSL + backends is to prepare for choosing the SSL backend at runtime. + + To that end, convert all the #ifdef have_curlssl_* style conditionals + to use bit flags instead. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: move sha256sum into the Curl_ssl struct + + The SHA-256 checksumming is also an SSL backend-specific function. + Let's include it in the struct declaring the functionality of SSL + backends. + + In contrast to MD5, there is no fall-back code. To indicate this, the + respective entries are NULL for those backends that offer no support for + SHA-256 checksumming. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: move md5sum into the Curl_ssl struct + + The MD5 summing is also an SSL backend-specific function. So let's + include it, offering the previous fall-back code as a separate function + now: Curl_none_md5sum(). To allow for that, the signature had to be + changed so that an error could be returned from the implementation + (Curl_none_md5sum() can run out of memory). + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: use the Curl_ssl struct to access all SSL backends' functionality + + This is the first step to unify the SSL backend handling. Now all the + SSL backend-specific functionality is accessed via a global instance of + the Curl_ssl struct. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: declare Curl_ssl structs for every SSL backend + + The idea of introducing the Curl_ssl struct was to unify how the SSL + backends are declared and called. To this end, we now provide an + instance of the Curl_ssl struct for each and every SSL backend. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: introduce a new struct for SSL backends + + This new struct is similar in nature to Curl_handler: it will define the + functions and capabilities of all the SSL backends (where Curl_handler + defines the functions and capabilities of protocol handlers). + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: make sure every _sha256sum()'s first arg is const + + This patch makes the signature of the _sha256sum() functions consistent + among the SSL backends, in preparation for unifying the way all SSL + backends are accessed. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: make sure all _data_pending() functions return bool + + This patch makes the signature of the _data_pending() functions + consistent among the SSL backends, in preparation for unifying the way + all SSL backends are accessed. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: make sure all _cleanup() functions return void + + This patch makes the signature of the _cleanup() functions consistent + among the SSL backends, in preparation for unifying the way all SSL + backends are accessed. + + Signed-off-by: Johannes Schindelin + +- [Johannes Schindelin brought this change] + + vtls: use consistent signature for _random() implementations + + This will make the upcoming multissl backend much easier to implement. + + Signed-off-by: Johannes Schindelin + +- strtooff: fix build for systems with long long but no strtoll option + + Closes #1829 + + Reported-by: Dan Fandrich + Bug: https://github.com/curl/curl/pull/1758#issuecomment-324861615 + +- darwinssl: handle long strings in TLS certs + + ... as the previous fixed length 128 bytes buffer was sometimes too + small. + + Fixes #1823 + Closes #1831 + + Reported-by: Benjamin Sergeant + Assisted-by: Bill Pyne, Ray Satiro, Nick Zitzmann + +- system.h: include sys/poll.h for AIX + + ... to get the event/revent defines that might be used for the poll + struct. + + Reported-by: Michael Smith + Fixes #1828 + Closes #1833 + +Dan Fandrich (26 Aug 2017) +- tests: Make sure libtests & unittests call curl_global_cleanup() + + These were missed in commit c468c27b. + +Jay Satiro (26 Aug 2017) +- [theantigod brought this change] + + winbuild: fix embedded manifest option + + Embedded manifest option didn't work due to incorrect path. + + Fixes https://github.com/curl/curl/issues/1832 + +Daniel Stenberg (25 Aug 2017) +- fuzz/Makefile.am: remove curlbuild.h leftovers + +- examples/threaded-ssl: mention that this is for openssl before 1.1 + +- imap: use defined names for response codes + + When working on this code I found the previous setup a bit weird while + using proper defines increases readability. + + Closes #1824 + +- CURLOPT_USERPWD.3: see also CURLOPT_PROXYUSERPWD + +- imap: support PREAUTH + + It is a defined possible greeting at server startup that means the + connection is already authenticated. See + https://tools.ietf.org/html/rfc3501#section-7.1.4 + + Test 846 added to verify. + + Fixes #1818 + Closes #1820 + +Jay Satiro (23 Aug 2017) +- config-tpf: define SIZEOF_LONG + + Recent changes that replaced CURL_SIZEOF_LONG in the source with + SIZEOF_LONG broke builds that use the premade configuration files and + don't have SIZEOF_LONG defined. + + Bug: https://github.com/curl/curl/issues/1816 + +Dan Fandrich (23 Aug 2017) +- test1453: Fixed + +Daniel Stenberg (22 Aug 2017) +- [Gisle Vanem brought this change] + + config-dos: add missing defines, SIZEOF_* and two others + + Bug: #1816 + +- curl: shorten and clean up CA cert verification error message + + The previous message was just too long for ordinary people and it was + encouraging users to use `--insecure` a little too easy. + + Based-on-work-by: Frank Denis + + Closes #1810 + Closes #1817 + +- request-target.d: mention added in 7.55.0 + +Marcel Raad (22 Aug 2017) +- tool_main: turn off MinGW CRT's globbing + + By default, the MinGW CRT globs command-line arguments. This prevents + getting a single asterisk into an argument as test 1299 does. Turn off + globbing by setting the global variable _CRT_glob to 0 for MinGW. + + Fixes https://github.com/curl/curl/issues/1751 + Closes https://github.com/curl/curl/pull/1813 + +Viktor Szakats (22 Aug 2017) +- makefile.m32: add support for libidn2 + + libidn was replaced with libidn2 last year in configure. + Caveat: libidn2 may depend on a list of further libs. + These can be manually specified via CURL_LDFLAG_EXTRAS. + + Closes https://github.com/curl/curl/pull/1815 + +Jay Satiro (22 Aug 2017) +- [Viktor Szakats brought this change] + + config-win32: define SIZEOF_LONG + + Recent changes that replaced CURL_SIZEOF_LONG in the source with + SIZEOF_LONG broke builds that use the premade configuration files and + don't have SIZEOF_LONG defined. + + Closes https://github.com/curl/curl/pull/1814 + +Daniel Stenberg (20 Aug 2017) +- cmake: enable picky compiler options with clang and gcc + + closes #1799 + +- curl/system.h: fix build for hppa + + Reported-by: John David Anglin + Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872502#10 + +- [Even Rouault brought this change] + + tftp: fix memory leak on too long filename + + Fixes + + $ valgrind --leak-check=full ~/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz + + ==9752== Memcheck, a memory error detector + ==9752== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. + ==9752== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info + ==9752== Command: /home/even/install-curl-git/bin/curl tftp://localhost/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaz + ==9752== + curl: (71) TFTP file name too long + + ==9752== + ==9752== HEAP SUMMARY: + ==9752== 505 bytes in 1 blocks are definitely lost in loss record 11 of 11 + ==9752== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) + ==9752== by 0x4E61CED: Curl_urldecode (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x4E75868: tftp_state_machine (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x4E761B6: tftp_do (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x4E711B6: multi_runsingle (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x4E71D00: curl_multi_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x4E6950D: curl_easy_perform (in /home/even/install-curl-git/lib/libcurl.so.4.4.0) + ==9752== by 0x40E0B7: operate_do (in /home/even/install-curl-git/bin/curl) + ==9752== by 0x40E849: operate (in /home/even/install-curl-git/bin/curl) + ==9752== by 0x402693: main (in /home/even/install-curl-git/bin/curl) + + Fixes https://oss-fuzz.com/v2/testcase-detail/5232311106797568 + Credit to OSS Fuzz + + Closes #1808 + +Dan Fandrich (19 Aug 2017) +- runtests: fixed case insensitive matching of keywords + + Commit 5c2aac71 didn't work in the case of mixed-case keywords given on + the command-line. + +- tests: Make sure libtests call curl_global_cleanup() + + This ensures that global data allocations are freed so Valgrind stays + happy. This was a problem with at least PolarSSL and mbedTLS. + +Daniel Stenberg (18 Aug 2017) +- RELEASE-NOTES: synced with 8baead425 + +- scripts/contri*sh: use "git log --use-mailmap" + +- mailmap: de-duplify some git authors + +- http2_recv: return error better on fatal h2 errors + + Ref #1012 + Figured-out-by: Tatsuhiro Tsujikawa + +- KNOWN_BUGS: HTTP test server 'connection-monitor' problems + + Closes #868 + +- curl/system.h: check for __ppc__ as well + + ... regression since issue #1774 (commit 10b3df10596a) since obviously + some older gcc doesn't know __powerpc__ while some newer doesn't know + __ppc__ ... + + Fixes #1797 + Closes #1798 + Reported-by: Ryan Schmidt + +- [Jan Alexander Steffens (heftig) brought this change] + + http: Don't wait on CONNECT when there is no proxy + + Since curl 7.55.0, NetworkManager almost always failed its connectivity + check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP + CONNECT process entirely non-blocking). + + This patch replaces !Curl_connect_complete with Curl_connect_ongoing, + which returns false if the CONNECT state was left uninitialized and lets + the connection continue. + + Closes #1803 + Fixes #1804 + + Also-fixed-by: Gergely Nagy + +- [Johannes Schindelin brought this change] + + metalink: adjust source code style + + Signed-off-by: Johannes Schindelin + +- CURL_SIZEOF_LONG: removed, use only SIZEOF_LONG + +- lib557: no longer use CURL_SIZEOF_* defines + +- config-win32: define SIZEOF_CURL_OFF_T + +- cmake: sizeof curl_off_t, remove unused detections + +- system.h: remove all CURL_SIZEOF_* defines + + ... as they're not used externally and internally we check for the sizes + already in configure etc. + + Closes #1767 + +- ftp: fix CWD when doing multicwd then nocwd on same connection + + Fixes #1782 + Closes #1787 + Reported-by: Peter Lamare + +- CURLOPT_SSH_COMPRESSION.3: enable with 1L + + (leaves other values reserved for the future) + +- compressed-ssh.d: "Added: 7.56.0" + +- curl/system.h: checksrc compliance + +Jay Satiro (17 Aug 2017) +- [Viktor Szakats brought this change] + + ssh: add the ability to enable compression (for SCP/SFTP) + + The required low-level logic was already available as part of + `libssh2` (via `LIBSSH2_FLAG_COMPRESS` `libssh2_session_flag()`[1] + option.) + + This patch adds the new `libcurl` option `CURLOPT_SSH_COMPRESSION` + (boolean) and the new `curl` command-line option `--compressed-ssh` + to request this `libssh2` feature. To have compression enabled, it + is required that the SSH server supports a (zlib) compatible + compression method and that `libssh2` was built with `zlib` support + enabled. + + [1] https://www.libssh2.org/libssh2_session_flag.html + + Ref: https://github.com/curl/curl/issues/1732 + Closes https://github.com/curl/curl/pull/1735 + +- examples/ftpuploadresume: checksrc compliance + +- [Maksim Stsepanenka brought this change] + + http_proxy: fix build error for CURL_DOES_CONVERSIONS + + Closes https://github.com/curl/curl/pull/1793 + +GitHub (16 Aug 2017) +- [Nick Zitzmann brought this change] + + configure: check for __builtin_available() availability (#1788) + + This change does two things: + 1. It un-breaks the build in Xcode 9.0. (Xcode 9.0 is currently + failing trying to compile connectx() in lib/connect.c.) + 2. It finally weak-links the connectx() function, and falls back on + connect() when run on older operating systems. + +Daniel Stenberg (16 Aug 2017) +- travis: add metalink to some osx builds + + Closes #1790 + +- [Max Dymond brought this change] + + coverage: Use two coveralls commands to get lib/vtls results + + closes #1747 + +- darwinssi: fix error: variable length array used + +- m4/curl-compilers.m4: use proper quotes around string, not backticks + + ... when setting clang version to assume 3.7 + + Caused a lot of "integer expression expected" warnings by configure. + +- [Benbuck Nason brought this change] + + cmake: remove dead code for DISABLED_THREADSAFE + + Closes #1786 + +Jay Satiro (15 Aug 2017) +- [Jakub Zakrzewski brought this change] + + curl-confopts.m4: fix --disable-threaded-resolver + + Closes https://github.com/curl/curl/issues/1784 + +Daniel Stenberg (15 Aug 2017) +- [Ryan Winograd brought this change] + + progress: Track total times following redirects + + Update the progress timers `t_nslookup`, `t_connect`, `t_appconnect`, + `t_pretransfer`, and `t_starttransfer` to track the total times for + these activities when a redirect is followed. Previously, only the times + for the most recent request would be tracked. + + Related changes: + + - Rename `Curl_pgrsResetTimesSizes` to `Curl_pgrsResetTransferSizes` + now that the function only resets transfer sizes and no longer + modifies any of the progress timers. + + - Add a bool to the `Progress` struct that is used to prevent + double-counting `t_starttransfer` times. + + Added test case 1399. + + Fixes #522 and Known Bug 1.8 + Closes #1602 + Reported-by: joshhe on github + +- [Benbuck Nason brought this change] + + cmake: remove dead code for CURL_DISABLE_RTMP + + Closes #1785 + +Kamil Dudka (15 Aug 2017) +- zsh.pl: produce a working completion script again + + Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help + to use and instead of FILE and DIR, which caused zsh.pl to + produce a broken completion script: + + % curl -- + _curl:10: no such file or directory: seconds + + Closes #1779 + +Daniel Stenberg (15 Aug 2017) +- curlver: toward 7.56.0? + +- RELEASE-NOTES: synced with 91c46dc44 + +- test1449: FTP download range with an too large size + +- strtoofft: reduce integer overflow risks globally + + ... make sure we bail out on overflows. + + Reported-by: Brian Carpenter + Closes #1758 + +- travis: build the examples too + + to make sure they keep building warning-free + + Closes #1777 + +- runtests: match keywords case insensitively + +- examples/ftpuploadresume.c: use portable code + + ... converted from the MS specific _snscanf() + +Version 7.55.1 (13 Aug 2017) + +Daniel Stenberg (13 Aug 2017) +- RELEASE-NOTES/THANKS: curl 7.55.1 release time + +- gitignore: ignore .xz now instead of .lzma + +- [Sergei Nikulov brought this change] + + cmake: Threads detection update. ref: #1702 + + Closes #1719 + +- ipv6_scope: support unique local addresses + + Fixes #1764 + Closes #1773 + Reported-by: James Slaughter + +- [Alex Potapenko brought this change] + + curl/system.h: GCC doesn't define __ppc__ on PowerPC, uses __powerpc__ + + Closes #1774 + +- test1448: verify redirect to IDN using URL + + Closes #1772 + +- [Salah-Eddin Shaban brought this change] + + redirect: skip URL encoding for host names + + This fixes redirects to IDN URLs + + Fixes #1441 + Closes #1762 + Reported by: David Lord + +- test2032: mark as flaky (again) + +- travis: test cmake build on tarball too + + Could've prevented #1755 + +- [Simon Warta brought this change] + + cmake: allow user to override CMAKE_DEBUG_POSTFIX + + Closes #1763 + +- connect-to.d: better language + +- connect-to.d: clarified + +- bagder/Curl_tvdiff_us: fix the math + + Regression since adef394ac5 (released in 7.55.0) + + Reported-by: Han Qiao + Fixes #1769 + Closes #1771 + +- curl/system.h: add Oracle Solaris Studio + + Fixes #1752 + +- [Alessandro Ghedini brought this change] + + docs: fix typo funtion -> function + + Closes #1770 + +Alessandro Ghedini (12 Aug 2017) +- docs: fix grammar in CURL_SSLVERSION_MAX_DEFAULT description + +- docs: fix typo stuct -> struct + +Dan Fandrich (12 Aug 2017) +- test1447: require a curl with http support + +Daniel Stenberg (11 Aug 2017) +- [Thomas Petazzoni brought this change] + + curl/system.h: support more architectures + + The long list of architectures in include/curl/system.h is annoying to + maintain, and needs to be extended for each and every architecture to + support. + + Instead, let's rely on the __SIZEOF_LONG__ define of the gcc compiler + (we are in the GNUC condition anyway), which tells us if long is 4 + bytes or 8 bytes. + + This fixes the build of libcurl 7.55.0 on architectures such as + OpenRISC or ARC. + + Closes #1766 + + Signed-off-by: Thomas Petazzoni + +- test2033: this went flaky again + + Suspicion: when we enabled the threaded resolver by default. + +- test1447: verifies the parse proxy fix in 6e0e152ce5c + +- [Even Rouault brought this change] + + parse_proxy(): fix memory leak in case of invalid proxy server name + + Fixes the below leak: + + $ valgrind --leak-check=full ~/install-curl-git/bin/curl --proxy "http://a:b@/x" http://127.0.0.1 + curl: (5) Couldn't resolve proxy name + ==5048== + ==5048== HEAP SUMMARY: + ==5048== in use at exit: 532 bytes in 12 blocks + ==5048== total heap usage: 5,288 allocs, 5,276 frees, 445,271 bytes allocated + ==5048== + ==5048== 2 bytes in 1 blocks are definitely lost in loss record 1 of 12 + ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) + ==5048== by 0x4E6CB79: parse_login_details (url.c:5614) + ==5048== by 0x4E6BA82: parse_proxy (url.c:5091) + ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346) + ==5048== by 0x4E6EA18: create_conn (url.c:6498) + ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967) + ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436) + ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160) + ==5048== by 0x4E7C515: easy_transfer (easy.c:708) + ==5048== by 0x4E7C74A: easy_perform (easy.c:794) + ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813) + ==5048== by 0x414025: operate_do (tool_operate.c:1563) + ==5048== + ==5048== 2 bytes in 1 blocks are definitely lost in loss record 2 of 12 + ==5048== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) + ==5048== by 0x4E6CBB6: parse_login_details (url.c:5621) + ==5048== by 0x4E6BA82: parse_proxy (url.c:5091) + ==5048== by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346) + ==5048== by 0x4E6EA18: create_conn (url.c:6498) + ==5048== by 0x4E6F9B4: Curl_connect (url.c:6967) + ==5048== by 0x4E86D05: multi_runsingle (multi.c:1436) + ==5048== by 0x4E88432: curl_multi_perform (multi.c:2160) + ==5048== by 0x4E7C515: easy_transfer (easy.c:708) + ==5048== by 0x4E7C74A: easy_perform (easy.c:794) + ==5048== by 0x4E7C7B1: curl_easy_perform (easy.c:813) + ==5048== by 0x414025: operate_do (tool_operate.c:1563) + + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2984 + Credit to OSS Fuzz for discovery + + Closes #1761 + +- RELEASE-NOTES: synced with 37f2195a9 + +- curlver: bump to 7.55.1 + +- openssl: fix "error: this statement may fall through" + + A gcc7 warning. + +- [David Benjamin brought this change] + + openssl: remove CONST_ASN1_BIT_STRING. + + Just making the pointer as const works for the pre-1.1.0 path too. + + Closes #1759 + +- maketgz: remove old *.dist files before making the tarball + + To avoid "old crap" unintentionally getting shipped. + + Bug: https://curl.haxx.se/mail/lib-2017-08/0050.html + Reported-by: Christian Weisgerber + +Jay Satiro (10 Aug 2017) +- mkhelp.pl: allow executing this script directly + + - Enable execute permission (chmod +x) + + - Change interpreter to /usr/bin/env perl + + Ref: https://github.com/curl/curl/issues/1743 + +Daniel Stenberg (10 Aug 2017) +- configure: use the threaded resolver backend by default if possible + + Closes #1647 + +- cmake: move cmake_uninstall.cmake to CMake/ + + Closes #1756 + +- metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead + +- dist: fix the cmake build by shipping cmake_uninstall.cmake.in too + + Fixes #1755 + +- travis: verify "make install" + + Help-by: Jay Satiro + Closes #1753 + +Marcel Raad (10 Aug 2017) +- build: check out *.sln files with Windows line endings + + Visual Studio doesn't like LF line endings in solution files and always + converts them to CRLF when doing changes to the solution. Notably, this + affects the solutions in the release archive. + + Closes https://github.com/curl/curl/pull/1746 + +- gitignore: ignore top-level .vs folder + + This folder is generated when using the CMake build system from within + Visual Studio. + + Closes https://github.com/curl/curl/pull/1746 + +Jay Satiro (10 Aug 2017) +- digest_sspi: Don't reuse context if the user/passwd has changed + + Bug: https://github.com/curl/curl/issues/1685 + Reported-by: paulharris@users.noreply.github.com + + Assisted-by: Isaac Boukris + + Closes https://github.com/curl/curl/pull/1742 + +Daniel Stenberg (9 Aug 2017) +- [Adam Sampson brought this change] + + dist: Add dictserver.py/negtelnetserver.py to EXTRA_DIST + + These weren't included in the 7.55.0 release, but are required in order + to run the full test suite. + + Closes #1744 + +- [Adam Sampson brought this change] + + curl: do bounds check using a double comparison + + The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't + complete: if the parsed number in num is larger than will fit in a long, + the conversion is undefined behaviour (causing test1427 to fail for me + on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting + rid of the cast means the comparison will be done using doubles. + + It might make more sense for the max argument to also be a double... + + Fixes #1750 + Closes #1749 + +- make install: add 8 missing man pages to the installation + +- build: fix 'make install' with configure, install docs/libcurl/* too + + Broken since d24838d4da9faa + + Reported-by: Bernard Spil + +Version 7.55.0 (9 Aug 2017) + +Daniel Stenberg (9 Aug 2017) +- RELEASE-NOTES: curl 7.55.0 + +- THANKS: 20 new contributors in 7.55.0 + +- [Viktor Szakats brought this change] + + docs/comments: Update to secure URL versions + + Closes #1741 + +- configure: fix recv/send/select detection on Android + + ... since they now provide several functions as + __attribute__((overloadable)), the argument detection logic need + updates. + + Patched-by: destman at github + + Fixes #1738 + Closes #1739 + +Marcel Raad (8 Aug 2017) +- ax_code_coverage.m4: update to latest version + + This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d + from August 01, 2017. Notably, this removes the lconv version whitelist. + + Closes https://github.com/curl/curl/pull/1716 + +Daniel Stenberg (7 Aug 2017) +- test1427: verify command line parser integer overflow detection + +- curl: detect and bail out early on parameter integer overflows + + Make the number parser aware of the maximum limit curl accepts for a + value and return an error immediately if larger, instead of running an + integer overflow later. + + Fixes #1730 + Closes #1736 + +- glob: do not continue parsing after a strtoul() overflow range + + Added test 1289 to verify. + + CVE-2017-1000101 + + Bug: https://curl.haxx.se/docs/adv_20170809A.html + Reported-by: Brian Carpenter + +- tftp: reject file name lengths that don't fit + + ... and thereby avoid telling send() to send off more bytes than the + size of the buffer! + + CVE-2017-1000100 + + Bug: https://curl.haxx.se/docs/adv_20170809B.html + Reported-by: Even Rouault + + Credit to OSS-Fuzz for the discovery + +- [Even Rouault brought this change] + + file: output the correct buffer to the user + + Regression brought by 7c312f84ea930d8 (April 2017) + + CVE-2017-1000099 + + Bug: https://curl.haxx.se/docs/adv_20170809C.html + + Credit to OSS-Fuzz for the discovery + +- easy_events: make event data static + + First: this function is only used in debug-builds and not in + release/real builds. It is used to drive tests using the event-based + API. + + A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the + CURLMOPT_TIMERFUNCTION calback can in fact be called even after this + funtion returns, namely when curl_multi_remove_handle() is called. + + Reported-by: Brian Carpenter + +- getparameter: avoid returning uninitialized 'usedarg' + + Fixes #1728 + +Marcel Raad (5 Aug 2017) +- [Isaac Boukris brought this change] + + gssapi: fix memory leak of output token in multi round context + + When multiple rounds are needed to establish a security context + (usually ntlm), we overwrite old token with a new one without free. + Found by proposed gss tests using stub a gss implementation (by + valgrind error), though I have confirmed the leak with a real + gssapi implementation as well. + + Closes https://github.com/curl/curl/pull/1733 + +- darwinssl: fix compiler warning + + clang complains: + vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive + [-Werror,-Wextra-tokens] + + This breaks the darwinssl build on Travis. Fix it by making this token + a comment. + + Closes https://github.com/curl/curl/pull/1734 + +- CMake: fix CURL_WERROR for MSVC + + When using CURL_WERROR in MSVC builds, the debug flags were overridden + by the release flags and /WX got added twice in debug mode. + + Closes https://github.com/curl/curl/pull/1715 + +Daniel Stenberg (4 Aug 2017) +- RELEASE-NOTES: synced with 561e9217c + +- test1010: verify that #1718 is fixed + + ... by doing two transfers in nocwd mode and check that there's no + superfluous CWD command. + +- FTP: skip unnecessary CWD when in nocwd mode + + ... when reusing a connection. If it didn't do any CWD previously. + + Fixes #1718 + +Marcel Raad (4 Aug 2017) +- travis: explicitly specify dist + + This makes the builds more reproducible as travis is currently rolling + out trusty as default dist [1]. Specifically, this avoids coverage + check failures when trusty is used as seen in [2] until we figure out + what's wrong. + + [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming + [2] https://github.com/curl/curl/pull/1692 + + Closes https://github.com/curl/curl/pull/1725 + +Daniel Stenberg (4 Aug 2017) +- travis: BUILD_TYPE => T + + (to make the full line appear nicer on travis web UI) + +- travis: add osx build with darwinssl + + Closes #1706 + +- darwin: silence compiler warnings + + With a clang pragma and three type fixes + + Fixes #1722 + +- BUILD.WINDOWS: mention buildconf.bat for builds off git + +- darwinssl: fix curlssl_sha256sum() compiler warnings on first argument + +- test130: verify comments in .netrc + +- [Gisle Vanem brought this change] + + netrc: skip lines starting with '#' + + Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html + +Marcel Raad (3 Aug 2017) +- CMake: set MSVC warning level to 4 + + The MSVC warning level defaults to 3 in CMake. Change it to 4, which is + consistent with the Visual Studio and NMake builds. Disable level 4 + warning C4127 for the library and additionally C4306 for the test + servers to get a clean CURL_WERROR build as that warning is raised in + some macros in older Visual Studio versions. + + Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794 + Closes https://github.com/curl/curl/pull/1711 + +Daniel Stenberg (2 Aug 2017) +- CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2 + + Reported-by: Viktor Szakats + +- CURLOPT_NETRC.3: mention the file name on windows + + ... and CURLOPT_NETRC_FILE(3). + +- travis: build osx with libressl too + +- travis: build osx with openssl too + +- tests/server/util: fix curltime mistake from 4dee50b9c80f9 + +Marcel Raad (1 Aug 2017) +- curl_threads: fix MSVC compiler warning + + Use LongToHandle to convert from long to HANDLE in the Win32 + implementation. + This should fix the following warning when compiling with + MSVC 11 (2012) in 64-bit mode: + lib\curl_threads.c(113): warning C4306: + 'type cast' : conversion from 'long' to 'HANDLE' of greater size + + Closes https://github.com/curl/curl/pull/1717 + +Daniel Stenberg (1 Aug 2017) +- BUGS: improved phrasing about security bugs + + Reported-by: Max Dymond + +- BUGS: clarify how to report security related bugs + +- [Brad Spencer brought this change] + + multi: fix request timer management + + There are some bugs in how timers are managed for a single easy handle + that causes the wrong "next timeout" value to be reported to the + application when a new minimum needs to be recomputed and that new + minimum should be an existing timer that isn't currently set for the + easy handle. When the application drives a set of easy handles via the + `curl_multi_socket_action()` API (for example), it gets told to wait the + wrong amount of time before the next call, which causes requests to + linger for a long time (or, it is my guess, possibly forever). + + Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html + +Jay Satiro (1 Aug 2017) +- curl_setup: Define CURL_NO_OLDIES for building libcurl + + .. to catch accidental use of deprecated error codes. + + Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237 + +Daniel Stenberg (1 Aug 2017) +- [Jeremy Tan brought this change] + + configure: fix the check for IdnToUnicode + + Fixes #1669 + Closes #1713 + +- http: fix response code parser to avoid integer overflow + + test 1429 and 1433 were updated to work with the stricter HTTP status line + parser. + + Closes #1714 + Reported-by: Brian Carpenter + +Jay Satiro (31 Jul 2017) +- [Dwarakanath Yadavalli brought this change] + + libcurl: Stop using error codes defined under CURL_NO_OLDIES + + Fixes https://github.com/curl/curl/issues/1688 + Closes https://github.com/curl/curl/pull/1712 + +- include.d: clarify --include is only for response headers + + Follow-up to 171f8de and de6de94. + + Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851 + Reported-by: Daniel Stenberg + +Daniel Stenberg (30 Jul 2017) +- [Jason Juang brought this change] + + cmake: support make uninstall + + Closes #1674 + +- RELEASE-NOTES: synced with 001701c47 + +Marcel Raad (29 Jul 2017) +- AppVeyor: now really use CURL_WERROR + + It was misspelled as CURL_ERROR in commit + 2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4. + + Closes https://github.com/curl/curl/pull/1686 + +Jay Satiro (29 Jul 2017) +- tool_help: clarify --include is only for response headers + + Follow-up to 171f8de. + + Ref: https://github.com/curl/curl/issues/1704 + +- splay: fix signed/unsigned mismatch warning + + Follow-up to 4dee50b. + + Ref: https://github.com/curl/curl/pull/1693 + +Daniel Stenberg (28 Jul 2017) +- include.d: clarify that it concerns the response headers + + Reported-by: olesteban at github + Fixes #1704 + +- [Johannes Schindelin brought this change] + + curl_rtmp: fix a compiler warning + + The headers of librtmp declare the socket as `int`, and on Windows, that + disagrees with curl_socket_t. + + Bug: #1652 + + Signed-off-by: Johannes Schindelin + +- test1323: verify curlx_tvdiff + +- timeval: struct curltime is a struct timeval replacement + + ... to make all libcurl internals able to use the same data types for + the struct members. The timeval struct differs subtly on several + platforms so it makes it cumbersome to use everywhere. + + Ref: #1652 + Closes #1693 + +- darwinssl: fix variable type mistake (regression) + + ... which made --tlsv1.2 not work because it would blank the max tls + version variable. + + Reported-by: Nick Miyake + Bug: #1703 + +- multi: mention integer overflow risk if using > 500 million sockets + + Reported-by: ovidiu-benea@users.noreply.github.com + + Closes #1675 + Closes #1683 + +- checksrc: escape open brace in regex + + ... to silence warning. + +Kamil Dudka (20 Jul 2017) +- nss: fix a possible use-after-free in SelectClientCert() + + ... causing a SIGSEGV in showit() in case the handle used to initiate + the connection has already been freed. + + This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803. + + Reported-by: Rob Sanders + Bug: https://bugzilla.redhat.com/1436158 + +- nss: unify the coding style of nss_send() and nss_recv() + + No changes in behavior intended by this commit. + +Marcel Raad (18 Jul 2017) +- tests/server/resolve.c: fix deprecation warning + + MSVC warns that gethostbyname is deprecated. Always use getaddrinfo + instead to fix this when IPv6 is enabled, also for IPv4 resolves. This + is also consistent with what libcurl does. + + Closes https://github.com/curl/curl/pull/1682 + +Jay Satiro (17 Jul 2017) +- darwinssl: fix pinnedpubkey build error + + - s/SessionHandle/Curl_easy/ + + Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670 + Reported-by: Gisle Vanem + +Marcel Raad (16 Jul 2017) +- rtspd: fix GCC warning after MSVC warning fix + + Older GCC warns: + /tests/server/rtspd.c:1194:10: warning: missing braces around + initializer [-Wmissing-braces] + + Fix this by using memset instead of an initializer. + +- libtest: fix MSVC warning C4706 + + With warning level 4, MSVC warns about assignments within conditional + expressions. Change the while loop to a do-while loop to fix this. This + change is also consistent with CODE_STYLE.md. + +- sockfilt: suppress conversion warning with explicit cast + + MSVC warns when implicitly casting -1 to unsigned long. + +- rtspd: fix MSVC level 4 warning + + warning C4701: potentially uninitialized local variable 'req' used + +- winbuild: re-enable warning C4127 for curl tool + + Disabled in cda19a345f6970e22fe8b7a808aeb8f086a21eac. It only needs to + be disabled for libcurl. + +- winbuild: build with warning level 4 + + This is consistent with 7bc64561a2e63ca93e4b0b31d350773ba80955c2, which + changed the warning level from 3 to 4 for the Visual Studio project + files. But disable the level 4 warning C4127 "conditional expression is + constant", as that one is issued by older versions of the Windows SDK + as well as curl itself under some circumstances. + + Closes https://github.com/curl/curl/pull/1667 + +Jay Satiro (12 Jul 2017) +- [Max Dymond brought this change] + + travis: install libidn2 + + Install libidn2 to increase test coverage (IDN tests) + + Closes https://github.com/curl/curl/pull/1673 + +Marcel Raad (12 Jul 2017) +- travis: enable warnings also in release mode + + ... to get warnings also on Linux/GCC and OSX/clang. + + Closes https://github.com/curl/curl/pull/1666 + +Daniel Stenberg (12 Jul 2017) +- [Max Dymond brought this change] + + travis: install libssh2 + + Install libssh2 to increase test coverage (SFTP, SCP) + +Marcel Raad (12 Jul 2017) +- system.h: include winsock2.h before windows.h + + ... to avoid compiler warnings if the user doesn't want + WIN32_LEAN_AND_MEAN. + +- build: remove WIN32_LEAN_AND_MEAN from individual build systems + + It's defined for all build systems in curl_setup.h since commit + beb08481d01a07a8b10938b1078a5e298b1c2912. This caused macro + redefinition warnings in the configure builds. + + Closes https://github.com/curl/curl/pull/1677 + +Jay Satiro (11 Jul 2017) +- ISSUE_TEMPLATE: Add a comment not to file security issues on github + +Marcel Raad (11 Jul 2017) +- curl_setup: always define WIN32_LEAN_AND_MEAN on Windows + + Make sure to always define WIN32_LEAN_AND_MEAN before including any + Windows headers to avoid pulling in unnecessary headers. This avoids + unnecessary macro clashes and compiler warnings. + + Ref: https://github.com/curl/curl/issues/1562 + Closes https://github.com/curl/curl/pull/1672 + +Jay Satiro (11 Jul 2017) +- strerror: Preserve Windows error code in some functions + + This is a follow-up to af02162 which removed (SET_)ERRNO macros. That + commit was an earlier draft that I committed by mistake, which was then + remedied by a5834e5 and e909de6, and now this commit. With this commit + there is now no difference between the current code and the changes that + were approved in the final draft. + + Thanks-to: Max Dymond, Marcel Raad, Daniel Stenberg, Gisle Vanem + Ref: https://github.com/curl/curl/pull/1589 + +Marcel Raad (10 Jul 2017) +- [Max Dymond brought this change] + + tests: Fix up issues with errno in test files + + Closes https://github.com/curl/curl/pull/1671 + +Daniel Stenberg (10 Jul 2017) +- errno: fix non-windows builds after af0216251b94e7 + +- [Ryan Winograd brought this change] + + make: fix docs build on OpenBSD + + Ref: #1591 + +Marcel Raad (10 Jul 2017) +- ldap: fix MinGW compiler warning + + ldap_bind_s is marked as deprecated in w32api's winldap.h shipping with + the latest original MinGW, resulting in compiler warnings since commit + f0fe66f13c93d3d0af45d9fb1231c9164e0f9dc8. Fix this for the non-SSPI + case by using ldap_simple_bind_s again instead of ldap_bind_s with + LDAP_AUTH_SIMPLE. + + Closes https://github.com/curl/curl/pull/1664 + +- curl-compilers.m4: disable warning spam with Cygwin's clang + + When building with Cygwin or MinGW, libtool uses a wrapper executable + instead of a wrapper script [1], which is written in C and throws + missing-variable-declarations warnings. Don't enable these warnings on + Cygwin and MinGW in order to avoid warnings for every executable built, + which spams the test suite output when using Cygwin's clang. + + [1] https://www.gnu.org/software/libtool/manual/html_node/Wrapper-executables.html + + Closes https://github.com/curl/curl/pull/1665 + +Jay Satiro (10 Jul 2017) +- curl_setup_once: Remove ERRNO/SET_ERRNO macros + + Prior to this change (SET_)ERRNO mapped to GetLastError/SetLastError + for Win32 and regular errno otherwise. + + I reviewed the code and found no justifiable reason for conflating errno + on WIN32 with GetLastError/SetLastError. All Win32 CRTs support errno, + and any Win32 multithreaded CRT supports thread-local errno. + + Fixes https://github.com/curl/curl/issues/895 + Closes https://github.com/curl/curl/pull/1589 + +- tool_getparam: fix potentially uninitialized err + +Marcel Raad (9 Jul 2017) +- smb: rename variable to fix shadowing warning + + GCC 4.6.3 on travis complains: + smb.c: In function ‘get_posix_time’: + smb.c:725:13: error: declaration of ‘time’ shadows a global declaration + [-Werror=shadow] + + Fix this by renaming the variable. + +- tool_cb_wrt: fix variable shadowing warning + + GCC 4.4 complains: + tool_cb_wrt.c:81: error: declaration of ‘isatty’ shadows a global + declaration + /usr/include/unistd.h:782: error: shadowed declaration is here + + Fix this by renaming the variable. + + Closes https://github.com/curl/curl/pull/1661 + +Daniel Stenberg (8 Jul 2017) +- RELEASE-NOTES: synced with be2c999b8 + +- travis: install stunnel + +- valgrind.supp: supress OpenSSL false positive seen on travis + +- travis: detect and use valgrind for normal builds + + Closes #1653 + +- travis: add SMB, DICT, TELNET torture to coverage test + +- [Paul Harris brought this change] + + cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC + + Removes BUILD_RELEASE_DEBUG_DIRS since it wasn't used anywhere. + + Closes #1649 + +- CURLOPT_POSTFIELDS.3: explain the 100-continue magic better + +- [Max Dymond brought this change] + + test1452: add telnet negotiation + + Add a basic telnet server for negotiating some telnet options before + echoing back any data that's sent to it. + + Closes #1645 + +- travis: do more tests in the coverage run + + I added a selection of torture and event tests that run "fast enough" + +- curl_easy_escape.3: mention the (lack of) encoding + + Fixes #1612 + Reported-by: Jeroen Ooms + +- [Gisle Vanem brought this change] + + memdebug: don't setbuf() if the file open failed + + Bug: https://github.com/curl/curl/issues/828#issuecomment-313475151 + +- appveyor: enable CURL_WERROR on all builds + +- cmake: add CURL_WERROR for enabling "warning as errors" + +- [Hannes Magnusson brought this change] + + cmake: remove spurious "-l" from linker flags + + Fixes #1552 + +- test506: skip if threaded-resolver + +- runtests: support "threaded-resolver" as a feature + + ... to let tests require it or skip if present + +- asyn-thread.c: fix unused variable warnings on macOS + +- http: s/TINY_INITIAL_POST_SIZE/EXPECT_100_THRESHOLD + + Make the name reflect its use better, and add a short comment describing + what it's for. + +- cmake: if inet_pton is used, bump _WIN32_WINNT + + ... and make sure inet_pton is always checked for when *not* using Windows, + which is a regression from 4fc6ebe18. + + Idea-by: Sergei Nikulov + +- select.h: avoid macro redefinition harder + + ... by checking the POLLIN define, as the header file checks don't work + on Windows. + +- inet_pton: fix include on windows to get prototype + + inet_pton() exists on Windows and gets used by our cmake builds. Make + sure the correct header file is included to avoid compiler warnings. + + Closes #1639 + +- TODO: 1.10 auto-detect proxy + + Closes #1572 + +- TODO: HTTP proxy CONNECT is non-blocking now + +- cmake: fix send/recv argument scanner for windows + + ... by simply trying the Windows argument types first. + + Fixes #1640 + +- RELEASE-NOTES: synced with 596cfb6c0 + +- [Gisle Vanem brought this change] + + smb: add support for CURLOPT_FILETIME + + Bug: https://curl.haxx.se/mail/lib-2017-07/0005.html + + Closes #1643 + +- travis: install nghttp2 on linux builds + + Closes #1642 + +- [Gisle Vanem brought this change] + + smb: fix build for djgpp/MSDOS + + bug: https://curl.haxx.se/mail/lib-2017-07/0005.html + +- configure: try ldap/lber in reversed order first + + When scanning for which LDAP libraries to use, try the -lldap -llber + combination before the reversed order since it has a greater chance of + working when linking with libcurl statically. + + Fixes #1619 + Closes #1634 + Reported-by: David E. Narváez + +- configure: remove checks for 5 functions never used + + fork, getprotobyname, inet_addr, perror, uname + + closes #1638 + +- dist: add SMB python deps into the tarball + +- [Max Dymond brought this change] + + test1451: add SMB support to the testbed + + Add test 1451 which does some very basic SMB testing using the impacket + SMB server. + + Closes #1630 + +- [Max Dymond brought this change] + + test: add impacket for SMB testing + + Import impacket 0.9.15 for use in SMB testing. This was generated by + doing "pip2.7 install -t . impacket" + + Unnecessary files for current testing were deleted. + +- travis.yml: use --enable-werror on debug builds + + ... to better detect and fault on compiler warnings/errors + + Closes #1637 + +- tool_sleep: typecast to avoid macos compiler warning + + tool_sleep.c:54:24: error: implicit conversion loses integer precision: + 'long' to '__darwin_suseconds_t' (aka 'int') + [-Werror,-Wshorten-64-to-32] + +- [Martin Kepplinger brought this change] + + timeval.c: Use long long constant type for timeval assignment + + On a 64 bit host, sparse says: + + timeval.c:148:15: warning: constant 0x7fffffffffffffff is so big it is long + timeval.c:149:12: warning: constant 0x7fffffffffffffff is so big it is long + + so let's use long long constant types in order to prevent undesired overflow + failures. + + Bug: https://curl.haxx.se/mail/lib-2017-07/0003.html + + Closes #1636 + + Signed-off-by: Martin Kepplinger + +- url: make the original string get used on subsequent transfers + + ... since CURLOPT_URL should follow the same rules as other options: + they remain set until changed or cleared. + + Added test 1551 to verify. + + Fixes #1631 + Closes #1632 + Reported-by: Pavel Rochnyak + +- [Johannes Schindelin brought this change] + + gtls: fix build when sizeof(long) < sizeof(void *) + + - Change gnutls pointer/int macros to pointer/curl_socket_t. + Prior to this change they used long type as well. + + The size of the `long` data type can be shorter than that of pointer + types. This is the case most notably on Windows. + + If C99 were acceptable, we could simply use `intptr_t` here. But we + want to retain C89 compatibility. + + Simply use the trick of performing pointer arithmetic with the NULL + pointer: to convert an integer `i` to a pointer, simply take the + address of the `i`th element of a hypothetical character array + starting at address NULL. To convert back, simply cast the pointer + difference. + + Thanks to Jay Satiro for the initial modification to use curl_socket_t + instead of int/long. + + Closes #1617 + + Signed-off-by: Johannes Schindelin + +- [Ryan Winograd brought this change] + + unit1399: fix integer overflow + + Bug: #1616 + Closes #1633 + +- [Per Malmberg brought this change] + + cmake: Added compatibility options for older Windows versions + + CURL_STATIC_CRT and ENABLE_INET_PTON + + Closes #1621 + +- unit1399: add logging to time comparison + + ... to enable tracking down why autobuilds fail on this + + Bug: #1616 + +- make: build the docs subdir only from within src + + ... and don't build at all in include + + Prompted-by-work-by: Simon Warta + Ref: #1590 + Closes #1591 + +- [Max Dymond brought this change] + + test1450: fix up DICT server in torture mode + + As per https://github.com/curl/curl/pull/1615, the DICT server is a + little spammy in torture mode due to the sockets being torn down + unexpectedly. Fix this by adding some error handling to the handling + function. + + Closes #1629 + +- [Max Dymond brought this change] + + test1450: add simple testing for DICT + + Add a new server which provides a DICT interface. This is intended to + begin coverage testing for lib/dict.c + + Closes #1615 + +- [Dan Fandrich brought this change] + + test1521: fix out-of-tree builds, broken with 467da3af + + The test.h file is no longer in the same directory as the source file, + so that directory needs to be added to the include path. + + Fixes #1627 + Closes #1628 + +- [Max Dymond brought this change] + + http2: handle PING frames + + Add a connection check function to HTTP2 based off RTSP. This causes + PINGs to be handled the next time the connection is reused. + + Closes #1521 + +- [Max Dymond brought this change] + + handler: refactor connection checking + + Add a new type of callback to Curl_handler which performs checks on + the connection. Alter RTSP so that it uses this callback to do its + own check on connection health. + +- [Dmitry Kostjuchenko brought this change] + + openssl: improve fallback seed of PRNG with a time based hash + + Fixes #1620 + +- [Ryan Winograd brought this change] + + progress: prevent resetting t_starttransfer + + Prevent `Curl_pgrsTime` from modifying `t_starttransfer` when invoked + with `TIMER_STARTTRANSFER` more than once during a single request. + + When a redirect occurs, this is considered a new request and + `t_starttransfer` can be updated to reflect the `t_starttransfer` time + of the redirect request. + + Closes #1616 + + Bug: https://github.com/curl/curl/pull/1602#issuecomment-310267370 + +- curl_strequal.3: fix typo in SYNOPSIS + + Reported-by: Jesse Chisholm + + Fixes #1623 + +- RELEASE-NOTES: synced with ce2c3ebda + +Kamil Dudka (28 Jun 2017) +- curl --socks5-{basic,gssapi}: control socks5 auth + + Closes https://github.com/curl/curl/pull/1454 + +- CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth + + If libcurl was built with GSS-API support, it unconditionally advertised + GSS-API authentication while connecting to a SOCKS5 proxy. This caused + problems in environments with improperly configured Kerberos: a stock + libcurl failed to connect, despite libcurl built without GSS-API + connected fine using username and password. + + This commit introduces the CURLOPT_SOCKS5_AUTH option to control the + allowed methods for SOCKS5 authentication at run time. + + Note that a new option was preferred over reusing CURLOPT_PROXYAUTH + for compatibility reasons because the set of authentication methods + allowed by default was different for HTTP and SOCKS5 proxies. + + Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html + Closes https://github.com/curl/curl/pull/1454 + +- socks: deduplicate the code for auth request + +- socks: use proxy_user instead of proxy_name + + ... to make it obvious what the data is used for + +Daniel Stenberg (27 Jun 2017) +- libtest/make: generate lib1521.c + + ... instead of having the generated code checked in. This saves space in + the tarball but primarily automatically adapts to newly added options. + + Closes #1614 + +Jay Satiro (26 Jun 2017) +- tool_getparam: fix memory leak on test 1147 OOM (torture tests) + + Bug: https://github.com/curl/curl/pull/1486#issuecomment-310926872 + Reported-by: Dan Fandrich + +Dan Fandrich (25 Jun 2017) +- test1537: fixed memory leak on OOM + +Marcel Raad (25 Jun 2017) +- test1521: fix compiler warnings + + The integer literal 3123123123 doesn't fit into a 32-bit signed + integer, so GCC with 32-bit long warns in C90 mode: + this decimal constant is unsigned only in ISO C90 [enabled by default] + Fix this by using ULONG_MAX, which should fit in any curl_off_t and has + the correct suffix to not issue any warnings. + Also adds the missing CURLOPT_REQUEST_TARGET from commit + 9b167fd090f596eac828817d48c247eeae53407f. + + Closes https://github.com/curl/curl/pull/1611 + +Daniel Stenberg (24 Jun 2017) +- curl/system.h: add check for XTENSA for 32bit gcc + + Reported-by: Neil Kolban + Fixes: 1598 + +- [Henrik S. Gaßmann brought this change] + + winbuild: fix boringssl build + + Compile with `WIN32_LEAN_AND_MEAN` which prevents `windows.h` from + including too much clutter including `wincrypt.h` which in turn contains + some preprocessor macros that clash with boringssl symbols. + + Detect boringssl by checking the existance of `is_boringssl.h` and set + the corresponding `HAVE_BORINGSSL` for compilation which is used in + `ldap.c` to undefine the evil macros. + + Closes #1610 + +- progress: progress.timespent needs to be us + + follow-up to 64ed44a815e4e to fix test 500 failures + +Marcel Raad (24 Jun 2017) +- curl-compilers.m4: fix unknown-warning-option on Apple clang + + Since 5598b0bd63f690c151074494ce47ef872f004ab4, clang -v is used to + detect the clang version. The version number was expected to come after + the word "version". For Apple clang, this doesn't work as it has its + own versioning scheme. + The version number is now first searched after the string + "based on LLVM". This works for Apple clang before version 7, and also + for e.g. Ubuntu's clang up to version 3.7. If it's not found and the + version string contains "Apple LLVM version", clang version 3.7 is + assumed, which is the version that comes with Xcode 7. Otherwise, the + version number is still expected after the word "version", which works + for very old Apple clang versions. + + Ref: https://trac.macports.org/wiki/XcodeVersionInfo + Fixes https://github.com/curl/curl/issues/1606 + Closes https://github.com/curl/curl/pull/1607 + +Daniel Stenberg (24 Jun 2017) +- progress: fix "time spent", broke in adef394ac + +- CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case + + ... supported since 7.54.1 + +- maketgz: switch to -6e for xz + + To reduce the memory requirement for decompress, and still do almost as + good compression as with -9e. + + Pointed-out-by: Dan Fandrich + +- libtest/Makefile: remove unused lib1541 variables + +- CONTRIBUTE.md: mention the out-of-tree build test too + +- maketgz: switch to xz instead of lzma + + The compressed output size seems to be a tad bit smaller, but generally + xz seems more preferred these days and is used directly by for example + gentoo instead of bz2. + + "Users of LZMA Utils should move to XZ Utils" => + https://tukaani.org/lzma/ + + Closes #1604 + +- --request-target: instead of --strip-path-slash + + ... and CURLOPT_REQUEST_TARGET instead of CURLOPT_STRIP_PATH_SLASH. + + This option instead provides the full "alternative" target to use in the + request, instead of extracting the path from the URL. + + Test 1298 and 1299 updated accordingly. + + Idea-by: Evert Pot + Suggestion: https://daniel.haxx.se/blog/2017/06/19/options-with-curl/comment-page-1/#comment-18373 + + Closes #1593 + +Marcel Raad (21 Jun 2017) +- lib1521: fix missing-variable-declarations clang warnings + + Declare TU-local variables static. + +- travis: enable typecheck-gcc warnings + + - switch debug and release configurations so that we get an optimized + build with GCC 4.3+ as required by typecheck-gcc + - enable warnings-as-errors for release builds + (which have warnings disabled) + + Closes https://github.com/curl/curl/pull/1595 + +- typecheck-gcc: add support for CURLINFO_OFF_T + + typecheck-gcc expected curl_socket_t instead of curl_off_t arguments + for CURLINFO_OFF_T. Detected by test1521, unfortunately only when run + locally. + + Closes https://github.com/curl/curl/pull/1592 + +Daniel Stenberg (21 Jun 2017) +- [Simon Warta brought this change] + + ci: whitelist branches to avoid testing feature branches twice + +- [Gisle Vanem brought this change] + + lib: fix the djgpp build + + Bug: https://github.com/curl/curl/commit/73a2fcea0b4adea6ba342cd7ed1149782c214ae3#commitcomment-22655993 + +Marcel Raad (20 Jun 2017) +- if2ip: fix compiler warning in ISO C90 mode + + remote_scope_id is only used when both HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID + and ENABLE_IPV6 are defined instead of only one of them. + +Daniel Stenberg (20 Jun 2017) +- travis: do the distcheck test build out-of-tree as well + +- http: add --strip-path-slash and CURLOPT_STRIP_PATH_SLASH + + ... to enable sending "OPTIONS *" which wasn't possible previously. + + This option currently only works for HTTP. + + Added test cases 1298 + 1299 to verify + + Fixes #1280 + Closes #1462 + +- test1521: test getinfo's OFF_T types too + + Closes #1588 + +- lib1521: add curl_easy_getinfo calls to the test set + + Also added return value checks to make sure no unexpected return codes + are used. + +- [Simon Warta brought this change] + + automake: use $(MKHELP) variable instead if constant mkhelp.pl + + this improves symmetry with the rule above + +- [Simon Warta brought this change] + + mkhelp.pl: fix script name in usage text + +- RELEASE-NOTES: synced with 3b80d3ca4 + +- getinfo: return sizes as curl_off_t + + This change introduces new alternatives for the existing six + curl_easy_getinfo() options that return sizes or speeds as doubles. The + new versions are named like the old ones but with an appended '_T': + + CURLINFO_CONTENT_LENGTH_DOWNLOAD_T + CURLINFO_CONTENT_LENGTH_UPLOAD_T + CURLINFO_SIZE_DOWNLOAD_T + CURLINFO_SIZE_UPLOAD_T + CURLINFO_SPEED_DOWNLOAD_T + CURLINFO_SPEED_UPLOAD_T + + Closes #1511 + +- PIPELINING_SERVER_BL: cleanup the internal list use + + The list was freed incorrectly since the llist refactor of + cbae73e1dd959. Added test 1550 to verify that it works and avoid future + regressions. + + Reported-by: Pascal Terjan + + Fixes #1584 + Closes #1585 + +- http2: fix OOM crash + + torture mode with test 1021 found it + +- CURLOPT_PREQUOTE.3: spellfix man page reference + +Marcel Raad (18 Jun 2017) +- http_proxy: fix build with http and proxy + + After deff7de0eb0e22d2d142b96b9cc84cd8db5d2a48, the build without + CURL_DISABLE_PROXY and CURL_DISABLE_HTTP was failing because of missing + includes. + +- http_proxy: fix compiler warning + + With CURL_DISABLE_PROXY or CURL_DISABLE_HTTP, GCC complained about a + missing prototype for Curl_connect_free. + +Daniel Stenberg (18 Jun 2017) +- TODO: update the TOC too + +- TODO: implement support for CURLOPT_PREQUOTE with SFTP + + ... also updated the CURLOPT_PREQUOTE.3 man page to mention the correct + protocol support. + + Closes #1514 + +- tool_wrte_cb: remove check for config == NULL + + ... as it really cannot have reached this far with config being NULL, + thus this is unnecesary and misleading. + + Bug: https://news.ycombinator.com/item?id=14577585 and + https://daniel.haxx.se/blog/2017/06/17/curl-doesnt-spew-binary-anymore/comment-page-1/#comment-18356 + + Forwarded-to-us-by: Jakub Wilk + +- curl: prevent binary output spewed to terminal + + ... unless "--output -" is used. Binary detection is done by simply + checking for a binary zero in early data. + + Added test 1425 1426 to verify. + + Closes #1512 + +Marcel Raad (16 Jun 2017) +- Makefile.m32: enable -W for MinGW32 build + + The configure-based build also has this in addition to -Wall. + + Closes https://github.com/curl/curl/pull/1578 + +- curl-compilers.m4: enable comma clang warning + + It usually warns when using commas instead of semicolons or other + operators by accident. + + Closes https://github.com/curl/curl/pull/1578 + +- curl-compilers.m4: enable missing-variable-declarations clang warning + + It usually warns when forgetting to declare TU-local variables static. + + Closes https://github.com/curl/curl/pull/1578 + +- curl-compilers.m4: enable double-promotion warning + + Enable -Wdouble-promotion for both GCC and clang. It warns on implicit + promotion from float to double. + + Closes https://github.com/curl/curl/pull/1578 + +- curl-compilers.m4: enable vla warning for clang + + Previously, that warning was only implicitly active in C90 mode. + Enable it unconditionally as already done for GCC. + + Closes https://github.com/curl/curl/pull/1578 + +Daniel Stenberg (16 Jun 2017) +- http-proxy: fix chunked-encoded CONNECT responses + + Regression since 5113ad0424. + + ... and remove 'flaky' from test 1061 again + + Closes #1579 + +- http-proxy: deal with EAGAIN + + ... the previous code would reset the header length wrongly (since + 5113ad0424). This makes test 1060 reliable again. + + Also: make sws send even smaller chunks of data to increase the + likeliness of this happening. + +- libtest/libntlmconnect: fix compiler warnings from f94fcdb + +- [Jay Satiro brought this change] + + HTTPS-Proxy: don't offer h2 for https proxy connections + + Bug: https://github.com/curl/curl/issues/1254 + + Closes #1546 + +- tests: stabilize test 2032 and 2033 + + Both these tests run the same underlying test code: libntlmconnect.c - + this test code made some assumptions about socket ordering when it used + curl_easy_fdset() and when we changed timing or got accidental changes + in libcurl the tests would fail. + + The tests verify that the different transfers keep using the same + connections, which I now instead made sure by adding the number of bytes + each transfer gets and then verifies that they always get the same + amount as when these tests worked. + + Closes #1576 + +- test1148: verify the -# progressbar + + Closes #1569 + +- test1061: mark as flaky + + Fails intermittently on travis builds since a few days. Likely due to + 5113ad0424. + +Jay Satiro (16 Jun 2017) +- url: refactor the check for Windows drive letter in path + + - Move the logic to detect a Windows drive letter prefix + (eg c: in c:foo) into a function-like macro. + + Closes https://github.com/curl/curl/pull/1571 + +- mk-ca-bundle.pl: Check curl's exit code after certdata download + + - No longer allow partial downloads of certdata. + + Prior to this change partial downloads were (erroneously?) allowed since + only the server code was checked to be 200. + + Bug: https://github.com/curl/curl/pull/1577 + Reported-by: Matteo B. + +Daniel Stenberg (16 Jun 2017) +- dist: add the fuzz dir to the tarball + +- configure: disable nghttp2 too if HTTP has been disabled + +- http-proxy: fix build with --disable-proxy or --disable-http + + Reported-by: Dan Fandrich + +- fuzz/README: document how to build + + Fixes #1476 + +- [Frederik B brought this change] + + fuzz: corpora file structure, initial commit + +- [Frederik B brought this change] + + fuzz: bring oss-fuzz initial code converted to C89 + +- http-proxy: only attempt FTP over HTTP proxy + + ... all other non-HTTP protocol schemes are now defaulting to "tunnel + trough" mode if a HTTP proxy is specified. In reality there are no HTTP + proxies out there that allow those other schemes. + + Assisted-by: Ray Satiro, Michael Kaufmann + + Closes #1505 + +- TODO: the generated include file is gone + + ... since commit 73a2fcea0b + +- curl_setup.h: error out on CURL_WANTS_CA_BUNDLE_ENV use + + ... to make it really apparent if there's any user using this on purpose. + + Suggested-by: Jay Satiro + + Closes #1542 + +- lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV + + When this define was set, libcurl would check the environment variable + named CURL_CA_BUNDLE at run-time and use that CA cert bundle. This + feature was only defined by the watcom and m32 makefiles and caused + inconsistent behaviours among libcurls built on different platforms. + + The curl tool does already feature its own similar logic and the library + does not really need it, and it isn't documented libcurl behavior. So + this change removes it. + + Ref: #1538 + +- test1147: verify -H on a file + +- curl: allow --header and --proxy-header read from file + + So many headers can be provided as @filename. + + Suggested-by: Timothe Litt + + Closes #1486 + +- RELEASE-NOTES: synced with 2ad80eec5 + +- curl/curlver.h: start working on 7.55.0 + +- http-proxy: do the HTTP CONNECT process entirely non-blocking + + Mentioned as a problem since 2007 (8f87c15bdac63) and of course it + existed even before that. + + Closes #1547 + +- progress: let "current speed" be UL + DL speeds combined + + Bug #1556 + Reported-by: Paul Harris + Closes #1559 + +Marcel Raad (14 Jun 2017) +- system.h: fix MinGW build + + CURLSYS_PULL_WS2TCPIP_H got renamed to CURL_PULL_WS2TCPIP_H in commit + 73a2fcea0b4adea6ba342cd7ed1149782c214ae3. + +Daniel Stenberg (14 Jun 2017) +- timers: store internal time stamps as time_t instead of doubles + + This gives us accurate precision and it allows us to avoid storing "no + time" for systems with too low timer resolution as we then bump the time + up to 1 microsecond. Should fix test 573 on windows. + + Remove the now unused curlx_tvdiff_secs() function. + + Maintains the external getinfo() API with using doubles. + + Fixes #1531 + +- dist: make the hugehelp.c not get regenerated unnecessarily + + The maketgz script now makes sure the generated hugehelp.c file in the + tarball is newer than the generated curl.1 man page, so that it doesn't + have to get unnecessarily rebuilt first thing in a typical build. It + thus also removes the need for perl to build off a plain release + tarball. + + Fixes #1565 + +- includes: remove curl/curlbuild.h and curl/curlrules.h + + Rely entirely on curl/system.h now. + + Introduced in Aug 2008 with commit 14240e9e109f. Now gone. + + Fixes #1456 + +Version 7.54.1 (14 Jun 2017) + +Daniel Stenberg (14 Jun 2017) +- release: 7.54.1 + +Dan Fandrich (13 Jun 2017) +- mk-lib1521.pl: updated to match the test changes in 916ec30a + +Daniel Stenberg (13 Jun 2017) +- [Stuart Henderson brought this change] -Daniel Stenberg (8 Mar 2009) -- Andre Guibert de Bruet found and fixed a code segment in ssluse.c where the - allocation of the memory BIO was not being properly checked. - -- Andre Guibert de Bruet fixed the gnutls-using code: There are a few places - in the gnutls code where we were checking for negative values for errors, - when the man pages state that GNUTLS_E_SUCCESS is returned on success and - other values indicate error conditions. - -- Bill Egert pointed out (http://curl.haxx.se/bug/view.cgi?id=2671602) that - curl didn't use sprintf() in a way that is documented to work in POSIX but - since we use our own printf() code (from libcurl) that shouldn't be a - problem. Nonetheless I modified the code to not rely on such particular - features and to not cause further raised eyebrowse with no good reason. - -Daniel Fandrich (5 Mar 2009) -- Expanded the security section of the libcurl-tutorial man page to cover - more issues for authors to consider when writing robust libcurl-using - applications. - -Yang Tse (5 Mar 2009) -- Fixed NTLM authentication memory leak on SSPI enabled Windows builds. This - issue was noticed by Chris Deidun. - -Daniel Fandrich (4 Mar 2009) -- Fixed a problem with m4 quoting in the OpenSSL configure check reported - by Daniel Johnson. - -Daniel Stenberg (3 Mar 2009) -- David James brought a patch that make libcurl close (all) dead connections - whenever you attempt to open a new connection. - - 1. After cleaning up a dead connection, "continue" instead of - returning FALSE. This ensures that we clean up all dead connections, - rather than just cleaning up the first dead connection. - 2. Move up the cleanup for dead connections so that it occurs for - all connections, rather than just the connections which have the same - preferences as our current new connection. - -Version 7.19.4 (3 March 2009) - -Daniel Stenberg (3 Mar 2009) -- David Kierznowski notified us about a security flaw - (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in - which previous libcurl versions (by design) can be tricked to access an - arbitrary local/different file instead of a remote one when - CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release - together this the addition of two new setopt options for controlling this - new behavior: - - o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to - follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option - excludes the FILE and SCP protocols and thus you nee to explicitly allow - them in your app if you really want that behavior. - - o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch - using the primary URL option. This is useful if you want to allow a user or - other outsiders control what URL to pass to libcurl and yet not allow all - protocols libcurl may have been built to support. - -Daniel Stenberg (27 Feb 2009) -- Senthil Raja Velu reported a problem when CURLOPT_INTERFACE and - CURLOPT_LOCALPORT were used together (the local port bind failed), and - Markus Koetter provided the fix! - -Daniel Stenberg (25 Feb 2009) -- As Daniel Fandrich figured out, we must do the GnuTLS initing in the - curl_global_init() function to properly maintain the performing functions - thread-safe. We've previously (28 April 2007) moved the init to a later time - just to avoid it to fail very early when libgcrypt dislikes the situation, - but that move was bad and the fix should rather be in libgcrypt or - elsewhere. - -Daniel Stenberg (24 Feb 2009) -- Brian J. Murrell found out that Negotiate proxy authentication didn't work. - It happened because the code used the struct for server-based auth all the - time for both proxy and server auth which of course was wrong. - -Daniel Stenberg (23 Feb 2009) -- After a bug reported by James Cheng I've made curl_easy_getinfo() for - CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD return - -1 if the sizes aren't know. Previously these returned 0, make it impossible - to detect the difference between actually zero and unknown. - -Yang Tse (23 Feb 2009) -- Daniel Johnson provided a shell script that will perform all the steps needed - to build a Mac OS X fat ppc/i386 or ppc64/x86_64 libcurl.framework - -Daniel Stenberg (23 Feb 2009) -- I renamed everything in the windows builds files that used the name 'curllib' - to the proper 'libcurl' as clearly this caused confusion. - -Yang Tse (20 Feb 2009) -- Do not halt compilation when using VS2008 to build a Windows 2000 target. - -Daniel Stenberg (20 Feb 2009) -- Linus Nielsen Feltzing reported and helped me repeat and fix a problem with - FTP with the multi interface: when a transfer fails, like when aborted by a - write callback, the control connection was wrongly closed and thus not - re-used properly. - - This change is also an attempt to cleanup the code somewhat in this area, as - now the FTP code attempts to keep (better) track on pending responses - necessary to get read in ftp_done(). - -Daniel Stenberg (19 Feb 2009) -- Patrik Thunstrom reported a problem and helped me repeat it. It turned out - libcurl did a superfluous 1000ms wait when doing SFTP downloads! - - We read data with libssh2 while doing the "DO" operation for SFTP and then - when we were about to start getting data for the actual file part, the - "TRANSFER" part, we waited for socket action (in 1000ms) before doing a - libssh2-read. But in this case libssh2 had already read and buffered the - data so we ended up always just waiting 1000ms before we get working on the - data! - -Patrick Monnerat (18 Feb 2009) -- FTP downloads (i.e.: RETR) ending with code 550 now return error - CURLE_REMOTE_FILE_NOT_FOUND instead of CURLE_FTP_COULDNT_RETR_FILE. - -Daniel Stenberg (17 Feb 2009) -- Kamil Dudka made NSS-powered builds compile and run again! - -- A second follow-up change by Andre Guibert de Bruet to fix a related memory - leak like that fixed on the 14th. When zlib returns failure, we need to - cleanup properly before returning error. - -- CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 in addition to 1 for - plain FTP connections, and it will then allow MKD to fail once and retry the - CWD afterwards. This is especially useful if you're doing many simultanoes - connections against the same server and they all have this option enabled, - as then CWD may first fail but then another connection does MKD before this - connection and thus MKD fails but trying CWD works! The numbers can - (should?) now be set with the convenience enums now called - CURLFTP_CREATE_DIR and CURLFTP_CREATE_DIR_RETRY. - - Tests has proven that if you're making an application that uploads a set of - files to an ftp server, you will get a noticable gain in speed if you're - using multiple connections and this option will be then be very useful. - -Daniel Stenberg (14 Feb 2009) -- Andre Guibert de Bruet found and fixed a memory leak in the content encoding - code, which could happen on libz errors. - -Daniel Fandrich (12 Feb 2009) -- Added support for Digest and NTLM authentication using GnuTLS. - -Daniel Stenberg (11 Feb 2009) -- CURLINFO_CONDITION_UNMET was added to allow an application to get to know if - the condition in the previous request was unmet. This is typically a time - condition set with CURLOPT_TIMECONDITION and was previously not possible to - reliably figure out. From bug report #2565128 - (http://curl.haxx.se/bug/view.cgi?id=2565128) filed by Jocelyn Jaubert. - -Daniel Fandrich (4 Feb 2009) -- Don't add the standard /usr/lib or /usr/include paths to LDFLAGS and CPPFLAGS - (respectively) when --with-ssl=/usr is used (patch based on FreeBSD). - -- Added an explicit buffer limit check in msdosify() (patch based on FreeBSD). - This couldn't ever overflow in curl, but might if the code were used - elsewhere or under different conditions. - -Daniel Stenberg (3 Feb 2009) -- Hidemoto Nakada provided a small fix that makes it possible to get the - CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with - CURLOPT_NOBODY set true. - -Daniel Stenberg (2 Feb 2009) -- Patrick Scott found a rather large memory leak when using the multi - interface and setting CURLMOPT_MAXCONNECTS to something less than the number - of handles you add to the multi handle. All the connections that didn't fit - in the cache would not be properly disconnected nor freed! - -- Craig A West brought us: libcurl now defaults to do CONNECT with HTTP - version 1.1 instead of 1.0 like before. This change also introduces the new - proxy type for libcurl called 'CURLPROXY_HTTP_1_0' that then allows apps to - switch (back) to CONNECT 1.0 requests. The curl tool also got a --proxy1.0 - option that works exactly like --proxy but sets CURLPROXY_HTTP_1_0. - - I updated all test cases cases that use CONNECT and I tried to do some using - --proxy1.0 and some updated to do CONNECT 1.1 to get both versions run. - -Daniel Stenberg (31 Jan 2009) -- When building with c-ares 1.6.1 (not yet released) or later and IPv6 support - enabled, we can now take advantage of its brand new AF_UNSPEC support in - ares_gethostbyname(). This makes test case 241 finally run fine for me with - this setup since it now parses the "::1 ip6-localhost" line fine in my - /etc/hosts file! - -Daniel Stenberg (30 Jan 2009) -- Scott Cantor filed bug report #2550061 - (http://curl.haxx.se/bug/view.cgi?id=2550061) mentioning that I failed to - properly make sure that the VC9 makefiles got included in the latest - release. I've now fixed the release script and verified it so next release - will hopefully include them properly! - -Daniel Fandrich (30 Jan 2009) -- Fixed --disable-proxy for FTP and SOCKS. Thanks to Daniel Egger for - reporting. - -Yang Tse (29 Jan 2009) -- Introduced curl_sspi.c and curl_sspi.h for the implementation of functions - Curl_sspi_global_init() and Curl_sspi_global_cleanup() which previously were - named Curl_ntlm_global_init() and Curl_ntlm_global_cleanup() in http_ntlm.c - Also adjusted socks_sspi.c to remove the link-time dependency on the Windows - SSPI library using it now in the same way as it was done in http_ntlm.c. - -Daniel Stenberg (28 Jan 2009) -- Markus Moeller introduced two new options to libcurl: - CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl - to do GSS-style authentication with SOCKS5 proxies. The curl tool got the - options called --socks5-gssapi-service and --socks5-gssapi-nec to enable - these. - -Daniel Stenberg (26 Jan 2009) -- Chad Monroe provided the new CURLOPT_TFTP_BLKSIZE option that allows an app - to set desired block size to use for TFTP transfers instead of the default - 512 bytes. - -- The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to - disable "rfc4507bis session ticket support". rfc4507bis was later turned - into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077 - - The enabled extension concerns the session management. I wonder how often - libcurl stops a connection and then resumes a TLS session. also, sending the - session data is some overhead. .I suggest that you just use your proposed - patch (which explicitly disables TICKET). - - If someone writes an application with libcurl and openssl who wants to - enable the feature, one can do this in the SSL callback. - - Sharad Gupta brought this to my attention. Peter Sylvester helped me decide - on the proper action. - -- Alexey Borzov filed bug report #2535504 - (http://curl.haxx.se/bug/view.cgi?id=2535504) pointing out that realms with - quoted quotation marks in HTTP Digest headers didn't work. I've now added - test case 1095 that verifies my fix. - -- Craig A West brought CURLOPT_NOPROXY and the corresponding --noproxy option. - They basically offer the same thing the NO_PROXY environment variable only - offered previously: list a set of host names that shall not use the proxy - even if one is specified. - -Daniel Fandrich (20 Jan 2009) -- Call setlocale() for libtest tests to test the effects of locale-induced - libc changes on libcurl. - -- Fixed a couple more locale-dependent toupper conversions, mainly for - clarity. This does fix one problem that causes ;type=i FTP URLs - to fail in the Turkish locale when CURLOPT_PROXY_TRANSFER_MODE is - used (test case 561) - -- Added tests 561 and 1091 through 1094 to test various combinations - of ;type= and ;mode= URLs that could potentially fail in the Turkish - locale. - -Daniel Stenberg (20 Jan 2009) -- Lisa Xu pointed out that the ssh.obj file was missing from the - lib/Makefile.vc6 file (and thus from the vc8 and vc9 ones too). - -Version 7.19.3 (19 January 2009) - -Daniel Stenberg (16 Jan 2009) -- Andrew de los Reyes fixed curlbuild.h for "generic" gcc builds on PPC, both - 32 bit and 64 bit. - -Daniel Stenberg (15 Jan 2009) -- Tim Ansell fixed a compiler warning in lib/cookie.c - -Daniel Stenberg (14 Jan 2009) -- Grant Erickson fixed timeouts for TFTP such that specifying a - connect-timeout, a max-time or both options work correctly and as expected - by passing the correct boolean value to Curl_timeleft via the - 'duringconnect' parameter. - - With this small change, curl TFTP now behaves as expected (and likely as - originally-designed): - - 1) For non-existent or unreachable dotted IP addresses: - - a) With no options, follows the default curl 300s timeout... - b) With --connect-timeout only, follows that value... - c) With --max-time only, follows that value... - d) With both --connect-timeout and --max-time, follows the smaller value... - - and times out with a "curl: (7) Couldn't connect to server" error. - - 2) For transfers to/from a valid host: - - a) With no options, follows default curl 300s timeout for the - first XRQ/DATA/ACK transaction and the default TFTP 3600s - timeout for the remainder of the transfer... - - b) With --connect-time only, follows that value for the - first XRQ/DATA/ACK transaction and the default TFTP 3600s - timeout for the remainder of the transfer... - - c) With --max-time only, follows that value for the first - XRQ/DATA/ACK transaction and for the remainder of the - transfer... - - d) With both --connect-timeout and --max-time, follows the former - for the first XRQ/DATA/ACK transaction and the latter for the - remainder of the transfer... - - and times out with a "curl: (28) Timeout was reached" error as - appropriate. - -Daniel Stenberg (13 Jan 2009) -- Michael Wallner fixed a NULL pointer deref when calling - curl_easy_setup(curl, CURLOPT_COOKIELIST, "SESS") on a CURL handle with no - cookies data. - -- Stefan Teleman brought a patch to fix the default curlbuild.h file for the - SunPro compilers. - -Daniel Stenberg (12 Jan 2009) -- Based on bug report #2498665 (http://curl.haxx.se/bug/view.cgi?id=2498665) - by Daniel Black, I've now added magic to the configure script that makes it - use pkg-config to detect gnutls details as well if the existing method - (using libgnutls-config) fails. While doing this, I cleaned up and unified - the pkg-config usage when detecting openssl and nss as well. - -Daniel Stenberg (11 Jan 2009) -- Karl Moerder brought the patch that creates vc9 Makefiles, and I made - 'maketgz' now use the actual makefile targets to do the VC8 and VC9 - makefiles. - -Daniel Stenberg (10 Jan 2009) -- Emil Romanus fixed: - - When using the multi interface over HTTP and the server returns a Location - header, the running easy handle will get stuck in the CURLM_STATE_PERFORM - state, leaving the external event loop stuck waiting for data from the - ingoing socket (when using the curl_multi_socket_action stuff). While this - bug was pretty hard to find, it seems to require only a one-line fix. The - break statement on line 1374 in multi.c caused the function to skip the call - to multistate(). - - How to reproduce this bug? Well, that's another question. evhiperfifo.c in - the examples directory chokes on this bug only _sometimes_, probably - depending on how fast the URLs are added. One way of testing the bug out is - writing to hiper.fifo from more than one source at the same time. - -Daniel Fandrich (7 Jan 2009) -- Unified much of the SessionHandle initialization done in Curl_open() and - curl_easy_reset() by creating Curl_init_userdefined(). This had the side - effect of fixing curl_easy_reset() so it now also resets - CURLOPT_FTP_FILEMETHOD and CURLOPT_SSL_SESSIONID_CACHE - -Daniel Stenberg (7 Jan 2009) -- Rob Crittenden did once again provide an NSS update: - - I have to jump through a few hoops now with the NSS library initialization - since another part of an application may have already initialized NSS by the - time Curl gets invoked. This patch is more careful to only shutdown the NSS - library if Curl did the initialization. - - It also adds in a bit of code to set the default ciphers if the app that - call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific - ciphers. One might argue that this lets other application developers get - lazy and/or they aren't using the NSS API correctly, and you'd be right. - But still, this will avoid terribly difficult-to-trace crashes and is - generally helpful. - -Daniel Stenberg (1 Jan 2009) -- 'reconf' is removed since we rather have users use 'buildconf' - -Daniel Stenberg (31 Dec 2008) -- Bas Mevissen reported http://curl.haxx.se/bug/view.cgi?id=2479030 pointing - out that 'reconf' didn't properly point out the m4 subdirectory when running - aclocal. - -Daniel Stenberg (29 Dec 2008) - - Phil Lisiecki filed bug report #2413067 - (http://curl.haxx.se/bug/view.cgi?id=2413067) that identified a problem that - would cause libcurl to mark a DNS cache entry "in use" eternally if the - subsequence TCP connect failed. It would thus never get pruned and refreshed - as it should've been. - - Phil provided his own patch to this problem that while it seemed to work - wasn't complete and thus I wrote my own fix to the problem. - -Daniel Stenberg (28 Dec 2008) -- Peter Korsgaard fixed building libcurl with "configure --with-ssl - --disable-verbose". - -- Anthony Bryan fixed more language and spelling flaws in man pages. - -Daniel Stenberg (22 Dec 2008) -- Given a recent enough libssh2, libcurl can now seek/resume with SFTP even - on file indexes beyond 2 or 4GB. - -- Anthony Bryan provided a set of patches that cleaned up manual language, - corrected spellings and more. - -Daniel Stenberg (20 Dec 2008) -- Igor Novoseltsev fixed a bad situation for the multi_socket() API when doing - pipelining, as libcurl could then easily get confused and A) work on the - handle that was not "first in queue" on a pipeline, or even B) tell the app - to REMOVE a socket while it was in use by a second handle in a pipeline. Both - errors caused hanging or stalling applications. - -Daniel Stenberg (19 Dec 2008) -- curl_multi_timeout() could return a timeout value of 0 even though nothing - was actually ready to get done, as the internal time resolution is higher - than the returned millisecond timer. Therefore it could cause applications - running on fast processors to do short bursts of busy-loops. - curl_multi_timeout() will now only return 0 if the timeout is actually - alreay triggered. - -- Using the libssh2 0.19 function libssh2_session_block_directions(), libcurl - now has an improved ability to do right when the multi interface (both - "regular" and multi_socket) is used for SCP and SFTP transfers. This should - result in (much) less busy-loop situations and thus less CPU usage with no - speed loss. - -Daniel Stenberg (17 Dec 2008) -- SCP and SFTP with the multi interface had the same flaw: the 'DONE' - operation didn't complete properly if the EAGAIN equivalent was returned but - libcurl would simply continue with a half-completed close operation - performed. This ruined persistent connection re-use and cause some - SSH-protocol errors in general. The correction is unfortunately adding a - blocking function - doing it entirely non-blocking should be considered for - a better fix. - -Gisle Vanem (16 Dec 2008) -- Added the possibility to use the Watt-32 tcp/ip stack under Windows. - The change simply involved adding a USE_WATT32 section in the - config-win32.h files (under ./lib and ./src). This section disables - the use of any Winsock headers. - -Daniel Stenberg (16 Dec 2008) -- libssh2_sftp_last_error() was wrongly used at some places in libcurl which - made libcurl sometimes not properly abort problematic SFTP transfers. - -Daniel Stenberg (12 Dec 2008) -- More work with Igor Novoseltsev to first fix the remaining stuff for - removing easy handles from multi handles when the easy handle is/was within - a HTTP pipeline. His bug report #2351653 - (http://curl.haxx.se/bug/view.cgi?id=2351653) was also related and was - eventually fixed by a patch by Igor himself. - -Yang Tse (12 Dec 2008) -- Patrick Monnerat fixed a build regression, introduced in 7.19.2, affecting - OS/400 compilations with IPv6 enabled. - -Daniel Stenberg (12 Dec 2008) -- Mark Karpeles filed bug report #2416182 titled "crash in ConnectionExists - when using duphandle+curl_mutli" - (http://curl.haxx.se/bug/view.cgi?id=2416182) which showed that - curl_easy_duphandle() wrongly also copied the pointer to the connection - cache, which was plain wrong and caused a segfault if the handle would be - used in a different multi handle than the handle it was duplicated from. - -Daniel Stenberg (11 Dec 2008) -- Keshav Krity found out that libcurl failed to deal with dotted IPv6 - addresses if they were very long (>39 letters) due to a too strict address - validity parser. It now accepts addresses up to 45 bytes long. - -Daniel Stenberg (11 Dec 2008) -- Internet Explorer had a broken HTTP digest authentication before v7 and - there are servers "out there" that relies on the client doing this broken - Digest authentication. Apache even comes with an option to work with such - broken clients. - - The difference is only for URLs that contain a query-part (a '?'-letter and - text to the right of it). - - libcurl now supports this quirk, and you enable it by setting the - CURLAUTH_DIGEST_IE bit in the bitmask you pass to the CURLOPT_HTTPAUTH or - CURLOPT_PROXYAUTH options. They are thus individually controlled to server - and proxy. - - (note that there's no way to activate this with the curl tool yet) - -Daniel Fandrich (9 Dec 2008) -- Added test cases 1089 and 1090 to test --write-out after a redirect to - test a report that the size didn't work, but these test cases pass. - -- Documented CURLOPT_CONNECT_ONLY as being useful only on HTTP URLs. - -Daniel Stenberg (9 Dec 2008) -- Ken Hirsch simplified how libcurl does FTPS: now it doesn't assume any - particular state for the control connection like it did before for implicit - FTPS (libcurl assumed such control connections to be encrypted while some - FTPS servers such as FileZilla assumes such connections to be clear - mode). Use the CURLOPT_USE_SSL option to set your desired level. - -Daniel Stenberg (8 Dec 2008) -- Fred Machado posted about a weird FTP problem on the curl-users list and when - researching it, it turned out he got a 550 response back from a SIZE command - and then I fell over the text in RFC3659 that says: - - The presence of the 550 error response to a SIZE command MUST NOT be taken - by the client as an indication that the file cannot be transferred in the - current MODE and TYPE. - - In other words: the change I did on September 30th 2008 and that has been - included in the last two releases were a regression and a bad idea. We MUST - NOT take a 550 response from SIZE as a hint that the file doesn't exist. - -- Christian Krause filed bug #2221237 - (http://curl.haxx.se/bug/view.cgi?id=2221237) that identified an infinite - loop during GSS authentication given some specific conditions. With his - patience and great feedback I managed to narrow down the problem and - eventually fix it although I can't test any of this myself! - -Daniel Fandrich (3 Dec 2008) -- Fixed the getifaddrs version of Curl_if2ip to work on systems without IPv6 - support (e.g. Minix) - -Daniel Stenberg (3 Dec 2008) -- Igor Novoseltsev filed bug #2351645 - (http://curl.haxx.se/bug/view.cgi?id=2351645) that identified a problem with - the multi interface that occured if you removed an easy handle while in - progress and the handle was used in a HTTP pipeline. - -- Pawel Kierski pointed out a mistake in the cookie code that could lead to a - bad fclose() after a fatal error had occured. - (http://curl.haxx.se/bug/view.cgi?id=2382219) - -Daniel Fandrich (25 Nov 2008) -- If a HTTP request is Basic and num is already >=1000, the HTTP test - server adds 1 to num to get the data section to return. This allows - testing authentication negotiations using the Basic authentication - method. - -- Added tests 1087 and 1088 to test Basic authentication on a redirect - with and without --location-trusted - -Daniel Stenberg (24 Nov 2008) -- Based on a patch by Vlad Grachov, libcurl now uses a new libssh2 0.19 - function when built to support SCP and SFTP that helps the library to know - in which direction a particular libssh2 operation would return EAGAIN so - that libcurl knows what socket conditions to wait for before trying the - function call again. Previously (and still when using libssh2 0.18 or - earlier), libcurl will busy-loop in this situation when the easy interface - is used! - -Daniel Fandrich (20 Nov 2008) -- Automatically detect OpenBSD's CA cert bundle. - -Daniel Stenberg (19 Nov 2008) -- I removed the default use of "Pragma: no-cache" from libcurl when a proxy is - used. It has been used since forever but it was never a good idea to use - unless explicitly asked for. - -- Josef Wolf's extension that allows a $TESTDIR/gdbinit$testnum file that when - you use runtests.pl -g, will be sourced by gdb to allow additional fancy or - whatever you see fit - -- Christian Krause reported and fixed a memory leak that would occur with HTTP - GSS/kerberos authentication (http://curl.haxx.se/bug/view.cgi?id=2284386) - -- Andreas Wurf and Markus Koetter helped me analyze a problem that Andreas got - when uploading files to a single FTP server using multiple easy handle - handles with the multi interface. Occasionally a handle would stall in - mysterious ways. - - The problem turned out to be a side-effect of the ConnectionExists() - function's eagerness to re-use a handle for HTTP pipelining so it would - select it even if already being in use, due to an inadequate check for its - chances of being used for pipelnining. - -Daniel Fandrich (17 Nov 2008) -- Added more compiler warning options for gcc 4.3 - -Yang Tse (17 Nov 2008) -- Fix a remaining problem in the inet_pton() runtime configure check. And - fix internal Curl_inet_pton() failures to reject certain malformed literals. - -- Make configure script check if ioctl with the SIOCGIFADDR command can be - used, and define HAVE_IOCTL_SIOCGIFADDR if appropriate. - -Daniel Stenberg (16 Nov 2008) -- Christian Krause fixed a build failure when building with gss support - enabled and FTP disabled. - -- Added check for NULL returns from strdup() in src/main.c and lib/formdata.c - - reported by Jim Meyering also prevent buffer overflow on MSDOS when you do - for example -O on a url with a file name part longer than PATH_MAX letters - -- lib/nss.c fixes based on the report by Jim Meyering: I went over and added - checks for return codes for all calls to malloc and strdup that were - missing. I also changed a few malloc(13) to use arrays on the stack and a - few malloc(PATH_MAX) to instead use aprintf() to lower memory use. - -- I fixed a memory leak in Curl_nss_connect() when CURLOPT_ISSUERCERT is - in use. - -Daniel Fandrich (14 Nov 2008) -- Added .xml as one of the few common file extensions known by the multipart - form generator. - -- Added some #ifdefs around header files and change the EAGAIN test to - fix compilation on Cell (reported by Jeff Curley). - -Yang Tse (14 Nov 2008) -- Fixed several configure script issues affecting checks for inet_ntoa_r(), - inet_ntop(), inet_pton(), getifaddrs(), fcntl() and getaddrinfo(). - -Yang Tse (13 Nov 2008) -- Refactored configure script detection of functions used to set sockets into - non-blocking mode, and decouple function detection from function capability. + libressl: OCSP and intermediate certs workaround no longer needed + + lib/vtls/openssl.c has a workaround for a bug with OCSP responses signed + by intermediate certs, this was fixed in LibreSSL in + https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0 + + Bug: https://curl.haxx.se/mail/lib-2017-06/0038.html + +- url: fix buffer overwrite with file protocol (CVE-2017-9502) + + Bug: https://github.com/curl/curl/issues/1540 + Advisory: https://curl.haxx.se/docs/adv_20170614.html + + Assisted-by: Ray Satiro + Reported-by: Marcel Raad + +- urlglob: fix division by zero + + The multiply() function that is used to avoid integer overflows, was + itself reason for a possible division by zero error when passed a + specially formatted glob. + + Reported-by: GwanYeong Kim + +- configure: update the copyright year in the output + +- [ygrek brought this change] + + BINDINGS: update SP-Forth and OCaml urls + +Michael Kaufmann (11 Jun 2017) +- FindWin32CACert: Use a temporary buffer on the stack + + Don't malloc() the temporary buffer, and use the correct type: + SearchPath() works with TCHAR, but SearchPathA() works with char. + Set the buffer size to MAX_PATH, because the terminating null byte + is already included in MAX_PATH. + + Reviewed-by: Daniel Stenberg + Reviewed-by: Marcel Raad + + Closes #1548 + +Dan Fandrich (11 Jun 2017) +- test1521: fixed OOM handling + +Daniel Stenberg (9 Jun 2017) +- RELEASE-PROCEDURE: updated future release dates + +- [Paul Harris brought this change] + + gitignore: ignore all vim swap files + + Closes #1561 + +- lib1521: fix compiler warnings on the use of bad 'long' values + + Reported-by: Marcel Raad + Bug: https://github.com/curl/curl/commit/cccac4fb2b20d6ed87da7978408c3ecacc464fe4#commitcomment-22453387 + +- setopt: check CURLOPT_ADDRESS_SCOPE option range + + ... and return error instead of triggering an assert() when being way + out of range. + +Jay Satiro (8 Jun 2017) +- [TheAssassin brought this change] + + cmake: Fix inconsistency regarding mbed TLS include directory + + Previously, one had to set MBEDTLS_INCLUDE_DIR to make CMake find the + headers, but the system complained that mbed TLS wasn't found due to + MBEDTLS_INCLUDE_DIRS (note the trailing s) was not set. This commit + attempts to fix that. + + Closes https://github.com/curl/curl/pull/1541 + +Daniel Stenberg (8 Jun 2017) +- [Ryuichi KAWAMATA brought this change] + + examples/multi-uv.c: fix deprecated symbol + + Closes #1557 + +- asyn-ares: s/Curl_expire_latest/Curl_expire + +- expire: remove Curl_expire_latest() + + With the introduction of expire IDs and the fact that existing timers + can be removed now and thus never expire, the concept with adding a + "latest" timer is not working anymore as it risks to not expire at all. + + So, to be certain the timers actually are in line and will expire, the + plain Curl_expire() needs to be used. The _latest() function was added + as a sort of shortcut in the past that's quite simply not necessary + anymore. + + Follow-up to 31b39c40cf90 + + Reported-by: Paul Harris + + Closes #1555 + +- [Chris Carlmar brought this change] + + configure: fix link with librtmp when specifying path + + Bug: https://curl.haxx.se/mail/lib-2017-06/0017.html + +- file: make speedcheck use current time for checks + + ... as it would previously just get the "now" timestamp before the + transfer starts and then not update it again. + + Closes #1550 + +- metalink: remove unused printf() argument + +- travis: let some builds *not* use --enable-debug + + typecheck-gcc and other things require optimized builds + + Closes #1544 + +- README.md: show the coverall coverage on github + +- lib1521: fix compiler warnings + +- test1521: make the code < 80 columns wide + +- test1121: use stricter types to work with typcheck-gcc + +- typecheck-gcc: allow CURLOPT_STDERR to be NULL too + +- test1521: test *all* curl_easy_setopt options + + mk-lib1521.pl generates a test program (lib1521.c) that calls + curl_easy_setopt() for every known option with a few typical values to + make sure they work (ignoring the return codes). + + Some small changes were necessary to avoid asserts and NULL accesses + when doing this. + + The perl script needs to be manually rerun when we add new options. + + Closes #1543 + +Dan Fandrich (5 Jun 2017) +- test1538: added "verbose logs" keyword + + These error messages are not displayed with --disable-verbose + +Daniel Stenberg (5 Jun 2017) +- test1262: verify ftp download with -z for "if older than this" + +Marcel Raad (5 Jun 2017) +- curl_ntlm_core: use Curl_raw_toupper instead of toupper + + This was the only remaining use of toupper in the entire source code. + + Suggested-by: Daniel Stenberg +Daniel Stenberg (4 Jun 2017) +- RELEASE-NOTES: synced with 65ba92650