5 \___|\___/|_| \_\_____|
9 Version 7.53.1 (24 Feb 2017)
11 Daniel Stenberg (24 Feb 2017)
14 - Revert "tests: use consistent environment variables for setting charset"
16 This reverts commit ecd1d020abdae3c3ce3643ddab3106501e62e7c0.
18 That commit caused test failures on my Debian Linux machine for all
19 changed test cases. We need to reconsider how that should get done.
21 Dan Fandrich (23 Feb 2017)
22 - tests: use consistent environment variables for setting charset
24 Character set in POSIX is set by the locale defined (in decreasing order
25 of precedence) by the LC_ALL, LC_CTYPE and LANG environment variables (I
26 believe CHARSET is only historic). LC_ALL is cleared to ensure that
27 LC_CTYPE takes effect, but LC_ALL is not used to set the locale to
28 ensure that other parts of the locale aren't overriden, if set. Since
29 there doesn't seem to be a cross-platform way of specifying a UTF-8
30 locale, and not all systems may support UTF-8, a <precheck> is used
31 (where relevant) to skip the test if UTF-8 isn't in use. Test 1035 was
32 also converted to UTF-8 for consistency, as the actual character set
33 used there is irrelevant to the test.
35 Jay Satiro (23 Feb 2017)
36 - url: Default the CA proxy bundle location to CURL_CA_BUNDLE
38 If the compile-time CURL_CA_BUNDLE location is defined use it as the
39 default value for the proxy CA bundle location, which is the same as
40 what we already do for the regular CA bundle location.
42 Ref: https://github.com/curl/curl/pull/1257
44 Daniel Stenberg (23 Feb 2017)
45 - [Sergii Pylypenko brought this change]
47 rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header
55 - RELEASE-NOTES: synced with 443e5b03a7d441
57 - THANKS-filter: shachaf
59 - [İsmail Dönmez brought this change]
61 tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
66 - bump: 7.53.1 coming up
68 synced with df665f4df0f7a352
70 - formdata: check for EOF when reading from stdin
72 Reported-by: shachaf@users.noreply.github.com
76 Jay Satiro (22 Feb 2017)
77 - docs: gitignore curl.1
79 curl.1 is generated by the cmdline-opts script since 4c49b83.
81 Daniel Stenberg (22 Feb 2017)
82 - TODO: HTTP Digest using SHA-256
84 - TODO: brotli is deployed widely now
86 Jay Satiro (21 Feb 2017)
87 - [Viktor Szakats brought this change]
89 urldata: include curl_sspi.h when Windows SSPI is enabled
91 f77dabe broke builds in Windows using Windows SSPI but not Windows SSL.
93 Bug: https://github.com/curl/curl/issues/1276
94 Reported-by: jveazey@users.noreply.github.com
96 - url: Improve CURLOPT_PROXY_CAPATH error handling
98 - Change CURLOPT_PROXY_CAPATH to return CURLE_NOT_BUILT_IN if the option
99 is not supported, which is the same as what we already do for
102 - Change the curl tool to handle CURLOPT_PROXY_CAPATH error
103 CURLE_NOT_BUILT_IN as a warning instead of as an error, which is the
104 same as what we already do for CURLOPT_CAPATH.
106 - Fix CAPATH docs to show that CURLE_NOT_BUILT_IN is returned when the
107 respective CAPATH option is not supported by the SSL library.
109 Ref: https://github.com/curl/curl/pull/1257
113 Version 7.53.0 (22 Feb 2017)
115 Daniel Stenberg (22 Feb 2017)
118 - cookie: fix declaration of 'dup' shadows a global declaration
120 - TLS: make SSL_VERIFYSTATUS work again
122 The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
123 and thus even if the status couldn't be verified, the connection would
124 be allowed and the user would not be told about the failed verification.
126 Regression since cb4e2be7c6d42ca
129 Bug: https://curl.haxx.se/docs/adv_20170222.html
131 Reported-by: Marcus Hoffmann
133 Jay Satiro (21 Feb 2017)
134 - digest_sspi: Handle 'stale=TRUE' directive in HTTP digest
136 - If the server has provided another challenge use it as the replacement
137 input token if stale=TRUE. Otherwise previous credentials have failed
138 so return CURLE_LOGIN_DENIED.
140 Prior to this change the stale directive was ignored and if another
141 challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING.
143 Ref: https://tools.ietf.org/html/rfc2617#page-10
145 Bug: https://github.com/curl/curl/issues/928
146 Reported-by: tarek112@users.noreply.github.com
148 Daniel Stenberg (20 Feb 2017)
149 - smb: use getpid replacement for windows UWP builds
151 Source: https://github.com/Microsoft/vcpkg/blob/7676b8780db1e1e591c4fc7eba4f96f73c428cb4/ports/curl/0002_fix_uwp.patch
153 - TODO: CURLOPT_RESOLVE for any port number
157 - RELEASE-NOTES: synced with af30f1152d43dcdb
159 - [Jean Gressmann brought this change]
161 sftp: improved checks for create dir failures
163 Since negative values are errors and not only -1. This makes SFTP upload
164 with --create-dirs work (again).
168 Jay Satiro (20 Feb 2017)
169 - [Max Khon brought this change]
171 digest_sspi: Fix nonce-count generation in HTTP digest
173 - on the first invocation: keep security context returned by
174 InitializeSecurityContext()
176 - on subsequent invocations: use MakeSignature() instead of
177 InitializeSecurityContext() to generate HTTP digest response
179 Bug: https://github.com/curl/curl/issues/870
180 Reported-by: Andreas Roth
182 Closes https://github.com/curl/curl/pull/1251
184 - examples/multi-uv: checksrc compliance
186 Michael Kaufmann (19 Feb 2017)
187 - string formatting: fix 4 printf-style format strings
189 Dan Fandrich (18 Feb 2017)
190 - tests: removed the obsolete name parameter
192 Michael Kaufmann (18 Feb 2017)
193 - speed caps: update the timeouts if the speed is too low/high
197 Fixes https://github.com/curl/curl/issues/793
198 Fixes https://github.com/curl/curl/issues/942
200 - docs: fix timeout handling in multi-uv example
202 - proxy: fix hostname resolution and IDN conversion
204 Properly resolve, convert and log the proxy host names.
205 Support the "--connect-to" feature for SOCKS proxies and for passive FTP
210 Reported-by: Jay Satiro
211 Fixes https://github.com/curl/curl/issues/1248
213 Jay Satiro (17 Feb 2017)
214 - [Isaac Boukris brought this change]
216 http: fix missing 'Content-Length: 0' while negotiating auth
218 - While negotiating auth during PUT/POST if a user-specified
219 Content-Length header is set send 'Content-Length: 0'.
221 This is what we do already in HTTPREQ_POST_FORM and what we did in the
222 HTTPREQ_POST case (regression since afd288b).
224 Prior to this change no Content-Length header would be sent in such a
227 Bug: https://curl.haxx.se/mail/lib-2017-02/0006.html
228 Reported-by: Dominik Hölzl
230 Closes https://github.com/curl/curl/pull/1242
232 Daniel Stenberg (16 Feb 2017)
233 - [Simon Warta brought this change]
235 winbuild: add note on auto-detection of MACHINE in Makefile.vc
239 - RELEASE-PROCEDURE: update the upcoming release calendar
241 - TODO: consider file name from the redirected URL with -O ?
243 It isn't easily solved, but with some thinking someone could probably
244 come up with a working approach?
248 Jay Satiro (15 Feb 2017)
249 - tool_urlglob: Allow a glob range with the same start and stop
251 For example allow ranges like [1-1] and [a-a] etc.
253 Regression since 5ca96cb.
255 Bug: https://github.com/curl/curl/issues/1238
256 Reported-by: R. Dennis Steed
258 Daniel Stenberg (15 Feb 2017)
259 - axtls: adapt to API changes
261 Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS
262 < 2.1.0 (the older API)
264 ... and fix the session_id mixup brought in 04b4ee549
268 - RELEASE-NOTES: synced with 690935390c29c
270 - [Nick Draffen brought this change]
272 curl: fix typo in time condition warning message
274 The warning message had a typo. The argument long form is --time-cond
281 Jay Satiro (14 Feb 2017)
282 - configure: Allow disabling pthreads, fall back on Win32 threads
284 When the threaded resolver option is specified for configure the default
285 thread library is pthreads. This change makes it possible to
286 --disable-pthreads and then configure can fall back on Win32 threads for
287 native Windows builds.
289 Closes https://github.com/curl/curl/pull/1260
291 Daniel Stenberg (13 Feb 2017)
292 - http2: fix memory-leak when denying push streams
294 Reported-by: zelinchen@users.noreply.github.com
297 Jay Satiro (11 Feb 2017)
298 - tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT
300 When CURLE_SSL_CACERT occurs the tool shows a lengthy error message to
301 the user explaining possible solutions such as --cacert and --insecure.
303 This change appends to that message similar options --proxy-cacert and
304 --proxy-insecure when there's a specified HTTPS proxy.
306 Closes https://github.com/curl/curl/issues/1258
308 Daniel Stenberg (10 Feb 2017)
309 - cmdline-opts/page-footer: ftp.sunet.se is no longer an FTP mirror
311 - URL: only accept ";options" in SMTP/POP3/IMAP URL schemes
315 Jay Satiro (9 Feb 2017)
316 - cmdline-opts/socks*: Mention --preproxy in --socks* opts
318 - Document in --socks* opts they're still mutually exclusive of --proxy.
320 Partial revert of 423a93c; I had misinterpreted the SOCKS proxy +
321 HTTP/HTTPS proxy combination.
323 - Document in --socks* opts that --preproxy can be used to specify a
324 SOCKS proxy at the same time --proxy is used with an HTTP/HTTPS proxy.
326 Daniel Stenberg (9 Feb 2017)
327 - CURLOPT_SSL_VERIFYPEER.3: also the https proxy version
329 Kamil Dudka (9 Feb 2017)
330 - nss: make FTPS work with --proxytunnel
332 If the NSS code was in the middle of a non-blocking handshake and it
333 was asked to finish the handshake in blocking mode, it unexpectedly
334 continued in the non-blocking mode, which caused a FTPS connection
335 over CONNECT to fail with "(81) Socket not ready for send/recv".
337 Bug: https://bugzilla.redhat.com/1420327
339 Daniel Stenberg (9 Feb 2017)
340 - examples/multithread.c: link to our multi-thread docs
342 ... instead of the OpenSSL mutex page.
344 - http_proxy: avoid freeing static memory
346 Follow up to 7fe81ec298e0: make sure 'host' is either NULL or malloced.
348 - [Cameron MacMinn brought this change]
350 http_proxy: Fix tiny memory leak upon edge case connecting to proxy
354 Michael Kaufmann (8 Feb 2017)
355 - polarssl, mbedtls: Fix detection of pending data
357 Reported-by: Dan Fandrich
358 Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html
360 Dan Fandrich (7 Feb 2017)
361 - test1139: Added the --manual keyword since the manual is required
363 Daniel Stenberg (7 Feb 2017)
364 - RELEASE-NOTES: synced with 102454459dd688c
366 - THANKS-filter: polish some recent contributors
368 - http2: reset push header counter fixes crash
370 When removing an easy handler from a multi before it completed its
371 transfer, and it had pushed streams, it would segfault due to the pushed
372 counted not being cleared.
374 Fixed-by: zelinchen@users.noreply.github.com
377 - [Markus Westerlind brought this change]
379 transfer: only retry nobody-requests for HTTP
381 Using sftp to delete a file with CURLOPT_NOBODY set with a reused
382 connection would fail as curl expected to get some data. Thus it would
383 retry the command again which fails as the file has already been
388 Jay Satiro (7 Feb 2017)
389 - [Daniel Gustafsson brought this change]
393 Ref: https://github.com/curl/curl/pull/1245
395 - [Daniel Gustafsson brought this change]
399 Closes https://github.com/curl/curl/pull/1245
401 - [Daniel Gustafsson brought this change]
403 darwinssl: Avoid parsing certificates when not in verbose mode
405 The information extracted from the server certificates in step 3 is only
406 used when in verbose mode, and there is no error handling or validation
407 performed as that has already been done. Only run the certificate
408 information extraction when in verbose mode and libcurl was built with
411 Closes https://github.com/curl/curl/pull/1246
413 - [JDepooter brought this change]
415 schannel: Remove incorrect SNI disabled message
417 - Remove the SNI disabled when host verification disabled message
418 since that is incorrect.
420 - Show a message for legacy versions of Windows <= XP that connections
421 may fail since those versions of WinSSL lack SNI, algorithms, etc.
423 Bug: https://github.com/curl/curl/pull/1240
425 Daniel Stenberg (7 Feb 2017)
426 - CHANGES: spell fix, use correct path to script
430 This is the previously manually edited changelog, not touched since Aug
431 2015. Still present in git for those who wants it.
433 Dan Fandrich (6 Feb 2017)
434 - cmdline-opts: Fixed build and test in out of source tree builds
436 Viktor Szakats (6 Feb 2017)
437 - use *.sourceforge.io and misc URL updates
439 Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/
440 Closes: https://github.com/curl/curl/pull/1247
442 Jay Satiro (6 Feb 2017)
443 - docs: Add more HTTPS proxy documentation
445 - Document HTTPS proxy type.
447 - Document --write-out %{proxy_ssl_verify_result}.
449 - Document SOCKS proxy + HTTP/HTTPS proxy combination.
451 HTTPS proxy support was added in 7.52.0 for OpenSSL, GnuTLS and NSS.
453 Ref: https://github.com/curl/curl/commit/cb4e2be
457 - s/CURLOPT_SOCKS_PROXY/CURLOPT_PRE_PROXY
458 Follow-up to 7907a2b and 845522c.
460 - Fix incorrect id for CURLOPT_PROXY_PINNEDPUBLICKEY.
462 - Add id for CURLOPT_ABSTRACT_UNIX_SOCKET.
464 Bug: https://github.com/curl/curl/issues/1237
465 Reported-by: jonrumsey@users.noreply.github.com
467 - [Sean Burford brought this change]
469 cmake: Support curl --xattr when built with cmake
471 - Test for and set HAVE_FSETXATTR when support for extended file
472 attributes is present.
474 Closes https://github.com/curl/curl/pull/1176
476 - [Adam Langley brought this change]
478 openssl: Don't use certificate after transferring ownership
480 SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
481 while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
482 it's best to call SSL_CTX_add_client_CA before
483 SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
486 Closes https://github.com/curl/curl/pull/1236
488 Daniel Stenberg (29 Jan 2017)
489 - [Antoine Aubert brought this change]
491 mbedtls: implement CTR-DRBG and HAVEGE random generators
495 - docs: we no longer ship HTML versions of man pages
497 ... refer to the web site for the web versions.
499 - [railsnewbie257 brought this change]
501 docs: proofread README.netware README.win32
505 - RELEASE-NOTES; synced with ab08d82648
507 Michael Kaufmann (28 Jan 2017)
508 - mbedtls: disable TLS session tickets
510 SSL session reuse with TLS session tickets is not supported yet.
511 Use SSL session IDs instead.
513 See https://github.com/curl/curl/issues/1109
515 - gnutls: disable TLS session tickets
517 SSL session reuse with TLS session tickets is not supported yet.
518 Use SSL session IDs instead.
520 Fixes https://github.com/curl/curl/issues/1109
522 - polarssl: fix hangs
524 This bugfix is similar to commit c111178bd4.
526 Daniel Stenberg (27 Jan 2017)
527 - cookies: do not assume a valid domain has a dot
529 This repairs cookies for localhost.
531 Non-PSL builds will now only accept "localhost" without dots, while PSL
532 builds okeys everything not listed as PSL.
534 Added test 1258 to verify.
536 This was a regression brought in a76825a5efa6b4
538 - TODO: remove "Support TLS v1.3"
540 Support is trickling in already.
542 - [railsnewbie257 brought this change]
544 INTERNALS.md: language improvements
548 - telnet: fix windows compiler warnings
550 Thumbs-up-by: Jay Satiro
554 - VC: remove the makefile.vc6 build infra
556 The winbuild/ build files is now the single MSVC makefile build choice.
560 - [Jay Satiro brought this change]
562 cmdline-opts/gen.pl: Open input files in CRLF mode
564 On Windows it's possible to have input files with CRLF line endings and
565 a perl that defaults to LF line endings (eg msysgit). Currently that
566 results in generator output of mixed line endings of CR, LF and CRLF.
568 This change fixes that issue in the most succinct way by opening the
569 files in :crlf text mode even when the perl being used does not default
570 to that mode. (On operating systems that don't have a separate text mode
571 it's essentially a no-op.) The output continues to be in the perl's
574 - docs/curl.1: generate from the cmdline-opts script
576 - vtls: source indentation fix
578 - contri*.sh: cut off parentheses from names too
580 - RELEASE-NOTES: synced with 01ab7c30bba6f
582 - vtls: fix PolarSSL non-blocking handling
584 A regression brought in cb4e2be
586 Reported-by: Michael Kaufmann
587 Bug: https://github.com/curl/curl/issues/1174#issuecomment-274018791
589 - [Antoine Aubert brought this change]
591 vtls: fix mbedtls multi non blocking handshake.
593 When using multi, mbedtls handshake is in non blocking mode. vtls must
594 set wait for read/write flags for the socket.
598 - [Richy Kim brought this change]
600 CURLOPT_BUFFERSIZE: support enlarging receive buffer
602 Replace use of fixed macro BUFSIZE to define the size of the receive
603 buffer. Reappropriate CURLOPT_BUFFERSIZE to include enlarging receive
604 buffer size. Upon setting, resize buffer if larger than the current
605 default size up to a MAX_BUFSIZE (512KB). This can benefit protocols
610 - sws: use SOCKERRNO, not errno
612 Reported-by: Gisle Vanem
614 Michael Kaufmann (19 Jan 2017)
615 - KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
617 This has been implemented with commit 9ad034e.
619 Viktor Szakats (19 Jan 2017)
620 - *.rc: escape non-ASCII/non-UTF-8 character for clarity
622 Closes https://github.com/curl/curl/pull/1217
624 Kamil Dudka (19 Jan 2017)
625 - docs: non-blocking SSL handshake is now supported with NSS
627 Implemented since curl-7_36_0-130-g8868a22
629 Reported-by: Fahim Chandurwala
631 Michael Kaufmann (18 Jan 2017)
632 - CURLOPT_CONNECT_TO: Fix compile warnings
634 Fix compile warnings that appeared only when curl has been configured
635 with '--disable-verbose'.
637 Daniel Stenberg (18 Jan 2017)
638 - usercertinmem.c: improve the short description
640 - parseurl: move back buffer to function scope
642 Regression since 1d4202ad, which moved the buffer into a more narrow
643 scope, but the data in that buffer was used outside of that more narrow
646 Reported-by: Dan Fandrich
647 Bug: https://curl.haxx.se/mail/lib-2017-01/0093.html
649 Jay Satiro (17 Jan 2017)
650 - openssl: Fix random generation
652 - Fix logic error in Curl_ossl_random.
654 Broken a few days ago in 807698d.
656 Daniel Stenberg (17 Jan 2017)
657 - TODO: share OpenSSL contexts
659 By supporting this, subsequent connects would load a lot less data from
664 - bump: next release will be 7.53.0
666 Kamil Dudka (15 Jan 2017)
667 - nss: use the correct lock in nss_find_slot_by_name()
669 Alessandro Ghedini (15 Jan 2017)
670 - http2: disable server push if not requested
672 Ref: https://github.com/curl/curl/pull/1160
674 Daniel Stenberg (14 Jan 2017)
675 - [railsnewbie257 brought this change]
677 docs: improved language in README.md HISTORY.md CONTRIBUTE.md
681 Alessandro Ghedini (14 Jan 2017)
682 - http: print correct HTTP string in verbose output when using HTTP/2
686 % src/curl https://sigsegv.ninja/ -v --http2
689 > Host: sigsegv.ninja
690 > User-Agent: curl/7.52.2-DEV
698 % src/curl https://sigsegv.ninja/ -v --http2
701 > Host: sigsegv.ninja
702 > User-Agent: curl/7.52.2-DEV
707 Daniel Stenberg (14 Jan 2017)
708 - TODO: send only part of --data
712 - TODO: implemened "--fail-fast to exit on first transfer fail"
714 Even though it is called --fail-early
716 - TODO: Chunked transfer multipart formpost
720 - TODO: Improve formpost API, not just add an easy argument
722 - addrinfo: fix compiler warning on offsetof() use
724 curl_addrinfo.c:519:20: error: conversion to ‘curl_socklen_t {aka
725 unsigned int}’ from ‘long unsigned int’ may alter its value
728 Follow-up to 1d786faee1046f
730 - THANKS-filter: Jiri Malak
732 - RELEASE-NOTES: synced with a7c73ae309c
734 Peter Wu (13 Jan 2017)
735 - [Isaac Boukris brought this change]
737 unix_socket: add support for abstract unix domain socket
739 In addition to unix domain sockets, Linux also supports an
740 abstract namespace which is independent of the filesystem.
742 In order to support it, add new CURLOPT_ABSTRACT_UNIX_SOCKET
743 option which uses the same storage as CURLOPT_UNIX_SOCKET_PATH
744 internally, along with a flag to specify abstract socket.
746 On non-supporting platforms, the abstract address will be
747 interpreted as an empty string and fail gracefully.
749 Also add new --abstract-unix-socket tool parameter.
751 Signed-off-by: Isaac Boukris <iboukris@gmail.com>
752 Reported-by: Chungtsun Li (typeless)
753 Reviewed-by: Daniel Stenberg
754 Reviewed-by: Peter Wu
758 Daniel Stenberg (13 Jan 2017)
759 - write-out.d: 'time_total' is not always shown with ms precision
761 We have higher resolution since 7.52.0
763 - next.d: --trace and --trace-ascii are also global
765 - [Isaac Boukris brought this change]
767 curl: reset the easy handle at --next
769 So that only "global" options (verbose mostly) survive into the next
770 transfer, and the others have to be set again unless default is fine.
772 - [Frank Gevaerts brought this change]
774 docs: Add note about libcurl copying strings to CURLOPT_* manpages
778 - [Frank Gevaerts brought this change]
780 CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char*
782 - IDN: Use TR46 non-transitional
784 Assisted-by: Tim Rühsen
786 - IDN: revert use of the transitional option
788 It made the german ß get converted to ss, IDNA2003 style, and we can't
789 have that for the .de TLD - a primary reason for our switch to IDNA2008.
793 - [Tim Rühsen brought this change]
795 IDN: Fix compile time detection of linidn2 TR46
797 Follow-up to f30cbcac1
801 - [ERAMOTO Masaya brought this change]
803 url: --noproxy option overrides NO_PROXY environment variable
805 Under condition using http_proxy env var, noproxy list was the
806 combination of --noproxy option and NO_PROXY env var previously. Since
807 this commit, --noproxy option overrides NO_PROXY environment variable
808 even if use http_proxy env var.
812 - [ERAMOTO Masaya brought this change]
814 url: Refactor detect_proxy()
816 If defined CURL_DISABLE_HTTP, detect_proxy() returned NULL. If not
817 defined CURL_DISABLE_HTTP, detect_proxy() checked noproxy list.
819 Thus refactor to set proxy to NULL instead of calling detect_proxy() if
820 define CURL_DISABLE_HTTP, and refactor to call detect_proxy() if not
821 define CURL_DISABLE_HTTP and the host is not in the noproxy list.
823 - [ERAMOTO Masaya brought this change]
825 url: Fix NO_PROXY env var to work properly with --proxy option.
827 The combination of --noproxy option and http_proxy env var works well
828 both for proxied hosts and non-proxied hosts.
830 However, when combining NO_PROXY env var with --proxy option,
831 non-proxied hosts are not reachable while proxied host is OK.
833 This patch allows us to access non-proxied hosts even if using NO_PROXY
834 env var with --proxy option.
836 - [Tim Rühsen brought this change]
838 IDN: Use TR46 'transitional' for toASCII translations
840 References: http://unicode.org/faq/idn.html
841 http://unicode.org/reports/tr46
845 - [railsnewbie257 brought this change]
847 docs: FAQ MAIL-ETIQUETTE language fixes
851 - [Marcus Hoffmann brought this change]
853 gnutls: check for alpn and ocsp in configure
855 Check for presence of gnutls_alpn_* and gnutls_ocsp_* functions during
856 configure instead of relying on the version number. GnuTLS has options
857 to turn these features off and we ca just work with with such builds
858 like we work with older versions.
860 Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com>
864 Jay Satiro (12 Jan 2017)
865 - url: Fix parsing for when 'file' is the default protocol
867 Follow-up to 3463408.
869 Prior to 3463408 file:// hostnames were silently stripped.
871 Prior to this commit it did not work when a schemeless url was used with
872 file as the default protocol.
874 Ref: https://curl.haxx.se/mail/lib-2016-11/0081.html
875 Closes https://github.com/curl/curl/pull/1124
877 Also fix for drive letters:
879 - Support --proto-default file c:/foo/bar.txt
881 - Support file://c:/foo/bar.txt
883 - Fail when a file:// drive letter is detected and not MSDOS/Windows.
885 Bug: https://github.com/curl/curl/issues/1187
886 Reported-by: Anatol Belski
887 Assisted-by: Anatol Belski
889 Daniel Stenberg (12 Jan 2017)
890 - rand: make it work without TLS backing
892 Regression introduced in commit f682156a4fc6c4
894 Reported-by: John Kohl
895 Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html
897 Jay Satiro (12 Jan 2017)
898 - STARTTLS: Don't print response character in denied messages
900 Both IMAP and POP3 response characters are used internally, but when
901 appended to the STARTTLS denial message likely could confuse the user.
903 Closes https://github.com/curl/curl/pull/1203
905 - smtp: Fix STARTTLS denied error message
907 - Format the numeric denial code as an integer instead of a character.
909 Daniel Stenberg (11 Jan 2017)
910 - http2_send: avoid unsigned integer wrap around
912 ... when checking for a too large request.
914 Jay Satiro (9 Jan 2017)
915 - [Jiri Malak brought this change]
917 cmake: Fix passing _WINSOCKAPI_ macro to compiler
919 Define _WINSOCKAPI_ blank rather than to 1 in order to match the value
920 used by Microsoft's winsock header files.
922 Closes https://github.com/curl/curl/pull/1195
924 Daniel Stenberg (9 Jan 2017)
925 - sws: retry send() on EWOULDBLOCK
927 Fixes spurious test 1060 and 1061 failures on OpenBSD, Solaris and more.
929 Bug: https://curl.haxx.se/mail/lib-2017-01/0009.html
930 Reported-by: Christian Weisgerber
932 - RELEASE-NOTES: synced with a41e8592d6b3e58
934 - examples: make the C++ examples follow our code style too
936 At least mostly, not counting // comments.
938 - [Aulddays brought this change]
940 asiohiper: improved socket handling
942 libcurl requires CURLMOPT_SOCKETFUNCTION to KEEP watching socket events
943 and notify back. Modify event_cb() to continue watching events when
948 Fixed-by: Mingliang Zhu
950 - [Jiří Malák brought this change]
952 lib506: fix build for Open Watcom
954 Rename symbol lock to locks to not clash with OW CRTL function name.
958 - ROADMAP: 2017 cleanup
960 Removed items already fixed, clarified a few others.
962 - COPYING: update the generic copyright year range
964 - docs/silent: mention --show-error in --silent description
967 Reported-by: Dan Jacobson
969 - docs/page-header: mention how to disable the progress meter
971 curl.1 is regenerated
975 Dan Fandrich (7 Jan 2017)
976 - wolfssl: display negotiated SSL version and cipher
978 - wolfssl: support setting cipher list
980 Patrick Monnerat (6 Jan 2017)
981 - CIPHERS.md: document GSKit ciphers
983 Jay Satiro (5 Jan 2017)
984 - [peterpih brought this change]
986 TheArtOfHttpScripting: grammar
988 Nick Zitzmann (3 Jan 2017)
989 - darwinssl: --insecure overrides --cacert if both settings are in use
993 Jay Satiro (2 Jan 2017)
994 - docs/libcurl: TCP_KEEPALIVE start and interval default to 60
996 Since the TCP keep-alive options were added in 705f0f7 the start and
997 interval default values have been 60, but that wasn't documented.
999 Bug: https://curl.haxx.se/mail/lib-2017-01/0000.html
1000 Reported-by: Praveen Pvs
1002 Daniel Stenberg (29 Dec 2016)
1003 - curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
1005 This error code was once introduced when some library was dynamically
1006 loaded and a funciton within said library couldn't be found.
1008 - content_encoding: change return code on a failure
1010 Failure to decompress is now a write error instead of the weird
1011 "function not found".
1013 - page-footer: error 36 is protocol agnostic!
1015 Jay Satiro (28 Dec 2016)
1016 - tool_operate: Fix --remote-time incorrect times on Windows
1018 - Use Windows API SetFileTime to set the file time instead of utime.
1020 Avoid utime on Windows if possible because it may apply a daylight
1021 saving time offset to our UTC file time.
1023 Bug: https://curl.haxx.se/mail/archive-2016-11/0033.html
1026 Closes https://github.com/curl/curl/pull/1121
1028 Daniel Stenberg (29 Dec 2016)
1029 - [Max Khon brought this change]
1031 digest_sspi: copy terminating NUL as well
1033 Curl_auth_decode_digest_http_message(): copy terminating NUL as later
1034 Curl_override_sspi_http_realm() expects a NUL-terminated string.
1038 - curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
1042 - [Kyselgov E.N brought this change]
1044 cmake: use crypt32.lib when building with OpenSSL on windows
1046 Reviewed-by: Peter Wu
1050 - [Chris Araman brought this change]
1052 darwinssl: fix CFArrayRef leak
1054 Reviewed-by: Nick Zitzmann
1057 - [Chris Araman brought this change]
1059 darwinssl: fix iOS build
1061 Reviewed-by: Nick Zitzmann
1064 - curl: remove superfluous include file
1066 The <netinet/tcp.h> is a leftover from the past when TCP socket options
1067 were set in this file. This include causes build issues on AIX 4.3.
1069 Reported-by: Kim Minjoong
1073 - RELEASE-NOTES: synced with a7b38c9dc98481e
1075 - vtls: s/SSLEAY/OPENSSL
1077 Fixed an old leftover use of the USE_SSLEAY define which would make a
1078 socket get removed from the applications sockets to monitor when the
1079 multi_socket API was used, leading to timeouts.
1083 - docs/ciphers: link to our own new page about ciphers
1085 ... as the former ones always go stale!
1087 - cmdline-opts/page-footer: add three more exit codes
1089 ... and regenerated curl.1
1091 - formdata: use NULL, not 0, when returning pointers
1093 - ftp: failure to resolve proxy should return that error code
1095 - configure: accept --with-libidn2 instead
1097 ... which the help text already implied since we switched to libidn2
1098 from libidn in commit 9c91ec778104ae3b back in October 2016.
1100 Reported-by: Christian Weisgerber
1101 Bug: https://curl.haxx.se/mail/lib-2016-12/0110.html
1103 - test1282: verify the ftp-gss check
1105 - ftp-gss: check for init before use
1107 To avoid dereferencing a NULL pointer.
1109 Reported-by: Daniel Romero
1111 Jay Satiro (24 Dec 2016)
1112 - build-wolfssl: Sync config with wolfSSL 3.10
1114 wolfSSL configure script relevant changes from 3.9 to 3.10:
1116 - DES3 no longer enabled by default
1117 - Shamir no longer enabled by default
1118 - Extended master secret enabled by default
1119 - RSA and ECC timing protections enabled by default
1121 For backwards compatibility I enabled DES3 and ECC shamir config options
1122 (ie no change from 3.9), and the other changes are included.
1124 - cyassl: use time_t instead of long for timeout
1126 Daniel Stenberg (23 Dec 2016)
1127 - bump: toward next release
1129 - http: remove "Curl_http_done: called premature" message
1131 ... it only confuses people.
1133 - openssl-random: check return code when asking for random
1135 and fail appropriately if it returns error
1137 - gnutls-random: check return code for failed random
1139 Version 7.52.1 (22 Dec 2016)
1141 Daniel Stenberg (22 Dec 2016)
1142 - RELEASE-NOTES: curl 7.52.1
1144 - lib557.c: use a shorter MAXIMIZE representation
1146 Since several compilers had problems with the previous one
1148 Reported-by: Ray Satiro
1149 Bug: https://curl.haxx.se/mail/lib-2016-12/0098.html
1151 - runtests: remove the valgrind parser
1153 Old legacy parsing that 1) hid problems for us and 2) probably isn't
1156 - [Kamil Dudka brought this change]
1158 randit: store the value in the buffer
1160 - tests/Makefile: run checksrc on debug builds
1162 ... just like we already do in src/ and lib/
1164 - lib557: move the "enable LONGLINE" to allow more long lines
1166 This file is riddled with them...
1168 - bump: toward next release
1170 Marcel Raad (21 Dec 2016)
1171 - lib: fix MSVC compiler warnings
1173 Visual C++ complained:
1174 warning C4267: '=': conversion from 'size_t' to 'long', possible loss of data
1175 warning C4701: potentially uninitialized local variable 'path' used
1177 Version 7.52.0 (20 Dec 2016)
1179 Daniel Stenberg (20 Dec 2016)
1180 - THANKS: 13 new contributors from 7.52.0
1182 - RELEASE-NOTES: 7.52.0
1184 - ssh: inhibit coverity warning with (void)
1186 CID 1397391 (#1 of 1): Unchecked return value (CHECKED_RETURN)
1188 - Curl_recv_has_postponed_data: silence compiler warnings
1190 Follow-up to d00f2a8f2
1192 Jay Satiro (19 Dec 2016)
1193 - tests: checksrc compliance
1195 - http_proxy: Fix proxy CONNECT hang on pending data
1197 - Check for pending data before waiting on the socket.
1199 Bug: https://github.com/curl/curl/issues/1156
1200 Reported-by: Adam Langley
1202 Daniel Stenberg (19 Dec 2016)
1203 - cmdline-opts/tlsv1.d: rephrased
1205 - [Dan McNulty brought this change]
1207 schannel: fix wildcard cert name validation on Win CE
1209 Fixes a few issues in manual wildcard cert name validation in
1210 schannel support code for Win32 CE:
1211 - when comparing the wildcard name to the hostname, the wildcard
1212 character was removed from the cert name and the hostname
1213 was checked to see if it ended with the modified cert name.
1214 This allowed cert names like *.com to match the connection
1215 hostname. This violates recommendations from RFC 6125.
1216 - when the wildcard name in the certificate is longer than the
1217 connection hostname, a buffer overread of the connection
1218 hostname buffer would occur during the comparison of the
1219 certificate name and the connection hostname.
1221 - printf: fix floating point buffer overflow issues
1223 ... and add a bunch of floating point printf tests
1225 - config-amigaos.h: (embarrassed) made the line shorter
1227 - config-amigaos.h: fix bug report email reference
1229 - RELEASE-NOTES: synced with 4517158abfeba
1231 - CIPHERS.md: backtick the names to show underscores fine
1233 - form-string.d: fix format mistake
1235 and regenerated curl.1
1237 Reported-by: Gisle Vanem
1239 Michael Kaufmann (18 Dec 2016)
1240 - openssl: simplify expression in Curl_ossl_version
1242 - curl_easy_recv: Improve documentation and example program
1244 Follow-up to 82245ea: Fix the example program sendrecv.c (handle
1245 CURLE_AGAIN, handle incomplete send). Improve the documentation
1246 for curl_easy_recv() and curl_easy_send().
1248 Reviewed-by: Frank Meier
1249 Assisted-by: Jay Satiro
1251 See https://github.com/curl/curl/pull/1134
1253 - [Isaac Boukris brought this change]
1255 Curl_getconnectinfo: avoid checking if the connection is closed
1257 It doesn't benefit us much as the connection could get closed at
1258 any time, and also by checking we lose the ability to determine
1259 if the socket was closed by reading zero bytes.
1261 Reported-by: Michael Kaufmann
1263 Closes https://github.com/curl/curl/pull/1134
1265 Daniel Stenberg (18 Dec 2016)
1266 - CIPHERS.md: attempt to document TLS cipher names
1268 As the official docs seems really hard to keep track of and link to over
1271 - curl.1: generated after 6cce4dbf830
1273 - cmdline-opts/post30X.d: fix the RFC references
1275 - curl.1: regenerated
1277 Fixed trailing whitespace and numerous formatting glitches
1279 - cmdline-opts: formatting fixes
1281 - curl_easy_setopt.3: removed CURLOPT_SOCKS_PROXYTYPE
1283 - tool_getparam.c: make comments use the up-to-date option names
1285 - manpage-scan.pl: allow deprecated options to get removed from curl.1
1287 --krb4, --ftp-ssl and --ftp-ssl-reqd no longer need to be documented in the
1290 - cmdline-opts/gen.pl: trim off trailing spaces
1292 - cmdline-opts/proxy-tlsuser.d: remove trailing .d
1294 - curl_easy_setopt.3: CURLOPT_PRE_PROXY instead of CURLOPT_SOCKS_PROXY
1296 - symbols: removed two, added one
1298 - cmdline-opts: include the man page split up files in the dist
1300 - curl.1: generated with gen.pl
1302 This is the first time we replace the manually edited curt.1 with the
1303 generated one created by gen.pl and the individual option documentation
1306 Do not edit this file, edit the individual pages and regenerate this
1309 This file will be generated by the build system soon and then removed
1312 - cmdline-opts: added some missing info
1314 - CURLINFO_SSL_VERIFYRESULT.3: language
1316 - HTTPS-PROXY docs: update/polish
1318 - cmdline-opts/page-header: mention it is generated
1320 ... to avoid people from trying to edit the pending curl.1 version that
1321 gets generated by gen.pl
1323 - preproxy: renamed what was added as SOCKS_PROXY
1325 CURLOPT_SOCKS_PROXY -> CURLOPT_PRE_PROXY
1327 Added the corresponding --preroxy command line option. Sets a SOCKS
1328 proxy to connect to _before_ connecting to a HTTP(S) proxy.
1330 - curl: normal socks proxies still use CURLOPT_PROXY
1332 ... the newly introduced CURLOPT_SOCKS_PROXY is special and should be
1333 asked for specially. (Needs new code.)
1335 Unified proxy type to a single variable in the config struct.
1337 - CURLOPT_SOCKS_PROXYTYPE: removed
1339 This was added as part of the SOCKS+HTTPS proxy merge but there's no
1340 need to support this as we prefer to have the protocol specified as a
1343 - curl_multi_socket.3: fix typo
1345 - checksrc: warn for assignments within if() expressions
1347 ... they're already frowned upon in our source code style guide, this
1348 now enforces the rule harder.
1350 - checksrc: stricter no-space-before-paren enforcement
1352 In order to make the code style more uniform everywhere
1354 - ISSUE_TEMPLATE: try mentioning known bugs/todo in new issue template
1356 - RELEASE-NOTES: synced with 71a55534fa6
1358 - [Adam Langley brought this change]
1360 openssl: don't use OpenSSL's ERR_PACK.
1362 ERR_PACK is an internal detail of OpenSSL. Also, when using it, a
1363 function name must be specified which is overly specific: the test will
1364 break whenever OpenSSL internally change things so that a different
1365 function creates the error.
1369 Dan Fandrich (5 Dec 2016)
1370 - test2032: Mark test as flaky
1372 Jay Satiro (3 Dec 2016)
1373 - [Jeremy Pearson brought this change]
1375 libcurl-multi.3: typo
1377 Closes https://github.com/curl/curl/pull/1153
1379 Dan Fandrich (2 Dec 2016)
1380 - test1281: added http as a required feature
1382 Daniel Stenberg (2 Dec 2016)
1383 - curl: support zero-length argument strings in config files
1385 ... like 'user-agent = ""'
1387 Adjusted test 71 to verify.
1389 - http_proxy: simplify CONNECT response reading
1391 Since it now reads responses one byte a time, a loop could be removed
1392 and it is no longer limited to get the whole response within 16K, it is
1393 now instead only limited to 16K maximum header line lengths.
1395 - tests: fix CONNECT test cases to be more strict
1397 ... as they broke with the cleaned up CONNECT handling
1399 - CONNECT: read responses one byte at a time
1401 ... so that it doesn't read data that is actually coming from the
1402 remote. 2xx responses have no body from the proxy, that data is from the
1407 - CONNECT: reject TE or CL in 2xx responses
1409 A server MUST NOT send any Transfer-Encoding or Content-Length header
1410 fields in a 2xx (Successful) response to CONNECT. (RFC 7231 section
1413 Also fixes the three test cases that did this.
1415 - URL parser: reject non-numerical port numbers
1417 Test 1281 added to verify
1419 Dan Fandrich (30 Nov 2016)
1420 - runtests: made Servers: output be more consistent by removing OFF
1422 - cyassl: fixed typo introduced in 4f8b1774
1424 Michael Kaufmann (30 Nov 2016)
1425 - CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries properly
1427 If a port number in a "connect-to" entry does not match, skip this
1428 entry instead of connecting to port 0.
1430 If a port number in a "connect-to" entry matches, use this entry
1431 and look no further.
1433 Reported-by: Jay Satiro
1434 Assisted-by: Jay Satiro, Daniel Stenberg
1438 Daniel Stenberg (29 Nov 2016)
1439 - BUGS: describe bug handling process
1441 - RELEASE-NOTES: synced with 19613fb3
1443 Jay Satiro (28 Nov 2016)
1444 - http2: check nghttp2_session_set_local_window_size exists
1446 The function only exists since nghttp2 1.12.0.
1448 Bug: https://github.com/curl/curl/commit/a4d8888#commitcomment-19985676
1449 Reported-by: Michael Kaufmann
1451 Daniel Stenberg (28 Nov 2016)
1452 - [Anders Bakken brought this change]
1454 http2: Fix crashes when parent stream gets aborted
1458 - cmdline-docs: more options converted and fixed
1460 Now all options are in the new system.
1462 - gen: include footer in mainpage output
1464 Jay Satiro (28 Nov 2016)
1465 - lib1536: checksrc compliance
1467 Daniel Stenberg (28 Nov 2016)
1468 - cmdline-opts: more command line options documented
1470 Moved over to the new format
1472 - curl: remove --proxy-ssl* options
1474 There's mostly likely no need to allow setting SSLv2/3 version for HTTPS
1475 proxy. Those protocols are insecure by design and deprecated.
1477 - CURLOPT_PROXY_*.3: polished some proxy option man pages
1479 Patrick Monnerat (26 Nov 2016)
1480 - os400: support CURLOPT_PROXY_PINNEDPUBLICKEY
1482 Also define it in ILE/RPG binding.
1484 Daniel Stenberg (26 Nov 2016)
1485 - [Okhin Vasilij brought this change]
1487 curl_version_info: add CURL_VERSION_HTTPS_PROXY
1491 - [Frank Gevaerts brought this change]
1493 tests: Add some testcases for recent new features.
1495 Add missing tests for CURLINFO_SCHEME, CURLINFO_PROTOCOL, %{scheme},
1500 - [Frank Gevaerts brought this change]
1502 curl_easy_reset: clear info for CULRINFO_PROTOCOL and CURLINFO_SCHEME
1504 - CURLOPT_PROXY_CAINFO.3: clarify proxy use
1506 - CURLOPT_PROXY_CRLFILE.3: clarify https proxy and availability
1508 - curl_easy_setopt.3: add CURLOPT_PROXY_PINNEDPUBLICKEY
1510 Follow-up to 4f8b17743d7c55a
1512 - docs: include all opts man pages in dist
1514 Sorted the lists too.
1516 ... and include the new ones in the PDF and HTML generation targets
1518 - [Thomas Glanzmann brought this change]
1520 HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY
1522 - [Thomas Glanzmann brought this change]
1524 url: proxy: Use 443 as default port for https proxies
1526 - TODO: removed "HTTPS proxy"
1528 - [Jan-E brought this change]
1530 winbuild: add config option ENABLE_NGHTTP2
1534 Jay Satiro (24 Nov 2016)
1535 - tool_urlglob: Improve sanity check in glob_range
1537 Prior to this change we depended on errno if strtol could not perform a
1538 conversion. POSIX says EINVAL *may* be set. Some implementations like
1539 Microsoft's will not set it if there's no conversion.
1541 Ref: https://github.com/curl/curl/commit/ee4f7660#commitcomment-19658189
1543 - tool_help: Change description for --retry-connrefused
1545 Ref: https://github.com/curl/curl/pull/1064#issuecomment-260052409
1547 Patrick Monnerat (25 Nov 2016)
1548 - os400: sync ILE/RPG binding
1550 Jay Satiro (24 Nov 2016)
1551 - test1135: Fix curl_easy_duphandle prototype for code style
1553 Follow-up to dbadaeb which changed the style.
1555 - x509asn1: Restore the parameter check in Curl_getASN1Element
1557 - Restore the removed parts of the parameter check.
1559 Follow-up to 945f60e which altered the parameter check.
1561 Daniel Stenberg (25 Nov 2016)
1562 - RELEASE-NOTES: update option counters
1564 - [Frank Gevaerts brought this change]
1566 add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
1568 Adds access to the effectively used protocol/scheme to both libcurl and
1569 curl, both in string and numeric (CURLPROTO_*) form.
1571 Note that the string form will be uppercase, as it is just the internal
1574 As these strings are declared internally as const, and all other strings
1575 returned by curl_easy_getinfo() are de-facto const as well, string
1576 handling in getinfo.c got const-ified.
1580 - RELEASE-NOTES: synced with 63198a4750aeb
1582 - curl.1: the new --proxy options ship in 7.52.0
1584 - checksrc: move open braces to comply with function declaration style
1586 - checksrc: detect wrongly placed open braces in func declarations
1588 - checksrc: white space edits to comply to stricter checksrc
1590 - checksrc: verify ASTERISKNOSPACE
1592 Detects (char*) and 'char*foo' uses.
1594 - checksrc: code style: use 'char *name' style
1596 - checksrc: add ASTERISKSPACE
1598 Verifies a 'char *name' style, with no space after the asterisk.
1600 - openssl: remove dead code
1602 Coverity CID 1394666
1604 - [Okhin Vasilij brought this change]
1606 HTTPS-proxy: fixed mbedtls and polishing
1608 - darwinssl: adopted to the HTTPS proxy changes
1610 It builds and runs all test cases. No adaptations for actual HTTPS proxy
1611 support has been made.
1613 - gtls: fix indent to silence compiler warning
1615 vtls/gtls.c: In function ‘Curl_gtls_data_pending’:
1616 vtls/gtls.c:1429:3: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
1617 if(conn->proxy_ssl[connindex].session &&
1619 vtls/gtls.c:1433:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
1622 - [Thomas Glanzmann brought this change]
1624 mbedtls: Fix compile errors
1626 - [Alex Rousskov brought this change]
1628 proxy: Support HTTPS proxy and SOCKS+HTTP(s)
1632 An HTTPS proxy receives all transactions over an SSL/TLS connection.
1633 Once a secure connection with the proxy is established, the user agent
1634 uses the proxy as usual, including sending CONNECT requests to instruct
1635 the proxy to establish a [usually secure] TCP tunnel with an origin
1636 server. HTTPS proxies protect nearly all aspects of user-proxy
1637 communications as opposed to HTTP proxies that receive all requests
1638 (including CONNECT requests) in vulnerable clear text.
1640 With HTTPS proxies, it is possible to have two concurrent _nested_
1641 SSL/TLS sessions: the "outer" one between the user agent and the proxy
1642 and the "inner" one between the user agent and the origin server
1643 (through the proxy). This change adds supports for such nested sessions
1646 A secure connection with a proxy requires its own set of the usual SSL
1647 options (their actual descriptions differ and need polishing, see TODO):
1649 --proxy-cacert FILE CA certificate to verify peer against
1650 --proxy-capath DIR CA directory to verify peer against
1651 --proxy-cert CERT[:PASSWD] Client certificate file and password
1652 --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG)
1653 --proxy-ciphers LIST SSL ciphers to use
1654 --proxy-crlfile FILE Get a CRL list in PEM format from the file
1655 --proxy-insecure Allow connections to proxies with bad certs
1656 --proxy-key KEY Private key file name
1657 --proxy-key-type TYPE Private key file type (DER/PEM/ENG)
1658 --proxy-pass PASS Pass phrase for the private key
1659 --proxy-ssl-allow-beast Allow security flaw to improve interop
1660 --proxy-sslv2 Use SSLv2
1661 --proxy-sslv3 Use SSLv3
1662 --proxy-tlsv1 Use TLSv1
1663 --proxy-tlsuser USER TLS username
1664 --proxy-tlspassword STRING TLS password
1665 --proxy-tlsauthtype STRING TLS authentication type (default SRP)
1667 All --proxy-foo options are independent from their --foo counterparts,
1668 except --proxy-crlfile which defaults to --crlfile and --proxy-capath
1669 which defaults to --capath.
1671 Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
1672 similar to the existing %{ssl_verify_result} variable.
1674 Supported backends: OpenSSL, GnuTLS, and NSS.
1676 * A SOCKS proxy + HTTP/HTTPS proxy combination:
1678 If both --socks* and --proxy options are given, Curl first connects to
1679 the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
1682 TODO: Update documentation for the new APIs and --proxy-* options.
1683 Look for "Added in 7.XXX" marks.
1685 Patrick Monnerat (24 Nov 2016)
1686 - Declare endian read functions argument as a const pointer.
1687 This is done for all functions of the form Curl_read[136][624]_[lb]e.
1689 - Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.
1692 Jay Satiro (22 Nov 2016)
1693 - url: Fix conn reuse for local ports and interfaces
1695 - Fix connection reuse for when the proposed new conn 'needle' has a
1696 specified local port but does not have a specified device interface.
1698 Bug: https://curl.haxx.se/mail/lib-2016-11/0137.html
1699 Reported-by: bjt3[at]hotmail.com
1701 Daniel Stenberg (21 Nov 2016)
1702 - rand: pass in number of randoms as an unsigned argument
1704 Jay Satiro (20 Nov 2016)
1705 - rand: Fix potentially uninitialized result warning
1707 Marcel Raad (19 Nov 2016)
1708 - vtls: fix build warnings
1710 Fix warnings about conversions from long to time_t in openssl.c and
1713 Follow-up to de4de4e3c7c
1715 Daniel Stenberg (18 Nov 2016)
1716 - [Marcel Raad brought this change]
1718 lib: fix compiler warnings after de4de4e3c7c
1720 Visual C++ now complains about implicitly casting time_t (64-bit) to
1721 long (32-bit). Fix this by changing some variables from long to time_t,
1722 or explicitly casting to long where the public interface would be
1727 Peter Wu (17 Nov 2016)
1728 - [Isaac Boukris brought this change]
1730 Don't mix unix domain sockets with regular ones
1732 When reusing a connection, make sure the unix domain
1733 socket option matches.
1735 Jay Satiro (17 Nov 2016)
1736 - tests: Fix HTTP2-Settings header for huge window size
1738 Follow-up to a4d8888. Changing the window size in that commit resulted
1739 in a different HTTP2-Settings upgrade header, causing test 1800 to fail.
1741 - http2: Use huge HTTP/2 windows
1743 - Improve performance by using a huge HTTP/2 window size.
1745 Bug: https://github.com/curl/curl/issues/1102
1746 Reported-by: afrind@users.noreply.github.com
1747 Assisted-by: Tatsuhiro Tsujikawa
1749 Daniel Stenberg (16 Nov 2016)
1750 - cmdline-docs: more conversion
1752 - gen: support 'protos'
1754 and warn on unrecognized lines
1756 - gen: support 'single' to make an individual page man page
1758 - cmdline-docs: more options converted over
1760 - gen: support 'redirect'
1762 ... and warn for too long --help lines
1764 - cmdline/gen: replace options in texts better
1766 Jay Satiro (16 Nov 2016)
1767 - http2: Fix address sanitizer memcpy warning
1769 - In Curl_http2_switched don't call memcpy when src is NULL.
1771 Curl_http2_switched can be called like:
1773 Curl_http2_switched(conn, NULL, 0);
1775 .. and prior to this change memcpy was then called like:
1777 memcpy(dest, NULL, 0)
1779 .. causing address sanitizer to warn:
1781 http2.c:2057:3: runtime error: null pointer passed as argument 2, which
1782 is declared to never be null
1784 - tool_help: Clarify --dump-header only writes received headers
1786 - curl.1: Clarify --dump-header only writes received headers
1788 Daniel Stenberg (15 Nov 2016)
1789 - [Alex Chan brought this change]
1791 docs: Spelling fixes
1793 Kamil Dudka (15 Nov 2016)
1794 - docs: the next release will be 7.52.0
1796 Daniel Stenberg (15 Nov 2016)
1797 - cmdline-opts: support generating the --help output
1799 - [David Schweikert brought this change]
1801 darwinssl: fix SSL client certificate not found on MacOS Sierra
1803 Reviewed-by: Nick Zitzmann
1807 - curl: add --fail-early to help output
1809 Fixes test 1139 failures
1811 Follow-up to f82bbe01c8835
1813 - glob: fix [a-c] globbing regression
1815 Brought in ee4f76606cf
1817 Added test case 1280 to verify
1819 Reported-by: Dave Reisner
1821 Bug: https://github.com/curl/curl/commit/ee4f76606cfa4ee068bf28edd37c8dae7e8db317#commitcomment-19823146
1823 - curl: add --fail-early
1825 Exit with an error on the first transfer error instead of continuing to
1826 do the rest of the URLs.
1828 Discussion: https://curl.haxx.se/mail/archive-2016-11/0038.html
1830 - Curl_rand: fixed and moved to rand.c
1832 Now Curl_rand() is made to fail if it cannot get the necessary random
1835 Changed the proto of Curl_rand() slightly to provide a number of ints at
1838 Moved out from vtls, since it isn't a TLS function and vtls provides
1839 Curl_ssl_random() for this to use.
1841 Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
1843 - cmdline-opts: first test version of a new man page generator kit
1845 See MANPAGE.md for the description of how this works. Each command line
1846 option is now described in a separate .d file.
1848 - time_t fix: follow-up to de4de4e3c7c
1850 Blah, I accidentally wrote size_t instead of time_t for two variables.
1852 Reported-by: Dave Reisner
1854 - timeval: prefer time_t to hold seconds instead of long
1856 ... as long is still 32bit on modern 64bit windows machines, while
1857 time_t is generally 64bit.
1859 Dan Fandrich (12 Nov 2016)
1860 - tests: fixed variable might be clobbered warning
1862 This stops the compiler from potentially making invalid assumptions
1863 about the immutability of sdp and sap across the longjmp boundary.
1865 Daniel Stenberg (12 Nov 2016)
1866 - RELEASE-NOTES: synced with 346340808c
1868 - URL-parser: for file://[host]/ URLs, the [host] must be localhost
1870 Previously, the [host] part was just ignored which made libcurl accept
1871 strange URLs misleading users. like "file://etc/passwd" which might've
1872 looked like it refers to "/etc/passwd" but is just "/passwd" since the
1873 "etc" is an ignored host name.
1875 Reported-by: Mike Crowe
1876 Assisted-by: Kamil Dudka
1878 - test558: adapt to 0649433da
1880 - openssl: make sure to fail in the unlikely event that PRNG seeding fails
1882 - openssl: avoid unnecessary seeding if already done
1884 1.1.0+ does more of this by itself so we can avoid extra processing this
1887 - openssl: RAND_status always exists in OpenSSL >= 0.9.7
1889 and remove RAND_screen from configure since nothing is using that
1892 - Curl_pgrsUpdate: use dedicated function for time passed
1894 - realloc: use Curl_saferealloc to avoid common mistakes
1896 Discussed: https://curl.haxx.se/mail/lib-2016-11/0087.html
1898 - [Daniel Hwang brought this change]
1900 curl: Add --retry-connrefused
1902 to consider ECONNREFUSED as a transient error.
1906 - openssl: raise the max_version to 1.3 if asked for
1908 Now I've managed to negotiate TLS 1.3 with https://enabled.tls13.com/ when
1911 Jay Satiro (9 Nov 2016)
1912 - vtls: Fail on unrecognized param for CURLOPT_SSLVERSION
1914 - Fix GnuTLS code for CURL_SSLVERSION_TLSv1_2 that broke when the
1915 TLS 1.3 support was added in 6ad3add.
1917 - Homogenize across code for all backends the error message when TLS 1.3
1918 is not available to "<backend>: TLS 1.3 is not yet supported".
1920 - Return an error when a user-specified ssl version is unrecognized.
1924 Prior to this change our code for some of the backends used the
1925 'default' label in the switch statement (ie ver unrecognized) for
1926 ssl.version and treated it the same as CURL_SSLVERSION_DEFAULT.
1928 Bug: https://curl.haxx.se/mail/lib-2016-11/0048.html
1929 Reported-by: Kamil Dudka
1931 Daniel Stenberg (9 Nov 2016)
1932 - [Isaac Boukris brought this change]
1934 SPNEGO: Fix memory leak when authentication fails
1936 If SPNEGO fails, cleanup the negotiate handle right away.
1940 Signed-off-by: Isaac Boukris <iboukris@gmail.com>
1941 Reported-by: ashman-p
1943 - CODE_STYLE.md: link to INTERNALS.md correctly
1945 - bump: next version will be 7.52.0
1947 - RELEASE-NOTES: synced with dfcdaaba371e9a3
1949 - examples/fileupload.c: fclose the file as well
1951 - printf: fix ".*f" handling
1953 It would always use precision 1 instead of reading it from the argument
1956 Reported-by: Ray Satiro
1960 - curl_formadd.3: *_FILECONTENT and *_FILE need the file to be kept
1962 Reported-by: Frank Gevaerts
1964 Kamil Dudka (7 Nov 2016)
1965 - nss: silence warning 'SSL_NEXT_PROTO_EARLY_VALUE not handled in switch'
1967 ... with nss-3.26.0 and newer
1969 Reported-by: Daniel Stenberg
1971 Daniel Stenberg (7 Nov 2016)
1972 - openssl: initial TLS 1.3 adaptions
1974 BoringSSL supports TLSv1.3 already, but these changes don't seem to be anough
1977 - ssh: check md5 fingerprints case insensitively (regression)
1979 Revert the change from ce8d09483eea but use the new function
1981 Reported-by: Kamil Dudka
1982 Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146
1984 Kamil Dudka (7 Nov 2016)
1985 - curl: introduce the --tlsv1.3 option to force TLS 1.3
1987 Fully implemented with the NSS backend only for now.
1989 Reviewed-by: Ray Satiro
1991 - vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
1993 Fully implemented with the NSS backend only for now.
1995 Reviewed-by: Ray Satiro
1997 - nss: map CURL_SSLVERSION_DEFAULT to NSS default
1999 ... but make sure we use at least TLSv1.0 according to libcurl API
2002 Reviewed-by: Ray Satiro
2004 Daniel Stenberg (7 Nov 2016)
2007 We're mostly saying just "curl" in lower case these days so here's a big
2008 cleanup to adapt to this reality. A few instances are left as the
2009 project could still formally be considered called cURL.
2011 Jay Satiro (7 Nov 2016)
2012 - [Tatsuhiro Tsujikawa brought this change]
2014 http2: Don't send header fields prohibited by HTTP/2 spec
2016 Previously, we just ignored "Connection" header field. But HTTP/2
2017 specification actually prohibits few more header fields. This commit
2018 ignores all of them so that we don't send these bad header fields.
2020 Bug: https://curl.haxx.se/mail/archive-2016-10/0033.html
2021 Reported-by: Ricki Hirner
2023 Closes https://github.com/curl/curl/pull/1092
2025 Daniel Stenberg (7 Nov 2016)
2026 - curl.1: explain the SMTP data expected for -T
2030 Reported-by: Adam Piggott
2032 Peter Wu (6 Nov 2016)
2033 - cmake: disable poll for macOS
2035 Mirrors the autotools behavior introduced with curl-7_50_3-83-ga34c7ce.
2039 Jay Satiro (5 Nov 2016)
2040 - easy: Initialize info variables on easy init and duphandle
2042 - Call Curl_initinfo on init and duphandle.
2044 Prior to this change the statistical and informational variables were
2045 simply zeroed by calloc on easy init and duphandle. While zero is the
2046 correct default value for almost all info variables, there is one where
2047 it isn't (filetime initializes to -1).
2049 Bug: https://github.com/curl/curl/issues/1103
2050 Reported-by: Neal Poole
2052 Daniel Stenberg (5 Nov 2016)
2053 - [Mauro Rappa brought this change]
2055 curl -w: added more decimal digits to timing counters
2057 Now showing microsecond resolution.
2061 Jakub Zakrzewski (4 Nov 2016)
2062 - dist: add CMakeLists.txt to the tarball
2064 Daniel Stenberg (4 Nov 2016)
2065 - mbedtls: fix build with mbedtls versions < 2.4.0
2067 Regression added in 62a8095e714
2069 Reported-by: Tony Kelman
2073 - configure: verify that compiler groks -Werror=partial-availability
2075 Reported-by: bemoody
2079 - docs: shorten and simplify the top comment in multi-uv.c
2081 and change URL to use https
2083 - [Andrei Sedoi brought this change]
2085 docs: handle CURL_POLL_INOUT in multi-uv example
2087 - [Andrei Sedoi brought this change]
2089 docs: multi-uv: don't use CURLMsg after cleanup
2091 - [Andrei Sedoi brought this change]
2093 docs: remove unused variables in multi-uv example
2095 - bump: start working on 7.51.1
2097 - winbuild: remove strcase.obj from curl build
2099 Reported-by: Bruce Stephens
2103 Dan Fandrich (2 Nov 2016)
2104 - msvc: removed a straggling reference to strequal.c
2106 Follow-up to 502acba2
2108 Version 7.51.0 (2 Nov 2016)
2110 Daniel Stenberg (2 Nov 2016)
2111 - THANKS: synced with 7.51.0
2113 - RELEASE-NOTES: 7.51.0
2115 - ftp_done: don't clobber the passed in error code
2117 Coverity CID 1374359 pointed out the unused result value.
2119 - ftp: remove dead code in ftp_done
2121 Coverity CID 1374358
2123 Jay Satiro (1 Nov 2016)
2124 - generate.bat: Include include/curl in libcurl VS projects
2126 .. because including those headers helps Visual Studio's Intellisense.
2128 - generate.bat: Remove strcase.[ch] from curl tool VS projects
2130 ..because they're no longer needed in the tool build. strcase is still
2131 built by the libcurl project and exports curl_str(n)equal which is used
2134 Bug: https://github.com/curl/curl/commit/9363f1a#all_commit_comments
2136 Daniel Stenberg (2 Nov 2016)
2137 - metalink: simplify the hex parsing function
2139 ... and now it avoids using the libcurl toupper() function
2141 Michael Kaufmann (1 Nov 2016)
2142 - file: fix compiler warning
2144 follow-up to 46133aa5
2146 Dan Fandrich (1 Nov 2016)
2147 - strcase: fixed Metalink builds by redefining checkprefix()
2149 ...to use the public function curl_strnequal(). This isn't ideal because
2150 it adds extra overhead to any internal calls to checkprefix.
2152 follow-up to 95bd2b3e
2154 Daniel Stenberg (1 Nov 2016)
2157 - curl.1: expand on how multiple uses of -o looks
2159 Suggested-by: Dan Jacobson
2160 Issue: https://github.com/curl/curl/issues/1097
2162 - tests/util: get a private strncasecompare clone
2164 ... since the curlx_* code no longer provides one and we don't link
2165 libcurl to these test servers.
2167 - strcase: make the tool use curl_str[n]equal instead
2169 As they are after all part of the public API. Saves space and reduces
2170 complexity. Remove the strcase defines from the curlx_ family.
2172 Suggested-by: Dan Fandrich
2173 Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
2175 Kamil Dudka (31 Oct 2016)
2176 - gskit, nss: do not include strequal.h
2178 follow-up to 811a693b80
2180 Dan Fandrich (31 Oct 2016)
2181 - strcasecompare: include curl.h in strcase.c
2183 This should fix the "warning: 'curl_strequal' redeclared without
2184 dllimport attribute: previous dllimport ignored" message and subsequent
2185 link error on Windows because of the missing CURL_EXTERN on the
2188 Daniel Stenberg (31 Oct 2016)
2189 - strcase: fix the remaining rawstr users
2191 - msvc builds: s/rawstr/strcase
2193 Follow-up to 811a693b
2195 Dan Fandrich (31 Oct 2016)
2196 - strcasecompare: replaced remaining rawstr.h with strcase.h
2198 This is a followup to commit 811a693b
2200 Marcel Raad (31 Oct 2016)
2201 - digest_sspi: fix include
2203 Fix compile break from 811a693b80
2205 Dan Fandrich (31 Oct 2016)
2206 - libauthretry: use the external function curl_strequal
2208 The internal version strcasecompare isn't available outside libcurl
2210 Daniel Stenberg (31 Oct 2016)
2211 - RELEASE-NOTES: synced with d14538d2501ef0da
2213 - configure: raise the default minimum version for macos to 10.8
2215 follow-up to 4f8d0b6f02aa7043. Since the darwinssl code breaks
2216 otherwise. If you build without darwinssl 10.5 works fine.
2218 - unit1301: keep testing curl_strequal
2220 as that is still part of the API, fix from 8fe4bd084412f30
2224 Fix bug from 811a693b80
2226 - url: remove unconditional idn2.h include
2228 Mistake brought by 9c91ec778104a
2230 - curl_strequal: part of public API/ABI, needs to be kept
2232 These two public functions have been mentioned as deprecated since a
2233 very long time but since they are still part of the API and ABI we need
2234 to keep them around.
2236 - strcase: s/strequal/strcasecompare
2238 some more follow-ups to 811a693b80
2240 - ldap: fix strcase use
2242 follow-up to 811a693b80
2244 - test165: adapted to the libidn2 use and IDNA2008 fix
2246 - cookie: replace use of fgets() with custom version
2248 ... that will ignore lines that are too long to fit in the buffer.
2252 Bug: https://curl.haxx.se/docs/adv_20161102A.html
2255 - strcasecompare: all case insensitive string compares ignore locale now
2257 We had some confusions on when each function was used. We should not act
2258 differently on different locales anyway.
2260 - strcasecompare: is the new name for strequal()
2262 ... to make it less likely that we forget that the function actually
2263 does case insentive compares. Also replaced several invokes of the
2264 function with a plain strcmp when case sensitivity is not an issue (like
2265 comparing with "-").
2267 - ftp: check for previous patch must be case sensitive!
2269 ... otherwise example.com/PATH and example.com/path would be assumed to
2270 be the same and they usually aren't!
2272 - SSH: check md5 fingerprint case sensitively
2274 - connectionexists: use case sensitive user/password comparisons
2278 Bug: https://curl.haxx.se/docs/adv_20161102B.html
2281 - base64: check for integer overflow on large input
2285 Bug: https://curl.haxx.se/docs/adv_20161102C.html
2288 - krb5: avoid realloc(0)
2290 If the requested size is zero, bail out with error instead of doing a
2291 realloc() that would cause a double-free: realloc(0) acts as a free()
2292 and then there's a second free in the cleanup path.
2296 Bug: https://curl.haxx.se/docs/adv_20161102E.html
2299 - aprintf: detect wrap-around when growing allocation
2301 On 32bit systems we could otherwise wrap around after 2GB and allocate 0
2306 Bug: https://curl.haxx.se/docs/adv_20161102D.html
2309 - range: reject char globs with missing end like '[L-]'
2311 ... which previously would lead to out of boundary reads.
2313 Reported-by: Luật Nguyễn
2315 - glob_next_url: make sure to stay within the given output buffer
2317 - range: prevent negative end number in a glob range
2321 Bug: https://curl.haxx.se/docs/adv_20161102F.html
2322 Reported-by: Luật Nguyễn
2324 - parsedate: handle cut off numbers better
2326 ... and don't read outside of the given buffer!
2330 bug: https://curl.haxx.se/docs/adv_20161102G.html
2331 Reported-by: Luật Nguyễn
2333 - escape: avoid using curl_easy_unescape() internally
2335 Since the internal Curl_urldecode() function has a better API.
2337 - unescape: avoid integer overflow
2341 Bug: https://curl.haxx.se/docs/adv_20161102H.html
2344 - cookies: getlist() now holds deep copies of all cookies
2346 Previously it only held references to them, which was reckless as the
2347 thread lock was released so the cookies could get modified by other
2348 handles that share the same cookie jar over the share interface.
2352 Bug: https://curl.haxx.se/docs/adv_20161102I.html
2355 - TODO: remove IDNA2008
2357 - idn: switch to libidn2 use and IDNA2008 support
2361 Bug: https://curl.haxx.se/docs/adv_20161102K.html
2362 Reported-by: Christian Heimes
2364 - test1246: verify URL parsing with host name ending with '#'
2366 - urlparse: accept '#' as end of host name
2368 'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
2369 for the '/' document with the rest of the URL being a fragment.
2373 Bug: https://curl.haxx.se/docs/adv_20161102J.html
2374 Reported-by: Fernando Muñoz
2376 Jay Satiro (31 Oct 2016)
2377 - INTERNALS: better markdown (follow-up)
2379 - Wrap more words with underscores in backticks.
2381 Follow-up to 13f4913.
2383 Daniel Stenberg (30 Oct 2016)
2384 - INTERNALS: better markdown
2386 words with underscore need to be within `these`
2388 Bug: https://github.com/curl/curl-www/issues/19
2389 Reported-by : Jay Satiro
2391 Jay Satiro (30 Oct 2016)
2392 - mk-ca-bundle.vbs: Fix UTF-8 output
2394 - Change initial message box to mention delay when downloading/parsing.
2396 Since there is no progress meter it was somewhat unexpected that after
2397 choosing a filename nothing appears to happen, when actually the cert
2398 data is in the process of being downloaded and parsed.
2400 - Warn if OpenSSL is not present.
2402 - Use a UTF-8 stream to make the ca-bundle data.
2404 - Save the UTF-8 ca-bundle stream as binary so that no BOM is added.
2408 This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
2409 ANSI due to corrupt UTF-8 output, now fixed.
2411 This change completes making the default certificate bundle output of
2412 mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
2413 should make it easier to review any difference between their output.
2415 Ref: https://github.com/curl/curl/pull/1012
2417 Daniel Stenberg (28 Oct 2016)
2418 - BINDINGS: converted to markdown
2420 To make it render better on the web site, at the price of it becoming
2421 slightly less readable as text.
2423 Jay Satiro (27 Oct 2016)
2424 - CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
2426 - Clarify that this option is only for HTTP/1.1 pipelining.
2428 Bug: https://github.com/curl/curl/issues/1059
2429 Reported-by: Jeroen Ooms
2431 Assisted-by: Daniel Stenberg
2433 Daniel Stenberg (27 Oct 2016)
2434 - KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
2438 - KNOWN_BUGS: c-ares deviates from stock resolver on http://1346569778
2442 Michael Osipov (27 Oct 2016)
2443 - configure.in: Fix test syntax
2445 Some versions of test allow == for equality, but others (such as the HP-UX
2446 version) do not. Use a single = for correctness.
2449 checking for monotonic clock_gettime... ./configure[20445]: ==: A test command parameter is not valid.
2451 Daniel Stenberg (27 Oct 2016)
2452 - SECURITY: minor updates
2454 - we allow the security push up to 48 hours before the release
2456 - add a mention about possible pre-notifications
2458 - lower case the 'curl-security' title
2460 - [Andrei Sedoi brought this change]
2462 docs: fix req->data in multi-uv example
2466 - mbedtls: stop using deprecated include file
2468 Reported-by: wyattoday
2471 Kamil Dudka (25 Oct 2016)
2472 - [Martin Frodl brought this change]
2474 nss: fix tight loop in non-blocking TLS handhsake over proxy
2476 ... in case the handshake completes before entering
2477 CURLM_STATE_PROTOCONNECT
2479 Bug: https://bugzilla.redhat.com/1388162
2481 Jay Satiro (25 Oct 2016)
2482 - mk-ca-bundle: Update the vbscript version
2484 Bring the VBScript version more in line with the perl version:
2486 - Change timestamp to UTC.
2488 - Change URL retrieval to HTTPS-only by default.
2490 - Comment out the options that disabled SSL cert checking by default.
2492 - Assume OpenSSL is present, get SHA256. And add a flag to toggle it.
2494 - Fix cert issuer name output.
2496 The cert issuer output is now ansi, converted from UTF-8. Prior to this
2497 it was corrupt UTF-8. It turns out though we can work with UTF-8 the
2498 FSO object that writes ca-bundle can't write UTF-8, so there will have
2499 to be some alternative if UTF-8 is needed (like an ADODB.Stream).
2501 - Disable the certificate text info feature.
2503 The certificate text info doesn't work properly with any recent OpenSSL.
2505 Daniel Stenberg (24 Oct 2016)
2506 - TODO: indent code to make it render properly
2508 - TODO: Remove the generated include file
2510 - TODO: add "--retry should resume"
2514 - mk-ca-bundle.1: document -k
2516 Brought in 1ad2bdcf110266c. Now does HTTPS by default and needs -k to
2517 fall back to plain HTTP.
2519 - [Jay Satiro brought this change]
2521 mk-ca-bundle: Change URL retrieval to HTTPS-only by default
2523 - Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).
2525 - New option -k to allow URLs other than HTTPS and enable HTTP fallback.
2527 Prior to this change the default URL retrieval mode was to fall back to
2528 HTTP if HTTPS didn't work.
2530 Reported-by: Gregory Szorc
2534 - RELEASE-NOTES: synced with 50ee3aaf1a9b22d
2536 Dan Fandrich (23 Oct 2016)
2537 - INSTALL.md: Updated minimum file sizes for 7.50.3
2539 Daniel Stenberg (22 Oct 2016)
2540 - multi: force connections to get closed in close_all_connections
2542 Several independent reports on infinite loops hanging in the
2543 close_all_connections() function when closing a multi handle, can be
2544 fixed by first marking the connection to get closed before calling
2547 This is more fixing-the-symptom rather than the underlying problem
2550 Bug: https://curl.haxx.se/mail/lib-2016-10/0011.html
2551 Bug: https://curl.haxx.se/mail/lib-2016-10/0059.html
2553 Reported-by: Dan Fandrich, Valentin David, Miloš Ljumović
2555 - [Anders Bakken brought this change]
2557 curl_multi_remove_handle: fix a double-free
2559 In short the easy handle needs to be disconnected from its connection at
2560 this point since the connection still is serving other easy handles.
2562 In our app we can reliably reproduce a crash in our http2 stress test
2563 that is fixed by this change. I can't easily reproduce the same test in
2566 This is the gdb/asan output:
2568 ==11785==ERROR: AddressSanitizer: heap-use-after-free on address 0xe9f4fb80 at pc 0x09f41f19 bp 0xf27be688 sp 0xf27be67c
2569 READ of size 4 at 0xe9f4fb80 thread T13 (RESOURCE_HTTP)
2570 #0 0x9f41f18 in curl_multi_remove_handle /path/to/source/3rdparty/curl/lib/multi.c:666
2572 0xe9f4fb80 is located 0 bytes inside of 1128-byte region [0xe9f4fb80,0xe9f4ffe8)
2573 freed by thread T13 (RESOURCE_HTTP) here:
2574 #0 0xf7b1b5c2 in __interceptor_free /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:45
2575 #1 0x9f7862d in conn_free /path/to/source/3rdparty/curl/lib/url.c:2808
2576 #2 0x9f78c6a in Curl_disconnect /path/to/source/3rdparty/curl/lib/url.c:2876
2577 #3 0x9f41b09 in multi_done /path/to/source/3rdparty/curl/lib/multi.c:615
2578 #4 0x9f48017 in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1896
2579 #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
2580 #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
2584 #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
2585 #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
2587 previously allocated by thread T13 (RESOURCE_HTTP) here:
2588 #0 0xf7b1ba27 in __interceptor_calloc /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:70
2589 #1 0x9f7dfa6 in allocate_conn /path/to/source/3rdparty/curl/lib/url.c:3904
2590 #2 0x9f88ca0 in create_conn /path/to/source/3rdparty/curl/lib/url.c:5797
2591 #3 0x9f8c928 in Curl_connect /path/to/source/3rdparty/curl/lib/url.c:6438
2592 #4 0x9f45a8c in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1411
2593 #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
2594 #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
2598 #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
2599 #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
2601 SUMMARY: AddressSanitizer: heap-use-after-free /path/to/source/3rdparty/curl/lib/multi.c:666 in curl_multi_remove_handle
2602 Shadow bytes around the buggy address:
2603 0x3d3e9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2604 0x3d3e9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2605 0x3d3e9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2606 0x3d3e9f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
2607 0x3d3e9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
2608 =>0x3d3e9f70:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2609 0x3d3e9f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2610 0x3d3e9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2611 0x3d3e9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2612 0x3d3e9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2613 0x3d3e9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
2614 Shadow byte legend (one shadow byte represents 8 application bytes):
2616 Partially addressable: 01 02 03 04 05 06 07
2617 Heap left redzone: fa
2618 Heap right redzone: fb
2619 Freed heap region: fd
2620 Stack left redzone: f1
2621 Stack mid redzone: f2
2622 Stack right redzone: f3
2623 Stack partial redzone: f4
2624 Stack after return: f5
2625 Stack use after scope: f8
2627 Global init order: f6
2628 Poisoned by user: f7
2629 Container overflow: fc
2631 Intra object redzone: bb
2633 Left alloca redzone: ca
2634 Right alloca redzone: cb
2637 Thread 14 "RESOURCE_HTTP" received signal SIGABRT, Aborted.
2638 [Switching to Thread 0xf27bfb40 (LWP 12324)]
2639 0xf7fd8be9 in __kernel_vsyscall ()
2641 #0 0xf7fd8be9 in __kernel_vsyscall ()
2642 #1 0xf4c7ee89 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
2643 #2 0xf4c803e7 in __GI_abort () at abort.c:89
2644 #3 0xf7b2ef2e in __sanitizer::Abort () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cc:122
2645 #4 0xf7b262fa in __sanitizer::Die () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_common.cc:145
2646 #5 0xf7b21ab3 in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0xf27be171, __in_chrg=<optimized out>) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:689
2647 #6 0xf7b214a5 in __asan::ReportGenericError (pc=166993689, bp=4068206216, sp=4068206204, addr=3925146496, is_write=false, access_size=4, exp=0, fatal=true) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:1074
2648 #7 0xf7b21fce in __asan::__asan_report_load4 (addr=3925146496) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_rtl.cc:129
2649 #8 0x09f41f19 in curl_multi_remove_handle (multi=0xf3406080, data=0xde582400) at /path/to/source3rdparty/curl/lib/multi.c:666
2650 #9 0x09f6b277 in Curl_close (data=0xde582400) at /path/to/source3rdparty/curl/lib/url.c:415
2651 #10 0x09f3354e in curl_easy_cleanup (data=0xde582400) at /path/to/source3rdparty/curl/lib/easy.c:860
2652 #11 0x09c6de3f in ...
2653 #12 0x09c378c5 in ...
2654 #13 0x09c48133 in ...
2655 #14 0x09c4d092 in ...
2656 #15 0x0a2be6b6 in ...
2657 #16 0xf7aa5781 in asan_thread_start (arg=0xf2d22938) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
2658 #17 0xf5de52b5 in start_thread (arg=0xf27bfb40) at pthread_create.c:333
2659 #18 0xf4d3a16e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:114
2663 - testcurl.1: fix the URL to the autobuild summary
2665 - testcurl.1: update URLs
2667 - INSTALL: converted to markdown => INSTALL.md
2669 Also heavily edited for content. Removed lots of old cruft that we added
2670 like 10+ years ago that is likely incorrect by now.
2672 Also removed INSTALL.devcpp for same reason.
2674 - [Martin Storsjo brought this change]
2676 configure: Check for other variants of the -m*os*-version-min flags
2678 In addition to -miphoneos-version-min, the same version can be set
2679 using -mios-version-min. And for WatchOS and TvOS, there's
2680 -mwatchos-version-min and -mtvos-version-min.
2682 - configure: set min version flags for builds on mac
2684 This helps building binaries that can work on multiple macOS versions.
2686 Help-by: Martin Storsjö
2690 - curl_multi_add_handle: set timeouts in closure handles
2692 The closure handle only ever has default timeouts set. To improve the
2693 state somewhat we clone the timeouts from each added handle so that the
2694 closure handle always has the same timeouts as the most recently added
2699 - configure/CURL_CHECK_FUNC_POLL: disable poll completely on mac
2701 ... so that the same libcurl build easier can run on any version.
2703 Follow-up to issue #1057
2705 - RELEASE-NOTES: synced with f36f8c14551efc6772
2707 - test14xx: fixed --libcurl output tests again after 8e8afa82cbb
2711 The tool was never called cURL, only the project. But even so, we have
2712 more and more over time switched to just use lower case.
2714 - polarssl: indented code, removed unused variables
2716 - polarssl: reduce #ifdef madness with a macro
2718 - polarssl: fix unaligned SSL session-id lock
2720 - Curl_polarsslthreadlock_thread_setup: clear array at init
2722 ... since if it fails to init the entire array and then tries to clean
2723 it up, it would attempt to work on an uninitialized pointer.
2725 - curl: set INTERLEAVEDATA too
2727 As otherwise the callback could be called with a NULL pointer when RTSP
2730 - gopher: properly return error for poll failures
2732 - select: switch to macros in uppercase
2734 Curl_select_ready() was the former API that was replaced with
2735 Curl_select_check() a while back and the former arg setup was provided
2736 with a define (in order to leave existing code unmodified).
2738 Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most
2739 common shortcuts where only one socket is checked. They're also more
2742 - select: use more proper macro-looking names
2744 ... so that it becomes more obvious in the code what is what. Also added
2745 a typecast for one of the calculations.
2747 - Curl_socket_check: add extra check to avoid integer overflow
2749 - maketgz: make it support "only" generating version info
2751 ... to allow you to update the local repository with the given version
2754 Jay Satiro (17 Oct 2016)
2755 - url: skip to-be-closed connections when pipelining (follow-up)
2757 - Change back behavior so that pipelining is considered possible for
2758 connections that have not yet reached the protocol level.
2760 This is a follow-up to e5f0b1a which had changed the behavior of
2761 checking if pipelining is possible to ignore connections that had
2762 'bits.close' set. Connections that have not yet reached the protocol
2763 level also have that bit set, and we need to consider pipelining
2764 possible on those connections.
2766 Daniel Stenberg (17 Oct 2016)
2767 - HTTP2: mention the tool's limited support
2769 - RELEASE-NOTES: synced with a1a5cd04877fd6fd
2771 - [David Woodhouse brought this change]
2773 curl: do not set CURLOPT_SSLENGINEDEFAULT automatically
2775 There were bugs in the PKCS#11 engine, and fixing them triggers bugs in
2776 OpenSSL. Just don't get involved; there's no need to be making the
2777 engine methods the default anyway.
2779 https://github.com/OpenSC/libp11/pull/108
2780 https://github.com/openssl/openssl/pull/1639
2784 - KNOWN_BUGS: two more existing problems
2786 Marcel Raad (16 Oct 2016)
2787 - win: fix Universal Windows Platform build
2789 This fixes a merge error in commit 7f3df80 caused by commit 332e8d6.
2791 Additionally, this changes Curl_verify_windows_version for Windows App
2792 builds to assume to always be running on the target Windows version.
2793 There seems to be no way to determine the Windows version from a
2794 UWP app. Neither GetVersion(Ex), nor VerifyVersionInfo, nor the
2795 Version Helper functions are supported.
2797 Bug: https://github.com/curl/curl/pull/820#issuecomment-250889878
2798 Reported-by: Paul Joyce
2800 Closes https://github.com/curl/curl/pull/1048
2802 Daniel Stenberg (16 Oct 2016)
2803 - KNOWN_BUGS: minor formatting edit
2805 Jay Satiro (14 Oct 2016)
2806 - [Rider Linden brought this change]
2808 url: skip to-be-closed connections when pipelining
2810 No longer attempt to use "doomed" to-be-closed connections when
2811 pipelining. Prior to this change connections marked for deletion (e.g.
2812 timeout) would be erroneously used, resulting in sporadic crashes.
2814 As originally reported and fixed by Carlo Wood (origin unknown).
2816 Bug: https://github.com/curl/curl/issues/627
2817 Reported-by: Rider Linden
2819 Closes https://github.com/curl/curl/pull/1075
2820 Participation-by: nopjmp@users.noreply.github.com
2822 Daniel Stenberg (13 Oct 2016)
2823 - vtls: only re-use session-ids using the same scheme
2825 To make it harder to do cross-protocol mistakes
2827 Jay Satiro (11 Oct 2016)
2828 - [Torben Dannhauer brought this change]
2830 dist: add missing cmake modules to the tarball
2832 Closes https://github.com/curl/curl/pull/1070
2834 Daniel Stenberg (11 Oct 2016)
2835 - configure: detect the broken poll() in macOS 10.12
2839 - dist: remove PDF and HTML converted docs from the releases
2841 - [Remo E brought this change]
2843 cmake: add nghttp2 support
2847 - [Andreas Streichardt brought this change]
2849 resolve: add error message when resolving using SIGALRM
2853 - GIT-INFO: remove the Mac 10.1-specific details
2855 There shouldn't be many devs out there anymore using such outdated macOS
2856 versions. And it removes the dead link.
2860 - RELEASE-NOTES: spellfix
2862 - RELEASE-NOTES: synced with 82720490628cb53a
2864 5 more fixes, 2 more contributors
2866 - [Tobias Stoeckmann brought this change]
2868 smb: properly check incoming packet boundaries
2870 Not all reply messages were properly checked for their lengths, which
2871 made it possible to access uninitialized memory (but this does not lead
2872 to out of boundary accesses).
2876 - test557: verify printf() with 128 and 129 arguments
2878 - mprintf: return error on too many arguments
2880 128 arguments should be enough for everyone
2882 - ftp: fix Curl_ftpsendf()
2884 ... it no longer takes printf() arguments since it was only really taken
2885 advantage by one user and it was not written and used in a safe
2886 way. Thus the 'f' is removed from the function name and the proto is
2889 Although the current code wouldn't end up in badness, it was a risk that
2890 future changes could end up springf()ing too large data or passing in a
2891 format string inadvertently.
2893 - formpost: avoid silent snprintf() truncation
2895 The previous use of snprintf() could make libcurl silently truncate some
2896 input data and not report that back on overly large input, which could
2897 make data get sent over the network in a bad format.
2901 $ curl --form 'a=b' -H "Content-Type: $(perl -e 'print "A"x4100')"
2903 - TODO: build: Enable PIE and RELRO by default
2905 - TODO: Support better than MD5 hostkey hash (for ssh)
2907 - [Daniel Gustafsson brought this change]
2909 tests: Fix a small typo in the tests README (#1060)
2911 The subdirectory for logs in tests/ is named log/ without an 's'
2914 - TODO: Introduce --fail-fast to exit on first transfer fail
2918 - TODO: Leave secure cookies alone
2920 - [Rainer Müller brought this change]
2922 CURLOPT_DEBUGFUNCTION.3: unused argument warning (#1056)
2924 The 'userp' argument is unused in this example code.
2926 - TODO: TCP Fast Open for windows
2928 - RELEASE-NOTES: synced with 8fd2a754f0de
2930 - CURLOPT_KEEP_SENDING_ON_ERROR.3: mention when it is added
2932 - memdup: use 'void *' as return and source type
2934 - TODO: Add easy argument to formpost functions
2936 - formpost: trying to attach a directory no longer crashes
2938 The error path would previously add a freed entry to the linked list.
2940 Reported-by: Toby Peterson
2944 - [Sergei Kuzmin brought this change]
2946 cookies: same domain handling changed to match browser behavior
2948 Cokie with the same domain but different tailmatching property are now
2949 considered different and do not replace each other. If header contains
2950 following lines then two cookies will be set: Set-Cookie: foo=bar;
2951 domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033 Set-Cookie: foo=baz;
2952 domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033
2954 This matches Chrome, Opera, Safari, and Firefox behavior. When sending
2955 stored tokens to foo.com Chrome, Opera, Firefox store send them in the
2956 stored order, while Safari pre-sort the cookies.
2960 - [Stephen Brokenshire brought this change]
2962 FAQ: Fix typos in section 5.14 (#1047)
2964 Type required for YourClass::func C++ function (using size_t in line
2965 with the documentation for CURLOPT_WRITEFUNCTION) and missing second
2966 colon when specifying the static function for CURLOPT_WRITEFUNCTION.
2968 - [Sebastian Mundry brought this change]
2970 KNOWN_BUGS: Fix typos in section 5.8.
2974 - [mundry brought this change]
2976 CONTRIBUTE.md: Fix typo in 'About pull requests' section. (#1045)
2978 - curl.1: --trace supports % for sending to stderr!
2980 - KNOWN_BUGS: 5.8 configure finding libs in wrong directory
2982 Dan Fandrich (24 Sep 2016)
2983 - configure: Fixed builds with libssh2 in a custom location
2985 A libssh2 library in the standard system location was being used in
2986 preference to the desired one while linking.
2988 Daniel Stenberg (23 Sep 2016)
2989 - SECURITY: remove the top ascii logo
2991 Michael Kaufmann (22 Sep 2016)
2992 - New libcurl option to keep sending on error
2994 Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether
2995 sending the request body shall be completed when the server responds
2996 early with an error status code.
2998 This is suitable for manual NTLM authentication.
3000 Reviewed-by: Jay Satiro
3002 Closes https://github.com/curl/curl/pull/904
3004 Kamil Dudka (22 Sep 2016)
3005 - nss: add chacha20-poly1305 cipher suites if supported by NSS
3007 - nss: add cipher suites using SHA384 if supported by NSS
3009 - nss: fix typo in ecdhe_rsa_null cipher suite string
3011 As it seems to be a rarely used cipher suite (for securely established
3012 but _unencrypted_ connections), I believe it is fine not to provide an
3013 alias for the misspelled variant.
3015 Jay Satiro (21 Sep 2016)
3016 - docs: Remove that --proto is just used for initial retrieval
3018 .. and add that --proto-redir and CURLOPT_REDIR_PROTOCOLS do not
3019 override protocols denied by --proto and CURLOPT_PROTOCOLS.
3021 - Add a test to enforce: --proto deny must override --proto-redir allow
3023 Closes https://github.com/curl/curl/pull/1031
3025 Daniel Stenberg (21 Sep 2016)
3026 - dist: add CurlSymbolHiding.cmake to the tarball
3028 Follow-up to 6140dfcf3e784
3030 Reported-by: Alexander Sinditskiy
3032 - curl_global_cleanup.3: don't unload the lib with sub threads running
3036 Assisted-by: Jay Satiro
3038 - MAIL-ETIQUETTE: language
3040 Jay Satiro (20 Sep 2016)
3041 - easy: Reset all statistical session info in curl_easy_reset
3043 Bug: https://github.com/curl/curl/issues/1017
3044 Reported-by: Jeroen Ooms
3046 Daniel Stenberg (19 Sep 2016)
3047 - RELEASE-NOTES: synced with 79607eec51055
3049 Jay Satiro (19 Sep 2016)
3050 - [Daniel Gustafsson brought this change]
3052 darwinssl: Fix typo in comment
3054 Closes https://github.com/curl/curl/pull/1028
3056 Daniel Stenberg (19 Sep 2016)
3057 - [Bernard Spil brought this change]
3059 libressl: fix version output
3061 LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L` for all
3062 versions returning `LibreSSL/2.0.0` for any LibreSSL version.
3064 This change provides a local OpenSSL_version_num function replacement
3065 returning LIBRESSL_VERSION_NUMBER instead.
3069 - [rugk brought this change]
3071 TODO: Add PINNEDPUBLICKEY - HPKP compatibility, HSTS & HPKP
3077 - openssl: don't call ERR_remote_thread_state on >= 1.1.0
3079 Follow-up fix to d9321562
3081 - openssl: don’t call CRYTPO_cleanup_all_ex_data
3083 The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called
3084 multiple times without crashing - and other libs might call it! We
3085 basically cannot call it without risking a crash. The function is a
3086 no-op since OpenSSL 1.1.0.
3088 Not calling this function only risks a small memory leak with OpenSSL <
3091 Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html
3092 Reported-by: Todd Short
3094 - TODO: Support SSLKEYLOGFILE
3096 Jay Satiro (18 Sep 2016)
3097 - CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
3099 Nick Zitzmann (18 Sep 2016)
3100 - darwinssl: disable RC4 cipher-suite support
3102 RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
3104 - configure: change "iOS/Mac OS X native" to "Apple OS native"
3106 Since I first wrote that text, Apple introduced tvOS and watchOS, and renamed "Mac OS X" to "macOS." Let's make the text a little more inclusive, since curl can be built for all four operating systems.
3108 Jay Satiro (18 Sep 2016)
3111 - examples/imap-append: Set size of data to be uploaded
3113 Prior to this commit this example failed with error
3114 'Cannot APPEND with unknown input file size'.
3116 Bug: https://github.com/curl/curl/issues/1008
3117 Reported-by: lukaszgn@users.noreply.github.com
3119 Closes https://github.com/curl/curl/pull/1011
3121 Daniel Stenberg (16 Sep 2016)
3122 - [Tony Kelman brought this change]
3124 LICENSE-MIXING.md: update with mbedTLS dual licensing
3126 Recent versions of mbedTLS are available under either Apache 2.0 or GPL
3127 2.0, see https://tls.mbed.org/how-to-get
3131 - KNOWN_BUGS: chunked-encoded requests with HTTP/2 is fixed
3133 - http2: debug ouput sent HTTP/2 request headers
3135 - http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
3137 ... but don't send the actual header over the wire as it isn't accepted.
3138 Chunked uploading is still triggered using this method.
3143 - openssl: fix per-thread memory leak usiong 1.0.1 or 1.0.2
3145 OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
3146 so we need to clean it when easy handles are freed, in case the thread
3147 will be killed in which the easy handle was used. All OpenSSL code in
3148 libcurl should extract the error in association with the error already
3149 so clearing this queue here should be harmless at worst.
3153 - RELEASE-NOTES: reset and go toward 7.51.0 (again)
3155 Version 7.50.3 (14 Sep 2016)
3157 Daniel Stenberg (14 Sep 2016)
3158 - THANKS: updated with curl 7.50.3 contributors
3160 - RELEASE-NOTES: curl 7.50.3
3162 - test1605: verify negative input lengths to (un)escape functions
3164 - curl_easy_unescape: deny negative string lengths as input
3168 Bug: https://curl.haxx.se/docs/adv_20160914.html
3170 - curl_easy_escape: deny negative string lengths as input
3174 Bug: https://curl.haxx.se/docs/adv_20160914.html
3176 - curl: make --create-dirs on windows grok both forward and backward slashes
3178 Reported-by: Ryan Scott
3182 - RELEASE-NOTES: synced with 665694979b6
3184 - [Tony Kelman brought this change]
3186 mbedtls: switch off NTLM in build if md4 isn't available
3188 NTLM support with mbedTLS was added in 497e7c9 but requires that mbedTLS
3189 is built with the MD4 functions available, which it isn't in default
3190 builds. This now adapts if the funtion isn't there and builds libcurl
3191 without NTLM support if so.
3195 Jay Satiro (12 Sep 2016)
3196 - CODE_STYLE: fix long-line guideline
3198 - Change maximum allowed line length from 80 to 79.
3200 - CODE_STYLE: add column alignment section
3202 Note that since the added examples are for column alignment I had to
3203 encapsulate with ~~~c markdown to preserve their alignment.
3205 Peter Wu (11 Sep 2016)
3206 - cmake: fix curl-config --static-libs
3208 The `curl-config --static-libs` command should not output paths like
3209 -l/usr/lib/libssl.so, instead print the absolute path without `-l`.
3211 This also removes the confusing message "Static linking is broken" which
3212 was printed because curl-config --static-libs was disfunctional even
3213 though the static libcurl.a library works properly.
3215 Fixes https://github.com/curl/curl/issues/841
3217 Daniel Stenberg (11 Sep 2016)
3218 - http: refuse to pass on response body with NO_NODY was set
3220 ... like when a HTTP/0.9 response comes back without any headers at all
3221 and just a body this now prevents that body from being sent to the
3224 Adapted test 1144 to verify.
3228 Assisted-by: Ray Satiro
3230 - RELEASE-NOTES: synced with 257bf3ac67eb6
3232 Jakub Zakrzewski (10 Sep 2016)
3233 - CMake: Don't build unit tests if private symbols are hidden
3235 This only excludes building unit tests from default build ( 'all' Make
3236 target or "Build Solution" in VisualStudio). The projects and Make
3237 targets will still be generated and shown in supporting IDEs.
3239 Fixes https://github.com/curl/curl/issues/981
3240 Reported-by: Randy Armstrong
3242 Closes https://github.com/curl/curl/pull/990
3244 - CMake: Try to (un-)hide private library symbols
3246 Detect support for compiler symbol visibility flags and apply those
3247 according to CURL_HIDDEN_SYMBOLS option.
3248 It should work true to the autotools build except it tries to unhide
3249 symbols on Windows when requested and prints warning if it fails.
3251 Ref: https://github.com/curl/curl/issues/981#issuecomment-242665951
3252 Reported-by: Daniel Stenberg
3254 Daniel Stenberg (9 Sep 2016)
3255 - openssl: fix bad memory free (regression)
3257 ... by partially reverting f975f06033b1. The allocation could be made by
3258 OpenSSL so the free must be made with OPENSSL_free() to avoid problems.
3260 Reported-by: Harold Stuart
3263 - http2: support > 64bit sized uploads
3265 ... by making sure we don't count down the "upload left" counter when the
3266 uploaded size is unknown and then it can be allowed to continue forever.
3270 Jay Satiro (7 Sep 2016)
3271 - errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
3273 Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
3274 more of a generic "failed to parse" introduce an alias without FTP in
3277 Closes https://github.com/curl/curl/pull/975
3279 Daniel Stenberg (7 Sep 2016)
3280 - bump: toward 7.51.0
3282 - HISTORY: remove ascii logo to render nicer on web
3284 - curl: whitelist use of strtok() in non-threaded context
3286 - checksrc: detect strtok() use
3288 ... as that function slipped through once before.
3291 - [Viktor Szakats brought this change]
3293 mk-ca-bundle.pl: use SHA256 instead of SHA1
3295 This hash is used to verify the original downloaded certificate bundle
3296 and also included in the generated bundle's comment header. Also
3297 rename related internal symbols to algorithm-agnostic names.
3299 Version 7.50.2 (7 Sep 2016)
3301 Daniel Stenberg (7 Sep 2016)
3302 - RELEASE-NOTES: curl 7.50.2 release
3304 - THANKS: updated for 7.50.2
3306 Jay Satiro (6 Sep 2016)
3307 - [Gaurav Malhotra brought this change]
3309 openssl: fix CURLINFO_SSL_VERIFYRESULT
3311 CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
3312 result when SSL_connect fails because of a certificate verification
3315 This fix saves the result of SSL_get_verify_result so that it is
3316 returned by CURLINFO_SSL_VERIFYRESULT.
3318 Closes https://github.com/curl/curl/pull/995
3320 Daniel Stenberg (6 Sep 2016)
3321 - [Daniel Gustafsson brought this change]
3323 darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
3325 While noErr and errSecSuccess are defined as the same value, the API
3326 documentation states that SecPKCS12Import() returns errSecSuccess if
3327 there were no errors in importing. Ensure that a future change of the
3328 defined value doesn't break (however unlikely) and be consistent with
3331 - [Daniel Gustafsson brought this change]
3333 docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)
3335 - [Marcel Raad brought this change]
3337 openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
3339 With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
3340 functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
3341 replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
3342 OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
3343 now called OpenSSL_version_num().
3345 [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
3346 [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
3350 - RELEASE-NOTES: synced with 3d4c0c8b9bc1d
3352 - http2: return EOF when done uploading without known size
3356 - http2: skip the content-length parsing, detect unknown size
3358 - http2: minor white space edit
3360 - http2: use named define instead of magic constant in read callback
3362 - [Craig Davison brought this change]
3364 configure: make the cpp -P detection not clobber CPPFLAGS
3366 CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF.
3370 - [Olivier Brunel brought this change]
3372 speed caps: not based on average speeds anymore
3374 Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
3375 CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
3376 with the cumulative average speed of the entire transfer; While this
3377 might work at times with good/constant connections, in other cases it
3378 can result to the limits simply being "ignored" for more than "short
3379 bursts" (as told in man page).
3381 Consider a download that goes on much slower than the limit for some
3382 time (because bandwidth is used elsewhere, server is slow, whatever the
3383 reason), then once things get better, curl would simply ignore the limit
3384 up until the average speed (since the beginning of the transfer) reached
3385 the limit. This could prove the limit useless to effectively avoid
3386 using the entire bandwidth (at least for quite some time).
3388 So instead, we now use a "moving starting point" as reference, and every
3389 time at least as much as the limit as been transferred, we can reset
3390 this starting point to the current position. This gets a good limiting
3391 effect that applies to the "current speed" with instant reactivity (in
3392 case of sudden speed burst).
3396 - HISTORY.md: the multi socket was put in the wrong year!
3398 - [Mark Hamilton brought this change]
3400 tool_helpers.c: fix comment typo (#989)
3402 - [Mark Hamilton brought this change]
3404 libtest/test.h: fix typo (#988)
3406 - CURLMOPT_PIPELINING.3: language
3408 - CURLMOPT_PIPELINING.3: extended and clarified
3410 Especially in regards to the multiplexing part.
3412 Steve Holme (31 Aug 2016)
3413 - curl_sspi.c: Updated function description comments
3415 * Added description to Curl_sspi_free_identity()
3416 * Added parameter and return explanations to Curl_sspi_global_init()
3417 * Added parameter explaination to Curl_sspi_global_cleanup()
3419 - README: Corrected the supported Visual Studio versions
3421 Missed from commit 8356022d17.
3423 - KNOWN_BUGS: Move the Visual Studio project shortcomings from local README
3425 - KNOWN_BUGS: Expand 6.4 to include Kerberos V5
3427 ...and discuss a possible solution.
3429 Daniel Stenberg (30 Aug 2016)
3430 - connect: fix #ifdefs for debug versions of conn/streamclose() macros
3432 CURLDEBUG is for the memory debugging
3434 DEBUGBUILD is for the extra debug stuff
3436 Pointed-out-by: Steve Holme
3438 - KNOWN_BUGS: mention some cmake "support gaps"
3440 Nick Zitzmann (28 Aug 2016)
3441 - darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
3443 In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
3445 Daniel Stenberg (28 Aug 2016)
3446 - http2: return CURLE_HTTP2_STREAM for unexpected stream close
3448 Follow-up to c3e906e9cd0f, seems like a more appropriate error code
3450 Suggested-by: Jay Satiro
3452 - [Tatsuhiro Tsujikawa brought this change]
3454 http2: handle closed streams when uploading
3458 - http2: make sure stream errors don't needlessly close the connection
3460 With HTTP/2 each transfer is made in an indivial logical stream over the
3461 connection, making most previous errors that caused the connection to get
3462 forced-closed now instead just kill the stream and not the connection.
3466 - Curl_verify_windows_version: minor edit to avoid compiler warnings
3468 ... instead of if() before the switch(), add a default to the switch so
3469 that the compilers don't warn on "warning: enumeration value
3470 'PLATFORM_DONT_CARE' not handled in switch" anymore.
3472 Steve Holme (27 Aug 2016)
3473 - RELEASE-NOTES: Added missing fix from commit 15592143f
3475 Jay Satiro (26 Aug 2016)
3476 - schannel: Disable ALPN for Wine since it is causing problems
3478 - Disable ALPN on Wine.
3480 - Don't pass input secbuffer when ALPN is disabled.
3482 When ALPN support was added a change was made to pass an input secbuffer
3483 to initialize the context. When ALPN is enabled the buffer contains the
3484 ALPN information, and when it's disabled the buffer is empty. In either
3485 case this input buffer caused problems with Wine and connections would
3488 Bug: https://github.com/curl/curl/issues/983
3489 Reported-by: Christian Fillion
3491 Kamil Dudka (26 Aug 2016)
3492 - [Peter Wang brought this change]
3494 nss: work around race condition in PK11_FindSlotByName()
3496 Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
3497 a multi-threaded environment. The underlying cause is a race condition
3498 in nssSlot_IsTokenPresent().
3500 Bug: https://bugzilla.mozilla.org/1297397
3504 - nss: refuse previously loaded certificate from file
3506 ... when we are not asked to use a certificate from file
3508 Daniel Stenberg (26 Aug 2016)
3509 - ftp_done: remove dead code
3511 - TLS: random file/egd doesn't have to match for conn reuse
3513 - test161: add comment for the exit code
3515 Dan Fandrich (26 Aug 2016)
3516 - test219: Add http as a required feature
3518 Daniel Stenberg (25 Aug 2016)
3519 - [Michael Kaufmann brought this change]
3521 HTTP: stop parsing headers when switching to unknown protocols
3523 - unknown protocols probably won't send more headers (e.g. WebSocket)
3524 - improved comments and moved them to the correct case statements
3528 - openssl: make build with 1.1.0 again
3530 synced with OpenSSL git master commit cc06906707
3532 - INTERNALS: fix title
3534 - configure: detect zlib with our pkg-config macros
3536 ... instead of relying on the pkg-config autoconf macros to be present.
3538 Fixes #972 (again...)
3540 Jay Satiro (25 Aug 2016)
3541 - http2: Remove incorrect comments
3543 .. also remove same from scp
3545 Daniel Stenberg (23 Aug 2016)
3546 - [Ales Novak brought this change]
3548 ftp: fix wrong poll on the secondary socket
3550 When we're uploading using FTP and the server issues a tiny pause
3551 between opening the connection to the client's secondary socket, the
3552 client's initial poll() times out, which leads to second poll() which
3553 does not wait for POLLIN on the secondary socket. So that poll() also
3554 has to time out, creating a long (200ms) pause.
3556 This patch adds the correct flag to the secondary socket, making the
3557 second poll() correctly wait for the connection there too.
3559 Signed-off-by: Ales Novak <alnovak@suse.cz>
3563 - RELEASE-NOTES: synced with 95ded2c56
3565 - configure: make it work without PKG_CHECK_MODULES
3567 With commit c2f9b78 we added a new dependency on pkg-config for
3568 developers which may be unwanted. This change make the configure script
3569 still work as before if pkg-config isn't installed, it'll just use the
3570 old zlib detection logic without pkg-config.
3572 Reported-by: Marc Hörsken
3576 Marc Hoersken (21 Aug 2016)
3577 - Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6"
3579 This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554.
3581 As discussed in #835 SOCKS5 supports IPv6 proxies and destinations.
3583 Daniel Stenberg (21 Aug 2016)
3584 - [Marco Deckel brought this change]
3586 win: Basic support for Universal Windows Platform apps
3590 Steve Holme (21 Aug 2016)
3591 - sasl: Don't use GSSAPI authentication when domain name not specified
3593 Only choose the GSSAPI authentication mechanism when the user name
3594 contains a Windows domain name or the user is a valid UPN.
3598 - vauth: Added check for supported SSPI based authentication mechanisms
3600 Completing commit 00417fd66c and 2708d4259b.
3602 - http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
3604 From commit 2708d4259b.
3606 Marc Hoersken (20 Aug 2016)
3607 - socks.c: display the hostname returned by the SOCKS5 proxy server
3609 Instead of displaying the requested hostname the one returned
3610 by the SOCKS5 proxy server is used in case of connection error.
3611 The requested hostname is displayed earlier in the connection sequence.
3613 The upper-value of the port is moved to a temporary variable and
3614 replaced with a 0-byte to make sure the hostname is 0-terminated.
3616 Steve Holme (20 Aug 2016)
3617 - urldata.h: Corrected comment for httpcode which is also populated by SMTP
3619 As of 7.25.0 and commit 5430007222.
3621 Marc Hoersken (20 Aug 2016)
3622 - socks.c: use Curl_printable_address in SOCKS5 connection sequence
3624 Replace custom string formatting with Curl_printable_address.
3625 Add additional debug and error output in case of failures.
3627 - socks.c: align SOCKS4 connection sequence with SOCKS5
3629 Calling sscanf is not required since the raw IPv4 address is
3630 available and the protocol can be detected using ai_family.
3632 Steve Holme (20 Aug 2016)
3633 - http.c: Corrected indentation change from commit 2708d4259b
3635 Made by Visual Studio's auto-correct feature and missed by me in my own
3638 - http: Added calls to Curl_auth_is_<mechansism>_supported()
3640 Hooked up the HTTP authentication layer to query the new 'is mechanism
3641 supported' functions when deciding what mechanism to use.
3643 As per commit 00417fd66c existing functionality is maintained for now.
3645 Marc Hoersken (20 Aug 2016)
3646 - socks.c: improve verbose output of SOCKS5 connection sequence
3648 - configure.ac: add missing quotes to PKG_CHECK_MODULES
3650 Steve Holme (20 Aug 2016)
3651 - sasl: Added calls to Curl_auth_is_<mechansism>_supported()
3653 Hooked up the SASL authentication layer to query the new 'is mechanism
3654 supported' functions when deciding what mechanism to use.
3656 For now existing functionality is maintained.
3658 Daniel Stenberg (19 Aug 2016)
3659 - [Miroslav Franc brought this change]
3661 spnego_sspi: fix memory leak in case *outlen is zero (#970)
3663 - CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex
3665 Steve Holme (18 Aug 2016)
3666 - vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
3668 As Windows SSPI authentication calls fail when a particular mechanism
3669 isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
3670 and Negotiate to allow both HTTP and SASL authentication the opportunity
3671 to query support for a supported mechanism before selecting it.
3673 For now each function returns TRUE to maintain compatability with the
3674 existing code when called.
3676 Daniel Stenberg (18 Aug 2016)
3677 - test1144: verify HEAD with body-only response
3679 Steve Holme (17 Aug 2016)
3680 - RELEASE-PROCEDURE: Added some more future release dates
3682 ...and removed some old ones
3684 Daniel Stenberg (17 Aug 2016)
3685 - [David Woodhouse brought this change]
3687 curl: allow "pkcs11:" prefix for client certificates
3689 RFC7512 provides a standard method to reference certificates in PKCS#11
3690 tokens, by means of a URI starting 'pkcs11:'.
3692 We're working on fixing various applications so that whenever they would
3693 have been able to use certificates from a file, users can simply insert
3694 a PKCS#11 URI instead and expect it to work. This expectation is now a
3695 part of the Fedora packaging guidelines, for example.
3697 This doesn't work with cURL because of the way that the colon is used
3698 to separate the certificate argument from the passphrase. So instead of
3700 curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
3702 I instead need to invoke cURL with the colon escaped, like this:
3704 curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
3706 This is suboptimal because we want *consistency* — the URI should be
3707 usable in place of a filename anywhere, without having strange
3708 differences for different applications.
3710 This patch therefore disables the processing in parse_cert_parameter()
3711 when the string starts with 'pkcs11:'. It means you can't pass a
3712 passphrase with an unescaped PKCS#11 URI, but there's no need to do so
3713 because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
3716 Also, if users are already using RFC7512 URIs with the colon escaped as
3717 in the above example — even providing a passphrase for cURL to handling
3718 instead of using a pin-value attribute, that will continue to work
3719 because their string will start 'pkcs11\:' and won't match the check.
3721 What *does* break with this patch is the extremely unlikely case that a
3722 user has a file which is in the local directory and literally named
3723 just "pkcs11", and they have a passphrase on it. If that ever happened,
3724 the user would need to refer to it as './pkcs11:<passphrase>' instead.
3726 - nss: make the global variables static
3728 - openssl: use regular malloc instead of OPENSSL_malloc
3730 This allows for better memmory debugging and torture tests.
3732 - proxy: fix tests as follow-up to 93b0d907d5
3734 This fixes tests that were added after 113f04e664b as the tests would
3737 We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
3738 regressions with old and stupid proxies, but we could possibly switch to
3739 using it only for CONNECT or only for NTLM in a future if we want to
3740 gradually reduce it.
3744 Reported-by: János Fekete
3746 - Revert "Proxy-Connection: stop sending this header by default"
3748 This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
3750 - CURLOPT_PROXY.3: unsupported schemes cause errors now
3752 Follow-up to a96319ebb9 (document the new behavior)
3754 - tests/README: mention nghttpx for HTTP/2 tests
3756 - README.md: add our CII Best Practices badge
3758 - proxy: polished the error message for unsupported schemes
3760 Follow up to a96319ebb93
3762 - test219: verify unsupported scheme for proxies get rejected
3764 - proxy: reject attempts to use unsupported proxy schemes
3766 I discovered some people have been using "https://example.com" style
3767 strings as proxy and it "works" (curl doesn't complain) because curl
3768 ignores unknown schemes and then assumes plain HTTP instead.
3770 I think this misleads users into believing curl uses HTTPS to proxies
3771 when it doesn't. Now curl rejects proxy strings using unsupported
3772 schemes instead of just ignoring and defaulting to HTTP.
3774 - RELEASE-NOTES: synced with b7ee5316c2fd5b
3776 Marc Hoersken (14 Aug 2016)
3777 - socks.c: Correctly calculate position of port in response packet
3779 Third commit to fix issue #944 regarding SOCKS5 error handling.
3781 Reported-by: David Kalnischkies
3783 - socks.c: Do not modify and invalidate calculated response length
3785 Second commit to fix issue #944 regarding SOCKS5 error handling.
3787 Reported-by: David Kalnischkies
3789 - socks.c: Move error output after reading the whole response packet
3791 First commit to fix issue #944 regarding SOCKS5 error handling.
3793 Reported-by: David Kalnischkies
3795 Daniel Stenberg (13 Aug 2016)
3796 - [Ronnie Mose brought this change]
3798 MANUAL: Remove invalid link to LDAP documentation (#962)
3800 The server developer.netscape.com does not resolve into any
3801 ip address and can be removed.
3803 Jay Satiro (13 Aug 2016)
3804 - openssl: accept subjectAltName iPAddress if no dNSName match
3806 Undo change introduced in d4643d6 which caused iPAddress match to be
3807 ignored if dNSName was present but did not match.
3809 Also, if iPAddress is present but does not match, and dNSName is not
3810 present, fail as no-match. Prior to this change in such a case the CN
3811 would be checked for a match.
3813 Bug: https://github.com/curl/curl/issues/959
3814 Reported-by: wmsch@users.noreply.github.com
3816 Daniel Stenberg (12 Aug 2016)
3817 - [Dambaev Alexander brought this change]
3819 configure.ac: add zlib search with pkg-config
3823 - rtsp: ignore whitespace in session id
3825 Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
3828 Help-by: Erik Janssen
3830 - HTTP: retry failed HEAD requests too
3832 Mark's new document about HTTP Retries
3833 (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
3834 spotted that we don't retry failed HEAD requests which seems totally
3835 inconsistent and I can't see any reason for that separate treatment.
3837 So, no separate treatment for HEAD starting now. A HTTP request sent
3838 over a reused connection that gets cut off before a single byte is
3839 received will be retried on a fresh connection.
3841 Made-aware-by: Mark Nottingham
3843 - mk-ca-bundle.1: document -m, added in 1.26
3845 - RELEASE-NOTES: synced with e577c43bb5
3847 - [Erik Janssen brought this change]
3849 rtsp: accept any RTSP session id
3851 Makes libcurl work in communication with gstreamer-based RTSP
3852 servers. The original code validates the session id to be in accordance
3853 with the RFC. I think it is better not to do that:
3855 - For curl the actual content is a don't care.
3857 - The clarity of the RFC is debatable, is $ allowed or only as \$, that
3860 - Gstreamer seems to url-encode the session id but % is not allowed by
3865 With this patch curl will correctly handle real-life lines like:
3866 Session: biTN4Kc.8%2B1w-AF.; timeout=60
3868 Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
3870 - symbols-in-versions: add CURL_STRICTER
3872 Added in 5fce88aa8c12564
3874 - [Simon Warta brought this change]
3876 winbuild: Allow changing C compiler via environment variable CC (#952)
3878 This makes it possible to use specific compilers or a cache.
3880 Sample use for clcache:
3882 nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
3884 - LICENSE-MIXING.md: switched to markdown
3886 - docs-make: have markdown files use .md
3888 - curl.h: make CURL_NO_OLDIES define CURL_STRICTER
3890 - HISTORY.md: use markdown extension
3892 - SSLCERTS.md: renamed to markdown extension
3894 - INTERNALS.md: use markdown extension for markdown content
3896 - CONTRIBUTE.md: markdown extension
3898 - CONTRIBUTE: changed to markdown
3900 - CONTRIBUTE: refreshed
3902 - TODO: added an SSH section and two SFTP things to do
3904 - TODO: remove the 1.22 duplicated item
3906 - TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section
3908 - TODO: API for URL parsing/splitting
3910 - TODO: move QUIC to the HTTP section
3912 - [Simon Warta brought this change]
3914 winbuild: Free name $(CC) in Makefile (#950)
3916 In the old line number 290, CC and CURL_CC had the same value. After
3917 that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
3919 This gets rid of the CC variable entirely. It is a first step to make it
3920 possible to manualyl set a CC variable in order to be able to change the
3923 - TODO: Use huge HTTP/2 windows
3925 - [Simon Warta brought this change]
3927 winbuild: Avoid setting redundant CFLAGS to compile commands (#949)
3929 $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
3930 all arguments in CURL_CFLAGS have been added twice.
3932 Jay Satiro (8 Aug 2016)
3933 - cmake: Enable win32 threaded resolver by default
3935 - Turn on USE_THREADS_WIN32 in Windows if ares isn't on
3937 This change is similar to what we already do in the autotools build.
3939 - cmake: Enable win32 large file support by default
3941 All compilers used by cmake in Windows should support large files.
3943 - Add test SIZEOF_OFF_T
3944 - Remove outdated test SIZEOF_CURL_OFF_T
3945 - Turn on USE_WIN32_LARGE_FILES in Windows
3946 - Check for 'Largefile' during the features output
3948 Daniel Stenberg (7 Aug 2016)
3949 - TODO: added several ideas, removed SPDY
3951 - http2: always wait for readable socket
3953 Since the server can at any time send a HTTP/2 frame to us, we need to
3954 wait for the socket to be readable during all transfers so that we can
3955 act on incoming frames even when uploading etc.
3957 Reminded-by: Tatsuhiro Tsujikawa
3959 - RELEASE-NOTES: synced with 7b4bf37a44791
3961 - [Thomas Glanzmann brought this change]
3963 mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
3965 In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
3966 to 0. This patch also adds a comment how mbedtls must be compiled in
3967 order to make debugging work, and explains the possible debug levels.
3969 - CURLOPT_TCP_NODELAY: now enabled by default
3971 After a few wasted hours hunting down the reason for slowness during a
3972 TLS handshake that turned out to be because of TCP_NODELAY not being
3973 set, I think we have enough motivation to toggle the default for this
3974 option. We now enable TCP_NODELAY by default and allow applications to
3977 This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
3980 Thanks-to: Tim Rühsen
3981 Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
3983 - [Serj Kalichev brought this change]
3985 TFTP: Fix upload problem with piped input
3987 When input stream for curl is stdin and input stream is not a file but
3988 generated by a script then curl can truncate data transfer to arbitrary
3989 size since a partial packet is treated as end of transfer by TFTP.
3993 - mk-ca-bundle.pl: -m keeps ca cert meta data in output
3995 Makes the script pass on comments holding meta data to the output
3996 file. Like fingerprinters, issuer, date ranges etc.
4000 - multi: make Curl_expire() work with 0 ms timeouts
4002 Previously, passing a timeout of zero to Curl_expire() was a magic code
4003 for clearing all timeouts for the handle. That is now instead made with
4004 the new Curl_expire_clear() function and thus a 0 timeout is fine to set
4005 and will trigger a timeout ASAP.
4007 This will help removing short delays, in particular notable when doing
4010 - transfer: return without select when the read loop reached maxcount
4012 Regression added in 790d6de48515. The was then added to avoid one
4013 particular transfer to starve out others. But when aborting due to
4014 reading the maxcount, the connection must be marked to be read from
4015 again without first doing a select as for some protocols (like SFTP/SCP)
4016 the data may already have been read off the socket.
4018 Reported-by: Dan Donahue
4019 Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html
4021 Steve Holme (3 Aug 2016)
4022 - [Bill Nagel brought this change]
4024 mbedtls: Added support for NTLM
4026 Daniel Stenberg (3 Aug 2016)
4027 - [Sergei Nikulov brought this change]
4029 travis: removed option to rebuild autotool from source
4033 - bump: start working toward 7.50.2
4035 Version 7.50.1 (3 Aug 2016)
4037 Daniel Stenberg (3 Aug 2016)
4038 - THANKS: 7 new contributors from the 7.50.1 release
4040 - RELEASE-NOTES: 7.50.1
4042 - TLS: only reuse connections with the same client cert
4045 Bug: https://curl.haxx.se/docs/adv_20160803B.html
4047 - TLS: switch off SSL session id when client cert is used
4050 Bug: https://curl.haxx.se/docs/adv_20160803A.html
4051 Reported-by: Bru Rom
4052 Contributions-by: Eric Rescorla and Ray Satiro
4054 - curl_multi_cleanup: clear connection pointer for easy handles
4057 Bug: https://curl.haxx.se/docs/adv_20160803C.html
4058 Reported-by: Marcelo Echeverria and Fernando Muñoz
4060 - KNOWN_BUGS: SOCKS proxy not working via IPv6
4064 - KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
4068 - KNOWN_BUGS: transfer-encoding: chunked in HTTP/2
4072 - TODO: Provide cmake config-file
4076 Patrick Monnerat (2 Aug 2016)
4077 - os400: define BUILDING_LIBCURL in make script.
4079 Daniel Stenberg (1 Aug 2016)
4080 - RELEASE-NOTES: synced with aa9f536a18b
4082 Jay Satiro (1 Aug 2016)
4083 - [Thomas Glanzmann brought this change]
4085 mbedtls: Fix debug function name
4087 This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
4090 Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
4092 Daniel Stenberg (1 Aug 2016)
4093 - [Sergei Nikulov brought this change]
4095 travis: fix OSX build by re-installing libtool
4097 Apparently due to a broken homebrew install
4102 - [Martin Vejnár brought this change]
4104 win32: fix a potential memory leak in Curl_load_library
4106 If a call to GetSystemDirectory fails, the `path` pointer that was
4107 previously allocated would be leaked. This makes sure that `path` is
4112 - include: revert 9adf3c4 and make public types void * again
4114 Many applications assume the actual contents of the public types and use
4115 that do for example forward declarations (saving them from including our
4116 public header) which then breaks when we switch from void * to a struct
4119 I'm not convinced we were wrong, but since this practise seems
4120 widespread enough I'm willing to (partly) step down.
4122 Now libcurl uses the struct itself when it is built and it allows
4123 applications to use the struct type if CURL_STRICTER is defined at the
4124 time of the #include.
4126 Reported-by: Peter Frühberger
4129 Jay Satiro (28 Jul 2016)
4130 - [Yonggang Luo brought this change]
4132 cmake: Fix for schannel support
4134 The check_library_exists_concat do not check crypt32 library properly.
4135 So include it directly.
4137 Bug: https://github.com/curl/curl/pull/917
4138 Reported-by: Yonggang Luo
4140 Bug: https://github.com/curl/curl/issues/935
4141 Reported-by: Alain Danteny
4143 - Revert "travis: Install libtool for OS X builds"
4147 This reverts commit 50723585ed380744358de054e2a55dccee65dfd7.
4149 - travis: Install libtool for OS X builds
4151 CI is failing due to missing libtoolize, so I'm trying this.
4153 Daniel Stenberg (26 Jul 2016)
4154 - [Viktor Szakats brought this change]
4156 TODO: minor typo in last commit
4160 - TODO: Timeout idle connections from the pool
4162 Patrick Monnerat (25 Jul 2016)
4163 - os400: minimum supported OS version: V6R1M0.
4164 Do not log compilation informational messages.
4166 Jay Satiro (24 Jul 2016)
4167 - tests: Fix for http/2 feature
4169 Bug: https://curl.haxx.se/mail/lib-2016-07/0070.html
4170 Reported-by: Paul Howarth
4172 Steve Holme (23 Jul 2016)
4173 - README: Mention wolfSSL in the 'Dependencies' section
4175 - vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
4177 As SPNEGO is only defined when these pre-processor variables are defined
4178 there is no need to query them explicitly.
4180 - spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
4182 Typo introduced in commit ad5e9bfd5d.
4184 Daniel Stenberg (22 Jul 2016)
4185 - SECURITY: mention how to get windows-specific CVEs
4187 ... and make the distros link a proper link
4189 Dan Fandrich (21 Jul 2016)
4190 - test558: fix test by stripping file paths from FD lines
4192 Kamil Dudka (21 Jul 2016)
4193 - tests: distribute the http2-server.pl script, too
4195 - docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too
4197 Daniel Stenberg (21 Jul 2016)
4198 - bump: start working on 7.50.1
4200 Version 7.50.0 (21 Jul 2016)
4202 Daniel Stenberg (21 Jul 2016)
4203 - RELEASE-NOTES: version 7.50.0 ready
4205 - THANKS: 13 new contributors from the 7.50.0 release
4207 Jay Satiro (21 Jul 2016)
4208 - winbuild: fix embedded manifest option
4210 Embedded manifest option didn't work due to typo.
4212 Reported-by: Stefan Kanthak
4214 - vauth: Fix memleak by freeing credentials if out of memory
4216 This is a follow up to the parent commit dcdd4be which fixes one leak
4217 but creates another by failing to free the credentials handle if out of
4218 memory. Also there's a second location a few lines down where we fail to
4219 do same. This commit fixes both of those issues.
4221 Daniel Stenberg (20 Jul 2016)
4222 - [Saurav Babu brought this change]
4224 vauth: Fixed memory leak due to function returning without free
4226 This patch allocates memory to "output_token" only when it is required
4227 so that memory is not leaked if function returns.
4229 - test558: updated after ipv6-check move
4231 Follow-up commit to c50980807c5 to make this test pass.
4233 Jay Satiro (20 Jul 2016)
4234 - connect: disable TFO on Linux when using SSL
4236 - Linux TFO + TLS is not implemented yet.
4238 Bug: https://github.com/curl/curl/issues/907
4240 Daniel Stenberg (19 Jul 2016)
4241 - ROADMAP: QUIC and TLS 1.3
4243 - RELEASE-NOTES: synced with c50980807c5
4245 Jay Satiro (18 Jul 2016)
4246 - [Brian Prodoehl brought this change]
4248 curl_global_init: Check if IPv6 works
4250 - Curl_ipv6works() is not thread-safe until after the first call, so
4251 call it once during global init to avoid a possible race condition.
4253 Bug: https://github.com/curl/curl/issues/915
4254 PR: https://github.com/curl/curl/pull/918
4256 - [Timothy Polich brought this change]
4258 CURLMOPT_SOCKETFUNCTION.3: fix typo
4260 Closes https://github.com/curl/curl/pull/914
4262 - [Miroslav Franc brought this change]
4264 library: Fix memory leaks found during static analysis
4266 Closes https://github.com/curl/curl/pull/913
4268 - [Viktor Szakats brought this change]
4270 cookie.c: Fix misleading indentation
4272 Closes https://github.com/curl/curl/pull/911
4274 - FAQ: Update FTP directory listing section for MLSD command
4276 Explain how some FTP servers support the machine readable listing
4277 format MLSD from RFC 3659 and compare it to LIST.
4279 Ref: https://github.com/curl/curl/issues/906
4281 Daniel Stenberg (1 Jul 2016)
4282 - [Sergei Nikulov brought this change]
4284 Appveyor: Updates for options - CURL_STATICLIB/BUILD_TESTING
4288 - TODO: 17.4 also brings more HTTP/2 support
4290 - TODO: try next proxy if one doesn't work
4294 - conn: don't free easy handle data in handler->disconnect
4296 Reported-by: Gou Lingfeng
4297 Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
4299 - test1244: test different proxy ports same URL
4301 - curl_global_init.3: improved formatting of the flags
4303 - curl_global_init.3: expand on the SSL and WIN32 bits purpose
4305 Reported-by: Richard Gray
4306 Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html
4308 - [Michael Kaufmann brought this change]
4310 cleanup: minor code cleanup in Curl_http_readwrite_headers()
4312 - the expression of an 'if' was always true
4313 - a 'while' contained a condition that was always true
4314 - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
4319 - SFTP: set a generic error when no SFTP one exists...
4321 ... as otherwise we could get a 0 which would count as no error and we'd
4322 wrongly continue and could end up segfaulting.
4324 Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
4327 - ROADMAP: http2 tests are merged, mention http2 perf
4329 - docs/README.md: to render nicer pages on github
4331 ... as previously the README.cmake would be picked and put at the bottom
4332 of the docs page there and it wasn't very representative!
4334 - README.md: change host name for the svg logo
4336 rawgit.com asks to use the domain cdn.rawgit.com for production
4340 - [Viktor Szakats brought this change]
4342 README.md: use the SVG logo
4344 - README.md: logo on top!
4346 - KNOWN_BUGS: 3.4 POP3 expects "CRLF.CRLF" eob for some
4350 - RELEASE-NOTES: synced with d61c80515aa8
4352 - [Michael Osipov brought this change]
4354 acinclude.m4: improve autodetection of CA bundle on FreeBSD
4356 The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
4357 to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
4360 This change also removes the former FreeBSD path that has been obsolete
4361 for 8 years since this FreeBSD ports commit:
4362 https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953
4366 - configure: don't specify .lib for libs on windows
4368 Another follow up for crypt32.lib linking with winssl
4370 - configure: fix winssl LIBS change typo
4372 follow-up from 120bf29e
4374 - TODO: "TCP Fast Open" is done, add monitor pool connections
4376 - configure: add crypt32.lib for winssl builds
4378 Necessary since 6cabd78531f
4380 - Makefile.vc: link with crypt32.lib for winssl builds
4382 Necessary since 6cabd78531f
4386 - [Joel Depooter brought this change]
4388 VC: Add crypt32.lib to Visual Sudio project template files
4392 - vc: fix the build for schannel certinfo support
4394 Broken since 6cabd785, which adds use of the Curl_extract_certinfo
4395 function from the x509asn1.c file.
4397 - typedefs: use the full structs in internal code...
4399 ... and save the typedef'ed names for headers and external APIs.
4401 - internals: rename the SessionHandle struct to Curl_easy
4403 - headers: forward declare CURL, CURLM and CURLSH as structs
4405 Instead of typedef'ing to void, typedef to their corresponding actual
4406 struct names to allow compilers to type-check.
4408 Assisted-by: Reinhard Max
4410 Jay Satiro (22 Jun 2016)
4411 - vtls: Only call add/getsession if session id is enabled
4413 Prior to this change we called Curl_ssl_getsessionid and
4414 Curl_ssl_addsessionid regardless of whether session ID reusing was
4415 enabled. According to comments that is in case session ID reuse was
4416 disabled but then later enabled.
4418 The old way was not intuitive and probably not something users expected.
4419 When a user disables session ID caching I'd guess they don't expect the
4420 session ID to be cached anyway in case the caching is later enabled.
4422 Daniel Stenberg (22 Jun 2016)
4423 - curl.1: the used progress meter suffix is k in lower case
4427 - [Sergei Nikulov brought this change]
4429 cmake: now using BUILD_TESTING=ON/OFF
4431 CMake build now using BUILD_TESTING=ON/OFF (default is OFF) to build
4432 tests and enabling CTest integration. Options BUILD_CURL_TESTS and
4433 BUILD_DASHBOARD_REPORTS was removed.
4437 Reviewed-by: Brad King
4439 - [Michael Kaufmann brought this change]
4441 cleanup: fix method names in code comments
4445 Kamil Dudka (21 Jun 2016)
4446 - curl-compilers.m4: improve detection of GCC's -fvisibility= flag
4448 Some builds of GCC produce output on both stdout and stderr when --help
4449 --verbose is used. The 2>&1 redirection caused them to be arbitrarily
4450 interleaved with each other because of stream buffering. Consequently,
4451 grep failed to match the fvisibility= string in the mixed output, even
4452 though the string was present in GCC's standard output.
4454 This led to silently disabling symbol hiding in some builds of curl.
4456 Daniel Stenberg (19 Jun 2016)
4457 - tests: fix the HTTP/2 tests
4459 The HTTP/2 tests brought with commit bf05606ef1f were using the internal
4460 name 'http2' for the HTTP/2 server, while in fact that name was already
4461 used for the second instance of the HTTP server. This made tests using
4462 the second instance (like test 2050) fail after a HTTP/2 test had run.
4464 The server is now known as HTTP/2 internally and within the <server>
4465 section in test cases. 1700, 1701 and 1702 were updated accordingly.
4467 - openssl: use more 'const' to fix build warnings with 1.1.0 branch
4469 - curl.1: missed 'T' in the progress unit suffixes
4471 - curl.1: mention the unix for the progress meter
4473 Patrick Monnerat (16 Jun 2016)
4474 - os400: add new definitions to ILE/RPG binding.
4476 Daniel Stenberg (16 Jun 2016)
4477 - openssl: fix cert check with non-DNS name fields present
4479 Regression introduced in 5f5b62635 (released in 7.48.0)
4481 Reported-by: Fabian Ruff
4484 Dan Fandrich (16 Jun 2016)
4485 - axtls: Use Curl_wait_ms instead of the less-portable usleep
4487 - axtls: Fixed compile after compile 31c521b0
4489 - tests: Added HTTP proxy keywords to tests 1141 & 1142
4491 Jay Satiro (15 Jun 2016)
4492 - [Sergei Nikulov brought this change]
4494 cmake: Fix build with winldap
4496 Bug: https://github.com/curl/curl/pull/874
4497 Reported-by: Sergei Nikulov
4499 - CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
4501 When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a
4502 zero-byte POST. Prior to this change it was documented as sending data
4503 from the read callback.
4505 This also changes the wording of what happens when empty or NULL so that
4506 it's hopefully easier to understand for people whose primary language
4509 Bug: https://github.com/curl/curl/issues/862
4510 Reported-by: Askar Safin
4512 - [Michael Wallner brought this change]
4514 curl_multi_socket_action.3: Fix rewording
4516 - Remove some erroneous text.
4518 Closes https://github.com/curl/curl/pull/865
4520 - [Luo Jinghua brought this change]
4522 resolve: enable protocol family logic for synthesized IPv6
4524 - Enable protocol family logic for IPv6 resolves even when support
4525 for synthesized addresses is enabled.
4527 This is a follow up to the parent commit that added support for
4528 synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family
4529 logic needed for IPv6 was inadvertently excluded if support for
4530 synthesized addresses was enabled.
4532 Bug: https://github.com/curl/curl/issues/863
4533 Ref: https://github.com/curl/curl/pull/866
4534 Ref: https://github.com/curl/curl/pull/867
4536 Daniel Stenberg (7 Jun 2016)
4537 - [Luo Jinghua brought this change]
4539 resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
4541 Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X.
4542 If the current network interface doesn’t support IPv4, but supports
4543 IPv6, NAT64, and DNS64.
4548 - tests: two more HTTP/2 tests
4552 - runtests: don't display logs when http2 server fails to start
4554 - runtests: make stripfile work on stdout as well
4556 ... and have test 1700 use that to strip out the nghttpx server: headers
4558 - http2-tests: test1700 is the first real HTTP/2 test
4560 It requires that 'nghttpx' is in the PATH, and it will run the tests
4561 using nghttpx as a front-end proxy in front of the standard HTTP/1 test
4562 server. This uses HTTP/2 over plain TCP.
4564 If you like me have nghttpx installed in a custom path, you can run test 1700
4567 $ PATH=$PATH:$HOME/build-nghttp2/bin/ ./runtests.pl 1700
4569 - RELEASE-NOTES: synced with 34855feeb4c299
4571 Steve Holme (6 Jun 2016)
4572 - schannel: Disable ALPN on Windows < 8.1
4574 Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
4575 fails on Windows < 8.1 so we need to disable ALPN on these OS versions.
4577 Inspiration provide by: Daniel Seither
4582 Jay Satiro (5 Jun 2016)
4583 - checksrc: Add LoadLibrary to the banned functions list
4585 LoadLibrary was supplanted by Curl_load_library for security
4588 - http: Fix HTTP/2 connection reuse
4590 - Change the parser to not require a minor version for HTTP/2.
4592 HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2
4593 in 8243a95 because the parser still expected a minor version.
4595 Bug: https://github.com/curl/curl/issues/855
4596 Reported-by: Andrew Robbins, Frank Gevaerts
4598 Steve Holme (4 Jun 2016)
4599 - connect.c: Fixed compilation warning from commit 332e8d6164
4601 connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
4603 - win32: Used centralised verify windows version function
4607 - win32: Added verify windows version functionality
4609 - win32: Introduced centralised verify windows version function
4611 Kamil Dudka (3 Jun 2016)
4612 - tool_urlglob: fix off-by-one error in glob_parse()
4614 ... causing SIGSEGV while parsing URL with too many globs.
4617 $ curl $(for i in $(seq 101); do printf '{a}'; done)
4619 Reported-by: Romain Coltel
4620 Bug: https://bugzilla.redhat.com/1340757
4622 Daniel Stenberg (1 Jun 2016)
4623 - [Benjamin Kircher brought this change]
4625 libcurl-multi.3: fix small typo
4629 - [Viktor Szakats brought this change]
4631 makefile.m32: add crypt32 for winssl builds
4633 Dependency added by 6cabd78
4637 - [Ivan Avdeev brought this change]
4639 vtls: fix ssl session cache race condition
4641 Sessionid cache management is inseparable from managing individual
4642 session lifetimes. E.g. for reference-counted sessions (like those in
4643 SChannel and OpenSSL engines) every session addition and removal
4644 should be accompanied with refcount increment and decrement
4645 respectively. Failing to do so synchronously leads to a race condition
4646 that causes symptoms like use-after-free and memory corruption.
4648 - makes existing session cache locking explicit, thus allowing
4649 individual engines to manage lock's scope.
4650 - fixes OpenSSL and SChannel engines by putting refcount management
4651 inside this lock's scope in relevant places.
4652 - adds these explicit locking calls to other engines that use
4653 sessionid cache to accommodate for this change. Note, however,
4654 that it is unknown whether any of these engines could also have
4657 Bug: https://github.com/curl/curl/issues/815
4661 - [Andrew Kurushin brought this change]
4663 schannel: add CURLOPT_CERTINFO support
4667 - RELEASE-NOTES: synced with 142ee9fa15002315
4669 - openssl: rename the private SSL_strerror
4671 ... to make it not look like an OpenSSL function
4673 - [Michael Kaufmann brought this change]
4675 openssl: Use correct buffer sizes for error messages
4679 - curl: fix -q [regression]
4681 This broke in 7.49.0 with commit e200034425a7625
4685 - URL parser: allow URLs to use one, two or three slashes
4687 Mostly in order to support broken web sites that redirect to broken URLs
4688 that are accepted by browsers.
4690 Browsers are typically even more leniant than this as the WHATWG URL
4691 spec they should allow an _infinite_ amount. I tested 8000 slashes with
4692 Firefox and it just worked.
4694 Added test case 1141, 1142 and 1143 to verify the new parser.
4698 - [Renaud Lehoux brought this change]
4700 cmake: Added missing mbedTLS support
4704 - [Renaud Lehoux brought this change]
4706 mbedtls: removed unused variables
4710 - [Frank Gevaerts brought this change]
4712 http: add CURLINFO_HTTP_VERSION and %{http_version}
4714 Adds access to the effectively used http version to both libcurl and
4719 - bump: start the journey toward 7.50.0
4721 - [Marcel Raad brought this change]
4723 openssl: fix build with OPENSSL_NO_COMP
4725 With OPENSSL_NO_COMP defined, there is no function
4726 SSL_COMP_free_compression_methods
4730 - [Gisle Vanem brought this change]
4732 memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
4736 - [Jonathan brought this change]
4742 - RELEASE-NOTES: fix vuln link
4744 Version 7.49.1 (30 May 2016)
4746 Daniel Stenberg (30 May 2016)
4747 - RELEASE-NOTES: 7.49.1
4749 - [Steve Holme brought this change]
4751 loadlibrary: Only load system DLLs from the system directory
4753 Inspiration provided by: Daniel Stenberg and Ray Satiro
4755 Bug: https://curl.haxx.se/docs/adv_20160530.html
4757 Ref: Windows DLL hijacking with curl, CVE-2016-4802
4759 - ssh: fix version number check typo
4761 Jay Satiro (29 May 2016)
4762 - curl_share_setopt.3: Add min ver needed for ssl session lock
4764 Bug: https://github.com/curl/curl/issues/826
4765 Reported-by: Michael Wallner
4767 Daniel Stenberg (29 May 2016)
4768 - ssh: fix build for libssh2 before 1.2.6
4770 The statvfs functionality was added to libssh2 in that version, so we
4771 switch off that functionality when built with older libraries.
4775 - mbedtls: fix includes so snprintf() works
4777 Regression from the previous *printf() rearrangements, this file missed to
4778 include the correct header to make sure snprintf() works universally.
4780 Reported-by: Moti Avrahami
4781 Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
4783 Steve Holme (23 May 2016)
4784 - checksrc.pl: Added variants of strcat() & strncat() to banned function list
4786 Added support for checking the tchar, unicode and mbcs variants of
4787 strcat() and strncat() in the banned function list.
4789 Daniel Stenberg (23 May 2016)
4790 - smtp: minor ident (white space) fixes
4792 - THANKS: updated after script fixes
4794 Now giving credit properly to github user names, fixed some UTF-8 issues
4795 and added names discovered when contrithanks was improved.
4797 - THANKS-filter: more name cleanups
4799 - contrithanks.sh: exclude existing names case insensitively
4801 - contrithanks.sh: use same grep pattern and -a flag as contributors.sh
4803 - contributors.sh: better grep pattern, use grep -a
4805 - THANKS-filter: fix more names
4807 - contrithanks.sh: do the same github fix as contributors.sh
4811 Jay Satiro (23 May 2016)
4812 - contributors: Show GitHub username if real name unknown
4814 Prior to this change if a GitHub contributor's real name was unknown
4815 they would be omitted from the list.
4817 Bug: https://github.com/curl/curl/issues/824
4819 Daniel Stenberg (21 May 2016)
4820 - RELEASE-NOTES: synced with 3caaeffbe8ded4
4822 Jay Satiro (20 May 2016)
4823 - openssl: cleanup must free compression methods
4825 - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
4827 Bug: https://github.com/curl/curl/issues/817
4828 Reported-by: jveazey@users.noreply.github.com
4830 Daniel Stenberg (20 May 2016)
4831 - [Gisle Vanem brought this change]
4833 curl_multibyte: fix compiler error
4835 While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
4838 f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
4839 to follow 'CURL_EXTERN'
4841 f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
4842 'curl_domalloc': not in formal parameter list
4844 - THANKS-filter: make Jan-E get proper credit
4846 - [Jan-E brought this change]
4848 winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
4852 - [Alexander Traud brought this change]
4854 libcurl.m4: Avoid obsolete warning
4858 Jay Satiro (20 May 2016)
4859 - [Michael Kaufmann brought this change]
4861 CURLOPT_CONNECT_TO.3: user must not free the list prematurely
4863 The connect-to list isn't copied so as long as the handle may be used
4864 for a transfer the list must be valid.
4866 Bug: https://github.com/curl/curl/pull/819
4867 Reported-by: Michael Kaufmann
4869 Daniel Stenberg (19 May 2016)
4870 - RELEASE-NOTES: synced with 48114a8634242c
4872 - openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
4874 See OpenSSL commit 21e001747d4a
4876 - http2: use HTTP/2 in the HTTP/1.1-alike header
4878 ... when generating them, not "2.0" as the protocol is called just
4879 HTTP/2 and nothing else.
4881 Jay Satiro (19 May 2016)
4882 - dist: include curl_multi_socket_all.3
4884 Closes https://github.com/curl/curl/pull/816
4886 Steve Holme (18 May 2016)
4887 - bump: Start work on 7.49.1
4889 Daniel Stenberg (18 May 2016)
4890 - curlbuild.h.dist: check __LP64__ as well to fix MIPS build
4892 The preprocessor check that sets up the 32bit defines for non-configure
4893 builds didn't work properly for MIPS systems as __mips__ is defined for
4894 both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
4896 Reported-by: Tomas Jakobsson
4899 - [Marcel Raad brought this change]
4901 schannel: fix compile break with MSVC XP toolset
4903 For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
4904 7.1 is used. In this case, _USING_V110_SDK71_ is defined.
4908 - dist: include CHECKSRC.md
4910 Reported-by: Paul Howarth
4911 Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html
4913 - test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist
4915 Reported-by: Ray Satiro
4916 Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html
4918 Version 7.49.0 (17 May 2016)
4920 Daniel Stenberg (17 May 2016)
4921 - THANKS: 24 new names from 7.49.0 release notes
4923 - RELEASE-NOTES: 7.49.0
4925 - mbedtls/polarssl: set "hostname" unconditionally
4927 ...as otherwise the TLS libs will skip the CN/SAN check and just allow
4928 connection to any server. curl previously skipped this function when SNI
4929 wasn't used or when connecting to an IP address specified host.
4933 Bug: https://curl.haxx.se/docs/adv_20160518A.html
4934 Reported-by: Moti Avrahami
4936 - [Frank Gevaerts brought this change]
4938 CURLOPT_RESOLVE.3: fix typo
4942 - docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE
4944 - KNOWN_BUGS: GnuTLS backend skips really long certificate fields
4948 - CURLOPT_HTTPPOST.3: the data needs to be around while in use
4950 - openssl: get_cert_chain: fix NULL dereference
4952 CID 1361815: Explicit null dereferenced (FORWARD_NULL)
4954 - openssl: get_cert_chain: avoid NULL dereference
4956 CID 1361811: Explicit null dereferenced (FORWARD_NULL)
4958 - dprintf_formatf: fix (false?) Coverity warning
4960 CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when
4961 we run over 'workend' but the condition says <= workend and for all I
4962 can see it should be safe. Compensating for the warning by adding a byte
4963 margin in the buffer.
4965 Also, removed the extra brace level indentation in the code and made it
4966 so that 'workend' is only assigned once within the function.
4968 - RELEASE-NOTES: synced with 2dcb5adc72d6
4970 - THANKS-filter: fixed Jonathan Cardoso
4972 Jay Satiro (15 May 2016)
4973 - ftp: fix incorrect out-of-memory code in Curl_pretransfer
4975 - Return value type must match function type.
4977 s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/
4981 Daniel Stenberg (15 May 2016)
4982 - ftp wildcard: segfault due to init only in multi_perform
4984 The proper FTP wildcard init is now more properly done in Curl_pretransfer()
4985 and the corresponding cleanup in Curl_close().
4987 The previous place of init/cleanup code made the internal pointer to be NULL
4988 when this feature was used with the multi_socket() API, as it was made within
4989 the curl_multi_perform() function.
4991 Reported-by: Jonathan Cardoso Machado
4994 Jay Satiro (13 May 2016)
4995 - libcurl-tlibcurl-thread: Update OpenSSL links
4997 Because the old OpenSSL link now redirects to their master documentation
4998 (currently 1.1.0), which does not document the required actions for
5001 Daniel Stenberg (13 May 2016)
5002 - [Viktor Szakats brought this change]
5004 darwinssl.c: fix OS X codename typo in comment
5006 - RELEASE-NOTES: synced with 68701e51c1f7
5008 Added 8 bug fixes and 5 more contrbutors
5010 - [Jay Satiro brought this change]
5012 mprintf: Fix processing of width and prec args
5014 Prior to this change a width arg could be erroneously output, and also
5015 width and precision args could not be used together without crashing.
5017 "%0*d%s", 2, 9, "foo"
5022 "%*.*s", 5, 2, "foo"
5027 Test 557 is updated to verify this and more
5029 - [Michael Kaufmann brought this change]
5031 ConnectionExists: follow-up fix for proxy re-use
5033 Follow-up commit to 5823179
5037 - [Per Malmberg brought this change]
5039 darwinssl: fix certificate verification disable on OS X 10.8
5041 The new way of disabling certificate verification doesn't work on
5042 Mountain Lion (OS X 10.8) so we need to use the old way in that version
5043 too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2
5048 - [Cory Benfield brought this change]
5050 http2: Add space between colon and header value
5052 curl's representation of HTTP/2 responses involves transforming the
5053 response to a format that is similar to HTTP/1.1. Prior to this change,
5054 curl would do this by separating header names and values with only a
5055 colon, without introducing a space after the colon.
5057 While this is technically a valid way to represent a HTTP/1.1 header
5058 block, it is much more common to see a space following the colon. This
5059 change introduces that space, to ensure that incautious tools are safely
5060 able to parse the header block.
5062 This also ensures that the difference between the HTTP/1.1 and HTTP/2
5063 response layout is as minimal as possible.
5065 Bug: https://github.com/curl/curl/issues/797
5070 Kamil Dudka (12 May 2016)
5071 - openssl: fix compile-time warning in Curl_ossl_check_cxn()
5073 ... introduced in curl-7_48_0-293-g2968c83:
5075 Error: COMPILER_WARNING:
5076 lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’
5077 lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’
5078 may alter its value [-Wconversion]
5080 Jay Satiro (11 May 2016)
5081 - openssl: stricter connection check function
5083 - In the case of recv error, limit returning 'connection still in place'
5084 to EINPROGRESS, EAGAIN and EWOULDBLOCK.
5086 This is an improvement on the parent commit which changed the openssl
5087 connection check to use recv MSG_PEEK instead of SSL_peek.
5089 Ref: https://github.com/curl/curl/commit/856baf5#comments
5091 Daniel Stenberg (11 May 2016)
5092 - [Anders Bakken brought this change]
5094 TLS: SSL_peek is not a const operation
5096 Calling SSL_peek can cause bytes to be read from the raw socket which in
5097 turn can upset the select machinery that determines whether there's data
5098 available on the socket.
5100 Since Curl_ossl_check_cxn only tries to determine whether the socket is
5101 alive and doesn't actually need to see the bytes SSL_peek seems like
5102 the wrong function to call.
5104 We're able to occasionally reproduce a connect timeout due to this
5105 bug. What happens is that Curl doesn't know to call SSL_connect again
5106 after the peek happens since data is buffered in the SSL buffer and thus
5107 select won't fire for this socket.
5111 Jay Satiro (9 May 2016)
5112 - [Daniel Stenberg brought this change]
5114 TLS: move the ALPN/NPN enable bits to the connection
5116 Only protocols that actually have a protocol registered for ALPN and NPN
5117 should try to get that negotiated in the TLS handshake. That is only
5118 HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
5119 would wrongly be used in all handshakes if libcurl was built with it
5122 Reported-by: Jay Satiro
5126 Daniel Stenberg (8 May 2016)
5127 - libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl
5129 - [Antonio Larrosa brought this change]
5131 connect: fix invalid "Network is unreachable" errors
5133 Sometimes, in systems with both ipv4 and ipv6 addresses but where the
5134 network doesn't support ipv6, Curl_is_connected returns an error
5135 (intermittently) even if the ipv4 socket connects successfully.
5137 This happens because there's a for-loop that iterates on the sockets but
5138 the error variable is not resetted when the ipv4 is checked and is ok.
5140 This patch fixes this problem by setting error to 0 when checking the
5141 second socket and not having a result yet.
5145 Jay Satiro (5 May 2016)
5146 - FAQ: refer to thread safety guidelines
5148 Daniel Stenberg (3 May 2016)
5149 - connections: non-HTTP proxies on different ports aren't reused either
5151 Reported-by: Oleg Pudeyev and fuchaoqun
5155 - http: make sure a blank header overrides accept_decoding
5157 Reported-by: rcanavan
5158 Assisted-by: Isaac Boukris
5161 - CHECKSRC.md: clarified, explained the whitelist file
5163 - nroff-scan.pl: verify that references are made with \fI
5165 - docs: unified man page references to use \fI
5167 - TODO: 17.14 --fail without --location should treat 3xx as a failure
5171 - RELEASE-NOTES: synced with 7987f5cb14d
5173 - [Isaac Boukris brought this change]
5175 CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
5177 Mention possible content-length mismatch with sum of bytes reported
5178 by write callbacks when auto decoding is enabled.
5182 - test1140: run nroff-scan to verify man pages
5184 - nroff-scan.pl: verify the .BR references as well
5186 - CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference
5188 - CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE
5190 - curl_easy_pause.3: fix man page reference
5192 Jay Satiro (1 May 2016)
5193 - tool_cb_hdr: Fix --remote-header-name with schemeless URL
5195 - Move the existing scheme check from tool_operate.
5197 In the case of --remote-header-name we want to parse Content-disposition
5198 for a filename, but only if the scheme is http or https. A recent
5199 adjustment 0dc4d8e was made to account for schemeless URLs however it's
5200 not 100% accurate. To remedy that I've moved the scheme check to the
5201 header callback, since at that point the library has already determined
5204 Bug: https://github.com/curl/curl/issues/760
5205 Reported-by: Kai Noda
5207 Daniel Stenberg (1 May 2016)
5208 - tls: make setting pinnedkey option fail if not supported
5210 to make it obvious to users trying to use the feature with TLS backends
5214 Reported-by: Travis Burtrum
5216 - nroff-scan.pl: verifies nroff pages
5218 ... not used by any test yet but can be used stand-alone.
5220 - opts: fix broken/bad references
5222 - [Michael Kaufmann brought this change]
5224 docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
5228 - CURLOPT_ACCEPT_ENCODING.3: clarified
5230 As discussed in #785
5232 - curl.1: --mail-rcpt can be used multiple times
5234 Reported-by: mgendre
5237 - [Karlson2k brought this change]
5239 tests: Use 'pathhelp' for paths conversions in secureserver.pl
5243 - [Karlson2k brought this change]
5245 tests: Use 'pathhelp' for paths conversions in sshserver.pl
5247 - [Karlson2k brought this change]
5249 tests: Use 'pathhelp' for current path in runtests.pl
5251 - [Karlson2k brought this change]
5253 tests: pathhelp.pm to process paths on Msys/Cygwin
5255 - lib: include curl_printf.h as one of the last headers
5257 curl_printf.h defines printf to curl_mprintf, etc. This can cause
5258 problems with external headers which may use
5259 __attribute__((format(printf, ...))) markers etc.
5261 To avoid that they cause problems with system includes, we include
5262 curl_printf.h after any system headers. That makes the three last
5263 headers to always be, and we keep them in this order:
5269 None of them include system headers, they all do funny #defines.
5271 Reported-by: David Benjamin
5275 - memdebug.h: remove inclusion of other headers
5277 Mostly because they're not needed, because memdebug.h is always included
5278 last of all headers so the others already included the correct ones.
5280 But also, starting now we don't want this to accidentally include any
5281 system headers, as the header included _before_ this header may add
5282 defines and other fun stuff that we won't want used in system includes.
5284 - [Jay Satiro brought this change]
5286 curl -J: make it work even without http:// scheme on URL
5288 It does open up a miniscule risk that one of the other protocols that
5289 libcurl could use would send back a Content-Disposition header and then
5290 curl would act on it even if not HTTP.
5292 A future mitigation for this risk would be to allow the callback to ask
5293 libcurl which protocol is being used.
5295 Verified with test 1312
5299 - manpage-scan.pl: also verify the command line option docs
5301 This script now also scans src/tool_getparam.c, docs/curl.1 and
5302 src/tool_help.c and will warn if any of them lists a command line option
5303 not mentioned in one of the other places.
5305 - curl: show the long option version of -q in the -h list
5307 - curl: remove "--socks" as "--socks5" turned 8
5309 In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated
5310 and it has not been documented since. The more explicit socks options
5311 (like --socks4 or --socks5) should be used.
5313 - curl.1: document the deprecated --ftp-ssl option
5315 - curl: remove --http-request
5317 It was mentioned as deprecated already in commit ae1912cb0d4 from
5318 1999. It has not been documented in this millennium.
5320 - curl: mention --ntlm-wb in -h list
5322 - curl: -h output lacked --proxy-header
5324 - curl.1: document --ntlm-wb
5326 - curl.1: document the long format of -q: --disable
5328 - curl.1: mention the deprecated --krb4 option
5330 - curl.1: document --ftp-ssl-reqd
5332 Even if deprecated, document it so that people will find it as old
5333 scripts may still use it.
5335 - curl: use --telnet-option as documented
5337 The code said "telnet-options" but no documentation ever said so. It
5338 worked fine since the code is fine with a unique match of the first
5341 - getparam: remove support for --ftpport
5343 It has been deprecated and undocumented since commit ad5ead8bed7 (Dec
5344 2003). --ftp-port is the proper long option name.
5346 - curl: make --disable work as long form of -q
5348 To make the aliases list reflect reality.
5350 - aliases: remove trailing space from capath string
5352 - cmdline parse: only single letter options have single-letter strings
5354 ... moved around options so that parsing the code to find all
5355 single-letter options easier.
5357 Jay Satiro (28 Apr 2016)
5358 - CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
5360 Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html
5361 Reported-by: Bru Rom
5363 Daniel Stenberg (28 Apr 2016)
5364 - curl_easy_getinfo.3: remove superfluous blank lines
5366 - test1139: verifies libcurl option man page presence
5368 - checks that each option has its own man page present
5370 - checks that each option is mentioned in its corresponding index man
5373 - curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION
5375 ... although it is deprecated.
5377 Jay Satiro (28 Apr 2016)
5378 - mbedtls: Fix session resume
5380 This also fixes PolarSSL session resume.
5382 Prior to this change the TLS session information wasn't properly
5383 saved and restored for PolarSSL and mbedTLS.
5385 Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
5386 Reported-by: Thomas Glanzmann
5388 Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
5389 Reported-by: Moti Avrahami
5391 Daniel Stenberg (27 Apr 2016)
5392 - RELEASE-NOTES: synced with f4298fcc6d2
5394 - [Michael Kaufmann brought this change]
5396 opts: Fix some syntax errors in example code fragments
5400 - openssl: avoid BN_print a NULL bignum
5402 OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
5403 numbers so make sure the function handles this.
5405 Reported-by: Linus Nordberg
5407 - [Marcel Raad brought this change]
5409 CONNECT_ONLY: don't close connection on GSS 401/407 reponses
5411 Previously, connections were closed immediately before the user had a
5412 chance to extract the socket when the proxy required Negotiate
5415 This regression was brought in with the security fix in commit
5420 - CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
5422 - mbedtls.c: silly spellfix of a comment
5424 - KNOWN_BUGS: 1.10 Strips trailing dot from host name
5428 - test1322: verify stripping of trailing dot from host name
5430 While being debated (in #716) and a violation of RFC 7230 section 5.4,
5431 this test verifies that the existing functionality works as intended. It
5432 strips the dot from the host name and uses the host without dot
5433 throughout the internals.
5435 - multi: accidentally used resolved host name instead of proxy
5437 Regression introduced in 09b5a998
5439 Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html
5442 - symbols-in-versions: added new CURLSSLBACKEND_ symbols
5444 - test148: fixed after the --ftp-create-dirs retry change
5446 follow-up commit to 3c1e84f569 as it made curl try a little harder
5448 - curl.h: clarify curl_sslbackend for openssl clones and renames
5450 - [Karlson2k brought this change]
5452 url.c: fixed DEBUGASSERT() for WinSock workaround
5454 If buffer is allocated, but nothing is received during prereceive
5455 stage, than number of processed bytes must be zero.
5459 - KNOWN_BUGS: --interface for ipv6 binds to unusable IP address
5461 Closes #686 for now.
5463 - TODO: 1.17 Add support for IRIs
5465 Adding support for IRIs is a mouthful, but is probably interesting at
5466 least for areas and countries where the use of such "URLs" are growing
5471 - THANKS-filter: Travis Burtrum
5473 - lib1517: checksrc compliance
5475 - [moparisthebest brought this change]
5477 PolarSSL: Implement public key pinning
5479 Patrick Monnerat (22 Apr 2016)
5480 - os400: upgrade ILE/RPG binding
5482 - curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string
5484 Daniel Stenberg (22 Apr 2016)
5485 - contributors.sh: make --releasenotes implied
5487 It got too annoying to type =)
5489 - RELEASE-NOTES: synced with 3c1e84f5693d8093
5491 - curl: make --ftp-create-dirs retry on failure
5493 The underlying libcurl option used for this feature is
5494 CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir
5495 creation, but it was never set to do that by the command line tool.
5499 Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html
5500 Reported-by: John Wanghui
5503 - [Henrik Gaßmann brought this change]
5505 winbuild: add mbedtls support
5507 Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
5508 options mutual exclusive.
5512 - KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables"
5514 As of commit d9f3b365a3
5516 - [Irfan Adilovic brought this change]
5518 configure: ac_cv_ -> curl_cv_ for write-only vars
5520 These configure vars are modified in a curl-specific way but never
5521 evaluated or loaded from cache, even though they are designated as
5522 _cv_. We could either implement proper AC_CACHE_CHECKs for them, or
5523 remove them completely.
5525 Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and
5526 AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after
5527 the first configure run with caching.
5529 `ac_cv_func_strcasecmp` is curious, see #770.
5531 `eval "ac_cv_func_$func=yes"` can still cause problems as it works in
5532 tandem with AC_CHECK_FUNCS and then potentially modifies its result. It
5533 would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro,
5534 which works the same as AC_CHECK_FUNCS but relies on caching the values
5535 of curl_cv_func_* variables, without modifiying ac_cv_func_*.
5537 - [Irfan Adilovic brought this change]
5539 configure: ac_cv_ -> curl_cv_ for r/w vars
5541 These configure vars are modified in a curl-specific way and modified by
5542 the configure process, but are never loaded from cache, even though they
5543 are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
5546 - [Irfan Adilovic brought this change]
5548 configure: ac_cv_func_clock_gettime -> curl_...
5550 This variable must not be cached in its current form, as any cached
5551 information will prevent the next configure run from determining the
5552 correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to
5555 - [Irfan Adilovic brought this change]
5557 configure: ac_cv_ -> curl_cv_ for all cached vars
5559 This was automated by:
5561 sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \
5562 ack -o 'ac_cv_.*?\b' | \
5563 sort -u | xargs -n1 bash -c \
5564 'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \
5567 This only changed the prefix for 16 variables actually checked with
5570 - openssl: builds with OpenSSL 1.1.0-pre5
5572 The RSA, DSA and DH structs are now opaque and require use of new APIs
5576 Steve Holme (20 Apr 2016)
5577 - url.c: Prefer we don't use explicit NULLs in conditions
5579 Fixed commit fa5fa65a30 to not use NULLs in if condition.
5581 Daniel Stenberg (20 Apr 2016)
5582 - [Isaac Boukris brought this change]
5584 NTLM: check for NULL pointer before deferencing
5586 At ConnectionExists, both check->proxyuser and check->proxypasswd
5587 could be NULL, so make sure to check first.
5591 - [Karlson2k brought this change]
5593 tests: added test1517
5595 ... for checking ability to receive full HTTP response when POST request
5596 is used with slow read callback function.
5598 This test checks for bug #657 and verifies the work-around from
5603 - [Karlson2k brought this change]
5605 sendf.c: added ability to call recv() before send() as workaround
5607 WinSock destroys recv() buffer if send() is failed. As result - server
5608 response may be lost if server sent it while curl is still sending
5609 request. This behavior noticeable on HTTP server short replies if
5610 libcurl use several send() for request (usually for POST request).
5611 To workaround this problem, libcurl use recv() before every send() and
5612 keeps received data in intermediate buffer for further processing.
5617 Kamil Dudka (19 Apr 2016)
5618 - connect: make sure that rc is initialized in singleipconnect()
5620 This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13:
5622 Error: CLANG_WARNING:
5623 lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value
5626 1120|-> if(-1 == rc)
5627 1121| error = SOCKERRNO;
5630 Daniel Stenberg (19 Apr 2016)
5631 - make/checksrc: use $srcdir, not $top_srcdir
5633 - src/checksrc.whitelist: removed
5635 - tool_operate: switch to inline checksrc ignore
5637 - lib/checksrc.whitelist: not needed anymore
5639 ... as checksrc now skips comments
5641 - vtls.h: remove a space before semicolon
5643 ... that the new checksrc detected
5645 - darwinssl: removed commented out code
5647 - http_chunks: removed checksrc disable
5649 ... since checksrc now skips comments
5651 - imap: inlined checksrc disable instead of whitelist edit
5653 - checksrc: taught to skip comments
5655 ... but output non-stripped version of the line, even if that then can
5656 make the script identify the wrong position in the line at
5657 times. Showing the line stripped (ie without comments) is just too
5660 - opts/Makefile.am: list all docs file one by one
5662 ... to make it easier to add lines in patches that won't just break all
5663 other patches trying to add lines too.
5665 - curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN
5667 - RELEASE-NOTES: synced with 03de4e4b219
5669 (since we just merged two major features)
5671 - [Alessandro Ghedini brought this change]
5673 connect: implement TCP Fast Open for Linux
5677 - [Alessandro Ghedini brought this change]
5679 tool: add --tcp-fastopen option
5681 - [Alessandro Ghedini brought this change]
5683 connect: implement TCP Fast Open for OS X
5685 - [Alessandro Ghedini brought this change]
5687 url: add CURLOPT_TCP_FASTOPEN option
5689 - checksrc: pass on -D so the whitelists are found correctly
5691 - configure: remove check for libresolve
5693 'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
5694 but this check is broken and most likely adds nothing useful. Removing
5697 Reported-by: Irfan Adilovic
5701 - scripts/make: use $(EXEEXT) for executables
5707 - includes: avoid duplicate memory callback typdefs even harder
5709 - checksrc/makefile.am: use $top_srcdir to find source files
5711 ... to properly support out of source tree builds.
5713 - RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5
5715 - opts: fix option references missing (section)
5717 - [Michael Kaufmann brought this change]
5719 news: CURLOPT_CONNECT_TO and --connect-to
5721 Makes curl connect to the given host+port instead of the host+port found
5724 - makefile.vc6: use d suffix on debug object
5726 To allow both release and debug builds in parallel.
5728 Reported-by: Rod Widdowson
5732 Jay Satiro (12 Apr 2016)
5733 - http2: Use size_t type for data drain count
5735 Ref: https://github.com/curl/curl/issues/659
5736 Ref: https://github.com/curl/curl/pull/663
5738 - http2: Improve header parsing
5740 - Error if a header line is larger than supported.
5742 - Warn if cumulative header line length may be larger than supported.
5744 - Allow spaces when parsing the path component.
5746 - Make sure each header line ends in \r\n. This fixes an out of bounds.
5748 - Disallow header continuation lines until we decide what to do.
5750 Ref: https://github.com/curl/curl/issues/659
5751 Ref: https://github.com/curl/curl/pull/663
5753 - http2: Add Curl_http2_strerror for HTTP/2 error codes
5755 Ref: https://github.com/curl/curl/issues/659
5756 Ref: https://github.com/curl/curl/pull/663
5758 - [Tatsuhiro Tsujikawa brought this change]
5760 http2: Don't increment drain when one header field is received
5762 Sicne we write header field in temporary location, not in the memory
5763 that upper layer provides, incrementing drain should not happen.
5765 Ref: https://github.com/curl/curl/issues/659
5766 Ref: https://github.com/curl/curl/pull/663
5768 - [Tatsuhiro Tsujikawa brought this change]
5770 http2: Ensure that http2_handle_stream_close is called
5772 This commit ensures that streams which was closed in on_stream_close
5773 callback gets passed to http2_handle_stream_close. Previously, this
5774 might not happen. To achieve this, we increment drain property to
5775 forcibly call recv function for that stream.
5777 To more accurately check that we have no pending event before shutting
5778 down HTTP/2 session, we sum up drain property into
5779 http_conn.drain_total. We only shutdown session if that value is 0.
5781 With this commit, when stream was closed before reading response
5782 header fields, error code CURLE_HTTP2_STREAM is returned even if
5783 HTTP/2 level error is NO_ERROR. This signals the upper layer that
5784 stream was closed by error just like TCP connection close in HTTP/1.
5786 Ref: https://github.com/curl/curl/issues/659
5787 Ref: https://github.com/curl/curl/pull/663
5789 - [Tatsuhiro Tsujikawa brought this change]
5791 http2: Process paused data first before tear down http2 session
5793 This commit ensures that data from network are processed before HTTP/2
5794 session is terminated. This is achieved by pausing nghttp2 whenever
5795 different stream than current easy handle receives data.
5797 This commit also fixes the bug that sometimes processing hangs when
5798 multiple HTTP/2 streams are multiplexed.
5800 Ref: https://github.com/curl/curl/issues/659
5801 Ref: https://github.com/curl/curl/pull/663
5803 - [Tatsuhiro Tsujikawa brought this change]
5805 http2: Check session closure early in http2_recv
5807 Ref: https://github.com/curl/curl/issues/659
5808 Ref: https://github.com/curl/curl/pull/663
5810 - [Tatsuhiro Tsujikawa brought this change]
5812 http2: Add handling stream level error
5814 Previously, when a stream was closed with other than NGHTTP2_NO_ERROR
5815 by RST_STREAM, underlying TCP connection was dropped. This is
5816 undesirable since there may be other streams multiplexed and they are
5817 very much fine. This change introduce new error code
5818 CURLE_HTTP2_STREAM, which indicates stream error that only affects the
5819 relevant stream, and connection should be kept open. The existing
5820 CURLE_HTTP2 means connection error in general.
5822 Ref: https://github.com/curl/curl/issues/659
5823 Ref: https://github.com/curl/curl/pull/663
5825 Daniel Stenberg (11 Apr 2016)
5826 - http2: drain the socket better...
5828 ... but ignore EAGAIN if the stream has ended so that we don't end up in
5829 a loop. This is a follow-up to c8ab613 in order to avoid the problem
5830 d261652 was made to fix.
5832 Reported-by: Jay Satiro
5833 Clues-provided-by: Tatsuhiro Tsujikawa
5837 - KNOWN_BUGS: added info for "Hangs with PolarSSL"
5839 - KNOWN_BUGS: 1.9 HTTP/2 frames while in the connection pool kill reuse
5843 - build: include scripts/ in the dist
5845 Steve Holme (9 Apr 2016)
5846 - CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
5848 As these two options provide identical functionality, the former for
5849 SOCK5 proxies and the latter for HTTP proxies, merged the two options
5852 As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
5855 - urldata: Use bool for socks5_gssapi_nec as it is a flag
5857 This value is set to TRUE or FALSE so should be a bool and not a long.
5859 - url: Ternary operator code style changes
5861 - CODE_STYLE: Added ternary operator example to 'Space around operators'
5863 Following conversation on the libcurl mailing list.
5865 - sasl: Fixed compilation errors from commit 9d89a0387
5867 ...when GSS-API or Windows SSPI are not used.
5869 - url: Corrected comments following 9d89a0387
5871 - docs: Added clarification following commit 9d89a0387
5873 - Makefile: Fixed echo of checksrc check
5875 - checksrc: Fix issue with the autobuilds not picking up the whitelist
5877 - checksrc: Added missing vauth and vtls directories
5879 - ftp/imap/pop3/smtp: Allow the service name to be overridden
5881 Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
5882 authentication in FTP, IMAP, POP3 and SMTP.
5884 - http_negotiate: Calculate service name and proxy service name locally
5886 Calculate the service name and proxy service names locally, rather than
5887 in url.c which will allow for us to support overriding the service name
5888 for other protocols such as FTP, IMAP, POP3 and SMTP.
5890 - ROADMAP: Updated following the move of the authentication code
5892 Patrick Monnerat (8 Apr 2016)
5893 - KNOWN_BUGS: openldap hangs. TODO: binary SASL.
5895 Daniel Stenberg (8 Apr 2016)
5896 - KNOWN_BUGS: 5.6 Improper use of Autoconf cache variables
5900 - KNOWN_BUGS: 11.2 error buffer not set...
5904 - KNOWN_BUGS: 11.1 Curl leaks .onion hostnames in DNS
5908 - KNOWN_BUGS: 1.8 DNS timing is wrong for HTTP redirects
5912 - TODO: HTTP/2 "prior knowledge" is implemented!
5914 - [Damien Vielpeau brought this change]
5916 mbedtls: fix MBEDTLS_DEBUG builds
5918 - mbedtls: implement and provide *_data_pending()
5920 ... as otherwise we might get stuck thinking there's no more data to
5923 Reported-by: Damien Vielpeau
5927 - mbedtls: follow-up for the previous commit
5929 - mbedtls.c: name space pollution fix, Use 'Curl_'
5931 - mbedtls.c: changed private prefix to mbed_
5933 mbedtls_ is the prefix used by the mbedTLS library itself so we should
5934 avoid using that for our private functions.
5936 - mbedtls.h: fix compiler warnings
5938 - Revert "winbuild: trying to set some files eol=crlf for git"
5940 This reverts commit 9c08b4f1e7eced5a4d3782a3e0daa484c9d77d21.
5942 Didn't help. Caused problems.
5946 - curl.1: use example.com more
5948 Make (most) example snippets use the example.com domain instead of the
5949 random ones picked and used before. Some of those were probably
5950 legitimate sites and some not. example.com is designed for this purpose.
5952 - [Michael Kaufmann brought this change]
5954 HTTP2: Add a space character after the status code
5956 The space character after the status code is mandatory, even if the
5957 reason phrase is empty (see RFC 7230 section 3.1.2)
5961 - [Viktor Szakats brought this change]
5963 URLs: change http to https in many places
5967 - winbuild: trying to set some files eol=crlf for git
5969 Thinking it might help to apply patches etc with git.
5971 - [Theodore Dubois brought this change]
5973 curl.1: change example for -F
5975 It's a bad idea to send your passwords anywhere, especially over HTTP.
5976 Modified example to send a picture instead.
5980 - KNOWN_BUGS: reorganized and cleaned up
5982 Now sorted into categories and organized in the same style we do the
5983 TODO document. It will make each issue linked properly on the
5984 https://curl.haxx.se/docs/knownbugs.html web page.
5986 The sections should make it easier to find issues and issues related to
5987 areas of the reader's specific interest.
5989 Jay Satiro (6 Apr 2016)
5990 - KNOWN_BUGS: #95 curl in Windows can't handle Unicode arguments
5992 Steve Holme (6 Apr 2016)
5993 - KNOWN_BUGS: Use https://curl.haxx.se URL for github based issues
5995 - CHECKSRC.md: Corrected some typos
5997 - RELEASE-NOTES: Corrected last updated
5999 Included a summary of the checksrc.bat updates and combined two krb5
6000 changes as they should have been implemented at the same time.
6002 - vauth: Corrected a number of typos in comments
6004 Reported-by: Michael Osipov
6006 Jay Satiro (5 Apr 2016)
6007 - KNOWN_BUGS: #94 IMAP custom requests use the LIST handler
6009 Bug: https://github.com/curl/curl/issues/536
6010 Reported-by: eXeC64@users.noreply.github.com
6012 Daniel Stenberg (5 Apr 2016)
6013 - KNOWN_BUGS: remove 68, 70 and 72.
6015 Due to their age (we don't fully know if they actually remain) and lack
6016 of detail - very few people will bother to find out what they're about
6017 or work on them. If people truly still suffer from any of these, I
6018 assume they will be reported again and then we'll deal with them.
6020 72. "Pausing pipeline problems."
6021 https://curl.haxx.se/mail/lib-2009-07/0214.html
6023 70. Problem re-using easy handle after call to curl_multi_remove_handle
6024 https://curl.haxx.se/mail/lib-2009-07/0249.html
6026 68. "More questions about ares behavior".
6027 https://curl.haxx.se/mail/lib-2009-08/0012.html
6029 - KNOWN_BUGS: remove 92 and 88, fixed
6031 - http2: fix connection reuse when PING comes after last DATA
6033 It turns out the google GFE HTTP/2 servers send a PING frame immediately
6034 after a stream ends and its last DATA has been received by curl. So if
6035 we don't drain that from the socket, it makes the socket readable in
6036 subsequent checks and libcurl then (wrongly) assumes the connection is
6037 dead when trying to reuse the connection.
6039 Reported-by: Joonas Kuorilehto
6043 - multi: remove trailing space in debug output
6045 - RELEASE-NOTES: synced with 86e97b642fb
6047 - CHECKSRC.md: mention cmdline options, fix the bullet list
6049 - docs/CHECKSRC.md: initial version
6051 Steve Holme (3 Apr 2016)
6052 - checksrc.bat: Added support for the examples
6054 Daniel Stenberg (3 Apr 2016)
6055 - lib/src: fix the checksrc invoke
6057 ... now works correctly when invoke from the root makefile