Changelog
-Version 7.50.2 (7 Sep 2016)
-
-Daniel Stenberg (7 Sep 2016)
-- RELEASE-NOTES: curl 7.50.2 release
+Version 7.53.1 (24 Feb 2017)
-- THANKS: updated for 7.50.2
+Daniel Stenberg (24 Feb 2017)
+- release: 7.53.1
-Jay Satiro (6 Sep 2016)
-- [Gaurav Malhotra brought this change]
+- Revert "tests: use consistent environment variables for setting charset"
+
+ This reverts commit ecd1d020abdae3c3ce3643ddab3106501e62e7c0.
+
+ That commit caused test failures on my Debian Linux machine for all
+ changed test cases. We need to reconsider how that should get done.
- openssl: fix CURLINFO_SSL_VERIFYRESULT
+Dan Fandrich (23 Feb 2017)
+- tests: use consistent environment variables for setting charset
- CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
- result when SSL_connect fails because of a certificate verification
- error.
+ Character set in POSIX is set by the locale defined (in decreasing order
+ of precedence) by the LC_ALL, LC_CTYPE and LANG environment variables (I
+ believe CHARSET is only historic). LC_ALL is cleared to ensure that
+ LC_CTYPE takes effect, but LC_ALL is not used to set the locale to
+ ensure that other parts of the locale aren't overriden, if set. Since
+ there doesn't seem to be a cross-platform way of specifying a UTF-8
+ locale, and not all systems may support UTF-8, a <precheck> is used
+ (where relevant) to skip the test if UTF-8 isn't in use. Test 1035 was
+ also converted to UTF-8 for consistency, as the actual character set
+ used there is irrelevant to the test.
+
+Jay Satiro (23 Feb 2017)
+- url: Default the CA proxy bundle location to CURL_CA_BUNDLE
- This fix saves the result of SSL_get_verify_result so that it is
- returned by CURLINFO_SSL_VERIFYRESULT.
+ If the compile-time CURL_CA_BUNDLE location is defined use it as the
+ default value for the proxy CA bundle location, which is the same as
+ what we already do for the regular CA bundle location.
- Closes https://github.com/curl/curl/pull/995
+ Ref: https://github.com/curl/curl/pull/1257
-Daniel Stenberg (6 Sep 2016)
-- [Daniel Gustafsson brought this change]
+Daniel Stenberg (23 Feb 2017)
+- [Sergii Pylypenko brought this change]
- darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
+ rand: added missing #ifdef HAVE_FCNTL_H around fcntl.h header
- While noErr and errSecSuccess are defined as the same value, the API
- documentation states that SecPKCS12Import() returns errSecSuccess if
- there were no errors in importing. Ensure that a future change of the
- defined value doesn't break (however unlikely) and be consistent with
- the API docs.
+ Closes #1285
-- [Daniel Gustafsson brought this change]
+- TODO: "OPTIONS *"
+
+ Closes #1280
- docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)
+- RELEASE-NOTES: synced with 443e5b03a7d441
-- [Marcel Raad brought this change]
+- THANKS-filter: shachaf
- openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
-
- With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
- functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
- replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
- OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
- now called OpenSSL_version_num().
-
- [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
- [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
+- [İsmail Dönmez brought this change]
+
+ tests: Set CHARSET & LANG to UTF-8 in 1035, 2046 and 2047
- Closes #992
+ Closes #1283
+ Fixes #1277
-- RELEASE-NOTES: synced with 3d4c0c8b9bc1d
+- bump: 7.53.1 coming up
+
+ synced with df665f4df0f7a352
-- http2: return EOF when done uploading without known size
+- formdata: check for EOF when reading from stdin
- Fixes #982
+ Reported-by: shachaf@users.noreply.github.com
+
+ Fixes #1281
-- http2: skip the content-length parsing, detect unknown size
+Jay Satiro (22 Feb 2017)
+- docs: gitignore curl.1
+
+ curl.1 is generated by the cmdline-opts script since 4c49b83.
-- http2: minor white space edit
+Daniel Stenberg (22 Feb 2017)
+- TODO: HTTP Digest using SHA-256
-- http2: use named define instead of magic constant in read callback
+- TODO: brotli is deployed widely now
-- [Craig Davison brought this change]
+Jay Satiro (21 Feb 2017)
+- [Viktor Szakats brought this change]
- configure: make the cpp -P detection not clobber CPPFLAGS
+ urldata: include curl_sspi.h when Windows SSPI is enabled
- CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF.
+ f77dabe broke builds in Windows using Windows SSPI but not Windows SSL.
- Fixes #958
-
-- [Olivier Brunel brought this change]
+ Bug: https://github.com/curl/curl/issues/1276
+ Reported-by: jveazey@users.noreply.github.com
- speed caps: not based on average speeds anymore
+- url: Improve CURLOPT_PROXY_CAPATH error handling
- Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
- CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
- with the cumulative average speed of the entire transfer; While this
- might work at times with good/constant connections, in other cases it
- can result to the limits simply being "ignored" for more than "short
- bursts" (as told in man page).
+ - Change CURLOPT_PROXY_CAPATH to return CURLE_NOT_BUILT_IN if the option
+ is not supported, which is the same as what we already do for
+ CURLOPT_CAPATH.
- Consider a download that goes on much slower than the limit for some
- time (because bandwidth is used elsewhere, server is slow, whatever the
- reason), then once things get better, curl would simply ignore the limit
- up until the average speed (since the beginning of the transfer) reached
- the limit. This could prove the limit useless to effectively avoid
- using the entire bandwidth (at least for quite some time).
+ - Change the curl tool to handle CURLOPT_PROXY_CAPATH error
+ CURLE_NOT_BUILT_IN as a warning instead of as an error, which is the
+ same as what we already do for CURLOPT_CAPATH.
- So instead, we now use a "moving starting point" as reference, and every
- time at least as much as the limit as been transferred, we can reset
- this starting point to the current position. This gets a good limiting
- effect that applies to the "current speed" with instant reactivity (in
- case of sudden speed burst).
+ - Fix CAPATH docs to show that CURLE_NOT_BUILT_IN is returned when the
+ respective CAPATH option is not supported by the SSL library.
- Closes #971
-
-- HISTORY.md: the multi socket was put in the wrong year!
+ Ref: https://github.com/curl/curl/pull/1257
-- [Mark Hamilton brought this change]
+- cyassl: fix typo
- tool_helpers.c: fix comment typo (#989)
+Version 7.53.0 (22 Feb 2017)
-- [Mark Hamilton brought this change]
+Daniel Stenberg (22 Feb 2017)
+- release: 7.53.0
- libtest/test.h: fix typo (#988)
+- cookie: fix declaration of 'dup' shadows a global declaration
-- CURLMOPT_PIPELINING.3: language
+- TLS: make SSL_VERIFYSTATUS work again
+
+ The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
+ and thus even if the status couldn't be verified, the connection would
+ be allowed and the user would not be told about the failed verification.
+
+ Regression since cb4e2be7c6d42ca
+
+ CVE-2017-2629
+ Bug: https://curl.haxx.se/docs/adv_20170222.html
+
+ Reported-by: Marcus Hoffmann
-- CURLMOPT_PIPELINING.3: extended and clarified
+Jay Satiro (21 Feb 2017)
+- digest_sspi: Handle 'stale=TRUE' directive in HTTP digest
- Especially in regards to the multiplexing part.
+ - If the server has provided another challenge use it as the replacement
+ input token if stale=TRUE. Otherwise previous credentials have failed
+ so return CURLE_LOGIN_DENIED.
+
+ Prior to this change the stale directive was ignored and if another
+ challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING.
+
+ Ref: https://tools.ietf.org/html/rfc2617#page-10
+
+ Bug: https://github.com/curl/curl/issues/928
+ Reported-by: tarek112@users.noreply.github.com
-Steve Holme (31 Aug 2016)
-- curl_sspi.c: Updated function description comments
+Daniel Stenberg (20 Feb 2017)
+- smb: use getpid replacement for windows UWP builds
- * Added description to Curl_sspi_free_identity()
- * Added parameter and return explanations to Curl_sspi_global_init()
- * Added parameter explaination to Curl_sspi_global_cleanup()
+ Source: https://github.com/Microsoft/vcpkg/blob/7676b8780db1e1e591c4fc7eba4f96f73c428cb4/ports/curl/0002_fix_uwp.patch
-- README: Corrected the supported Visual Studio versions
+- TODO: CURLOPT_RESOLVE for any port number
- Missed from commit 8356022d17.
+ Closes #1264
-- KNOWN_BUGS: Move the Visual Studio project shortcomings from local README
+- RELEASE-NOTES: synced with af30f1152d43dcdb
-- KNOWN_BUGS: Expand 6.4 to include Kerberos V5
-
- ...and discuss a possible solution.
+- [Jean Gressmann brought this change]
-Daniel Stenberg (30 Aug 2016)
-- connect: fix #ifdefs for debug versions of conn/streamclose() macros
-
- CURLDEBUG is for the memory debugging
+ sftp: improved checks for create dir failures
- DEBUGBUILD is for the extra debug stuff
+ Since negative values are errors and not only -1. This makes SFTP upload
+ with --create-dirs work (again).
- Pointed-out-by: Steve Holme
+ Closes #1269
-- KNOWN_BUGS: mention some cmake "support gaps"
+Jay Satiro (20 Feb 2017)
+- [Max Khon brought this change]
-Nick Zitzmann (28 Aug 2016)
-- darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
+ digest_sspi: Fix nonce-count generation in HTTP digest
- In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
-
-Daniel Stenberg (28 Aug 2016)
-- http2: return CURLE_HTTP2_STREAM for unexpected stream close
+ - on the first invocation: keep security context returned by
+ InitializeSecurityContext()
- Follow-up to c3e906e9cd0f, seems like a more appropriate error code
+ - on subsequent invocations: use MakeSignature() instead of
+ InitializeSecurityContext() to generate HTTP digest response
- Suggested-by: Jay Satiro
+ Bug: https://github.com/curl/curl/issues/870
+ Reported-by: Andreas Roth
+
+ Closes https://github.com/curl/curl/pull/1251
-- [Tatsuhiro Tsujikawa brought this change]
+- examples/multi-uv: checksrc compliance
- http2: handle closed streams when uploading
-
- Fixes #986
+Michael Kaufmann (19 Feb 2017)
+- string formatting: fix 4 printf-style format strings
-- http2: make sure stream errors don't needlessly close the connection
+Dan Fandrich (18 Feb 2017)
+- tests: removed the obsolete name parameter
+
+Michael Kaufmann (18 Feb 2017)
+- speed caps: update the timeouts if the speed is too low/high
- With HTTP/2 each transfer is made in an indivial logical stream over the
- connection, making most previous errors that caused the connection to get
- forced-closed now instead just kill the stream and not the connection.
+ Follow-up to 4b86113
- Fixes #941
+ Fixes https://github.com/curl/curl/issues/793
+ Fixes https://github.com/curl/curl/issues/942
-- Curl_verify_windows_version: minor edit to avoid compiler warnings
+- docs: fix timeout handling in multi-uv example
+
+- proxy: fix hostname resolution and IDN conversion
- ... instead of if() before the switch(), add a default to the switch so
- that the compilers don't warn on "warning: enumeration value
- 'PLATFORM_DONT_CARE' not handled in switch" anymore.
+ Properly resolve, convert and log the proxy host names.
+ Support the "--connect-to" feature for SOCKS proxies and for passive FTP
+ data transfers.
+
+ Follow-up to cb4e2be
+
+ Reported-by: Jay Satiro
+ Fixes https://github.com/curl/curl/issues/1248
-Steve Holme (27 Aug 2016)
-- RELEASE-NOTES: Added missing fix from commit 15592143f
+Jay Satiro (17 Feb 2017)
+- [Isaac Boukris brought this change]
-Jay Satiro (26 Aug 2016)
-- schannel: Disable ALPN for Wine since it is causing problems
+ http: fix missing 'Content-Length: 0' while negotiating auth
- - Disable ALPN on Wine.
+ - While negotiating auth during PUT/POST if a user-specified
+ Content-Length header is set send 'Content-Length: 0'.
- - Don't pass input secbuffer when ALPN is disabled.
+ This is what we do already in HTTPREQ_POST_FORM and what we did in the
+ HTTPREQ_POST case (regression since afd288b).
- When ALPN support was added a change was made to pass an input secbuffer
- to initialize the context. When ALPN is enabled the buffer contains the
- ALPN information, and when it's disabled the buffer is empty. In either
- case this input buffer caused problems with Wine and connections would
- not complete.
+ Prior to this change no Content-Length header would be sent in such a
+ case.
- Bug: https://github.com/curl/curl/issues/983
- Reported-by: Christian Fillion
+ Bug: https://curl.haxx.se/mail/lib-2017-02/0006.html
+ Reported-by: Dominik Hölzl
+
+ Closes https://github.com/curl/curl/pull/1242
-Kamil Dudka (26 Aug 2016)
-- [Peter Wang brought this change]
+Daniel Stenberg (16 Feb 2017)
+- [Simon Warta brought this change]
- nss: work around race condition in PK11_FindSlotByName()
+ winbuild: add note on auto-detection of MACHINE in Makefile.vc
- Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
- a multi-threaded environment. The underlying cause is a race condition
- in nssSlot_IsTokenPresent().
+ Closes #1265
+
+- RELEASE-PROCEDURE: update the upcoming release calendar
+
+- TODO: consider file name from the redirected URL with -O ?
- Bug: https://bugzilla.mozilla.org/1297397
+ It isn't easily solved, but with some thinking someone could probably
+ come up with a working approach?
- Closes #985
+ Closes #1241
-- nss: refuse previously loaded certificate from file
+Jay Satiro (15 Feb 2017)
+- tool_urlglob: Allow a glob range with the same start and stop
- ... when we are not asked to use a certificate from file
+ For example allow ranges like [1-1] and [a-a] etc.
+
+ Regression since 5ca96cb.
+
+ Bug: https://github.com/curl/curl/issues/1238
+ Reported-by: R. Dennis Steed
-Daniel Stenberg (26 Aug 2016)
-- ftp_done: remove dead code
+Daniel Stenberg (15 Feb 2017)
+- axtls: adapt to API changes
+
+ Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS
+ < 2.1.0 (the older API)
+
+ ... and fix the session_id mixup brought in 04b4ee549
+
+ Fixes #1220
-- TLS: random file/egd doesn't have to match for conn reuse
+- RELEASE-NOTES: synced with 690935390c29c
-- test161: add comment for the exit code
+- [Nick Draffen brought this change]
-Dan Fandrich (26 Aug 2016)
-- test219: Add http as a required feature
+ curl: fix typo in time condition warning message
+
+ The warning message had a typo. The argument long form is --time-cond
+ not --timecond
+
+ Closes #1263
-Daniel Stenberg (25 Aug 2016)
-- [Michael Kaufmann brought this change]
+- smb: code indent
- HTTP: stop parsing headers when switching to unknown protocols
+Jay Satiro (14 Feb 2017)
+- configure: Allow disabling pthreads, fall back on Win32 threads
- - unknown protocols probably won't send more headers (e.g. WebSocket)
- - improved comments and moved them to the correct case statements
+ When the threaded resolver option is specified for configure the default
+ thread library is pthreads. This change makes it possible to
+ --disable-pthreads and then configure can fall back on Win32 threads for
+ native Windows builds.
- Closes #899
+ Closes https://github.com/curl/curl/pull/1260
-- openssl: make build with 1.1.0 again
+Daniel Stenberg (13 Feb 2017)
+- http2: fix memory-leak when denying push streams
- synced with OpenSSL git master commit cc06906707
-
-- INTERNALS: fix title
+ Reported-by: zelinchen@users.noreply.github.com
+ Fixes #1229
-- configure: detect zlib with our pkg-config macros
+Jay Satiro (11 Feb 2017)
+- tool_operate: Show HTTPS-Proxy options on CURLE_SSL_CACERT
- ... instead of relying on the pkg-config autoconf macros to be present.
+ When CURLE_SSL_CACERT occurs the tool shows a lengthy error message to
+ the user explaining possible solutions such as --cacert and --insecure.
- Fixes #972 (again...)
-
-Jay Satiro (25 Aug 2016)
-- http2: Remove incorrect comments
+ This change appends to that message similar options --proxy-cacert and
+ --proxy-insecure when there's a specified HTTPS proxy.
- .. also remove same from scp
+ Closes https://github.com/curl/curl/issues/1258
-Daniel Stenberg (23 Aug 2016)
-- [Ales Novak brought this change]
+Daniel Stenberg (10 Feb 2017)
+- cmdline-opts/page-footer: ftp.sunet.se is no longer an FTP mirror
- ftp: fix wrong poll on the secondary socket
+- URL: only accept ";options" in SMTP/POP3/IMAP URL schemes
- When we're uploading using FTP and the server issues a tiny pause
- between opening the connection to the client's secondary socket, the
- client's initial poll() times out, which leads to second poll() which
- does not wait for POLLIN on the secondary socket. So that poll() also
- has to time out, creating a long (200ms) pause.
+ Fixes #1252
+
+Jay Satiro (9 Feb 2017)
+- cmdline-opts/socks*: Mention --preproxy in --socks* opts
- This patch adds the correct flag to the secondary socket, making the
- second poll() correctly wait for the connection there too.
+ - Document in --socks* opts they're still mutually exclusive of --proxy.
- Signed-off-by: Ales Novak <alnovak@suse.cz>
+ Partial revert of 423a93c; I had misinterpreted the SOCKS proxy +
+ HTTP/HTTPS proxy combination.
- Closes #978
+ - Document in --socks* opts that --preproxy can be used to specify a
+ SOCKS proxy at the same time --proxy is used with an HTTP/HTTPS proxy.
-- RELEASE-NOTES: synced with 95ded2c56
+Daniel Stenberg (9 Feb 2017)
+- CURLOPT_SSL_VERIFYPEER.3: also the https proxy version
-- configure: make it work without PKG_CHECK_MODULES
+Kamil Dudka (9 Feb 2017)
+- nss: make FTPS work with --proxytunnel
- With commit c2f9b78 we added a new dependency on pkg-config for
- developers which may be unwanted. This change make the configure script
- still work as before if pkg-config isn't installed, it'll just use the
- old zlib detection logic without pkg-config.
+ If the NSS code was in the middle of a non-blocking handshake and it
+ was asked to finish the handshake in blocking mode, it unexpectedly
+ continued in the non-blocking mode, which caused a FTPS connection
+ over CONNECT to fail with "(81) Socket not ready for send/recv".
- Reported-by: Marc Hörsken
+ Bug: https://bugzilla.redhat.com/1420327
+
+Daniel Stenberg (9 Feb 2017)
+- examples/multithread.c: link to our multi-thread docs
- Fixes #972
+ ... instead of the OpenSSL mutex page.
-Marc Hoersken (21 Aug 2016)
-- Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6"
+- http_proxy: avoid freeing static memory
- This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554.
+ Follow up to 7fe81ec298e0: make sure 'host' is either NULL or malloced.
+
+- [Cameron MacMinn brought this change]
+
+ http_proxy: Fix tiny memory leak upon edge case connecting to proxy
- As discussed in #835 SOCKS5 supports IPv6 proxies and destinations.
+ Fixes #1255
-Daniel Stenberg (21 Aug 2016)
-- [Marco Deckel brought this change]
+Michael Kaufmann (8 Feb 2017)
+- polarssl, mbedtls: Fix detection of pending data
+
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html
- win: Basic support for Universal Windows Platform apps
+Dan Fandrich (7 Feb 2017)
+- test1139: Added the --manual keyword since the manual is required
+
+Daniel Stenberg (7 Feb 2017)
+- RELEASE-NOTES: synced with 102454459dd688c
+
+- THANKS-filter: polish some recent contributors
+
+- http2: reset push header counter fixes crash
- Closes #820
+ When removing an easy handler from a multi before it completed its
+ transfer, and it had pushed streams, it would segfault due to the pushed
+ counted not being cleared.
+
+ Fixed-by: zelinchen@users.noreply.github.com
+ Fixes #1249
-Steve Holme (21 Aug 2016)
-- sasl: Don't use GSSAPI authentication when domain name not specified
+- [Markus Westerlind brought this change]
+
+ transfer: only retry nobody-requests for HTTP
- Only choose the GSSAPI authentication mechanism when the user name
- contains a Windows domain name or the user is a valid UPN.
+ Using sftp to delete a file with CURLOPT_NOBODY set with a reused
+ connection would fail as curl expected to get some data. Thus it would
+ retry the command again which fails as the file has already been
+ deleted.
- Fixes #718
+ Fixes #1243
-- vauth: Added check for supported SSPI based authentication mechanisms
+Jay Satiro (7 Feb 2017)
+- [Daniel Gustafsson brought this change]
+
+ telnet: Fix typos
- Completing commit 00417fd66c and 2708d4259b.
+ Ref: https://github.com/curl/curl/pull/1245
-- http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
+- [Daniel Gustafsson brought this change]
+
+ test552: Fix typos
- From commit 2708d4259b.
+ Closes https://github.com/curl/curl/pull/1245
-Marc Hoersken (20 Aug 2016)
-- socks.c: display the hostname returned by the SOCKS5 proxy server
+- [Daniel Gustafsson brought this change]
+
+ darwinssl: Avoid parsing certificates when not in verbose mode
- Instead of displaying the requested hostname the one returned
- by the SOCKS5 proxy server is used in case of connection error.
- The requested hostname is displayed earlier in the connection sequence.
+ The information extracted from the server certificates in step 3 is only
+ used when in verbose mode, and there is no error handling or validation
+ performed as that has already been done. Only run the certificate
+ information extraction when in verbose mode and libcurl was built with
+ verbose strings.
- The upper-value of the port is moved to a temporary variable and
- replaced with a 0-byte to make sure the hostname is 0-terminated.
+ Closes https://github.com/curl/curl/pull/1246
-Steve Holme (20 Aug 2016)
-- urldata.h: Corrected comment for httpcode which is also populated by SMTP
-
- As of 7.25.0 and commit 5430007222.
+- [JDepooter brought this change]
-Marc Hoersken (20 Aug 2016)
-- socks.c: use Curl_printable_address in SOCKS5 connection sequence
+ schannel: Remove incorrect SNI disabled message
- Replace custom string formatting with Curl_printable_address.
- Add additional debug and error output in case of failures.
+ - Remove the SNI disabled when host verification disabled message
+ since that is incorrect.
+
+ - Show a message for legacy versions of Windows <= XP that connections
+ may fail since those versions of WinSSL lack SNI, algorithms, etc.
+
+ Bug: https://github.com/curl/curl/pull/1240
-- socks.c: align SOCKS4 connection sequence with SOCKS5
+Daniel Stenberg (7 Feb 2017)
+- CHANGES: spell fix, use correct path to script
+
+- CHANGES.0: removed
- Calling sscanf is not required since the raw IPv4 address is
- available and the protocol can be detected using ai_family.
+ This is the previously manually edited changelog, not touched since Aug
+ 2015. Still present in git for those who wants it.
-Steve Holme (20 Aug 2016)
-- http.c: Corrected indentation change from commit 2708d4259b
+Dan Fandrich (6 Feb 2017)
+- cmdline-opts: Fixed build and test in out of source tree builds
+
+Viktor Szakats (6 Feb 2017)
+- use *.sourceforge.io and misc URL updates
- Made by Visual Studio's auto-correct feature and missed by me in my own
- code reviews!
+ Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/
+ Closes: https://github.com/curl/curl/pull/1247
-- http: Added calls to Curl_auth_is_<mechansism>_supported()
+Jay Satiro (6 Feb 2017)
+- docs: Add more HTTPS proxy documentation
- Hooked up the HTTP authentication layer to query the new 'is mechanism
- supported' functions when deciding what mechanism to use.
+ - Document HTTPS proxy type.
- As per commit 00417fd66c existing functionality is maintained for now.
+ - Document --write-out %{proxy_ssl_verify_result}.
+
+ - Document SOCKS proxy + HTTP/HTTPS proxy combination.
+
+ HTTPS proxy support was added in 7.52.0 for OpenSSL, GnuTLS and NSS.
+
+ Ref: https://github.com/curl/curl/commit/cb4e2be
-Marc Hoersken (20 Aug 2016)
-- socks.c: improve verbose output of SOCKS5 connection sequence
+- OS400: Fix symbols
+
+ - s/CURLOPT_SOCKS_PROXY/CURLOPT_PRE_PROXY
+ Follow-up to 7907a2b and 845522c.
+
+ - Fix incorrect id for CURLOPT_PROXY_PINNEDPUBLICKEY.
+
+ - Add id for CURLOPT_ABSTRACT_UNIX_SOCKET.
+
+ Bug: https://github.com/curl/curl/issues/1237
+ Reported-by: jonrumsey@users.noreply.github.com
-- configure.ac: add missing quotes to PKG_CHECK_MODULES
+- [Sean Burford brought this change]
-Steve Holme (20 Aug 2016)
-- sasl: Added calls to Curl_auth_is_<mechansism>_supported()
+ cmake: Support curl --xattr when built with cmake
- Hooked up the SASL authentication layer to query the new 'is mechanism
- supported' functions when deciding what mechanism to use.
+ - Test for and set HAVE_FSETXATTR when support for extended file
+ attributes is present.
- For now existing functionality is maintained.
+ Closes https://github.com/curl/curl/pull/1176
-Daniel Stenberg (19 Aug 2016)
-- [Miroslav Franc brought this change]
+- [Adam Langley brought this change]
- spnego_sspi: fix memory leak in case *outlen is zero (#970)
+ openssl: Don't use certificate after transferring ownership
+
+ SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
+ while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
+ it's best to call SSL_CTX_add_client_CA before
+ SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
+ argument.
+
+ Closes https://github.com/curl/curl/pull/1236
-- CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex
+Daniel Stenberg (29 Jan 2017)
+- [Antoine Aubert brought this change]
-Steve Holme (18 Aug 2016)
-- vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
+ mbedtls: implement CTR-DRBG and HAVEGE random generators
- As Windows SSPI authentication calls fail when a particular mechanism
- isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
- and Negotiate to allow both HTTP and SASL authentication the opportunity
- to query support for a supported mechanism before selecting it.
+ closes #1227
+
+- docs: we no longer ship HTML versions of man pages
- For now each function returns TRUE to maintain compatability with the
- existing code when called.
+ ... refer to the web site for the web versions.
-Daniel Stenberg (18 Aug 2016)
-- test1144: verify HEAD with body-only response
+- [railsnewbie257 brought this change]
-Steve Holme (17 Aug 2016)
-- RELEASE-PROCEDURE: Added some more future release dates
+ docs: proofread README.netware README.win32
- ...and removed some old ones
+ Closes #1231
-Daniel Stenberg (17 Aug 2016)
-- [David Woodhouse brought this change]
+- RELEASE-NOTES; synced with ab08d82648
- curl: allow "pkcs11:" prefix for client certificates
+Michael Kaufmann (28 Jan 2017)
+- mbedtls: disable TLS session tickets
- RFC7512 provides a standard method to reference certificates in PKCS#11
- tokens, by means of a URI starting 'pkcs11:'.
+ SSL session reuse with TLS session tickets is not supported yet.
+ Use SSL session IDs instead.
- We're working on fixing various applications so that whenever they would
- have been able to use certificates from a file, users can simply insert
- a PKCS#11 URI instead and expect it to work. This expectation is now a
- part of the Fedora packaging guidelines, for example.
+ See https://github.com/curl/curl/issues/1109
+
+- gnutls: disable TLS session tickets
- This doesn't work with cURL because of the way that the colon is used
- to separate the certificate argument from the passphrase. So instead of
+ SSL session reuse with TLS session tickets is not supported yet.
+ Use SSL session IDs instead.
- curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
+ Fixes https://github.com/curl/curl/issues/1109
+
+- polarssl: fix hangs
- I instead need to invoke cURL with the colon escaped, like this:
+ This bugfix is similar to commit c111178bd4.
+
+Daniel Stenberg (27 Jan 2017)
+- cookies: do not assume a valid domain has a dot
- curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
+ This repairs cookies for localhost.
- This is suboptimal because we want *consistency* — the URI should be
- usable in place of a filename anywhere, without having strange
- differences for different applications.
+ Non-PSL builds will now only accept "localhost" without dots, while PSL
+ builds okeys everything not listed as PSL.
- This patch therefore disables the processing in parse_cert_parameter()
- when the string starts with 'pkcs11:'. It means you can't pass a
- passphrase with an unescaped PKCS#11 URI, but there's no need to do so
- because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
- the URI itself.
+ Added test 1258 to verify.
- Also, if users are already using RFC7512 URIs with the colon escaped as
- in the above example — even providing a passphrase for cURL to handling
- instead of using a pin-value attribute, that will continue to work
- because their string will start 'pkcs11\:' and won't match the check.
+ This was a regression brought in a76825a5efa6b4
+
+- TODO: remove "Support TLS v1.3"
- What *does* break with this patch is the extremely unlikely case that a
- user has a file which is in the local directory and literally named
- just "pkcs11", and they have a passphrase on it. If that ever happened,
- the user would need to refer to it as './pkcs11:<passphrase>' instead.
+ Support is trickling in already.
-- nss: make the global variables static
+- [railsnewbie257 brought this change]
-- openssl: use regular malloc instead of OPENSSL_malloc
+ INTERNALS.md: language improvements
- This allows for better memmory debugging and torture tests.
+ Closes #1226
-- proxy: fix tests as follow-up to 93b0d907d5
+- telnet: fix windows compiler warnings
- This fixes tests that were added after 113f04e664b as the tests would
- fail otherwise.
+ Thumbs-up-by: Jay Satiro
- We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
- regressions with old and stupid proxies, but we could possibly switch to
- using it only for CONNECT or only for NTLM in a future if we want to
- gradually reduce it.
+ Closes #1225
+
+- VC: remove the makefile.vc6 build infra
- Fixes #954
+ The winbuild/ build files is now the single MSVC makefile build choice.
- Reported-by: János Fekete
+ Closes #1215
-- Revert "Proxy-Connection: stop sending this header by default"
-
- This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
+- [Jay Satiro brought this change]
-- CURLOPT_PROXY.3: unsupported schemes cause errors now
+ cmdline-opts/gen.pl: Open input files in CRLF mode
- Follow-up to a96319ebb9 (document the new behavior)
+ On Windows it's possible to have input files with CRLF line endings and
+ a perl that defaults to LF line endings (eg msysgit). Currently that
+ results in generator output of mixed line endings of CR, LF and CRLF.
+
+ This change fixes that issue in the most succinct way by opening the
+ files in :crlf text mode even when the perl being used does not default
+ to that mode. (On operating systems that don't have a separate text mode
+ it's essentially a no-op.) The output continues to be in the perl's
+ native line ending.
-- tests/README: mention nghttpx for HTTP/2 tests
+- docs/curl.1: generate from the cmdline-opts script
-- README.md: add our CII Best Practices badge
+- vtls: source indentation fix
-- proxy: polished the error message for unsupported schemes
-
- Follow up to a96319ebb93
+- contri*.sh: cut off parentheses from names too
-- test219: verify unsupported scheme for proxies get rejected
+- RELEASE-NOTES: synced with 01ab7c30bba6f
-- proxy: reject attempts to use unsupported proxy schemes
+- vtls: fix PolarSSL non-blocking handling
- I discovered some people have been using "https://example.com" style
- strings as proxy and it "works" (curl doesn't complain) because curl
- ignores unknown schemes and then assumes plain HTTP instead.
+ A regression brought in cb4e2be
- I think this misleads users into believing curl uses HTTPS to proxies
- when it doesn't. Now curl rejects proxy strings using unsupported
- schemes instead of just ignoring and defaulting to HTTP.
+ Reported-by: Michael Kaufmann
+ Bug: https://github.com/curl/curl/issues/1174#issuecomment-274018791
-- RELEASE-NOTES: synced with b7ee5316c2fd5b
+- [Antoine Aubert brought this change]
-Marc Hoersken (14 Aug 2016)
-- socks.c: Correctly calculate position of port in response packet
+ vtls: fix mbedtls multi non blocking handshake.
- Third commit to fix issue #944 regarding SOCKS5 error handling.
+ When using multi, mbedtls handshake is in non blocking mode. vtls must
+ set wait for read/write flags for the socket.
- Reported-by: David Kalnischkies
+ Closes #1223
-- socks.c: Do not modify and invalidate calculated response length
+- [Richy Kim brought this change]
+
+ CURLOPT_BUFFERSIZE: support enlarging receive buffer
- Second commit to fix issue #944 regarding SOCKS5 error handling.
+ Replace use of fixed macro BUFSIZE to define the size of the receive
+ buffer. Reappropriate CURLOPT_BUFFERSIZE to include enlarging receive
+ buffer size. Upon setting, resize buffer if larger than the current
+ default size up to a MAX_BUFSIZE (512KB). This can benefit protocols
+ like SFTP.
- Reported-by: David Kalnischkies
+ Closes #1222
-- socks.c: Move error output after reading the whole response packet
-
- First commit to fix issue #944 regarding SOCKS5 error handling.
+- sws: use SOCKERRNO, not errno
- Reported-by: David Kalnischkies
+ Reported-by: Gisle Vanem
-Daniel Stenberg (13 Aug 2016)
-- [Ronnie Mose brought this change]
+Michael Kaufmann (19 Jan 2017)
+- KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
+
+ This has been implemented with commit 9ad034e.
- MANUAL: Remove invalid link to LDAP documentation (#962)
+Viktor Szakats (19 Jan 2017)
+- *.rc: escape non-ASCII/non-UTF-8 character for clarity
- The server developer.netscape.com does not resolve into any
- ip address and can be removed.
+ Closes https://github.com/curl/curl/pull/1217
-Jay Satiro (13 Aug 2016)
-- openssl: accept subjectAltName iPAddress if no dNSName match
+Kamil Dudka (19 Jan 2017)
+- docs: non-blocking SSL handshake is now supported with NSS
- Undo change introduced in d4643d6 which caused iPAddress match to be
- ignored if dNSName was present but did not match.
+ Implemented since curl-7_36_0-130-g8868a22
- Also, if iPAddress is present but does not match, and dNSName is not
- present, fail as no-match. Prior to this change in such a case the CN
- would be checked for a match.
+ Reported-by: Fahim Chandurwala
+
+Michael Kaufmann (18 Jan 2017)
+- CURLOPT_CONNECT_TO: Fix compile warnings
- Bug: https://github.com/curl/curl/issues/959
- Reported-by: wmsch@users.noreply.github.com
+ Fix compile warnings that appeared only when curl has been configured
+ with '--disable-verbose'.
-Daniel Stenberg (12 Aug 2016)
-- [Dambaev Alexander brought this change]
+Daniel Stenberg (18 Jan 2017)
+- usercertinmem.c: improve the short description
- configure.ac: add zlib search with pkg-config
+- parseurl: move back buffer to function scope
- Closes #956
+ Regression since 1d4202ad, which moved the buffer into a more narrow
+ scope, but the data in that buffer was used outside of that more narrow
+ scope.
+
+ Reported-by: Dan Fandrich
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0093.html
-- rtsp: ignore whitespace in session id
+Jay Satiro (17 Jan 2017)
+- openssl: Fix random generation
- Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
- whitespace as well.
+ - Fix logic error in Curl_ossl_random.
- Help-by: Erik Janssen
+ Broken a few days ago in 807698d.
-- HTTP: retry failed HEAD requests too
-
- Mark's new document about HTTP Retries
- (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
- spotted that we don't retry failed HEAD requests which seems totally
- inconsistent and I can't see any reason for that separate treatment.
+Daniel Stenberg (17 Jan 2017)
+- TODO: share OpenSSL contexts
- So, no separate treatment for HEAD starting now. A HTTP request sent
- over a reused connection that gets cut off before a single byte is
- received will be retried on a fresh connection.
+ By supporting this, subsequent connects would load a lot less data from
+ disk.
- Made-aware-by: Mark Nottingham
+ Closes #1110
-- mk-ca-bundle.1: document -m, added in 1.26
-
-- RELEASE-NOTES: synced with e577c43bb5
+- bump: next release will be 7.53.0
-- [Erik Janssen brought this change]
+Kamil Dudka (15 Jan 2017)
+- nss: use the correct lock in nss_find_slot_by_name()
- rtsp: accept any RTSP session id
-
- Makes libcurl work in communication with gstreamer-based RTSP
- servers. The original code validates the session id to be in accordance
- with the RFC. I think it is better not to do that:
+Alessandro Ghedini (15 Jan 2017)
+- http2: disable server push if not requested
- - For curl the actual content is a don't care.
+ Ref: https://github.com/curl/curl/pull/1160
+
+Daniel Stenberg (14 Jan 2017)
+- [railsnewbie257 brought this change]
+
+ docs: improved language in README.md HISTORY.md CONTRIBUTE.md
- - The clarity of the RFC is debatable, is $ allowed or only as \$, that
- is imho not clear
+ Closes #1211
+
+Alessandro Ghedini (14 Jan 2017)
+- http: print correct HTTP string in verbose output when using HTTP/2
- - Gstreamer seems to url-encode the session id but % is not allowed by
- the RFC
+ Before:
+ ```
+ % src/curl https://sigsegv.ninja/ -v --http2
+ ...
+ > GET / HTTP/1.1
+ > Host: sigsegv.ninja
+ > User-Agent: curl/7.52.2-DEV
+ > Accept: */*
+ >
+ ...
+ ```
- - less code
+ After:
+ ```
+ % src/curl https://sigsegv.ninja/ -v --http2
+ ...
+ > GET / HTTP/2
+ > Host: sigsegv.ninja
+ > User-Agent: curl/7.52.2-DEV
+ > Accept: */*
+ >
+ ```
+
+Daniel Stenberg (14 Jan 2017)
+- TODO: send only part of --data
- With this patch curl will correctly handle real-life lines like:
- Session: biTN4Kc.8%2B1w-AF.; timeout=60
+ Closes #1200
+
+- TODO: implemened "--fail-fast to exit on first transfer fail"
- Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
+ Even though it is called --fail-early
-- symbols-in-versions: add CURL_STRICTER
+- TODO: Chunked transfer multipart formpost
- Added in 5fce88aa8c12564
+ Closes #1139
-- [Simon Warta brought this change]
+- TODO: Improve formpost API, not just add an easy argument
- winbuild: Allow changing C compiler via environment variable CC (#952)
+- addrinfo: fix compiler warning on offsetof() use
- This makes it possible to use specific compilers or a cache.
+ curl_addrinfo.c:519:20: error: conversion to ‘curl_socklen_t {aka
+ unsigned int}’ from ‘long unsigned int’ may alter its value
+ [-Werror=conversion]
- Sample use for clcache:
- set CC=clcache.bat
- nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
+ Follow-up to 1d786faee1046f
-- LICENSE-MIXING.md: switched to markdown
+- THANKS-filter: Jiri Malak
-- docs-make: have markdown files use .md
+- RELEASE-NOTES: synced with a7c73ae309c
-- curl.h: make CURL_NO_OLDIES define CURL_STRICTER
+Peter Wu (13 Jan 2017)
+- [Isaac Boukris brought this change]
-- HISTORY.md: use markdown extension
+ unix_socket: add support for abstract unix domain socket
+
+ In addition to unix domain sockets, Linux also supports an
+ abstract namespace which is independent of the filesystem.
+
+ In order to support it, add new CURLOPT_ABSTRACT_UNIX_SOCKET
+ option which uses the same storage as CURLOPT_UNIX_SOCKET_PATH
+ internally, along with a flag to specify abstract socket.
+
+ On non-supporting platforms, the abstract address will be
+ interpreted as an empty string and fail gracefully.
+
+ Also add new --abstract-unix-socket tool parameter.
+
+ Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+ Reported-by: Chungtsun Li (typeless)
+ Reviewed-by: Daniel Stenberg
+ Reviewed-by: Peter Wu
+ Closes #1197
+ Fixes #1061
-- SSLCERTS.md: renamed to markdown extension
+Daniel Stenberg (13 Jan 2017)
+- write-out.d: 'time_total' is not always shown with ms precision
+
+ We have higher resolution since 7.52.0
-- INTERNALS.md: use markdown extension for markdown content
+- next.d: --trace and --trace-ascii are also global
-- CONTRIBUTE.md: markdown extension
+- [Isaac Boukris brought this change]
-- CONTRIBUTE: changed to markdown
+ curl: reset the easy handle at --next
+
+ So that only "global" options (verbose mostly) survive into the next
+ transfer, and the others have to be set again unless default is fine.
-- CONTRIBUTE: refreshed
+- [Frank Gevaerts brought this change]
-- TODO: added an SSH section and two SFTP things to do
+ docs: Add note about libcurl copying strings to CURLOPT_* manpages
+
+ Closes #1169
-- TODO: remove the 1.22 duplicated item
+- [Frank Gevaerts brought this change]
-- TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section
+ CURLOPT_PREQUOTE.3: takes a struct curl_slist*, not a char*
-- TODO: API for URL parsing/splitting
+- IDN: Use TR46 non-transitional
+
+ Assisted-by: Tim Rühsen
-- TODO: move QUIC to the HTTP section
+- IDN: revert use of the transitional option
+
+ It made the german ß get converted to ss, IDNA2003 style, and we can't
+ have that for the .de TLD - a primary reason for our switch to IDNA2008.
+
+ Test 165 verifies.
-- [Simon Warta brought this change]
+- [Tim Rühsen brought this change]
- winbuild: Free name $(CC) in Makefile (#950)
+ IDN: Fix compile time detection of linidn2 TR46
- In the old line number 290, CC and CURL_CC had the same value. After
- that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
+ Follow-up to f30cbcac1
- This gets rid of the CC variable entirely. It is a first step to make it
- possible to manualyl set a CC variable in order to be able to change the
- compiler.
+ Closes #1207
-- TODO: Use huge HTTP/2 windows
-
-- [Simon Warta brought this change]
+- [ERAMOTO Masaya brought this change]
- winbuild: Avoid setting redundant CFLAGS to compile commands (#949)
+ url: --noproxy option overrides NO_PROXY environment variable
- $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
- all arguments in CURL_CFLAGS have been added twice.
+ Under condition using http_proxy env var, noproxy list was the
+ combination of --noproxy option and NO_PROXY env var previously. Since
+ this commit, --noproxy option overrides NO_PROXY environment variable
+ even if use http_proxy env var.
+
+ Closes #1140
-Jay Satiro (8 Aug 2016)
-- cmake: Enable win32 threaded resolver by default
+- [ERAMOTO Masaya brought this change]
+
+ url: Refactor detect_proxy()
- - Turn on USE_THREADS_WIN32 in Windows if ares isn't on
+ If defined CURL_DISABLE_HTTP, detect_proxy() returned NULL. If not
+ defined CURL_DISABLE_HTTP, detect_proxy() checked noproxy list.
- This change is similar to what we already do in the autotools build.
+ Thus refactor to set proxy to NULL instead of calling detect_proxy() if
+ define CURL_DISABLE_HTTP, and refactor to call detect_proxy() if not
+ define CURL_DISABLE_HTTP and the host is not in the noproxy list.
-- cmake: Enable win32 large file support by default
+- [ERAMOTO Masaya brought this change]
+
+ url: Fix NO_PROXY env var to work properly with --proxy option.
- All compilers used by cmake in Windows should support large files.
+ The combination of --noproxy option and http_proxy env var works well
+ both for proxied hosts and non-proxied hosts.
- - Add test SIZEOF_OFF_T
- - Remove outdated test SIZEOF_CURL_OFF_T
- - Turn on USE_WIN32_LARGE_FILES in Windows
- - Check for 'Largefile' during the features output
+ However, when combining NO_PROXY env var with --proxy option,
+ non-proxied hosts are not reachable while proxied host is OK.
+
+ This patch allows us to access non-proxied hosts even if using NO_PROXY
+ env var with --proxy option.
-Daniel Stenberg (7 Aug 2016)
-- TODO: added several ideas, removed SPDY
+- [Tim Rühsen brought this change]
-- http2: always wait for readable socket
+ IDN: Use TR46 'transitional' for toASCII translations
- Since the server can at any time send a HTTP/2 frame to us, we need to
- wait for the socket to be readable during all transfers so that we can
- act on incoming frames even when uploading etc.
+ References: http://unicode.org/faq/idn.html
+ http://unicode.org/reports/tr46
- Reminded-by: Tatsuhiro Tsujikawa
+ Closes #1206
-- RELEASE-NOTES: synced with 7b4bf37a44791
-
-- [Thomas Glanzmann brought this change]
+- [railsnewbie257 brought this change]
- mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
+ docs: FAQ MAIL-ETIQUETTE language fixes
- In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
- to 0. This patch also adds a comment how mbedtls must be compiled in
- order to make debugging work, and explains the possible debug levels.
+ Closes #1194
-- CURLOPT_TCP_NODELAY: now enabled by default
+- [Marcus Hoffmann brought this change]
+
+ gnutls: check for alpn and ocsp in configure
- After a few wasted hours hunting down the reason for slowness during a
- TLS handshake that turned out to be because of TCP_NODELAY not being
- set, I think we have enough motivation to toggle the default for this
- option. We now enable TCP_NODELAY by default and allow applications to
- switch it off.
+ Check for presence of gnutls_alpn_* and gnutls_ocsp_* functions during
+ configure instead of relying on the version number. GnuTLS has options
+ to turn these features off and we ca just work with with such builds
+ like we work with older versions.
- This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
- used to disable it.
+ Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com>
- Thanks-to: Tim Rühsen
- Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
-
-- [Serj Kalichev brought this change]
+ Closes #1204
- TFTP: Fix upload problem with piped input
+Jay Satiro (12 Jan 2017)
+- url: Fix parsing for when 'file' is the default protocol
- When input stream for curl is stdin and input stream is not a file but
- generated by a script then curl can truncate data transfer to arbitrary
- size since a partial packet is treated as end of transfer by TFTP.
+ Follow-up to 3463408.
- Fixes #857
-
-- mk-ca-bundle.pl: -m keeps ca cert meta data in output
+ Prior to 3463408 file:// hostnames were silently stripped.
- Makes the script pass on comments holding meta data to the output
- file. Like fingerprinters, issuer, date ranges etc.
+ Prior to this commit it did not work when a schemeless url was used with
+ file as the default protocol.
- Closes #937
+ Ref: https://curl.haxx.se/mail/lib-2016-11/0081.html
+ Closes https://github.com/curl/curl/pull/1124
+
+ Also fix for drive letters:
+
+ - Support --proto-default file c:/foo/bar.txt
+
+ - Support file://c:/foo/bar.txt
+
+ - Fail when a file:// drive letter is detected and not MSDOS/Windows.
+
+ Bug: https://github.com/curl/curl/issues/1187
+ Reported-by: Anatol Belski
+ Assisted-by: Anatol Belski
-- multi: make Curl_expire() work with 0 ms timeouts
+Daniel Stenberg (12 Jan 2017)
+- rand: make it work without TLS backing
- Previously, passing a timeout of zero to Curl_expire() was a magic code
- for clearing all timeouts for the handle. That is now instead made with
- the new Curl_expire_clear() function and thus a 0 timeout is fine to set
- and will trigger a timeout ASAP.
+ Regression introduced in commit f682156a4fc6c4
- This will help removing short delays, in particular notable when doing
- HTTP/2.
+ Reported-by: John Kohl
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html
-- transfer: return without select when the read loop reached maxcount
+Jay Satiro (12 Jan 2017)
+- STARTTLS: Don't print response character in denied messages
- Regression added in 790d6de48515. The was then added to avoid one
- particular transfer to starve out others. But when aborting due to
- reading the maxcount, the connection must be marked to be read from
- again without first doing a select as for some protocols (like SFTP/SCP)
- the data may already have been read off the socket.
+ Both IMAP and POP3 response characters are used internally, but when
+ appended to the STARTTLS denial message likely could confuse the user.
- Reported-by: Dan Donahue
- Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html
+ Closes https://github.com/curl/curl/pull/1203
-Steve Holme (3 Aug 2016)
-- [Bill Nagel brought this change]
+- smtp: Fix STARTTLS denied error message
+
+ - Format the numeric denial code as an integer instead of a character.
- mbedtls: Added support for NTLM
+Daniel Stenberg (11 Jan 2017)
+- http2_send: avoid unsigned integer wrap around
+
+ ... when checking for a too large request.
-Daniel Stenberg (3 Aug 2016)
-- [Sergei Nikulov brought this change]
+Jay Satiro (9 Jan 2017)
+- [Jiri Malak brought this change]
- travis: removed option to rebuild autotool from source
+ cmake: Fix passing _WINSOCKAPI_ macro to compiler
- Fixes #943
+ Define _WINSOCKAPI_ blank rather than to 1 in order to match the value
+ used by Microsoft's winsock header files.
+
+ Closes https://github.com/curl/curl/pull/1195
-- bump: start working toward 7.50.2
+Daniel Stenberg (9 Jan 2017)
+- sws: retry send() on EWOULDBLOCK
+
+ Fixes spurious test 1060 and 1061 failures on OpenBSD, Solaris and more.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0009.html
+ Reported-by: Christian Weisgerber
-Version 7.50.1 (3 Aug 2016)
+- RELEASE-NOTES: synced with a41e8592d6b3e58
-Daniel Stenberg (3 Aug 2016)
-- THANKS: 7 new contributors from the 7.50.1 release
+- examples: make the C++ examples follow our code style too
+
+ At least mostly, not counting // comments.
-- RELEASE-NOTES: 7.50.1
+- [Aulddays brought this change]
-- TLS: only reuse connections with the same client cert
+ asiohiper: improved socket handling
- CVE-2016-5420
- Bug: https://curl.haxx.se/docs/adv_20160803B.html
-
-- TLS: switch off SSL session id when client cert is used
+ libcurl requires CURLMOPT_SOCKETFUNCTION to KEEP watching socket events
+ and notify back. Modify event_cb() to continue watching events when
+ fired.
- CVE-2016-5419
- Bug: https://curl.haxx.se/docs/adv_20160803A.html
- Reported-by: Bru Rom
- Contributions-by: Eric Rescorla and Ray Satiro
+ Fixes #1191
+ Closes #1192
+ Fixed-by: Mingliang Zhu
-- curl_multi_cleanup: clear connection pointer for easy handles
-
- CVE-2016-5421
- Bug: https://curl.haxx.se/docs/adv_20160803C.html
- Reported-by: Marcelo Echeverria and Fernando Muñoz
+- [Jiří Malák brought this change]
-- KNOWN_BUGS: SOCKS proxy not working via IPv6
+ lib506: fix build for Open Watcom
- Closes #835
+ Rename symbol lock to locks to not clash with OW CRTL function name.
+
+ Closes #1196
-- KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
+- ROADMAP: 2017 cleanup
- Closes #768
+ Removed items already fixed, clarified a few others.
-- KNOWN_BUGS: transfer-encoding: chunked in HTTP/2
+- COPYING: update the generic copyright year range
+
+- docs/silent: mention --show-error in --silent description
- Closes #662
+ Reported in #1190
+ Reported-by: Dan Jacobson
-- TODO: Provide cmake config-file
+- docs/page-header: mention how to disable the progress meter
- Closes #885
+ curl.1 is regenerated
+
+ Fixes #1190
-Patrick Monnerat (2 Aug 2016)
-- os400: define BUILDING_LIBCURL in make script.
+Dan Fandrich (7 Jan 2017)
+- wolfssl: display negotiated SSL version and cipher
-Daniel Stenberg (1 Aug 2016)
-- RELEASE-NOTES: synced with aa9f536a18b
+- wolfssl: support setting cipher list
-Jay Satiro (1 Aug 2016)
-- [Thomas Glanzmann brought this change]
+Patrick Monnerat (6 Jan 2017)
+- CIPHERS.md: document GSKit ciphers
- mbedtls: Fix debug function name
-
- This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
- defined.
+Jay Satiro (5 Jan 2017)
+- [peterpih brought this change]
+
+ TheArtOfHttpScripting: grammar
+
+Nick Zitzmann (3 Jan 2017)
+- darwinssl: --insecure overrides --cacert if both settings are in use
- Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
+ Fixes #1184
-Daniel Stenberg (1 Aug 2016)
-- [Sergei Nikulov brought this change]
+Jay Satiro (2 Jan 2017)
+- docs/libcurl: TCP_KEEPALIVE start and interval default to 60
+
+ Since the TCP keep-alive options were added in 705f0f7 the start and
+ interval default values have been 60, but that wasn't documented.
+
+ Bug: https://curl.haxx.se/mail/lib-2017-01/0000.html
+ Reported-by: Praveen Pvs
- travis: fix OSX build by re-installing libtool
+Daniel Stenberg (29 Dec 2016)
+- curl.h: CURLE_FUNCTION_NOT_FOUND is no longer in use
- Apparently due to a broken homebrew install
+ This error code was once introduced when some library was dynamically
+ loaded and a funciton within said library couldn't be found.
+
+- content_encoding: change return code on a failure
- fixes #934
- Closes #939
+ Failure to decompress is now a write error instead of the weird
+ "function not found".
-- [Martin Vejnár brought this change]
+- page-footer: error 36 is protocol agnostic!
- win32: fix a potential memory leak in Curl_load_library
+Jay Satiro (28 Dec 2016)
+- tool_operate: Fix --remote-time incorrect times on Windows
- If a call to GetSystemDirectory fails, the `path` pointer that was
- previously allocated would be leaked. This makes sure that `path` is
- always freed.
+ - Use Windows API SetFileTime to set the file time instead of utime.
- Closes #938
-
-- include: revert 9adf3c4 and make public types void * again
+ Avoid utime on Windows if possible because it may apply a daylight
+ saving time offset to our UTC file time.
- Many applications assume the actual contents of the public types and use
- that do for example forward declarations (saving them from including our
- public header) which then breaks when we switch from void * to a struct
- *.
+ Bug: https://curl.haxx.se/mail/archive-2016-11/0033.html
+ Reported-by: Tim
- I'm not convinced we were wrong, but since this practise seems
- widespread enough I'm willing to (partly) step down.
+ Closes https://github.com/curl/curl/pull/1121
+
+Daniel Stenberg (29 Dec 2016)
+- [Max Khon brought this change]
+
+ digest_sspi: copy terminating NUL as well
- Now libcurl uses the struct itself when it is built and it allows
- applications to use the struct type if CURL_STRICTER is defined at the
- time of the #include.
+ Curl_auth_decode_digest_http_message(): copy terminating NUL as later
+ Curl_override_sspi_http_realm() expects a NUL-terminated string.
- Reported-by: Peter Frühberger
- Fixes #926
+ Fixes #1180
-Jay Satiro (28 Jul 2016)
-- [Yonggang Luo brought this change]
+- curl_formadd.3: CURLFORM_CONTENTSLENGTH not needed when chunked
+
+ Mentioned in #1013
- cmake: Fix for schannel support
+- [Kyselgov E.N brought this change]
+
+ cmake: use crypt32.lib when building with OpenSSL on windows
- The check_library_exists_concat do not check crypt32 library properly.
- So include it directly.
+ Reviewed-by: Peter Wu
+ Closes #1149
+ Fixes #1147
+
+- [Chris Araman brought this change]
+
+ darwinssl: fix CFArrayRef leak
- Bug: https://github.com/curl/curl/pull/917
- Reported-by: Yonggang Luo
+ Reviewed-by: Nick Zitzmann
+ Closes #1173
+
+- [Chris Araman brought this change]
+
+ darwinssl: fix iOS build
- Bug: https://github.com/curl/curl/issues/935
- Reported-by: Alain Danteny
+ Reviewed-by: Nick Zitzmann
+ Fixes #1172
-- Revert "travis: Install libtool for OS X builds"
+- curl: remove superfluous include file
- Didn't work.
+ The <netinet/tcp.h> is a leftover from the past when TCP socket options
+ were set in this file. This include causes build issues on AIX 4.3.
- This reverts commit 50723585ed380744358de054e2a55dccee65dfd7.
+ Reported-by: Kim Minjoong
+
+ Closes #1178
-- travis: Install libtool for OS X builds
+- RELEASE-NOTES: synced with a7b38c9dc98481e
+
+- vtls: s/SSLEAY/OPENSSL
- CI is failing due to missing libtoolize, so I'm trying this.
+ Fixed an old leftover use of the USE_SSLEAY define which would make a
+ socket get removed from the applications sockets to monitor when the
+ multi_socket API was used, leading to timeouts.
+
+ Bug: #1174
-Daniel Stenberg (26 Jul 2016)
-- [Viktor Szakats brought this change]
+- docs/ciphers: link to our own new page about ciphers
+
+ ... as the former ones always go stale!
- TODO: minor typo in last commit
+- cmdline-opts/page-footer: add three more exit codes
- merged #931
+ ... and regenerated curl.1
-- TODO: Timeout idle connections from the pool
+- formdata: use NULL, not 0, when returning pointers
-Patrick Monnerat (25 Jul 2016)
-- os400: minimum supported OS version: V6R1M0.
- Do not log compilation informational messages.
+- ftp: failure to resolve proxy should return that error code
-Jay Satiro (24 Jul 2016)
-- tests: Fix for http/2 feature
+- configure: accept --with-libidn2 instead
- Bug: https://curl.haxx.se/mail/lib-2016-07/0070.html
- Reported-by: Paul Howarth
+ ... which the help text already implied since we switched to libidn2
+ from libidn in commit 9c91ec778104ae3b back in October 2016.
+
+ Reported-by: Christian Weisgerber
+ Bug: https://curl.haxx.se/mail/lib-2016-12/0110.html
-Steve Holme (23 Jul 2016)
-- README: Mention wolfSSL in the 'Dependencies' section
+- test1282: verify the ftp-gss check
-- vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
+- ftp-gss: check for init before use
- As SPNEGO is only defined when these pre-processor variables are defined
- there is no need to query them explicitly.
-
-- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
+ To avoid dereferencing a NULL pointer.
- Typo introduced in commit ad5e9bfd5d.
+ Reported-by: Daniel Romero
-Daniel Stenberg (22 Jul 2016)
-- SECURITY: mention how to get windows-specific CVEs
+Jay Satiro (24 Dec 2016)
+- build-wolfssl: Sync config with wolfSSL 3.10
- ... and make the distros link a proper link
+ wolfSSL configure script relevant changes from 3.9 to 3.10:
+
+ - DES3 no longer enabled by default
+ - Shamir no longer enabled by default
+ - Extended master secret enabled by default
+ - RSA and ECC timing protections enabled by default
+
+ For backwards compatibility I enabled DES3 and ECC shamir config options
+ (ie no change from 3.9), and the other changes are included.
-Dan Fandrich (21 Jul 2016)
-- test558: fix test by stripping file paths from FD lines
+- cyassl: use time_t instead of long for timeout
-Kamil Dudka (21 Jul 2016)
-- tests: distribute the http2-server.pl script, too
+Daniel Stenberg (23 Dec 2016)
+- bump: toward next release
-- docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too
+- http: remove "Curl_http_done: called premature" message
+
+ ... it only confuses people.
-Daniel Stenberg (21 Jul 2016)
-- bump: start working on 7.50.1
+- openssl-random: check return code when asking for random
+
+ and fail appropriately if it returns error
-Version 7.50.0 (21 Jul 2016)
+- gnutls-random: check return code for failed random
-Daniel Stenberg (21 Jul 2016)
-- RELEASE-NOTES: version 7.50.0 ready
+Version 7.52.1 (22 Dec 2016)
-- THANKS: 13 new contributors from the 7.50.0 release
+Daniel Stenberg (22 Dec 2016)
+- RELEASE-NOTES: curl 7.52.1
-Jay Satiro (21 Jul 2016)
-- winbuild: fix embedded manifest option
+- lib557.c: use a shorter MAXIMIZE representation
- Embedded manifest option didn't work due to typo.
+ Since several compilers had problems with the previous one
- Reported-by: Stefan Kanthak
+ Reported-by: Ray Satiro
+ Bug: https://curl.haxx.se/mail/lib-2016-12/0098.html
-- vauth: Fix memleak by freeing credentials if out of memory
+- runtests: remove the valgrind parser
- This is a follow up to the parent commit dcdd4be which fixes one leak
- but creates another by failing to free the credentials handle if out of
- memory. Also there's a second location a few lines down where we fail to
- do same. This commit fixes both of those issues.
+ Old legacy parsing that 1) hid problems for us and 2) probably isn't
+ needed anymore.
-Daniel Stenberg (20 Jul 2016)
-- [Saurav Babu brought this change]
+- [Kamil Dudka brought this change]
- vauth: Fixed memory leak due to function returning without free
-
- This patch allocates memory to "output_token" only when it is required
- so that memory is not leaked if function returns.
+ randit: store the value in the buffer
-- test558: updated after ipv6-check move
+- tests/Makefile: run checksrc on debug builds
- Follow-up commit to c50980807c5 to make this test pass.
+ ... just like we already do in src/ and lib/
-Jay Satiro (20 Jul 2016)
-- connect: disable TFO on Linux when using SSL
+- lib557: move the "enable LONGLINE" to allow more long lines
- - Linux TFO + TLS is not implemented yet.
+ This file is riddled with them...
+
+- bump: toward next release
+
+Marcel Raad (21 Dec 2016)
+- lib: fix MSVC compiler warnings
- Bug: https://github.com/curl/curl/issues/907
+ Visual C++ complained:
+ warning C4267: '=': conversion from 'size_t' to 'long', possible loss of data
+ warning C4701: potentially uninitialized local variable 'path' used
-Daniel Stenberg (19 Jul 2016)
-- ROADMAP: QUIC and TLS 1.3
+Version 7.52.0 (20 Dec 2016)
-- RELEASE-NOTES: synced with c50980807c5
+Daniel Stenberg (20 Dec 2016)
+- THANKS: 13 new contributors from 7.52.0
-Jay Satiro (18 Jul 2016)
-- [Brian Prodoehl brought this change]
+- RELEASE-NOTES: 7.52.0
- curl_global_init: Check if IPv6 works
+- ssh: inhibit coverity warning with (void)
- - Curl_ipv6works() is not thread-safe until after the first call, so
- call it once during global init to avoid a possible race condition.
+ CID 1397391 (#1 of 1): Unchecked return value (CHECKED_RETURN)
+
+- Curl_recv_has_postponed_data: silence compiler warnings
- Bug: https://github.com/curl/curl/issues/915
- PR: https://github.com/curl/curl/pull/918
+ Follow-up to d00f2a8f2
-- [Timothy Polich brought this change]
+Jay Satiro (19 Dec 2016)
+- tests: checksrc compliance
- CURLMOPT_SOCKETFUNCTION.3: fix typo
+- http_proxy: Fix proxy CONNECT hang on pending data
- Closes https://github.com/curl/curl/pull/914
+ - Check for pending data before waiting on the socket.
+
+ Bug: https://github.com/curl/curl/issues/1156
+ Reported-by: Adam Langley
-- [Miroslav Franc brought this change]
+Daniel Stenberg (19 Dec 2016)
+- cmdline-opts/tlsv1.d: rephrased
- library: Fix memory leaks found during static analysis
-
- Closes https://github.com/curl/curl/pull/913
+- [Dan McNulty brought this change]
-- [Viktor Szakats brought this change]
+ schannel: fix wildcard cert name validation on Win CE
+
+ Fixes a few issues in manual wildcard cert name validation in
+ schannel support code for Win32 CE:
+ - when comparing the wildcard name to the hostname, the wildcard
+ character was removed from the cert name and the hostname
+ was checked to see if it ended with the modified cert name.
+ This allowed cert names like *.com to match the connection
+ hostname. This violates recommendations from RFC 6125.
+ - when the wildcard name in the certificate is longer than the
+ connection hostname, a buffer overread of the connection
+ hostname buffer would occur during the comparison of the
+ certificate name and the connection hostname.
- cookie.c: Fix misleading indentation
+- printf: fix floating point buffer overflow issues
- Closes https://github.com/curl/curl/pull/911
+ ... and add a bunch of floating point printf tests
-- FAQ: Update FTP directory listing section for MLSD command
+- config-amigaos.h: (embarrassed) made the line shorter
+
+- config-amigaos.h: fix bug report email reference
+
+- RELEASE-NOTES: synced with 4517158abfeba
+
+- CIPHERS.md: backtick the names to show underscores fine
+
+- form-string.d: fix format mistake
- Explain how some FTP servers support the machine readable listing
- format MLSD from RFC 3659 and compare it to LIST.
+ and regenerated curl.1
- Ref: https://github.com/curl/curl/issues/906
+ Reported-by: Gisle Vanem
-Daniel Stenberg (1 Jul 2016)
-- [Sergei Nikulov brought this change]
+Michael Kaufmann (18 Dec 2016)
+- openssl: simplify expression in Curl_ossl_version
- Appveyor: Updates for options - CURL_STATICLIB/BUILD_TESTING
+- curl_easy_recv: Improve documentation and example program
- Closes #892
+ Follow-up to 82245ea: Fix the example program sendrecv.c (handle
+ CURLE_AGAIN, handle incomplete send). Improve the documentation
+ for curl_easy_recv() and curl_easy_send().
+
+ Reviewed-by: Frank Meier
+ Assisted-by: Jay Satiro
+
+ See https://github.com/curl/curl/pull/1134
-- TODO: 17.4 also brings more HTTP/2 support
+- [Isaac Boukris brought this change]
-- TODO: try next proxy if one doesn't work
+ Curl_getconnectinfo: avoid checking if the connection is closed
- Closes #896
+ It doesn't benefit us much as the connection could get closed at
+ any time, and also by checking we lose the ability to determine
+ if the socket was closed by reading zero bytes.
+
+ Reported-by: Michael Kaufmann
+
+ Closes https://github.com/curl/curl/pull/1134
-- conn: don't free easy handle data in handler->disconnect
+Daniel Stenberg (18 Dec 2016)
+- CIPHERS.md: attempt to document TLS cipher names
- Reported-by: Gou Lingfeng
- Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
+ As the official docs seems really hard to keep track of and link to over
+ time
-- test1244: test different proxy ports same URL
+- curl.1: generated after 6cce4dbf830
-- curl_global_init.3: improved formatting of the flags
+- cmdline-opts/post30X.d: fix the RFC references
-- curl_global_init.3: expand on the SSL and WIN32 bits purpose
+- curl.1: regenerated
- Reported-by: Richard Gray
- Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html
+ Fixed trailing whitespace and numerous formatting glitches
-- [Michael Kaufmann brought this change]
+- cmdline-opts: formatting fixes
- cleanup: minor code cleanup in Curl_http_readwrite_headers()
-
- - the expression of an 'if' was always true
- - a 'while' contained a condition that was always true
- - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
- - fixed a typo
-
- Closes #889
+- curl_easy_setopt.3: removed CURLOPT_SOCKS_PROXYTYPE
-- SFTP: set a generic error when no SFTP one exists...
-
- ... as otherwise we could get a 0 which would count as no error and we'd
- wrongly continue and could end up segfaulting.
+- tool_getparam.c: make comments use the up-to-date option names
+
+- manpage-scan.pl: allow deprecated options to get removed from curl.1
- Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
- Reported-by: 暖和的和暖
+ --krb4, --ftp-ssl and --ftp-ssl-reqd no longer need to be documented in the
+ man page
-- ROADMAP: http2 tests are merged, mention http2 perf
+- cmdline-opts/gen.pl: trim off trailing spaces
-- docs/README.md: to render nicer pages on github
-
- ... as previously the README.cmake would be picked and put at the bottom
- of the docs page there and it wasn't very representative!
+- cmdline-opts/proxy-tlsuser.d: remove trailing .d
-- README.md: change host name for the svg logo
+- curl_easy_setopt.3: CURLOPT_PRE_PROXY instead of CURLOPT_SOCKS_PROXY
+
+- symbols: removed two, added one
+
+- cmdline-opts: include the man page split up files in the dist
+
+- curl.1: generated with gen.pl
- rawgit.com asks to use the domain cdn.rawgit.com for production
+ This is the first time we replace the manually edited curt.1 with the
+ generated one created by gen.pl and the individual option documentation
+ pages.
- See #900
+ Do not edit this file, edit the individual pages and regenerate this
+ output.
+
+ This file will be generated by the build system soon and then removed
+ from git.
-- [Viktor Szakats brought this change]
+- cmdline-opts: added some missing info
- README.md: use the SVG logo
+- CURLINFO_SSL_VERIFYRESULT.3: language
-- README.md: logo on top!
+- HTTPS-PROXY docs: update/polish
-- KNOWN_BUGS: 3.4 POP3 expects "CRLF.CRLF" eob for some
+- cmdline-opts/page-header: mention it is generated
- Closes #740
-
-- RELEASE-NOTES: synced with d61c80515aa8
+ ... to avoid people from trying to edit the pending curl.1 version that
+ gets generated by gen.pl
-- [Michael Osipov brought this change]
+- preproxy: renamed what was added as SOCKS_PROXY
+
+ CURLOPT_SOCKS_PROXY -> CURLOPT_PRE_PROXY
+
+ Added the corresponding --preroxy command line option. Sets a SOCKS
+ proxy to connect to _before_ connecting to a HTTP(S) proxy.
- acinclude.m4: improve autodetection of CA bundle on FreeBSD
+- curl: normal socks proxies still use CURLOPT_PROXY
- The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
- to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
- discovery process.
+ ... the newly introduced CURLOPT_SOCKS_PROXY is special and should be
+ asked for specially. (Needs new code.)
- This change also removes the former FreeBSD path that has been obsolete
- for 8 years since this FreeBSD ports commit:
- https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953
+ Unified proxy type to a single variable in the config struct.
+
+- CURLOPT_SOCKS_PROXYTYPE: removed
- Closes #894
+ This was added as part of the SOCKS+HTTPS proxy merge but there's no
+ need to support this as we prefer to have the protocol specified as a
+ prefix instead.
-- configure: don't specify .lib for libs on windows
+- curl_multi_socket.3: fix typo
+
+- checksrc: warn for assignments within if() expressions
- Another follow up for crypt32.lib linking with winssl
+ ... they're already frowned upon in our source code style guide, this
+ now enforces the rule harder.
-- configure: fix winssl LIBS change typo
+- checksrc: stricter no-space-before-paren enforcement
- follow-up from 120bf29e
+ In order to make the code style more uniform everywhere
-- TODO: "TCP Fast Open" is done, add monitor pool connections
+- ISSUE_TEMPLATE: try mentioning known bugs/todo in new issue template
-- configure: add crypt32.lib for winssl builds
-
- Necessary since 6cabd78531f
+- RELEASE-NOTES: synced with 71a55534fa6
-- Makefile.vc: link with crypt32.lib for winssl builds
+- [Adam Langley brought this change]
+
+ openssl: don't use OpenSSL's ERR_PACK.
- Necessary since 6cabd78531f
+ ERR_PACK is an internal detail of OpenSSL. Also, when using it, a
+ function name must be specified which is overly specific: the test will
+ break whenever OpenSSL internally change things so that a different
+ function creates the error.
- Fixes #853
+ Closes #1157
-- [Joel Depooter brought this change]
+Dan Fandrich (5 Dec 2016)
+- test2032: Mark test as flaky
- VC: Add crypt32.lib to Visual Sudio project template files
+Jay Satiro (3 Dec 2016)
+- [Jeremy Pearson brought this change]
+
+ libcurl-multi.3: typo
- Closes #854
+ Closes https://github.com/curl/curl/pull/1153
-- vc: fix the build for schannel certinfo support
+Dan Fandrich (2 Dec 2016)
+- test1281: added http as a required feature
+
+Daniel Stenberg (2 Dec 2016)
+- curl: support zero-length argument strings in config files
- Broken since 6cabd785, which adds use of the Curl_extract_certinfo
- function from the x509asn1.c file.
+ ... like 'user-agent = ""'
+
+ Adjusted test 71 to verify.
-- typedefs: use the full structs in internal code...
+- http_proxy: simplify CONNECT response reading
- ... and save the typedef'ed names for headers and external APIs.
+ Since it now reads responses one byte a time, a loop could be removed
+ and it is no longer limited to get the whole response within 16K, it is
+ now instead only limited to 16K maximum header line lengths.
-- internals: rename the SessionHandle struct to Curl_easy
+- tests: fix CONNECT test cases to be more strict
+
+ ... as they broke with the cleaned up CONNECT handling
-- headers: forward declare CURL, CURLM and CURLSH as structs
+- CONNECT: read responses one byte at a time
- Instead of typedef'ing to void, typedef to their corresponding actual
- struct names to allow compilers to type-check.
+ ... so that it doesn't read data that is actually coming from the
+ remote. 2xx responses have no body from the proxy, that data is from the
+ peer.
- Assisted-by: Reinhard Max
+ Fixes #1132
-Jay Satiro (22 Jun 2016)
-- vtls: Only call add/getsession if session id is enabled
+- CONNECT: reject TE or CL in 2xx responses
- Prior to this change we called Curl_ssl_getsessionid and
- Curl_ssl_addsessionid regardless of whether session ID reusing was
- enabled. According to comments that is in case session ID reuse was
- disabled but then later enabled.
+ A server MUST NOT send any Transfer-Encoding or Content-Length header
+ fields in a 2xx (Successful) response to CONNECT. (RFC 7231 section
+ 4.3.6)
- The old way was not intuitive and probably not something users expected.
- When a user disables session ID caching I'd guess they don't expect the
- session ID to be cached anyway in case the caching is later enabled.
+ Also fixes the three test cases that did this.
-Daniel Stenberg (22 Jun 2016)
-- curl.1: the used progress meter suffix is k in lower case
+- URL parser: reject non-numerical port numbers
- Closes #883
+ Test 1281 added to verify
-- [Sergei Nikulov brought this change]
+Dan Fandrich (30 Nov 2016)
+- runtests: made Servers: output be more consistent by removing OFF
- cmake: now using BUILD_TESTING=ON/OFF
+- cyassl: fixed typo introduced in 4f8b1774
+
+Michael Kaufmann (30 Nov 2016)
+- CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries properly
- CMake build now using BUILD_TESTING=ON/OFF (default is OFF) to build
- tests and enabling CTest integration. Options BUILD_CURL_TESTS and
- BUILD_DASHBOARD_REPORTS was removed.
+ If a port number in a "connect-to" entry does not match, skip this
+ entry instead of connecting to port 0.
- Closes #882
+ If a port number in a "connect-to" entry matches, use this entry
+ and look no further.
- Reviewed-by: Brad King
+ Reported-by: Jay Satiro
+ Assisted-by: Jay Satiro, Daniel Stenberg
+
+ Closes #1148
-- [Michael Kaufmann brought this change]
+Daniel Stenberg (29 Nov 2016)
+- BUGS: describe bug handling process
- cleanup: fix method names in code comments
+- RELEASE-NOTES: synced with 19613fb3
+
+Jay Satiro (28 Nov 2016)
+- http2: check nghttp2_session_set_local_window_size exists
- Closes #887
+ The function only exists since nghttp2 1.12.0.
+
+ Bug: https://github.com/curl/curl/commit/a4d8888#commitcomment-19985676
+ Reported-by: Michael Kaufmann
-Kamil Dudka (21 Jun 2016)
-- curl-compilers.m4: improve detection of GCC's -fvisibility= flag
+Daniel Stenberg (28 Nov 2016)
+- [Anders Bakken brought this change]
+
+ http2: Fix crashes when parent stream gets aborted
- Some builds of GCC produce output on both stdout and stderr when --help
- --verbose is used. The 2>&1 redirection caused them to be arbitrarily
- interleaved with each other because of stream buffering. Consequently,
- grep failed to match the fvisibility= string in the mixed output, even
- though the string was present in GCC's standard output.
+ Closes #1125
+
+- cmdline-docs: more options converted and fixed
- This led to silently disabling symbol hiding in some builds of curl.
+ Now all options are in the new system.
-Daniel Stenberg (19 Jun 2016)
-- tests: fix the HTTP/2 tests
+- gen: include footer in mainpage output
+
+Jay Satiro (28 Nov 2016)
+- lib1536: checksrc compliance
+
+Daniel Stenberg (28 Nov 2016)
+- cmdline-opts: more command line options documented
- The HTTP/2 tests brought with commit bf05606ef1f were using the internal
- name 'http2' for the HTTP/2 server, while in fact that name was already
- used for the second instance of the HTTP server. This made tests using
- the second instance (like test 2050) fail after a HTTP/2 test had run.
+ Moved over to the new format
+
+- curl: remove --proxy-ssl* options
- The server is now known as HTTP/2 internally and within the <server>
- section in test cases. 1700, 1701 and 1702 were updated accordingly.
+ There's mostly likely no need to allow setting SSLv2/3 version for HTTPS
+ proxy. Those protocols are insecure by design and deprecated.
-- openssl: use more 'const' to fix build warnings with 1.1.0 branch
+- CURLOPT_PROXY_*.3: polished some proxy option man pages
-- curl.1: missed 'T' in the progress unit suffixes
+Patrick Monnerat (26 Nov 2016)
+- os400: support CURLOPT_PROXY_PINNEDPUBLICKEY
+
+ Also define it in ILE/RPG binding.
-- curl.1: mention the unix for the progress meter
+Daniel Stenberg (26 Nov 2016)
+- [Okhin Vasilij brought this change]
-Patrick Monnerat (16 Jun 2016)
-- os400: add new definitions to ILE/RPG binding.
+ curl_version_info: add CURL_VERSION_HTTPS_PROXY
+
+ Closes #1142
-Daniel Stenberg (16 Jun 2016)
-- openssl: fix cert check with non-DNS name fields present
+- [Frank Gevaerts brought this change]
+
+ tests: Add some testcases for recent new features.
- Regression introduced in 5f5b62635 (released in 7.48.0)
+ Add missing tests for CURLINFO_SCHEME, CURLINFO_PROTOCOL, %{scheme},
+ and %{http_version}
- Reported-by: Fabian Ruff
- Fixes #875
+ closes #1143
-Dan Fandrich (16 Jun 2016)
-- axtls: Use Curl_wait_ms instead of the less-portable usleep
+- [Frank Gevaerts brought this change]
-- axtls: Fixed compile after compile 31c521b0
+ curl_easy_reset: clear info for CULRINFO_PROTOCOL and CURLINFO_SCHEME
-- tests: Added HTTP proxy keywords to tests 1141 & 1142
+- CURLOPT_PROXY_CAINFO.3: clarify proxy use
-Jay Satiro (15 Jun 2016)
-- [Sergei Nikulov brought this change]
+- CURLOPT_PROXY_CRLFILE.3: clarify https proxy and availability
- cmake: Fix build with winldap
+- curl_easy_setopt.3: add CURLOPT_PROXY_PINNEDPUBLICKEY
- Bug: https://github.com/curl/curl/pull/874
- Reported-by: Sergei Nikulov
+ Follow-up to 4f8b17743d7c55a
-- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
-
- When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a
- zero-byte POST. Prior to this change it was documented as sending data
- from the read callback.
+- docs: include all opts man pages in dist
- This also changes the wording of what happens when empty or NULL so that
- it's hopefully easier to understand for people whose primary language
- isn't English.
+ Sorted the lists too.
- Bug: https://github.com/curl/curl/issues/862
- Reported-by: Askar Safin
+ ... and include the new ones in the PDF and HTML generation targets
-- [Michael Wallner brought this change]
+- [Thomas Glanzmann brought this change]
- curl_multi_socket_action.3: Fix rewording
-
- - Remove some erroneous text.
-
- Closes https://github.com/curl/curl/pull/865
+ HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY
-- [Luo Jinghua brought this change]
+- [Thomas Glanzmann brought this change]
- resolve: enable protocol family logic for synthesized IPv6
-
- - Enable protocol family logic for IPv6 resolves even when support
- for synthesized addresses is enabled.
-
- This is a follow up to the parent commit that added support for
- synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family
- logic needed for IPv6 was inadvertently excluded if support for
- synthesized addresses was enabled.
-
- Bug: https://github.com/curl/curl/issues/863
- Ref: https://github.com/curl/curl/pull/866
- Ref: https://github.com/curl/curl/pull/867
+ url: proxy: Use 443 as default port for https proxies
-Daniel Stenberg (7 Jun 2016)
-- [Luo Jinghua brought this change]
+- TODO: removed "HTTPS proxy"
- resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
+- [Jan-E brought this change]
+
+ winbuild: add config option ENABLE_NGHTTP2
- Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X.
- If the current network interface doesn’t support IPv4, but supports
- IPv6, NAT64, and DNS64.
+ Closes #1141
+
+Jay Satiro (24 Nov 2016)
+- tool_urlglob: Improve sanity check in glob_range
- Closes #866
- Fixes #863
+ Prior to this change we depended on errno if strtol could not perform a
+ conversion. POSIX says EINVAL *may* be set. Some implementations like
+ Microsoft's will not set it if there's no conversion.
+
+ Ref: https://github.com/curl/curl/commit/ee4f7660#commitcomment-19658189
-- tests: two more HTTP/2 tests
+- tool_help: Change description for --retry-connrefused
- 1701 and 1702
+ Ref: https://github.com/curl/curl/pull/1064#issuecomment-260052409
-- runtests: don't display logs when http2 server fails to start
+Patrick Monnerat (25 Nov 2016)
+- os400: sync ILE/RPG binding
-- runtests: make stripfile work on stdout as well
+Jay Satiro (24 Nov 2016)
+- test1135: Fix curl_easy_duphandle prototype for code style
- ... and have test 1700 use that to strip out the nghttpx server: headers
+ Follow-up to dbadaeb which changed the style.
-- http2-tests: test1700 is the first real HTTP/2 test
-
- It requires that 'nghttpx' is in the PATH, and it will run the tests
- using nghttpx as a front-end proxy in front of the standard HTTP/1 test
- server. This uses HTTP/2 over plain TCP.
+- x509asn1: Restore the parameter check in Curl_getASN1Element
- If you like me have nghttpx installed in a custom path, you can run test 1700
- like this:
+ - Restore the removed parts of the parameter check.
- $ PATH=$PATH:$HOME/build-nghttp2/bin/ ./runtests.pl 1700
+ Follow-up to 945f60e which altered the parameter check.
-- RELEASE-NOTES: synced with 34855feeb4c299
+Daniel Stenberg (25 Nov 2016)
+- RELEASE-NOTES: update option counters
-Steve Holme (6 Jun 2016)
-- schannel: Disable ALPN on Windows < 8.1
+- [Frank Gevaerts brought this change]
+
+ add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
- Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
- fails on Windows < 8.1 so we need to disable ALPN on these OS versions.
+ Adds access to the effectively used protocol/scheme to both libcurl and
+ curl, both in string and numeric (CURLPROTO_*) form.
- Inspiration provide by: Daniel Seither
+ Note that the string form will be uppercase, as it is just the internal
+ string.
- Closes #848
- Fixes #840
-
-Jay Satiro (5 Jun 2016)
-- checksrc: Add LoadLibrary to the banned functions list
+ As these strings are declared internally as const, and all other strings
+ returned by curl_easy_getinfo() are de-facto const as well, string
+ handling in getinfo.c got const-ified.
- LoadLibrary was supplanted by Curl_load_library for security
- reasons in 6df916d.
+ Closes #1137
-- http: Fix HTTP/2 connection reuse
-
- - Change the parser to not require a minor version for HTTP/2.
-
- HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2
- in 8243a95 because the parser still expected a minor version.
-
- Bug: https://github.com/curl/curl/issues/855
- Reported-by: Andrew Robbins, Frank Gevaerts
+- RELEASE-NOTES: synced with 63198a4750aeb
-Steve Holme (4 Jun 2016)
-- connect.c: Fixed compilation warning from commit 332e8d6164
-
- connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
+- curl.1: the new --proxy options ship in 7.52.0
-- win32: Used centralised verify windows version function
-
- Closes #845
+- checksrc: move open braces to comply with function declaration style
-- win32: Added verify windows version functionality
+- checksrc: detect wrongly placed open braces in func declarations
-- win32: Introduced centralised verify windows version function
+- checksrc: white space edits to comply to stricter checksrc
-Kamil Dudka (3 Jun 2016)
-- tool_urlglob: fix off-by-one error in glob_parse()
-
- ... causing SIGSEGV while parsing URL with too many globs.
- Minimal example:
+- checksrc: verify ASTERISKNOSPACE
- $ curl $(for i in $(seq 101); do printf '{a}'; done)
-
- Reported-by: Romain Coltel
- Bug: https://bugzilla.redhat.com/1340757
+ Detects (char*) and 'char*foo' uses.
-Daniel Stenberg (1 Jun 2016)
-- [Benjamin Kircher brought this change]
+- checksrc: code style: use 'char *name' style
- libcurl-multi.3: fix small typo
+- checksrc: add ASTERISKSPACE
- Closes #850
+ Verifies a 'char *name' style, with no space after the asterisk.
-- [Viktor Szakats brought this change]
-
- makefile.m32: add crypt32 for winssl builds
-
- Dependency added by 6cabd78
+- openssl: remove dead code
- Closes #849
+ Coverity CID 1394666
-- [Ivan Avdeev brought this change]
+- [Okhin Vasilij brought this change]
- vtls: fix ssl session cache race condition
-
- Sessionid cache management is inseparable from managing individual
- session lifetimes. E.g. for reference-counted sessions (like those in
- SChannel and OpenSSL engines) every session addition and removal
- should be accompanied with refcount increment and decrement
- respectively. Failing to do so synchronously leads to a race condition
- that causes symptoms like use-after-free and memory corruption.
- This commit:
- - makes existing session cache locking explicit, thus allowing
- individual engines to manage lock's scope.
- - fixes OpenSSL and SChannel engines by putting refcount management
- inside this lock's scope in relevant places.
- - adds these explicit locking calls to other engines that use
- sessionid cache to accommodate for this change. Note, however,
- that it is unknown whether any of these engines could also have
- this race.
-
- Bug: https://github.com/curl/curl/issues/815
- Fixes #815
- Closes #847
+ HTTPS-proxy: fixed mbedtls and polishing
-- [Andrew Kurushin brought this change]
+- darwinssl: adopted to the HTTPS proxy changes
+
+ It builds and runs all test cases. No adaptations for actual HTTPS proxy
+ support has been made.
- schannel: add CURLOPT_CERTINFO support
+- gtls: fix indent to silence compiler warning
- Closes #822
+ vtls/gtls.c: In function ‘Curl_gtls_data_pending’:
+ vtls/gtls.c:1429:3: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
+ if(conn->proxy_ssl[connindex].session &&
+ ^~
+ vtls/gtls.c:1433:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
+ return res;
-- RELEASE-NOTES: synced with 142ee9fa15002315
+- [Thomas Glanzmann brought this change]
-- openssl: rename the private SSL_strerror
-
- ... to make it not look like an OpenSSL function
+ mbedtls: Fix compile errors
-- [Michael Kaufmann brought this change]
+- [Alex Rousskov brought this change]
- openssl: Use correct buffer sizes for error messages
+ proxy: Support HTTPS proxy and SOCKS+HTTP(s)
- Closes #844
-
-- curl: fix -q [regression]
+ * HTTPS proxies:
- This broke in 7.49.0 with commit e200034425a7625
+ An HTTPS proxy receives all transactions over an SSL/TLS connection.
+ Once a secure connection with the proxy is established, the user agent
+ uses the proxy as usual, including sending CONNECT requests to instruct
+ the proxy to establish a [usually secure] TCP tunnel with an origin
+ server. HTTPS proxies protect nearly all aspects of user-proxy
+ communications as opposed to HTTP proxies that receive all requests
+ (including CONNECT requests) in vulnerable clear text.
- Fixes #842
-
-- URL parser: allow URLs to use one, two or three slashes
+ With HTTPS proxies, it is possible to have two concurrent _nested_
+ SSL/TLS sessions: the "outer" one between the user agent and the proxy
+ and the "inner" one between the user agent and the origin server
+ (through the proxy). This change adds supports for such nested sessions
+ as well.
- Mostly in order to support broken web sites that redirect to broken URLs
- that are accepted by browsers.
+ A secure connection with a proxy requires its own set of the usual SSL
+ options (their actual descriptions differ and need polishing, see TODO):
- Browsers are typically even more leniant than this as the WHATWG URL
- spec they should allow an _infinite_ amount. I tested 8000 slashes with
- Firefox and it just worked.
+ --proxy-cacert FILE CA certificate to verify peer against
+ --proxy-capath DIR CA directory to verify peer against
+ --proxy-cert CERT[:PASSWD] Client certificate file and password
+ --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG)
+ --proxy-ciphers LIST SSL ciphers to use
+ --proxy-crlfile FILE Get a CRL list in PEM format from the file
+ --proxy-insecure Allow connections to proxies with bad certs
+ --proxy-key KEY Private key file name
+ --proxy-key-type TYPE Private key file type (DER/PEM/ENG)
+ --proxy-pass PASS Pass phrase for the private key
+ --proxy-ssl-allow-beast Allow security flaw to improve interop
+ --proxy-sslv2 Use SSLv2
+ --proxy-sslv3 Use SSLv3
+ --proxy-tlsv1 Use TLSv1
+ --proxy-tlsuser USER TLS username
+ --proxy-tlspassword STRING TLS password
+ --proxy-tlsauthtype STRING TLS authentication type (default SRP)
- Added test case 1141, 1142 and 1143 to verify the new parser.
+ All --proxy-foo options are independent from their --foo counterparts,
+ except --proxy-crlfile which defaults to --crlfile and --proxy-capath
+ which defaults to --capath.
- Closes #791
-
-- [Renaud Lehoux brought this change]
-
- cmake: Added missing mbedTLS support
+ Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
+ similar to the existing %{ssl_verify_result} variable.
- Closes #837
+ Supported backends: OpenSSL, GnuTLS, and NSS.
+
+ * A SOCKS proxy + HTTP/HTTPS proxy combination:
+
+ If both --socks* and --proxy options are given, Curl first connects to
+ the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
+ proxy.
+
+ TODO: Update documentation for the new APIs and --proxy-* options.
+ Look for "Added in 7.XXX" marks.
-- [Renaud Lehoux brought this change]
+Patrick Monnerat (24 Nov 2016)
+- Declare endian read functions argument as a const pointer.
+ This is done for all functions of the form Curl_read[136][624]_[lb]e.
- mbedtls: removed unused variables
+- Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.
+ See CRL-01-006.
+
+Jay Satiro (22 Nov 2016)
+- url: Fix conn reuse for local ports and interfaces
- Closes #838
+ - Fix connection reuse for when the proposed new conn 'needle' has a
+ specified local port but does not have a specified device interface.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-11/0137.html
+ Reported-by: bjt3[at]hotmail.com
-- [Frank Gevaerts brought this change]
+Daniel Stenberg (21 Nov 2016)
+- rand: pass in number of randoms as an unsigned argument
- http: add CURLINFO_HTTP_VERSION and %{http_version}
+Jay Satiro (20 Nov 2016)
+- rand: Fix potentially uninitialized result warning
+
+Marcel Raad (19 Nov 2016)
+- vtls: fix build warnings
- Adds access to the effectively used http version to both libcurl and
- curl.
+ Fix warnings about conversions from long to time_t in openssl.c and
+ schannel.c.
- Closes #799
-
-- bump: start the journey toward 7.50.0
+ Follow-up to de4de4e3c7c
+Daniel Stenberg (18 Nov 2016)
- [Marcel Raad brought this change]
- openssl: fix build with OPENSSL_NO_COMP
+ lib: fix compiler warnings after de4de4e3c7c
- With OPENSSL_NO_COMP defined, there is no function
- SSL_COMP_free_compression_methods
+ Visual C++ now complains about implicitly casting time_t (64-bit) to
+ long (32-bit). Fix this by changing some variables from long to time_t,
+ or explicitly casting to long where the public interface would be
+ affected.
- Closes #836
+ Closes #1131
-- [Gisle Vanem brought this change]
+Peter Wu (17 Nov 2016)
+- [Isaac Boukris brought this change]
- memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
+ Don't mix unix domain sockets with regular ones
- Fixes #828
+ When reusing a connection, make sure the unix domain
+ socket option matches.
-- [Jonathan brought this change]
+Jay Satiro (17 Nov 2016)
+- tests: Fix HTTP2-Settings header for huge window size
+
+ Follow-up to a4d8888. Changing the window size in that commit resulted
+ in a different HTTP2-Settings upgrade header, causing test 1800 to fail.
- README.md: polish
+- http2: Use huge HTTP/2 windows
- Closes #834
+ - Improve performance by using a huge HTTP/2 window size.
+
+ Bug: https://github.com/curl/curl/issues/1102
+ Reported-by: afrind@users.noreply.github.com
+ Assisted-by: Tatsuhiro Tsujikawa
-- RELEASE-NOTES: fix vuln link
+Daniel Stenberg (16 Nov 2016)
+- cmdline-docs: more conversion
-Version 7.49.1 (30 May 2016)
+- gen: support 'protos'
+
+ and warn on unrecognized lines
-Daniel Stenberg (30 May 2016)
-- RELEASE-NOTES: 7.49.1
+- gen: support 'single' to make an individual page man page
-- [Steve Holme brought this change]
+- cmdline-docs: more options converted over
- loadlibrary: Only load system DLLs from the system directory
-
- Inspiration provided by: Daniel Stenberg and Ray Satiro
+- gen: support 'redirect'
- Bug: https://curl.haxx.se/docs/adv_20160530.html
-
- Ref: Windows DLL hijacking with curl, CVE-2016-4802
+ ... and warn for too long --help lines
-- ssh: fix version number check typo
+- cmdline/gen: replace options in texts better
-Jay Satiro (29 May 2016)
-- curl_share_setopt.3: Add min ver needed for ssl session lock
+Jay Satiro (16 Nov 2016)
+- http2: Fix address sanitizer memcpy warning
- Bug: https://github.com/curl/curl/issues/826
- Reported-by: Michael Wallner
-
-Daniel Stenberg (29 May 2016)
-- ssh: fix build for libssh2 before 1.2.6
+ - In Curl_http2_switched don't call memcpy when src is NULL.
- The statvfs functionality was added to libssh2 in that version, so we
- switch off that functionality when built with older libraries.
+ Curl_http2_switched can be called like:
- Fixes #831
-
-- mbedtls: fix includes so snprintf() works
+ Curl_http2_switched(conn, NULL, 0);
- Regression from the previous *printf() rearrangements, this file missed to
- include the correct header to make sure snprintf() works universally.
+ .. and prior to this change memcpy was then called like:
- Reported-by: Moti Avrahami
- Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
-
-Steve Holme (23 May 2016)
-- checksrc.pl: Added variants of strcat() & strncat() to banned function list
+ memcpy(dest, NULL, 0)
- Added support for checking the tchar, unicode and mbcs variants of
- strcat() and strncat() in the banned function list.
+ .. causing address sanitizer to warn:
+
+ http2.c:2057:3: runtime error: null pointer passed as argument 2, which
+ is declared to never be null
-Daniel Stenberg (23 May 2016)
-- smtp: minor ident (white space) fixes
+- tool_help: Clarify --dump-header only writes received headers
-- THANKS: updated after script fixes
-
- Now giving credit properly to github user names, fixed some UTF-8 issues
- and added names discovered when contrithanks was improved.
+- curl.1: Clarify --dump-header only writes received headers
-- THANKS-filter: more name cleanups
+Daniel Stenberg (15 Nov 2016)
+- [Alex Chan brought this change]
-- contrithanks.sh: exclude existing names case insensitively
+ docs: Spelling fixes
-- contrithanks.sh: use same grep pattern and -a flag as contributors.sh
+Kamil Dudka (15 Nov 2016)
+- docs: the next release will be 7.52.0
-- contributors.sh: better grep pattern, use grep -a
+Daniel Stenberg (15 Nov 2016)
+- cmdline-opts: support generating the --help output
-- THANKS-filter: fix more names
+- [David Schweikert brought this change]
-- contrithanks.sh: do the same github fix as contributors.sh
+ darwinssl: fix SSL client certificate not found on MacOS Sierra
- from 1577bfa35ba
+ Reviewed-by: Nick Zitzmann
+
+ Closes #1105
-Jay Satiro (23 May 2016)
-- contributors: Show GitHub username if real name unknown
+- curl: add --fail-early to help output
- Prior to this change if a GitHub contributor's real name was unknown
- they would be omitted from the list.
+ Fixes test 1139 failures
- Bug: https://github.com/curl/curl/issues/824
-
-Daniel Stenberg (21 May 2016)
-- RELEASE-NOTES: synced with 3caaeffbe8ded4
+ Follow-up to f82bbe01c8835
-Jay Satiro (20 May 2016)
-- openssl: cleanup must free compression methods
+- glob: fix [a-c] globbing regression
- - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
+ Brought in ee4f76606cf
- Bug: https://github.com/curl/curl/issues/817
- Reported-by: jveazey@users.noreply.github.com
+ Added test case 1280 to verify
+
+ Reported-by: Dave Reisner
+
+ Bug: https://github.com/curl/curl/commit/ee4f76606cfa4ee068bf28edd37c8dae7e8db317#commitcomment-19823146
-Daniel Stenberg (20 May 2016)
-- [Gisle Vanem brought this change]
+- curl: add --fail-early
+
+ Exit with an error on the first transfer error instead of continuing to
+ do the rest of the URLs.
+
+ Discussion: https://curl.haxx.se/mail/archive-2016-11/0038.html
- curl_multibyte: fix compiler error
+- Curl_rand: fixed and moved to rand.c
- While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
- getting:
+ Now Curl_rand() is made to fail if it cannot get the necessary random
+ level.
- f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
- to follow 'CURL_EXTERN'
+ Changed the proto of Curl_rand() slightly to provide a number of ints at
+ once.
- f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
- 'curl_domalloc': not in formal parameter list
-
-- THANKS-filter: make Jan-E get proper credit
+ Moved out from vtls, since it isn't a TLS function and vtls provides
+ Curl_ssl_random() for this to use.
+
+ Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
-- [Jan-E brought this change]
+- cmdline-opts: first test version of a new man page generator kit
+
+ See MANPAGE.md for the description of how this works. Each command line
+ option is now described in a separate .d file.
- winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
+- time_t fix: follow-up to de4de4e3c7c
- Closes #818
+ Blah, I accidentally wrote size_t instead of time_t for two variables.
+
+ Reported-by: Dave Reisner
-- [Alexander Traud brought this change]
+- timeval: prefer time_t to hold seconds instead of long
+
+ ... as long is still 32bit on modern 64bit windows machines, while
+ time_t is generally 64bit.
- libcurl.m4: Avoid obsolete warning
+Dan Fandrich (12 Nov 2016)
+- tests: fixed variable might be clobbered warning
- Closes #821
+ This stops the compiler from potentially making invalid assumptions
+ about the immutability of sdp and sap across the longjmp boundary.
-Jay Satiro (20 May 2016)
-- [Michael Kaufmann brought this change]
+Daniel Stenberg (12 Nov 2016)
+- RELEASE-NOTES: synced with 346340808c
- CURLOPT_CONNECT_TO.3: user must not free the list prematurely
+- URL-parser: for file://[host]/ URLs, the [host] must be localhost
- The connect-to list isn't copied so as long as the handle may be used
- for a transfer the list must be valid.
+ Previously, the [host] part was just ignored which made libcurl accept
+ strange URLs misleading users. like "file://etc/passwd" which might've
+ looked like it refers to "/etc/passwd" but is just "/passwd" since the
+ "etc" is an ignored host name.
- Bug: https://github.com/curl/curl/pull/819
- Reported-by: Michael Kaufmann
+ Reported-by: Mike Crowe
+ Assisted-by: Kamil Dudka
-Daniel Stenberg (19 May 2016)
-- RELEASE-NOTES: synced with 48114a8634242c
+- test558: adapt to 0649433da
-- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
-
- See OpenSSL commit 21e001747d4a
+- openssl: make sure to fail in the unlikely event that PRNG seeding fails
-- http2: use HTTP/2 in the HTTP/1.1-alike header
+- openssl: avoid unnecessary seeding if already done
- ... when generating them, not "2.0" as the protocol is called just
- HTTP/2 and nothing else.
+ 1.1.0+ does more of this by itself so we can avoid extra processing this
+ way.
-Jay Satiro (19 May 2016)
-- dist: include curl_multi_socket_all.3
+- openssl: RAND_status always exists in OpenSSL >= 0.9.7
- Closes https://github.com/curl/curl/pull/816
+ and remove RAND_screen from configure since nothing is using that
+ function
-Steve Holme (18 May 2016)
-- bump: Start work on 7.49.1
+- Curl_pgrsUpdate: use dedicated function for time passed
-Daniel Stenberg (18 May 2016)
-- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
+- realloc: use Curl_saferealloc to avoid common mistakes
- The preprocessor check that sets up the 32bit defines for non-configure
- builds didn't work properly for MIPS systems as __mips__ is defined for
- both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
-
- Reported-by: Tomas Jakobsson
- Fixes #813
+ Discussed: https://curl.haxx.se/mail/lib-2016-11/0087.html
-- [Marcel Raad brought this change]
+- [Daniel Hwang brought this change]
- schannel: fix compile break with MSVC XP toolset
+ curl: Add --retry-connrefused
- For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
- 7.1 is used. In this case, _USING_V110_SDK71_ is defined.
+ to consider ECONNREFUSED as a transient error.
- Closes #812
+ Closes #1064
-- dist: include CHECKSRC.md
+- openssl: raise the max_version to 1.3 if asked for
- Reported-by: Paul Howarth
- Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html
+ Now I've managed to negotiate TLS 1.3 with https://enabled.tls13.com/ when
+ using boringssl.
-- test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist
+Jay Satiro (9 Nov 2016)
+- vtls: Fail on unrecognized param for CURLOPT_SSLVERSION
- Reported-by: Ray Satiro
- Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html
+ - Fix GnuTLS code for CURL_SSLVERSION_TLSv1_2 that broke when the
+ TLS 1.3 support was added in 6ad3add.
+
+ - Homogenize across code for all backends the error message when TLS 1.3
+ is not available to "<backend>: TLS 1.3 is not yet supported".
+
+ - Return an error when a user-specified ssl version is unrecognized.
+
+ ---
+
+ Prior to this change our code for some of the backends used the
+ 'default' label in the switch statement (ie ver unrecognized) for
+ ssl.version and treated it the same as CURL_SSLVERSION_DEFAULT.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-11/0048.html
+ Reported-by: Kamil Dudka
-Version 7.49.0 (17 May 2016)
+Daniel Stenberg (9 Nov 2016)
+- [Isaac Boukris brought this change]
-Daniel Stenberg (17 May 2016)
-- THANKS: 24 new names from 7.49.0 release notes
+ SPNEGO: Fix memory leak when authentication fails
+
+ If SPNEGO fails, cleanup the negotiate handle right away.
+
+ Fixes #1115
+
+ Signed-off-by: Isaac Boukris <iboukris@gmail.com>
+ Reported-by: ashman-p
-- RELEASE-NOTES: 7.49.0
+- CODE_STYLE.md: link to INTERNALS.md correctly
-- mbedtls/polarssl: set "hostname" unconditionally
+- bump: next version will be 7.52.0
+
+- RELEASE-NOTES: synced with dfcdaaba371e9a3
+
+- examples/fileupload.c: fclose the file as well
+
+- printf: fix ".*f" handling
- ...as otherwise the TLS libs will skip the CN/SAN check and just allow
- connection to any server. curl previously skipped this function when SNI
- wasn't used or when connecting to an IP address specified host.
+ It would always use precision 1 instead of reading it from the argument
+ list as intended.
- CVE-2016-3739
+ Reported-by: Ray Satiro
- Bug: https://curl.haxx.se/docs/adv_20160518A.html
- Reported-by: Moti Avrahami
-
-- [Frank Gevaerts brought this change]
+ Bug: #1113
- CURLOPT_RESOLVE.3: fix typo
+- curl_formadd.3: *_FILECONTENT and *_FILE need the file to be kept
- Closes #811
+ Reported-by: Frank Gevaerts
-- docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE
+Kamil Dudka (7 Nov 2016)
+- nss: silence warning 'SSL_NEXT_PROTO_EARLY_VALUE not handled in switch'
+
+ ... with nss-3.26.0 and newer
+
+ Reported-by: Daniel Stenberg
-- KNOWN_BUGS: GnuTLS backend skips really long certificate fields
+Daniel Stenberg (7 Nov 2016)
+- openssl: initial TLS 1.3 adaptions
- Closes #762
+ BoringSSL supports TLSv1.3 already, but these changes don't seem to be anough
+ to get it working.
-- CURLOPT_HTTPPOST.3: the data needs to be around while in use
+- ssh: check md5 fingerprints case insensitively (regression)
+
+ Revert the change from ce8d09483eea but use the new function
+
+ Reported-by: Kamil Dudka
+ Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146
-- openssl: get_cert_chain: fix NULL dereference
+Kamil Dudka (7 Nov 2016)
+- curl: introduce the --tlsv1.3 option to force TLS 1.3
- CID 1361815: Explicit null dereferenced (FORWARD_NULL)
+ Fully implemented with the NSS backend only for now.
+
+ Reviewed-by: Ray Satiro
-- openssl: get_cert_chain: avoid NULL dereference
+- vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
- CID 1361811: Explicit null dereferenced (FORWARD_NULL)
+ Fully implemented with the NSS backend only for now.
+
+ Reviewed-by: Ray Satiro
-- dprintf_formatf: fix (false?) Coverity warning
+- nss: map CURL_SSLVERSION_DEFAULT to NSS default
- CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when
- we run over 'workend' but the condition says <= workend and for all I
- can see it should be safe. Compensating for the warning by adding a byte
- margin in the buffer.
+ ... but make sure we use at least TLSv1.0 according to libcurl API
- Also, removed the extra brace level indentation in the code and made it
- so that 'workend' is only assigned once within the function.
+ Reported-by: Cure53
+ Reviewed-by: Ray Satiro
-- RELEASE-NOTES: synced with 2dcb5adc72d6
+Daniel Stenberg (7 Nov 2016)
+- s/cURL/curl
+
+ We're mostly saying just "curl" in lower case these days so here's a big
+ cleanup to adapt to this reality. A few instances are left as the
+ project could still formally be considered called cURL.
-- THANKS-filter: fixed Jonathan Cardoso
+Jay Satiro (7 Nov 2016)
+- [Tatsuhiro Tsujikawa brought this change]
-Jay Satiro (15 May 2016)
-- ftp: fix incorrect out-of-memory code in Curl_pretransfer
+ http2: Don't send header fields prohibited by HTTP/2 spec
- - Return value type must match function type.
+ Previously, we just ignored "Connection" header field. But HTTP/2
+ specification actually prohibits few more header fields. This commit
+ ignores all of them so that we don't send these bad header fields.
- s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/
+ Bug: https://curl.haxx.se/mail/archive-2016-10/0033.html
+ Reported-by: Ricki Hirner
- Caught by Travis CI
+ Closes https://github.com/curl/curl/pull/1092
-Daniel Stenberg (15 May 2016)
-- ftp wildcard: segfault due to init only in multi_perform
-
- The proper FTP wildcard init is now more properly done in Curl_pretransfer()
- and the corresponding cleanup in Curl_close().
+Daniel Stenberg (7 Nov 2016)
+- curl.1: explain the SMTP data expected for -T
- The previous place of init/cleanup code made the internal pointer to be NULL
- when this feature was used with the multi_socket() API, as it was made within
- the curl_multi_perform() function.
+ Fixes #1107
- Reported-by: Jonathan Cardoso Machado
- Fixes #800
+ Reported-by: Adam Piggott
-Jay Satiro (13 May 2016)
-- libcurl-tlibcurl-thread: Update OpenSSL links
+Peter Wu (6 Nov 2016)
+- cmake: disable poll for macOS
- Because the old OpenSSL link now redirects to their master documentation
- (currently 1.1.0), which does not document the required actions for
- OpenSSL <= 1.0.2.
+ Mirrors the autotools behavior introduced with curl-7_50_3-83-ga34c7ce.
+
+ Fixes #1089
-Daniel Stenberg (13 May 2016)
-- [Viktor Szakats brought this change]
+Jay Satiro (5 Nov 2016)
+- easy: Initialize info variables on easy init and duphandle
+
+ - Call Curl_initinfo on init and duphandle.
+
+ Prior to this change the statistical and informational variables were
+ simply zeroed by calloc on easy init and duphandle. While zero is the
+ correct default value for almost all info variables, there is one where
+ it isn't (filetime initializes to -1).
+
+ Bug: https://github.com/curl/curl/issues/1103
+ Reported-by: Neal Poole
- darwinssl.c: fix OS X codename typo in comment
+Daniel Stenberg (5 Nov 2016)
+- [Mauro Rappa brought this change]
-- RELEASE-NOTES: synced with 68701e51c1f7
+ curl -w: added more decimal digits to timing counters
- Added 8 bug fixes and 5 more contrbutors
+ Now showing microsecond resolution.
+
+ Closes #1106
-- [Jay Satiro brought this change]
+Jakub Zakrzewski (4 Nov 2016)
+- dist: add CMakeLists.txt to the tarball
- mprintf: Fix processing of width and prec args
+Daniel Stenberg (4 Nov 2016)
+- mbedtls: fix build with mbedtls versions < 2.4.0
- Prior to this change a width arg could be erroneously output, and also
- width and precision args could not be used together without crashing.
+ Regression added in 62a8095e714
- "%0*d%s", 2, 9, "foo"
+ Reported-by: Tony Kelman
- Before: "092"
- After: "09foo"
+ Discussed in #1087
+
+- configure: verify that compiler groks -Werror=partial-availability
- "%*.*s", 5, 2, "foo"
+ Reported-by: bemoody
- Before: crash
- After: " fo"
+ Fixes #1104
+
+- docs: shorten and simplify the top comment in multi-uv.c
- Test 557 is updated to verify this and more
+ and change URL to use https
-- [Michael Kaufmann brought this change]
+- [Andrei Sedoi brought this change]
- ConnectionExists: follow-up fix for proxy re-use
-
- Follow-up commit to 5823179
-
- Closes #648
+ docs: handle CURL_POLL_INOUT in multi-uv example
-- [Per Malmberg brought this change]
+- [Andrei Sedoi brought this change]
- darwinssl: fix certificate verification disable on OS X 10.8
-
- The new way of disabling certificate verification doesn't work on
- Mountain Lion (OS X 10.8) so we need to use the old way in that version
- too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2
- and 10.11.
-
- Closes #802
+ docs: multi-uv: don't use CURLMsg after cleanup
-- [Cory Benfield brought this change]
+- [Andrei Sedoi brought this change]
- http2: Add space between colon and header value
-
- curl's representation of HTTP/2 responses involves transforming the
- response to a format that is similar to HTTP/1.1. Prior to this change,
- curl would do this by separating header names and values with only a
- colon, without introducing a space after the colon.
-
- While this is technically a valid way to represent a HTTP/1.1 header
- block, it is much more common to see a space following the colon. This
- change introduces that space, to ensure that incautious tools are safely
- able to parse the header block.
+ docs: remove unused variables in multi-uv example
+
+- bump: start working on 7.51.1
+
+- winbuild: remove strcase.obj from curl build
- This also ensures that the difference between the HTTP/1.1 and HTTP/2
- response layout is as minimal as possible.
+ Reported-by: Bruce Stephens
- Bug: https://github.com/curl/curl/issues/797
+ Fixes #1098
+
+Dan Fandrich (2 Nov 2016)
+- msvc: removed a straggling reference to strequal.c
- Closes #798
- Fixes #797
+ Follow-up to 502acba2
-Kamil Dudka (12 May 2016)
-- openssl: fix compile-time warning in Curl_ossl_check_cxn()
+Version 7.51.0 (2 Nov 2016)
+
+Daniel Stenberg (2 Nov 2016)
+- THANKS: synced with 7.51.0
+
+- RELEASE-NOTES: 7.51.0
+
+- ftp_done: don't clobber the passed in error code
- ... introduced in curl-7_48_0-293-g2968c83:
+ Coverity CID 1374359 pointed out the unused result value.
+
+- ftp: remove dead code in ftp_done
- Error: COMPILER_WARNING:
- lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’
- lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’
- may alter its value [-Wconversion]
+ Coverity CID 1374358
-Jay Satiro (11 May 2016)
-- openssl: stricter connection check function
+Jay Satiro (1 Nov 2016)
+- generate.bat: Include include/curl in libcurl VS projects
- - In the case of recv error, limit returning 'connection still in place'
- to EINPROGRESS, EAGAIN and EWOULDBLOCK.
+ .. because including those headers helps Visual Studio's Intellisense.
+
+- generate.bat: Remove strcase.[ch] from curl tool VS projects
- This is an improvement on the parent commit which changed the openssl
- connection check to use recv MSG_PEEK instead of SSL_peek.
+ ..because they're no longer needed in the tool build. strcase is still
+ built by the libcurl project and exports curl_str(n)equal which is used
+ by the curl tool.
- Ref: https://github.com/curl/curl/commit/856baf5#comments
+ Bug: https://github.com/curl/curl/commit/9363f1a#all_commit_comments
-Daniel Stenberg (11 May 2016)
-- [Anders Bakken brought this change]
+Daniel Stenberg (2 Nov 2016)
+- metalink: simplify the hex parsing function
+
+ ... and now it avoids using the libcurl toupper() function
- TLS: SSL_peek is not a const operation
+Michael Kaufmann (1 Nov 2016)
+- file: fix compiler warning
- Calling SSL_peek can cause bytes to be read from the raw socket which in
- turn can upset the select machinery that determines whether there's data
- available on the socket.
+ follow-up to 46133aa5
+
+Dan Fandrich (1 Nov 2016)
+- strcase: fixed Metalink builds by redefining checkprefix()
- Since Curl_ossl_check_cxn only tries to determine whether the socket is
- alive and doesn't actually need to see the bytes SSL_peek seems like
- the wrong function to call.
+ ...to use the public function curl_strnequal(). This isn't ideal because
+ it adds extra overhead to any internal calls to checkprefix.
- We're able to occasionally reproduce a connect timeout due to this
- bug. What happens is that Curl doesn't know to call SSL_connect again
- after the peek happens since data is buffered in the SSL buffer and thus
- select won't fire for this socket.
+ follow-up to 95bd2b3e
+
+Daniel Stenberg (1 Nov 2016)
+- curl.1: typo
+
+- curl.1: expand on how multiple uses of -o looks
- Closes #795
+ Suggested-by: Dan Jacobson
+ Issue: https://github.com/curl/curl/issues/1097
-Jay Satiro (9 May 2016)
-- [Daniel Stenberg brought this change]
+- tests/util: get a private strncasecompare clone
+
+ ... since the curlx_* code no longer provides one and we don't link
+ libcurl to these test servers.
- TLS: move the ALPN/NPN enable bits to the connection
+- strcase: make the tool use curl_str[n]equal instead
- Only protocols that actually have a protocol registered for ALPN and NPN
- should try to get that negotiated in the TLS handshake. That is only
- HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
- would wrongly be used in all handshakes if libcurl was built with it
- enabled.
+ As they are after all part of the public API. Saves space and reduces
+ complexity. Remove the strcase defines from the curlx_ family.
- Reported-by: Jay Satiro
+ Suggested-by: Dan Fandrich
+ Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
+
+Kamil Dudka (31 Oct 2016)
+- gskit, nss: do not include strequal.h
- Fixes #789
+ follow-up to 811a693b80
-Daniel Stenberg (8 May 2016)
-- libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl
+Dan Fandrich (31 Oct 2016)
+- strcasecompare: include curl.h in strcase.c
+
+ This should fix the "warning: 'curl_strequal' redeclared without
+ dllimport attribute: previous dllimport ignored" message and subsequent
+ link error on Windows because of the missing CURL_EXTERN on the
+ prototype.
-- [Antonio Larrosa brought this change]
+Daniel Stenberg (31 Oct 2016)
+- strcase: fix the remaining rawstr users
- connect: fix invalid "Network is unreachable" errors
+- msvc builds: s/rawstr/strcase
- Sometimes, in systems with both ipv4 and ipv6 addresses but where the
- network doesn't support ipv6, Curl_is_connected returns an error
- (intermittently) even if the ipv4 socket connects successfully.
+ Follow-up to 811a693b
+
+Dan Fandrich (31 Oct 2016)
+- strcasecompare: replaced remaining rawstr.h with strcase.h
- This happens because there's a for-loop that iterates on the sockets but
- the error variable is not resetted when the ipv4 is checked and is ok.
+ This is a followup to commit 811a693b
+
+Marcel Raad (31 Oct 2016)
+- digest_sspi: fix include
- This patch fixes this problem by setting error to 0 when checking the
- second socket and not having a result yet.
+ Fix compile break from 811a693b80
+
+Dan Fandrich (31 Oct 2016)
+- libauthretry: use the external function curl_strequal
- Fixes #794
+ The internal version strcasecompare isn't available outside libcurl
-Jay Satiro (5 May 2016)
-- FAQ: refer to thread safety guidelines
+Daniel Stenberg (31 Oct 2016)
+- RELEASE-NOTES: synced with d14538d2501ef0da
-Daniel Stenberg (3 May 2016)
-- connections: non-HTTP proxies on different ports aren't reused either
-
- Reported-by: Oleg Pudeyev and fuchaoqun
+- configure: raise the default minimum version for macos to 10.8
- Fixes #648
+ follow-up to 4f8d0b6f02aa7043. Since the darwinssl code breaks
+ otherwise. If you build without darwinssl 10.5 works fine.
-- http: make sure a blank header overrides accept_decoding
+- unit1301: keep testing curl_strequal
- Reported-by: rcanavan
- Assisted-by: Isaac Boukris
- Closes #785
+ as that is still part of the API, fix from 8fe4bd084412f30
-- CHECKSRC.md: clarified, explained the whitelist file
+- ldap: fix include
+
+ Fix bug from 811a693b80
-- nroff-scan.pl: verify that references are made with \fI
+- url: remove unconditional idn2.h include
+
+ Mistake brought by 9c91ec778104a
-- docs: unified man page references to use \fI
+- curl_strequal: part of public API/ABI, needs to be kept
+
+ These two public functions have been mentioned as deprecated since a
+ very long time but since they are still part of the API and ABI we need
+ to keep them around.
-- TODO: 17.14 --fail without --location should treat 3xx as a failure
+- strcase: s/strequal/strcasecompare
- Closes #727
+ some more follow-ups to 811a693b80
-- RELEASE-NOTES: synced with 7987f5cb14d
+- ldap: fix strcase use
+
+ follow-up to 811a693b80
-- [Isaac Boukris brought this change]
+- test165: adapted to the libidn2 use and IDNA2008 fix
- CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
+- cookie: replace use of fgets() with custom version
- Mention possible content-length mismatch with sum of bytes reported
- by write callbacks when auto decoding is enabled.
+ ... that will ignore lines that are too long to fit in the buffer.
- See #785
-
-- test1140: run nroff-scan to verify man pages
+ CVE-2016-8615
+
+ Bug: https://curl.haxx.se/docs/adv_20161102A.html
+ Reported-by: Cure53
-- nroff-scan.pl: verify the .BR references as well
+- strcasecompare: all case insensitive string compares ignore locale now
+
+ We had some confusions on when each function was used. We should not act
+ differently on different locales anyway.
-- CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference
+- strcasecompare: is the new name for strequal()
+
+ ... to make it less likely that we forget that the function actually
+ does case insentive compares. Also replaced several invokes of the
+ function with a plain strcmp when case sensitivity is not an issue (like
+ comparing with "-").
-- CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE
+- ftp: check for previous patch must be case sensitive!
+
+ ... otherwise example.com/PATH and example.com/path would be assumed to
+ be the same and they usually aren't!
-- curl_easy_pause.3: fix man page reference
+- SSH: check md5 fingerprint case sensitively
-Jay Satiro (1 May 2016)
-- tool_cb_hdr: Fix --remote-header-name with schemeless URL
+- connectionexists: use case sensitive user/password comparisons
- - Move the existing scheme check from tool_operate.
+ CVE-2016-8616
- In the case of --remote-header-name we want to parse Content-disposition
- for a filename, but only if the scheme is http or https. A recent
- adjustment 0dc4d8e was made to account for schemeless URLs however it's
- not 100% accurate. To remedy that I've moved the scheme check to the
- header callback, since at that point the library has already determined
- the scheme.
+ Bug: https://curl.haxx.se/docs/adv_20161102B.html
+ Reported-by: Cure53
+
+- base64: check for integer overflow on large input
- Bug: https://github.com/curl/curl/issues/760
- Reported-by: Kai Noda
+ CVE-2016-8617
+
+ Bug: https://curl.haxx.se/docs/adv_20161102C.html
+ Reported-by: Cure53
-Daniel Stenberg (1 May 2016)
-- tls: make setting pinnedkey option fail if not supported
+- krb5: avoid realloc(0)
- to make it obvious to users trying to use the feature with TLS backends
- not supporting it.
+ If the requested size is zero, bail out with error instead of doing a
+ realloc() that would cause a double-free: realloc(0) acts as a free()
+ and then there's a second free in the cleanup path.
- Discussed in #781
- Reported-by: Travis Burtrum
+ CVE-2016-8619
+
+ Bug: https://curl.haxx.se/docs/adv_20161102E.html
+ Reported-by: Cure53
-- nroff-scan.pl: verifies nroff pages
+- aprintf: detect wrap-around when growing allocation
- ... not used by any test yet but can be used stand-alone.
+ On 32bit systems we could otherwise wrap around after 2GB and allocate 0
+ bytes and crash.
+
+ CVE-2016-8618
+
+ Bug: https://curl.haxx.se/docs/adv_20161102D.html
+ Reported-by: Cure53
-- opts: fix broken/bad references
+- range: reject char globs with missing end like '[L-]'
+
+ ... which previously would lead to out of boundary reads.
+
+ Reported-by: Luật Nguyễn
-- [Michael Kaufmann brought this change]
+- glob_next_url: make sure to stay within the given output buffer
- docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
+- range: prevent negative end number in a glob range
- Closes #786
+ CVE-2016-8620
+
+ Bug: https://curl.haxx.se/docs/adv_20161102F.html
+ Reported-by: Luật Nguyễn
-- CURLOPT_ACCEPT_ENCODING.3: clarified
+- parsedate: handle cut off numbers better
- As discussed in #785
+ ... and don't read outside of the given buffer!
+
+ CVE-2016-8621
+
+ bug: https://curl.haxx.se/docs/adv_20161102G.html
+ Reported-by: Luật Nguyễn
-- curl.1: --mail-rcpt can be used multiple times
+- escape: avoid using curl_easy_unescape() internally
- Reported-by: mgendre
- Closes #784
+ Since the internal Curl_urldecode() function has a better API.
-- [Karlson2k brought this change]
+- unescape: avoid integer overflow
+
+ CVE-2016-8622
+
+ Bug: https://curl.haxx.se/docs/adv_20161102H.html
+ Reported-by: Cure53
- tests: Use 'pathhelp' for paths conversions in secureserver.pl
+- cookies: getlist() now holds deep copies of all cookies
- Closes #675
+ Previously it only held references to them, which was reckless as the
+ thread lock was released so the cookies could get modified by other
+ handles that share the same cookie jar over the share interface.
+
+ CVE-2016-8623
+
+ Bug: https://curl.haxx.se/docs/adv_20161102I.html
+ Reported-by: Cure53
-- [Karlson2k brought this change]
+- TODO: remove IDNA2008
- tests: Use 'pathhelp' for paths conversions in sshserver.pl
+- idn: switch to libidn2 use and IDNA2008 support
+
+ CVE-2016-8625
+
+ Bug: https://curl.haxx.se/docs/adv_20161102K.html
+ Reported-by: Christian Heimes
-- [Karlson2k brought this change]
+- test1246: verify URL parsing with host name ending with '#'
- tests: Use 'pathhelp' for current path in runtests.pl
+- urlparse: accept '#' as end of host name
+
+ 'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
+ for the '/' document with the rest of the URL being a fragment.
+
+ CVE-2016-8624
+
+ Bug: https://curl.haxx.se/docs/adv_20161102J.html
+ Reported-by: Fernando Muñoz
-- [Karlson2k brought this change]
+Jay Satiro (31 Oct 2016)
+- INTERNALS: better markdown (follow-up)
+
+ - Wrap more words with underscores in backticks.
+
+ Follow-up to 13f4913.
- tests: pathhelp.pm to process paths on Msys/Cygwin
+Daniel Stenberg (30 Oct 2016)
+- INTERNALS: better markdown
+
+ words with underscore need to be within `these`
+
+ Bug: https://github.com/curl/curl-www/issues/19
+ Reported-by : Jay Satiro
-- lib: include curl_printf.h as one of the last headers
+Jay Satiro (30 Oct 2016)
+- mk-ca-bundle.vbs: Fix UTF-8 output
- curl_printf.h defines printf to curl_mprintf, etc. This can cause
- problems with external headers which may use
- __attribute__((format(printf, ...))) markers etc.
+ - Change initial message box to mention delay when downloading/parsing.
- To avoid that they cause problems with system includes, we include
- curl_printf.h after any system headers. That makes the three last
- headers to always be, and we keep them in this order:
+ Since there is no progress meter it was somewhat unexpected that after
+ choosing a filename nothing appears to happen, when actually the cert
+ data is in the process of being downloaded and parsed.
- curl_printf.h
- curl_memory.h
- memdebug.h
+ - Warn if OpenSSL is not present.
- None of them include system headers, they all do funny #defines.
+ - Use a UTF-8 stream to make the ca-bundle data.
- Reported-by: David Benjamin
+ - Save the UTF-8 ca-bundle stream as binary so that no BOM is added.
- Fixes #743
-
-- memdebug.h: remove inclusion of other headers
+ ---
- Mostly because they're not needed, because memdebug.h is always included
- last of all headers so the others already included the correct ones.
+ This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
+ ANSI due to corrupt UTF-8 output, now fixed.
- But also, starting now we don't want this to accidentally include any
- system headers, as the header included _before_ this header may add
- defines and other fun stuff that we won't want used in system includes.
+ This change completes making the default certificate bundle output of
+ mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
+ should make it easier to review any difference between their output.
+
+ Ref: https://github.com/curl/curl/pull/1012
-- [Jay Satiro brought this change]
+Daniel Stenberg (28 Oct 2016)
+- BINDINGS: converted to markdown
+
+ To make it render better on the web site, at the price of it becoming
+ slightly less readable as text.
- curl -J: make it work even without http:// scheme on URL
+Jay Satiro (27 Oct 2016)
+- CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
- It does open up a miniscule risk that one of the other protocols that
- libcurl could use would send back a Content-Disposition header and then
- curl would act on it even if not HTTP.
+ - Clarify that this option is only for HTTP/1.1 pipelining.
- A future mitigation for this risk would be to allow the callback to ask
- libcurl which protocol is being used.
+ Bug: https://github.com/curl/curl/issues/1059
+ Reported-by: Jeroen Ooms
- Verified with test 1312
+ Assisted-by: Daniel Stenberg
+
+Daniel Stenberg (27 Oct 2016)
+- KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
- Closes #760
+ Closes #927
-- manpage-scan.pl: also verify the command line option docs
+- KNOWN_BUGS: c-ares deviates from stock resolver on http://1346569778
- This script now also scans src/tool_getparam.c, docs/curl.1 and
- src/tool_help.c and will warn if any of them lists a command line option
- not mentioned in one of the other places.
+ Closes #893
-- curl: show the long option version of -q in the -h list
+Michael Osipov (27 Oct 2016)
+- configure.in: Fix test syntax
+
+ Some versions of test allow == for equality, but others (such as the HP-UX
+ version) do not. Use a single = for correctness.
+
+ Error output:
+ checking for monotonic clock_gettime... ./configure[20445]: ==: A test command parameter is not valid.
-- curl: remove "--socks" as "--socks5" turned 8
+Daniel Stenberg (27 Oct 2016)
+- SECURITY: minor updates
- In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated
- and it has not been documented since. The more explicit socks options
- (like --socks4 or --socks5) should be used.
+ - we allow the security push up to 48 hours before the release
+
+ - add a mention about possible pre-notifications
+
+ - lower case the 'curl-security' title
-- curl.1: document the deprecated --ftp-ssl option
+- [Andrei Sedoi brought this change]
-- curl: remove --http-request
+ docs: fix req->data in multi-uv example
- It was mentioned as deprecated already in commit ae1912cb0d4 from
- 1999. It has not been documented in this millennium.
+ Closes #1088
-- curl: mention --ntlm-wb in -h list
+- mbedtls: stop using deprecated include file
+
+ Reported-by: wyattoday
+ Fixes #1087
-- curl: -h output lacked --proxy-header
+Kamil Dudka (25 Oct 2016)
+- [Martin Frodl brought this change]
-- curl.1: document --ntlm-wb
+ nss: fix tight loop in non-blocking TLS handhsake over proxy
+
+ ... in case the handshake completes before entering
+ CURLM_STATE_PROTOCONNECT
+
+ Bug: https://bugzilla.redhat.com/1388162
-- curl.1: document the long format of -q: --disable
+Jay Satiro (25 Oct 2016)
+- mk-ca-bundle: Update the vbscript version
+
+ Bring the VBScript version more in line with the perl version:
+
+ - Change timestamp to UTC.
+
+ - Change URL retrieval to HTTPS-only by default.
+
+ - Comment out the options that disabled SSL cert checking by default.
+
+ - Assume OpenSSL is present, get SHA256. And add a flag to toggle it.
+
+ - Fix cert issuer name output.
+
+ The cert issuer output is now ansi, converted from UTF-8. Prior to this
+ it was corrupt UTF-8. It turns out though we can work with UTF-8 the
+ FSO object that writes ca-bundle can't write UTF-8, so there will have
+ to be some alternative if UTF-8 is needed (like an ADODB.Stream).
+
+ - Disable the certificate text info feature.
+
+ The certificate text info doesn't work properly with any recent OpenSSL.
-- curl.1: mention the deprecated --krb4 option
+Daniel Stenberg (24 Oct 2016)
+- TODO: indent code to make it render properly
-- curl.1: document --ftp-ssl-reqd
-
- Even if deprecated, document it so that people will find it as old
- scripts may still use it.
+- TODO: Remove the generated include file
-- curl: use --telnet-option as documented
+- TODO: add "--retry should resume"
- The code said "telnet-options" but no documentation ever said so. It
- worked fine since the code is fine with a unique match of the first
- part.
+ See #1084
-- getparam: remove support for --ftpport
+- mk-ca-bundle.1: document -k
- It has been deprecated and undocumented since commit ad5ead8bed7 (Dec
- 2003). --ftp-port is the proper long option name.
+ Brought in 1ad2bdcf110266c. Now does HTTPS by default and needs -k to
+ fall back to plain HTTP.
-- curl: make --disable work as long form of -q
+- [Jay Satiro brought this change]
+
+ mk-ca-bundle: Change URL retrieval to HTTPS-only by default
- To make the aliases list reflect reality.
+ - Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).
+
+ - New option -k to allow URLs other than HTTPS and enable HTTP fallback.
+
+ Prior to this change the default URL retrieval mode was to fall back to
+ HTTP if HTTPS didn't work.
+
+ Reported-by: Gregory Szorc
+
+ Closes #1012
-- aliases: remove trailing space from capath string
+- RELEASE-NOTES: synced with 50ee3aaf1a9b22d
-- cmdline parse: only single letter options have single-letter strings
-
- ... moved around options so that parsing the code to find all
- single-letter options easier.
+Dan Fandrich (23 Oct 2016)
+- INSTALL.md: Updated minimum file sizes for 7.50.3
-Jay Satiro (28 Apr 2016)
-- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
+Daniel Stenberg (22 Oct 2016)
+- multi: force connections to get closed in close_all_connections
- Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html
- Reported-by: Bru Rom
+ Several independent reports on infinite loops hanging in the
+ close_all_connections() function when closing a multi handle, can be
+ fixed by first marking the connection to get closed before calling
+ Curl_disconnect.
+
+ This is more fixing-the-symptom rather than the underlying problem
+ though.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-10/0011.html
+ Bug: https://curl.haxx.se/mail/lib-2016-10/0059.html
+
+ Reported-by: Dan Fandrich, Valentin David, Miloš Ljumović
-Daniel Stenberg (28 Apr 2016)
-- curl_easy_getinfo.3: remove superfluous blank lines
+- [Anders Bakken brought this change]
-- test1139: verifies libcurl option man page presence
-
- - checks that each option has its own man page present
+ curl_multi_remove_handle: fix a double-free
+
+ In short the easy handle needs to be disconnected from its connection at
+ this point since the connection still is serving other easy handles.
+
+ In our app we can reliably reproduce a crash in our http2 stress test
+ that is fixed by this change. I can't easily reproduce the same test in
+ a small example.
+
+ This is the gdb/asan output:
+
+ ==11785==ERROR: AddressSanitizer: heap-use-after-free on address 0xe9f4fb80 at pc 0x09f41f19 bp 0xf27be688 sp 0xf27be67c
+ READ of size 4 at 0xe9f4fb80 thread T13 (RESOURCE_HTTP)
+ #0 0x9f41f18 in curl_multi_remove_handle /path/to/source/3rdparty/curl/lib/multi.c:666
+
+ 0xe9f4fb80 is located 0 bytes inside of 1128-byte region [0xe9f4fb80,0xe9f4ffe8)
+ freed by thread T13 (RESOURCE_HTTP) here:
+ #0 0xf7b1b5c2 in __interceptor_free /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:45
+ #1 0x9f7862d in conn_free /path/to/source/3rdparty/curl/lib/url.c:2808
+ #2 0x9f78c6a in Curl_disconnect /path/to/source/3rdparty/curl/lib/url.c:2876
+ #3 0x9f41b09 in multi_done /path/to/source/3rdparty/curl/lib/multi.c:615
+ #4 0x9f48017 in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1896
+ #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
+ #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
+ #7 0x9c445e0 in ...
+ #8 0x9c4cf1d in ...
+ #9 0xa2be6b5 in ...
+ #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
+
+ previously allocated by thread T13 (RESOURCE_HTTP) here:
+ #0 0xf7b1ba27 in __interceptor_calloc /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:70
+ #1 0x9f7dfa6 in allocate_conn /path/to/source/3rdparty/curl/lib/url.c:3904
+ #2 0x9f88ca0 in create_conn /path/to/source/3rdparty/curl/lib/url.c:5797
+ #3 0x9f8c928 in Curl_connect /path/to/source/3rdparty/curl/lib/url.c:6438
+ #4 0x9f45a8c in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1411
+ #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
+ #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
+ #7 0x9c445e0 in ...
+ #8 0x9c4cf1d in ...
+ #9 0xa2be6b5 in ...
+ #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)
+
+ SUMMARY: AddressSanitizer: heap-use-after-free /path/to/source/3rdparty/curl/lib/multi.c:666 in curl_multi_remove_handle
+ Shadow bytes around the buggy address:
+ 0x3d3e9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
+ 0x3d3e9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ =>0x3d3e9f70:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ 0x3d3e9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+ Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+ ==11785==ABORTING
+
+ Thread 14 "RESOURCE_HTTP" received signal SIGABRT, Aborted.
+ [Switching to Thread 0xf27bfb40 (LWP 12324)]
+ 0xf7fd8be9 in __kernel_vsyscall ()
+ (gdb) bt
+ #0 0xf7fd8be9 in __kernel_vsyscall ()
+ #1 0xf4c7ee89 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
+ #2 0xf4c803e7 in __GI_abort () at abort.c:89
+ #3 0xf7b2ef2e in __sanitizer::Abort () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cc:122
+ #4 0xf7b262fa in __sanitizer::Die () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_common.cc:145
+ #5 0xf7b21ab3 in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0xf27be171, __in_chrg=<optimized out>) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:689
+ #6 0xf7b214a5 in __asan::ReportGenericError (pc=166993689, bp=4068206216, sp=4068206204, addr=3925146496, is_write=false, access_size=4, exp=0, fatal=true) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:1074
+ #7 0xf7b21fce in __asan::__asan_report_load4 (addr=3925146496) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_rtl.cc:129
+ #8 0x09f41f19 in curl_multi_remove_handle (multi=0xf3406080, data=0xde582400) at /path/to/source3rdparty/curl/lib/multi.c:666
+ #9 0x09f6b277 in Curl_close (data=0xde582400) at /path/to/source3rdparty/curl/lib/url.c:415
+ #10 0x09f3354e in curl_easy_cleanup (data=0xde582400) at /path/to/source3rdparty/curl/lib/easy.c:860
+ #11 0x09c6de3f in ...
+ #12 0x09c378c5 in ...
+ #13 0x09c48133 in ...
+ #14 0x09c4d092 in ...
+ #15 0x0a2be6b6 in ...
+ #16 0xf7aa5781 in asan_thread_start (arg=0xf2d22938) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
+ #17 0xf5de52b5 in start_thread (arg=0xf27bfb40) at pthread_create.c:333
+ #18 0xf4d3a16e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:114
+
+ Fixes #1083
+
+- testcurl.1: fix the URL to the autobuild summary
+
+- testcurl.1: update URLs
+
+- INSTALL: converted to markdown => INSTALL.md
+
+ Also heavily edited for content. Removed lots of old cruft that we added
+ like 10+ years ago that is likely incorrect by now.
+
+ Also removed INSTALL.devcpp for same reason.
+
+- [Martin Storsjo brought this change]
+
+ configure: Check for other variants of the -m*os*-version-min flags
- - checks that each option is mentioned in its corresponding index man
- page
+ In addition to -miphoneos-version-min, the same version can be set
+ using -mios-version-min. And for WatchOS and TvOS, there's
+ -mwatchos-version-min and -mtvos-version-min.
-- curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION
+- configure: set min version flags for builds on mac
- ... although it is deprecated.
+ This helps building binaries that can work on multiple macOS versions.
+
+ Help-by: Martin Storsjö
+
+ Fixes #1069
-Jay Satiro (28 Apr 2016)
-- mbedtls: Fix session resume
+- curl_multi_add_handle: set timeouts in closure handles
- This also fixes PolarSSL session resume.
+ The closure handle only ever has default timeouts set. To improve the
+ state somewhat we clone the timeouts from each added handle so that the
+ closure handle always has the same timeouts as the most recently added
+ easy handle.
- Prior to this change the TLS session information wasn't properly
- saved and restored for PolarSSL and mbedTLS.
+ Fixes #739
+
+- configure/CURL_CHECK_FUNC_POLL: disable poll completely on mac
- Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
- Reported-by: Thomas Glanzmann
+ ... so that the same libcurl build easier can run on any version.
- Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
- Reported-by: Moti Avrahami
+ Follow-up to issue #1057
-Daniel Stenberg (27 Apr 2016)
-- RELEASE-NOTES: synced with f4298fcc6d2
+- RELEASE-NOTES: synced with f36f8c14551efc6772
-- [Michael Kaufmann brought this change]
+- test14xx: fixed --libcurl output tests again after 8e8afa82cbb
- opts: Fix some syntax errors in example code fragments
+- s/cURL/curl
- Fixes #779
+ The tool was never called cURL, only the project. But even so, we have
+ more and more over time switched to just use lower case.
-- openssl: avoid BN_print a NULL bignum
+- polarssl: indented code, removed unused variables
+
+- polarssl: reduce #ifdef madness with a macro
+
+- polarssl: fix unaligned SSL session-id lock
+
+- Curl_polarsslthreadlock_thread_setup: clear array at init
- OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
- numbers so make sure the function handles this.
+ ... since if it fails to init the entire array and then tries to clean
+ it up, it would attempt to work on an uninitialized pointer.
+
+- curl: set INTERLEAVEDATA too
- Reported-by: Linus Nordberg
+ As otherwise the callback could be called with a NULL pointer when RTSP
+ data is provided.
-- [Marcel Raad brought this change]
+- gopher: properly return error for poll failures
- CONNECT_ONLY: don't close connection on GSS 401/407 reponses
-
- Previously, connections were closed immediately before the user had a
- chance to extract the socket when the proxy required Negotiate
- authentication.
+- select: switch to macros in uppercase
- This regression was brought in with the security fix in commit
- 79b9d5f1a42578f
+ Curl_select_ready() was the former API that was replaced with
+ Curl_select_check() a while back and the former arg setup was provided
+ with a define (in order to leave existing code unmodified).
- Closes #655
+ Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most
+ common shortcuts where only one socket is checked. They're also more
+ visibly macros.
-- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
+- select: use more proper macro-looking names
+
+ ... so that it becomes more obvious in the code what is what. Also added
+ a typecast for one of the calculations.
-- mbedtls.c: silly spellfix of a comment
+- Curl_socket_check: add extra check to avoid integer overflow
-- KNOWN_BUGS: 1.10 Strips trailing dot from host name
+- maketgz: make it support "only" generating version info
- Closes #716
+ ... to allow you to update the local repository with the given version
+ number data.
-- test1322: verify stripping of trailing dot from host name
+Jay Satiro (17 Oct 2016)
+- url: skip to-be-closed connections when pipelining (follow-up)
- While being debated (in #716) and a violation of RFC 7230 section 5.4,
- this test verifies that the existing functionality works as intended. It
- strips the dot from the host name and uses the host without dot
- throughout the internals.
+ - Change back behavior so that pipelining is considered possible for
+ connections that have not yet reached the protocol level.
+
+ This is a follow-up to e5f0b1a which had changed the behavior of
+ checking if pipelining is possible to ignore connections that had
+ 'bits.close' set. Connections that have not yet reached the protocol
+ level also have that bit set, and we need to consider pipelining
+ possible on those connections.
-- multi: accidentally used resolved host name instead of proxy
+Daniel Stenberg (17 Oct 2016)
+- HTTP2: mention the tool's limited support
+
+- RELEASE-NOTES: synced with a1a5cd04877fd6fd
+
+- [David Woodhouse brought this change]
+
+ curl: do not set CURLOPT_SSLENGINEDEFAULT automatically
- Regression introduced in 09b5a998
+ There were bugs in the PKCS#11 engine, and fixing them triggers bugs in
+ OpenSSL. Just don't get involved; there's no need to be making the
+ engine methods the default anyway.
- Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html
- Reported-by: BoBo
+ https://github.com/OpenSC/libp11/pull/108
+ https://github.com/openssl/openssl/pull/1639
+
+ Merges #1042
-- symbols-in-versions: added new CURLSSLBACKEND_ symbols
+- KNOWN_BUGS: two more existing problems
-- test148: fixed after the --ftp-create-dirs retry change
+Marcel Raad (16 Oct 2016)
+- win: fix Universal Windows Platform build
- follow-up commit to 3c1e84f569 as it made curl try a little harder
+ This fixes a merge error in commit 7f3df80 caused by commit 332e8d6.
+
+ Additionally, this changes Curl_verify_windows_version for Windows App
+ builds to assume to always be running on the target Windows version.
+ There seems to be no way to determine the Windows version from a
+ UWP app. Neither GetVersion(Ex), nor VerifyVersionInfo, nor the
+ Version Helper functions are supported.
+
+ Bug: https://github.com/curl/curl/pull/820#issuecomment-250889878
+ Reported-by: Paul Joyce
+
+ Closes https://github.com/curl/curl/pull/1048
-- curl.h: clarify curl_sslbackend for openssl clones and renames
+Daniel Stenberg (16 Oct 2016)
+- KNOWN_BUGS: minor formatting edit
-- [Karlson2k brought this change]
+Jay Satiro (14 Oct 2016)
+- [Rider Linden brought this change]
- url.c: fixed DEBUGASSERT() for WinSock workaround
+ url: skip to-be-closed connections when pipelining
- If buffer is allocated, but nothing is received during prereceive
- stage, than number of processed bytes must be zero.
+ No longer attempt to use "doomed" to-be-closed connections when
+ pipelining. Prior to this change connections marked for deletion (e.g.
+ timeout) would be erroneously used, resulting in sporadic crashes.
- Closes #778
-
-- KNOWN_BUGS: --interface for ipv6 binds to unusable IP address
+ As originally reported and fixed by Carlo Wood (origin unknown).
- Closes #686 for now.
+ Bug: https://github.com/curl/curl/issues/627
+ Reported-by: Rider Linden
+
+ Closes https://github.com/curl/curl/pull/1075
+ Participation-by: nopjmp@users.noreply.github.com
-- TODO: 1.17 Add support for IRIs
+Daniel Stenberg (13 Oct 2016)
+- vtls: only re-use session-ids using the same scheme
- Adding support for IRIs is a mouthful, but is probably interesting at
- least for areas and countries where the use of such "URLs" are growing
- popularity.
+ To make it harder to do cross-protocol mistakes
+
+Jay Satiro (11 Oct 2016)
+- [Torben Dannhauer brought this change]
+
+ dist: add missing cmake modules to the tarball
- Closes #776
+ Closes https://github.com/curl/curl/pull/1070
-- THANKS-filter: Travis Burtrum
+Daniel Stenberg (11 Oct 2016)
+- configure: detect the broken poll() in macOS 10.12
+
+ Fixes #1057
-- lib1517: checksrc compliance
+- dist: remove PDF and HTML converted docs from the releases
-- [moparisthebest brought this change]
+- [Remo E brought this change]
- PolarSSL: Implement public key pinning
+ cmake: add nghttp2 support
+
+ Closes #922
-Patrick Monnerat (22 Apr 2016)
-- os400: upgrade ILE/RPG binding
+- [Andreas Streichardt brought this change]
-- curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string
+ resolve: add error message when resolving using SIGALRM
+
+ Closes #1066
-Daniel Stenberg (22 Apr 2016)
-- contributors.sh: make --releasenotes implied
+- GIT-INFO: remove the Mac 10.1-specific details
- It got too annoying to type =)
+ There shouldn't be many devs out there anymore using such outdated macOS
+ versions. And it removes the dead link.
+
+ Closes #1049
-- RELEASE-NOTES: synced with 3c1e84f5693d8093
+- RELEASE-NOTES: spellfix
-- curl: make --ftp-create-dirs retry on failure
+- RELEASE-NOTES: synced with 82720490628cb53a
- The underlying libcurl option used for this feature is
- CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir
- creation, but it was never set to do that by the command line tool.
+ 5 more fixes, 2 more contributors
+
+- [Tobias Stoeckmann brought this change]
+
+ smb: properly check incoming packet boundaries
- Now it does.
+ Not all reply messages were properly checked for their lengths, which
+ made it possible to access uninitialized memory (but this does not lead
+ to out of boundary accesses).
- Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html
- Reported-by: John Wanghui
- Help-by: Leif W
+ Closes #1052
-- [Henrik Gaßmann brought this change]
+- test557: verify printf() with 128 and 129 arguments
- winbuild: add mbedtls support
+- mprintf: return error on too many arguments
- Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
- options mutual exclusive.
+ 128 arguments should be enough for everyone
+
+- ftp: fix Curl_ftpsendf()
- Closes #606
+ ... it no longer takes printf() arguments since it was only really taken
+ advantage by one user and it was not written and used in a safe
+ way. Thus the 'f' is removed from the function name and the proto is
+ changed.
+
+ Although the current code wouldn't end up in badness, it was a risk that
+ future changes could end up springf()ing too large data or passing in a
+ format string inadvertently.
-- KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables"
+- formpost: avoid silent snprintf() truncation
- As of commit d9f3b365a3
+ The previous use of snprintf() could make libcurl silently truncate some
+ input data and not report that back on overly large input, which could
+ make data get sent over the network in a bad format.
+
+ Example:
+
+ $ curl --form 'a=b' -H "Content-Type: $(perl -e 'print "A"x4100')"
-- [Irfan Adilovic brought this change]
+- TODO: build: Enable PIE and RELRO by default
- configure: ac_cv_ -> curl_cv_ for write-only vars
+- TODO: Support better than MD5 hostkey hash (for ssh)
+
+- [Daniel Gustafsson brought this change]
+
+ tests: Fix a small typo in the tests README (#1060)
- These configure vars are modified in a curl-specific way but never
- evaluated or loaded from cache, even though they are designated as
- _cv_. We could either implement proper AC_CACHE_CHECKs for them, or
- remove them completely.
-
- Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and
- AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after
- the first configure run with caching.
-
- `ac_cv_func_strcasecmp` is curious, see #770.
+ The subdirectory for logs in tests/ is named log/ without an 's'
+ at the end.
+
+- TODO: Introduce --fail-fast to exit on first transfer fail
- `eval "ac_cv_func_$func=yes"` can still cause problems as it works in
- tandem with AC_CHECK_FUNCS and then potentially modifies its result. It
- would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro,
- which works the same as AC_CHECK_FUNCS but relies on caching the values
- of curl_cv_func_* variables, without modifiying ac_cv_func_*.
+ See #1054
-- [Irfan Adilovic brought this change]
+- TODO: Leave secure cookies alone
- configure: ac_cv_ -> curl_cv_ for r/w vars
+- [Rainer Müller brought this change]
+
+ CURLOPT_DEBUGFUNCTION.3: unused argument warning (#1056)
- These configure vars are modified in a curl-specific way and modified by
- the configure process, but are never loaded from cache, even though they
- are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
- them eventually.
+ The 'userp' argument is unused in this example code.
-- [Irfan Adilovic brought this change]
+- TODO: TCP Fast Open for windows
- configure: ac_cv_func_clock_gettime -> curl_...
-
- This variable must not be cached in its current form, as any cached
- information will prevent the next configure run from determining the
- correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to
- just `curl_`.
+- RELEASE-NOTES: synced with 8fd2a754f0de
-- [Irfan Adilovic brought this change]
+- CURLOPT_KEEP_SENDING_ON_ERROR.3: mention when it is added
- configure: ac_cv_ -> curl_cv_ for all cached vars
+- memdup: use 'void *' as return and source type
+
+- TODO: Add easy argument to formpost functions
+
+- formpost: trying to attach a directory no longer crashes
- This was automated by:
+ The error path would previously add a freed entry to the linked list.
- sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \
- ack -o 'ac_cv_.*?\b' | \
- sort -u | xargs -n1 bash -c \
- 'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \
- $(git ls-files)
+ Reported-by: Toby Peterson
- This only changed the prefix for 16 variables actually checked with
- AC_CACHE_CHECK.
+ Fixes #1053
-- openssl: builds with OpenSSL 1.1.0-pre5
+- [Sergei Kuzmin brought this change]
+
+ cookies: same domain handling changed to match browser behavior
- The RSA, DSA and DH structs are now opaque and require use of new APIs
+ Cokie with the same domain but different tailmatching property are now
+ considered different and do not replace each other. If header contains
+ following lines then two cookies will be set: Set-Cookie: foo=bar;
+ domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033 Set-Cookie: foo=baz;
+ domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033
- Fixes #763
-
-Steve Holme (20 Apr 2016)
-- url.c: Prefer we don't use explicit NULLs in conditions
+ This matches Chrome, Opera, Safari, and Firefox behavior. When sending
+ stored tokens to foo.com Chrome, Opera, Firefox store send them in the
+ stored order, while Safari pre-sort the cookies.
- Fixed commit fa5fa65a30 to not use NULLs in if condition.
+ Closes #1050
-Daniel Stenberg (20 Apr 2016)
-- [Isaac Boukris brought this change]
+- [Stephen Brokenshire brought this change]
- NTLM: check for NULL pointer before deferencing
+ FAQ: Fix typos in section 5.14 (#1047)
- At ConnectionExists, both check->proxyuser and check->proxypasswd
- could be NULL, so make sure to check first.
-
- Fixes #765
+ Type required for YourClass::func C++ function (using size_t in line
+ with the documentation for CURLOPT_WRITEFUNCTION) and missing second
+ colon when specifying the static function for CURLOPT_WRITEFUNCTION.
-- [Karlson2k brought this change]
+- [Sebastian Mundry brought this change]
- tests: added test1517
-
- ... for checking ability to receive full HTTP response when POST request
- is used with slow read callback function.
+ KNOWN_BUGS: Fix typos in section 5.8.
- This test checks for bug #657 and verifies the work-around from
- 72d5e144fbc6.
+ Closes #1046
+
+- [mundry brought this change]
+
+ CONTRIBUTE.md: Fix typo in 'About pull requests' section. (#1045)
+
+- curl.1: --trace supports % for sending to stderr!
+
+- KNOWN_BUGS: 5.8 configure finding libs in wrong directory
+
+Dan Fandrich (24 Sep 2016)
+- configure: Fixed builds with libssh2 in a custom location
- Closes #720
+ A libssh2 library in the standard system location was being used in
+ preference to the desired one while linking.
-- [Karlson2k brought this change]
+Daniel Stenberg (23 Sep 2016)
+- SECURITY: remove the top ascii logo
- sendf.c: added ability to call recv() before send() as workaround
+Michael Kaufmann (22 Sep 2016)
+- New libcurl option to keep sending on error
- WinSock destroys recv() buffer if send() is failed. As result - server
- response may be lost if server sent it while curl is still sending
- request. This behavior noticeable on HTTP server short replies if
- libcurl use several send() for request (usually for POST request).
- To workaround this problem, libcurl use recv() before every send() and
- keeps received data in intermediate buffer for further processing.
+ Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether
+ sending the request body shall be completed when the server responds
+ early with an error status code.
- Fixes: #657
- Closes: #668
-
-Kamil Dudka (19 Apr 2016)
-- connect: make sure that rc is initialized in singleipconnect()
+ This is suitable for manual NTLM authentication.
- This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13:
+ Reviewed-by: Jay Satiro
- Error: CLANG_WARNING:
- lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value
- 1118| }
- 1119|
- 1120|-> if(-1 == rc)
- 1121| error = SOCKERRNO;
- 1122| }
-
-Daniel Stenberg (19 Apr 2016)
-- make/checksrc: use $srcdir, not $top_srcdir
+ Closes https://github.com/curl/curl/pull/904
-- src/checksrc.whitelist: removed
+Kamil Dudka (22 Sep 2016)
+- nss: add chacha20-poly1305 cipher suites if supported by NSS
-- tool_operate: switch to inline checksrc ignore
+- nss: add cipher suites using SHA384 if supported by NSS
-- lib/checksrc.whitelist: not needed anymore
+- nss: fix typo in ecdhe_rsa_null cipher suite string
- ... as checksrc now skips comments
+ As it seems to be a rarely used cipher suite (for securely established
+ but _unencrypted_ connections), I believe it is fine not to provide an
+ alias for the misspelled variant.
-- vtls.h: remove a space before semicolon
+Jay Satiro (21 Sep 2016)
+- docs: Remove that --proto is just used for initial retrieval
- ... that the new checksrc detected
+ .. and add that --proto-redir and CURLOPT_REDIR_PROTOCOLS do not
+ override protocols denied by --proto and CURLOPT_PROTOCOLS.
+
+ - Add a test to enforce: --proto deny must override --proto-redir allow
+
+ Closes https://github.com/curl/curl/pull/1031
-- darwinssl: removed commented out code
+Daniel Stenberg (21 Sep 2016)
+- dist: add CurlSymbolHiding.cmake to the tarball
+
+ Follow-up to 6140dfcf3e784
+
+ Reported-by: Alexander Sinditskiy
-- http_chunks: removed checksrc disable
+- curl_global_cleanup.3: don't unload the lib with sub threads running
- ... since checksrc now skips comments
+ Discussed in #997
+
+ Assisted-by: Jay Satiro
-- imap: inlined checksrc disable instead of whitelist edit
+- MAIL-ETIQUETTE: language
-- checksrc: taught to skip comments
+Jay Satiro (20 Sep 2016)
+- easy: Reset all statistical session info in curl_easy_reset
- ... but output non-stripped version of the line, even if that then can
- make the script identify the wrong position in the line at
- times. Showing the line stripped (ie without comments) is just too
- surprising.
+ Bug: https://github.com/curl/curl/issues/1017
+ Reported-by: Jeroen Ooms
-- opts/Makefile.am: list all docs file one by one
+Daniel Stenberg (19 Sep 2016)
+- RELEASE-NOTES: synced with 79607eec51055
+
+Jay Satiro (19 Sep 2016)
+- [Daniel Gustafsson brought this change]
+
+ darwinssl: Fix typo in comment
- ... to make it easier to add lines in patches that won't just break all
- other patches trying to add lines too.
+ Closes https://github.com/curl/curl/pull/1028
-- curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN
+Daniel Stenberg (19 Sep 2016)
+- [Bernard Spil brought this change]
-- RELEASE-NOTES: synced with 03de4e4b219
+ libressl: fix version output
- (since we just merged two major features)
+ LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L` for all
+ versions returning `LibreSSL/2.0.0` for any LibreSSL version.
+
+ This change provides a local OpenSSL_version_num function replacement
+ returning LIBRESSL_VERSION_NUMBER instead.
+
+ Closes #1029
-- [Alessandro Ghedini brought this change]
+- [rugk brought this change]
- connect: implement TCP Fast Open for Linux
+ TODO: Add PINNEDPUBLICKEY - HPKP compatibility, HSTS & HPKP
- Closes #660
+ Closes #1025
+ Closes #1026
+ Closes #1027
-- [Alessandro Ghedini brought this change]
+- openssl: don't call ERR_remote_thread_state on >= 1.1.0
+
+ Follow-up fix to d9321562
- tool: add --tcp-fastopen option
+- openssl: don’t call CRYTPO_cleanup_all_ex_data
+
+ The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called
+ multiple times without crashing - and other libs might call it! We
+ basically cannot call it without risking a crash. The function is a
+ no-op since OpenSSL 1.1.0.
+
+ Not calling this function only risks a small memory leak with OpenSSL <
+ 1.1.0.
+
+ Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html
+ Reported-by: Todd Short
-- [Alessandro Ghedini brought this change]
+- TODO: Support SSLKEYLOGFILE
- connect: implement TCP Fast Open for OS X
+Jay Satiro (18 Sep 2016)
+- CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
-- [Alessandro Ghedini brought this change]
+Nick Zitzmann (18 Sep 2016)
+- darwinssl: disable RC4 cipher-suite support
+
+ RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
- url: add CURLOPT_TCP_FASTOPEN option
+- configure: change "iOS/Mac OS X native" to "Apple OS native"
+
+ Since I first wrote that text, Apple introduced tvOS and watchOS, and renamed "Mac OS X" to "macOS." Let's make the text a little more inclusive, since curl can be built for all four operating systems.
-- checksrc: pass on -D so the whitelists are found correctly
+Jay Satiro (18 Sep 2016)
+- test2048: fix url
-- configure: remove check for libresolve
+- examples/imap-append: Set size of data to be uploaded
- 'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
- but this check is broken and most likely adds nothing useful. Removing
- now.
+ Prior to this commit this example failed with error
+ 'Cannot APPEND with unknown input file size'.
- Reported-by: Irfan Adilovic
+ Bug: https://github.com/curl/curl/issues/1008
+ Reported-by: lukaszgn@users.noreply.github.com
- Discussed in #770
+ Closes https://github.com/curl/curl/pull/1011
-- scripts/make: use $(EXEEXT) for executables
+Daniel Stenberg (16 Sep 2016)
+- [Tony Kelman brought this change]
+
+ LICENSE-MIXING.md: update with mbedTLS dual licensing
- Reported-by: bodop
+ Recent versions of mbedTLS are available under either Apache 2.0 or GPL
+ 2.0, see https://tls.mbed.org/how-to-get
- Fixes #771
+ Closes #1019
-- includes: avoid duplicate memory callback typdefs even harder
+- KNOWN_BUGS: chunked-encoded requests with HTTP/2 is fixed
-- checksrc/makefile.am: use $top_srcdir to find source files
+- http2: debug ouput sent HTTP/2 request headers
+
+- http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
- ... to properly support out of source tree builds.
+ ... but don't send the actual header over the wire as it isn't accepted.
+ Chunked uploading is still triggered using this method.
+
+ Fixes #1013
+ Fixes #662
-- RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5
+- openssl: fix per-thread memory leak usiong 1.0.1 or 1.0.2
+
+ OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
+ so we need to clean it when easy handles are freed, in case the thread
+ will be killed in which the easy handle was used. All OpenSSL code in
+ libcurl should extract the error in association with the error already
+ so clearing this queue here should be harmless at worst.
+
+ Fixes #964
-- opts: fix option references missing (section)
+- RELEASE-NOTES: reset and go toward 7.51.0 (again)
-- [Michael Kaufmann brought this change]
+Version 7.50.3 (14 Sep 2016)
- news: CURLOPT_CONNECT_TO and --connect-to
-
- Makes curl connect to the given host+port instead of the host+port found
- in the URL.
+Daniel Stenberg (14 Sep 2016)
+- THANKS: updated with curl 7.50.3 contributors
-- makefile.vc6: use d suffix on debug object
-
- To allow both release and debug builds in parallel.
-
- Reported-by: Rod Widdowson
-
- Fixes #769
+- RELEASE-NOTES: curl 7.50.3
-Jay Satiro (12 Apr 2016)
-- http2: Use size_t type for data drain count
-
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+- test1605: verify negative input lengths to (un)escape functions
-- http2: Improve header parsing
+- curl_easy_unescape: deny negative string lengths as input
- - Error if a header line is larger than supported.
+ CVE-2016-7167
- - Warn if cumulative header line length may be larger than supported.
+ Bug: https://curl.haxx.se/docs/adv_20160914.html
+
+- curl_easy_escape: deny negative string lengths as input
- - Allow spaces when parsing the path component.
+ CVE-2016-7167
- - Make sure each header line ends in \r\n. This fixes an out of bounds.
+ Bug: https://curl.haxx.se/docs/adv_20160914.html
+
+- curl: make --create-dirs on windows grok both forward and backward slashes
- - Disallow header continuation lines until we decide what to do.
+ Reported-by: Ryan Scott
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ Fixes #1007
-- http2: Add Curl_http2_strerror for HTTP/2 error codes
-
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+- RELEASE-NOTES: synced with 665694979b6
-- [Tatsuhiro Tsujikawa brought this change]
+- [Tony Kelman brought this change]
- http2: Don't increment drain when one header field is received
+ mbedtls: switch off NTLM in build if md4 isn't available
- Sicne we write header field in temporary location, not in the memory
- that upper layer provides, incrementing drain should not happen.
+ NTLM support with mbedTLS was added in 497e7c9 but requires that mbedTLS
+ is built with the MD4 functions available, which it isn't in default
+ builds. This now adapts if the funtion isn't there and builds libcurl
+ without NTLM support if so.
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ Fixes #1004
-- [Tatsuhiro Tsujikawa brought this change]
+Jay Satiro (12 Sep 2016)
+- CODE_STYLE: fix long-line guideline
+
+ - Change maximum allowed line length from 80 to 79.
- http2: Ensure that http2_handle_stream_close is called
+- CODE_STYLE: add column alignment section
- This commit ensures that streams which was closed in on_stream_close
- callback gets passed to http2_handle_stream_close. Previously, this
- might not happen. To achieve this, we increment drain property to
- forcibly call recv function for that stream.
+ Note that since the added examples are for column alignment I had to
+ encapsulate with ~~~c markdown to preserve their alignment.
+
+Peter Wu (11 Sep 2016)
+- cmake: fix curl-config --static-libs
- To more accurately check that we have no pending event before shutting
- down HTTP/2 session, we sum up drain property into
- http_conn.drain_total. We only shutdown session if that value is 0.
+ The `curl-config --static-libs` command should not output paths like
+ -l/usr/lib/libssl.so, instead print the absolute path without `-l`.
- With this commit, when stream was closed before reading response
- header fields, error code CURLE_HTTP2_STREAM is returned even if
- HTTP/2 level error is NO_ERROR. This signals the upper layer that
- stream was closed by error just like TCP connection close in HTTP/1.
+ This also removes the confusing message "Static linking is broken" which
+ was printed because curl-config --static-libs was disfunctional even
+ though the static libcurl.a library works properly.
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
-
-- [Tatsuhiro Tsujikawa brought this change]
+ Fixes https://github.com/curl/curl/issues/841
- http2: Process paused data first before tear down http2 session
+Daniel Stenberg (11 Sep 2016)
+- http: refuse to pass on response body with NO_NODY was set
- This commit ensures that data from network are processed before HTTP/2
- session is terminated. This is achieved by pausing nghttp2 whenever
- different stream than current easy handle receives data.
+ ... like when a HTTP/0.9 response comes back without any headers at all
+ and just a body this now prevents that body from being sent to the
+ callback etc.
- This commit also fixes the bug that sometimes processing hangs when
- multiple HTTP/2 streams are multiplexed.
+ Adapted test 1144 to verify.
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ Fixes #973
+
+ Assisted-by: Ray Satiro
-- [Tatsuhiro Tsujikawa brought this change]
+- RELEASE-NOTES: synced with 257bf3ac67eb6
- http2: Check session closure early in http2_recv
+Jakub Zakrzewski (10 Sep 2016)
+- CMake: Don't build unit tests if private symbols are hidden
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ This only excludes building unit tests from default build ( 'all' Make
+ target or "Build Solution" in VisualStudio). The projects and Make
+ targets will still be generated and shown in supporting IDEs.
+
+ Fixes https://github.com/curl/curl/issues/981
+ Reported-by: Randy Armstrong
+
+ Closes https://github.com/curl/curl/pull/990
-- [Tatsuhiro Tsujikawa brought this change]
+- CMake: Try to (un-)hide private library symbols
+
+ Detect support for compiler symbol visibility flags and apply those
+ according to CURL_HIDDEN_SYMBOLS option.
+ It should work true to the autotools build except it tries to unhide
+ symbols on Windows when requested and prints warning if it fails.
+
+ Ref: https://github.com/curl/curl/issues/981#issuecomment-242665951
+ Reported-by: Daniel Stenberg
- http2: Add handling stream level error
+Daniel Stenberg (9 Sep 2016)
+- openssl: fix bad memory free (regression)
- Previously, when a stream was closed with other than NGHTTP2_NO_ERROR
- by RST_STREAM, underlying TCP connection was dropped. This is
- undesirable since there may be other streams multiplexed and they are
- very much fine. This change introduce new error code
- CURLE_HTTP2_STREAM, which indicates stream error that only affects the
- relevant stream, and connection should be kept open. The existing
- CURLE_HTTP2 means connection error in general.
+ ... by partially reverting f975f06033b1. The allocation could be made by
+ OpenSSL so the free must be made with OPENSSL_free() to avoid problems.
- Ref: https://github.com/curl/curl/issues/659
- Ref: https://github.com/curl/curl/pull/663
+ Reported-by: Harold Stuart
+ Fixes #1005
-Daniel Stenberg (11 Apr 2016)
-- http2: drain the socket better...
+- http2: support > 64bit sized uploads
- ... but ignore EAGAIN if the stream has ended so that we don't end up in
- a loop. This is a follow-up to c8ab613 in order to avoid the problem
- d261652 was made to fix.
+ ... by making sure we don't count down the "upload left" counter when the
+ uploaded size is unknown and then it can be allowed to continue forever.
- Reported-by: Jay Satiro
- Clues-provided-by: Tatsuhiro Tsujikawa
+ Fixes #996
+
+Jay Satiro (7 Sep 2016)
+- errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
- Discussed in #750
+ Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
+ more of a generic "failed to parse" introduce an alias without FTP in
+ the name.
+
+ Closes https://github.com/curl/curl/pull/975
-- KNOWN_BUGS: added info for "Hangs with PolarSSL"
+Daniel Stenberg (7 Sep 2016)
+- bump: toward 7.51.0
-- KNOWN_BUGS: 1.9 HTTP/2 frames while in the connection pool kill reuse
-
- Closes #750
+- HISTORY: remove ascii logo to render nicer on web
-- build: include scripts/ in the dist
+- curl: whitelist use of strtok() in non-threaded context
-Steve Holme (9 Apr 2016)
-- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
+- checksrc: detect strtok() use
- As these two options provide identical functionality, the former for
- SOCK5 proxies and the latter for HTTP proxies, merged the two options
- together.
+ ... as that function slipped through once before.
+
+GitHub (7 Sep 2016)
+- [Viktor Szakats brought this change]
+
+ mk-ca-bundle.pl: use SHA256 instead of SHA1
- As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
- 7.49.0.
+ This hash is used to verify the original downloaded certificate bundle
+ and also included in the generated bundle's comment header. Also
+ rename related internal symbols to algorithm-agnostic names.
-- urldata: Use bool for socks5_gssapi_nec as it is a flag
+Version 7.50.2 (7 Sep 2016)
+
+Daniel Stenberg (7 Sep 2016)
+- RELEASE-NOTES: curl 7.50.2 release
+
+- THANKS: updated for 7.50.2
+
+Jay Satiro (6 Sep 2016)
+- [Gaurav Malhotra brought this change]
+
+ openssl: fix CURLINFO_SSL_VERIFYRESULT
- This value is set to TRUE or FALSE so should be a bool and not a long.
+ CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
+ result when SSL_connect fails because of a certificate verification
+ error.
+
+ This fix saves the result of SSL_get_verify_result so that it is
+ returned by CURLINFO_SSL_VERIFYRESULT.
+
+ Closes https://github.com/curl/curl/pull/995
-- url: Ternary operator code style changes
+Daniel Stenberg (6 Sep 2016)
+- [Daniel Gustafsson brought this change]
-- CODE_STYLE: Added ternary operator example to 'Space around operators'
+ darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
- Following conversation on the libcurl mailing list.
+ While noErr and errSecSuccess are defined as the same value, the API
+ documentation states that SecPKCS12Import() returns errSecSuccess if
+ there were no errors in importing. Ensure that a future change of the
+ defined value doesn't break (however unlikely) and be consistent with
+ the API docs.
-- sasl: Fixed compilation errors from commit 9d89a0387
+- [Daniel Gustafsson brought this change]
+
+ docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)
+
+- [Marcel Raad brought this change]
+
+ openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
- ...when GSS-API or Windows SSPI are not used.
+ With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
+ functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
+ replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
+ OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
+ now called OpenSSL_version_num().
+
+ [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
+ [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
+
+ Closes #992
-- url: Corrected comments following 9d89a0387
+- RELEASE-NOTES: synced with 3d4c0c8b9bc1d
-- docs: Added clarification following commit 9d89a0387
+- http2: return EOF when done uploading without known size
+
+ Fixes #982
-- Makefile: Fixed echo of checksrc check
+- http2: skip the content-length parsing, detect unknown size
-- checksrc: Fix issue with the autobuilds not picking up the whitelist
+- http2: minor white space edit
-- checksrc: Added missing vauth and vtls directories
+- http2: use named define instead of magic constant in read callback
-- ftp/imap/pop3/smtp: Allow the service name to be overridden
+- [Craig Davison brought this change]
+
+ configure: make the cpp -P detection not clobber CPPFLAGS
- Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
- authentication in FTP, IMAP, POP3 and SMTP.
+ CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF.
+
+ Fixes #958
-- http_negotiate: Calculate service name and proxy service name locally
+- [Olivier Brunel brought this change]
+
+ speed caps: not based on average speeds anymore
- Calculate the service name and proxy service names locally, rather than
- in url.c which will allow for us to support overriding the service name
- for other protocols such as FTP, IMAP, POP3 and SMTP.
+ Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
+ CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
+ with the cumulative average speed of the entire transfer; While this
+ might work at times with good/constant connections, in other cases it
+ can result to the limits simply being "ignored" for more than "short
+ bursts" (as told in man page).
+
+ Consider a download that goes on much slower than the limit for some
+ time (because bandwidth is used elsewhere, server is slow, whatever the
+ reason), then once things get better, curl would simply ignore the limit
+ up until the average speed (since the beginning of the transfer) reached
+ the limit. This could prove the limit useless to effectively avoid
+ using the entire bandwidth (at least for quite some time).
+
+ So instead, we now use a "moving starting point" as reference, and every
+ time at least as much as the limit as been transferred, we can reset
+ this starting point to the current position. This gets a good limiting
+ effect that applies to the "current speed" with instant reactivity (in
+ case of sudden speed burst).
+
+ Closes #971
-- ROADMAP: Updated following the move of the authentication code
+- HISTORY.md: the multi socket was put in the wrong year!
-Patrick Monnerat (8 Apr 2016)
-- KNOWN_BUGS: openldap hangs. TODO: binary SASL.
+- [Mark Hamilton brought this change]
-Daniel Stenberg (8 Apr 2016)
-- KNOWN_BUGS: 5.6 Improper use of Autoconf cache variables
+ tool_helpers.c: fix comment typo (#989)
+
+- [Mark Hamilton brought this change]
+
+ libtest/test.h: fix typo (#988)
+
+- CURLMOPT_PIPELINING.3: language
+
+- CURLMOPT_PIPELINING.3: extended and clarified
- Closes #603
+ Especially in regards to the multiplexing part.
-- KNOWN_BUGS: 11.2 error buffer not set...
+Steve Holme (31 Aug 2016)
+- curl_sspi.c: Updated function description comments
- Closes #544
+ * Added description to Curl_sspi_free_identity()
+ * Added parameter and return explanations to Curl_sspi_global_init()
+ * Added parameter explaination to Curl_sspi_global_cleanup()
-- KNOWN_BUGS: 11.1 Curl leaks .onion hostnames in DNS
+- README: Corrected the supported Visual Studio versions
- Closes #543
+ Missed from commit 8356022d17.
-- KNOWN_BUGS: 1.8 DNS timing is wrong for HTTP redirects
+- KNOWN_BUGS: Move the Visual Studio project shortcomings from local README
+
+- KNOWN_BUGS: Expand 6.4 to include Kerberos V5
- Closes #522
+ ...and discuss a possible solution.
-- TODO: HTTP/2 "prior knowledge" is implemented!
+Daniel Stenberg (30 Aug 2016)
+- connect: fix #ifdefs for debug versions of conn/streamclose() macros
+
+ CURLDEBUG is for the memory debugging
+
+ DEBUGBUILD is for the extra debug stuff
+
+ Pointed-out-by: Steve Holme
-- [Damien Vielpeau brought this change]
+- KNOWN_BUGS: mention some cmake "support gaps"
- mbedtls: fix MBEDTLS_DEBUG builds
+Nick Zitzmann (28 Aug 2016)
+- darwinssl: add documentation stating that the --cainfo option is intended for backward compatibility only
+
+ In other news, I changed one other reference to "Mac OS X" in the documentation (that I previously wrote) to say "macOS" instead.
-- mbedtls: implement and provide *_data_pending()
+Daniel Stenberg (28 Aug 2016)
+- http2: return CURLE_HTTP2_STREAM for unexpected stream close
- ... as otherwise we might get stuck thinking there's no more data to
- handle.
+ Follow-up to c3e906e9cd0f, seems like a more appropriate error code
- Reported-by: Damien Vielpeau
+ Suggested-by: Jay Satiro
+
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: handle closed streams when uploading
- Fixes #737
+ Fixes #986
-- mbedtls: follow-up for the previous commit
+- http2: make sure stream errors don't needlessly close the connection
+
+ With HTTP/2 each transfer is made in an indivial logical stream over the
+ connection, making most previous errors that caused the connection to get
+ forced-closed now instead just kill the stream and not the connection.
+
+ Fixes #941
-- mbedtls.c: name space pollution fix, Use 'Curl_'
+- Curl_verify_windows_version: minor edit to avoid compiler warnings
+
+ ... instead of if() before the switch(), add a default to the switch so
+ that the compilers don't warn on "warning: enumeration value
+ 'PLATFORM_DONT_CARE' not handled in switch" anymore.
-- mbedtls.c: changed private prefix to mbed_
+Steve Holme (27 Aug 2016)
+- RELEASE-NOTES: Added missing fix from commit 15592143f
+
+Jay Satiro (26 Aug 2016)
+- schannel: Disable ALPN for Wine since it is causing problems
- mbedtls_ is the prefix used by the mbedTLS library itself so we should
- avoid using that for our private functions.
+ - Disable ALPN on Wine.
+
+ - Don't pass input secbuffer when ALPN is disabled.
+
+ When ALPN support was added a change was made to pass an input secbuffer
+ to initialize the context. When ALPN is enabled the buffer contains the
+ ALPN information, and when it's disabled the buffer is empty. In either
+ case this input buffer caused problems with Wine and connections would
+ not complete.
+
+ Bug: https://github.com/curl/curl/issues/983
+ Reported-by: Christian Fillion
-- mbedtls.h: fix compiler warnings
+Kamil Dudka (26 Aug 2016)
+- [Peter Wang brought this change]
-- Revert "winbuild: trying to set some files eol=crlf for git"
+ nss: work around race condition in PK11_FindSlotByName()
- This reverts commit 9c08b4f1e7eced5a4d3782a3e0daa484c9d77d21.
+ Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
+ a multi-threaded environment. The underlying cause is a race condition
+ in nssSlot_IsTokenPresent().
- Didn't help. Caused problems.
+ Bug: https://bugzilla.mozilla.org/1297397
- Fixes #756
+ Closes #985
-- curl.1: use example.com more
+- nss: refuse previously loaded certificate from file
- Make (most) example snippets use the example.com domain instead of the
- random ones picked and used before. Some of those were probably
- legitimate sites and some not. example.com is designed for this purpose.
+ ... when we are not asked to use a certificate from file
+
+Daniel Stenberg (26 Aug 2016)
+- ftp_done: remove dead code
+
+- TLS: random file/egd doesn't have to match for conn reuse
+- test161: add comment for the exit code
+
+Dan Fandrich (26 Aug 2016)
+- test219: Add http as a required feature
+
+Daniel Stenberg (25 Aug 2016)
- [Michael Kaufmann brought this change]
- HTTP2: Add a space character after the status code
+ HTTP: stop parsing headers when switching to unknown protocols
+
+ - unknown protocols probably won't send more headers (e.g. WebSocket)
+ - improved comments and moved them to the correct case statements
+
+ Closes #899
+
+- openssl: make build with 1.1.0 again
+
+ synced with OpenSSL git master commit cc06906707
+
+- INTERNALS: fix title
+
+- configure: detect zlib with our pkg-config macros
+
+ ... instead of relying on the pkg-config autoconf macros to be present.
+
+ Fixes #972 (again...)
+
+Jay Satiro (25 Aug 2016)
+- http2: Remove incorrect comments
+
+ .. also remove same from scp
+
+Daniel Stenberg (23 Aug 2016)
+- [Ales Novak brought this change]
+
+ ftp: fix wrong poll on the secondary socket
+
+ When we're uploading using FTP and the server issues a tiny pause
+ between opening the connection to the client's secondary socket, the
+ client's initial poll() times out, which leads to second poll() which
+ does not wait for POLLIN on the secondary socket. So that poll() also
+ has to time out, creating a long (200ms) pause.
+
+ This patch adds the correct flag to the secondary socket, making the
+ second poll() correctly wait for the connection there too.
+
+ Signed-off-by: Ales Novak <alnovak@suse.cz>
+
+ Closes #978
+
+- RELEASE-NOTES: synced with 95ded2c56
+
+- configure: make it work without PKG_CHECK_MODULES
+
+ With commit c2f9b78 we added a new dependency on pkg-config for
+ developers which may be unwanted. This change make the configure script
+ still work as before if pkg-config isn't installed, it'll just use the
+ old zlib detection logic without pkg-config.
+
+ Reported-by: Marc Hörsken
+
+ Fixes #972
+
+Marc Hoersken (21 Aug 2016)
+- Revert "KNOWN_BUGS: SOCKS proxy not working via IPv6"
+
+ This reverts commit 9cb1059f92286a6eb5d28c477fdd3f26aed1d554.
+
+ As discussed in #835 SOCKS5 supports IPv6 proxies and destinations.
+
+Daniel Stenberg (21 Aug 2016)
+- [Marco Deckel brought this change]
+
+ win: Basic support for Universal Windows Platform apps
+
+ Closes #820
+
+Steve Holme (21 Aug 2016)
+- sasl: Don't use GSSAPI authentication when domain name not specified
+
+ Only choose the GSSAPI authentication mechanism when the user name
+ contains a Windows domain name or the user is a valid UPN.
+
+ Fixes #718
+
+- vauth: Added check for supported SSPI based authentication mechanisms
+
+ Completing commit 00417fd66c and 2708d4259b.
+
+- http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
+
+ From commit 2708d4259b.
+
+Marc Hoersken (20 Aug 2016)
+- socks.c: display the hostname returned by the SOCKS5 proxy server
- The space character after the status code is mandatory, even if the
- reason phrase is empty (see RFC 7230 section 3.1.2)
+ Instead of displaying the requested hostname the one returned
+ by the SOCKS5 proxy server is used in case of connection error.
+ The requested hostname is displayed earlier in the connection sequence.
- Closes #755
+ The upper-value of the port is moved to a temporary variable and
+ replaced with a 0-byte to make sure the hostname is 0-terminated.
-- [Viktor Szakats brought this change]
+Steve Holme (20 Aug 2016)
+- urldata.h: Corrected comment for httpcode which is also populated by SMTP
+
+ As of 7.25.0 and commit 5430007222.
- URLs: change http to https in many places
+Marc Hoersken (20 Aug 2016)
+- socks.c: use Curl_printable_address in SOCKS5 connection sequence
- Closes #754
+ Replace custom string formatting with Curl_printable_address.
+ Add additional debug and error output in case of failures.
-- winbuild: trying to set some files eol=crlf for git
+- socks.c: align SOCKS4 connection sequence with SOCKS5
- Thinking it might help to apply patches etc with git.
+ Calling sscanf is not required since the raw IPv4 address is
+ available and the protocol can be detected using ai_family.
-- [Theodore Dubois brought this change]
+Steve Holme (20 Aug 2016)
+- http.c: Corrected indentation change from commit 2708d4259b
+
+ Made by Visual Studio's auto-correct feature and missed by me in my own
+ code reviews!
- curl.1: change example for -F
+- http: Added calls to Curl_auth_is_<mechansism>_supported()
- It's a bad idea to send your passwords anywhere, especially over HTTP.
- Modified example to send a picture instead.
+ Hooked up the HTTP authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
- Fixes #752
+ As per commit 00417fd66c existing functionality is maintained for now.
-- KNOWN_BUGS: reorganized and cleaned up
+Marc Hoersken (20 Aug 2016)
+- socks.c: improve verbose output of SOCKS5 connection sequence
+
+- configure.ac: add missing quotes to PKG_CHECK_MODULES
+
+Steve Holme (20 Aug 2016)
+- sasl: Added calls to Curl_auth_is_<mechansism>_supported()
- Now sorted into categories and organized in the same style we do the
- TODO document. It will make each issue linked properly on the
- https://curl.haxx.se/docs/knownbugs.html web page.
+ Hooked up the SASL authentication layer to query the new 'is mechanism
+ supported' functions when deciding what mechanism to use.
- The sections should make it easier to find issues and issues related to
- areas of the reader's specific interest.
+ For now existing functionality is maintained.
-Jay Satiro (6 Apr 2016)
-- KNOWN_BUGS: #95 curl in Windows can't handle Unicode arguments
+Daniel Stenberg (19 Aug 2016)
+- [Miroslav Franc brought this change]
-Steve Holme (6 Apr 2016)
-- KNOWN_BUGS: Use https://curl.haxx.se URL for github based issues
+ spnego_sspi: fix memory leak in case *outlen is zero (#970)
-- CHECKSRC.md: Corrected some typos
+- CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex
-- RELEASE-NOTES: Corrected last updated
+Steve Holme (18 Aug 2016)
+- vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
- Included a summary of the checksrc.bat updates and combined two krb5
- changes as they should have been implemented at the same time.
-
-- vauth: Corrected a number of typos in comments
+ As Windows SSPI authentication calls fail when a particular mechanism
+ isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
+ and Negotiate to allow both HTTP and SASL authentication the opportunity
+ to query support for a supported mechanism before selecting it.
- Reported-by: Michael Osipov
+ For now each function returns TRUE to maintain compatability with the
+ existing code when called.
-Jay Satiro (5 Apr 2016)
-- KNOWN_BUGS: #94 IMAP custom requests use the LIST handler
+Daniel Stenberg (18 Aug 2016)
+- test1144: verify HEAD with body-only response
+
+Steve Holme (17 Aug 2016)
+- RELEASE-PROCEDURE: Added some more future release dates
- Bug: https://github.com/curl/curl/issues/536
- Reported-by: eXeC64@users.noreply.github.com
+ ...and removed some old ones
-Daniel Stenberg (5 Apr 2016)
-- KNOWN_BUGS: remove 68, 70 and 72.
+Daniel Stenberg (17 Aug 2016)
+- [David Woodhouse brought this change]
+
+ curl: allow "pkcs11:" prefix for client certificates
- Due to their age (we don't fully know if they actually remain) and lack
- of detail - very few people will bother to find out what they're about
- or work on them. If people truly still suffer from any of these, I
- assume they will be reported again and then we'll deal with them.
+ RFC7512 provides a standard method to reference certificates in PKCS#11
+ tokens, by means of a URI starting 'pkcs11:'.
- 72. "Pausing pipeline problems."
- https://curl.haxx.se/mail/lib-2009-07/0214.html
+ We're working on fixing various applications so that whenever they would
+ have been able to use certificates from a file, users can simply insert
+ a PKCS#11 URI instead and expect it to work. This expectation is now a
+ part of the Fedora packaging guidelines, for example.
- 70. Problem re-using easy handle after call to curl_multi_remove_handle
- https://curl.haxx.se/mail/lib-2009-07/0249.html
+ This doesn't work with cURL because of the way that the colon is used
+ to separate the certificate argument from the passphrase. So instead of
- 68. "More questions about ares behavior".
- https://curl.haxx.se/mail/lib-2009-08/0012.html
-
-- KNOWN_BUGS: remove 92 and 88, fixed
-
-- http2: fix connection reuse when PING comes after last DATA
+ curl -E 'pkcs11:manufacturer=piv_II;id=%01' …
- It turns out the google GFE HTTP/2 servers send a PING frame immediately
- after a stream ends and its last DATA has been received by curl. So if
- we don't drain that from the socket, it makes the socket readable in
- subsequent checks and libcurl then (wrongly) assumes the connection is
- dead when trying to reuse the connection.
+ I instead need to invoke cURL with the colon escaped, like this:
- Reported-by: Joonas Kuorilehto
+ curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …
- Discussed in #750
-
-- multi: remove trailing space in debug output
-
-- RELEASE-NOTES: synced with 86e97b642fb
-
-- CHECKSRC.md: mention cmdline options, fix the bullet list
-
-- docs/CHECKSRC.md: initial version
-
-Steve Holme (3 Apr 2016)
-- checksrc.bat: Added support for the examples
-
-Daniel Stenberg (3 Apr 2016)
-- lib/src: fix the checksrc invoke
+ This is suboptimal because we want *consistency* — the URI should be
+ usable in place of a filename anywhere, without having strange
+ differences for different applications.
- ... now works correctly when invoke from the root makefile
-
-- nw: please the stricter checksrc
-
-Steve Holme (3 Apr 2016)
-- checksrc.bat: Re-enabled the tests directory by default
+ This patch therefore disables the processing in parse_cert_parameter()
+ when the string starts with 'pkcs11:'. It means you can't pass a
+ passphrase with an unescaped PKCS#11 URI, but there's no need to do so
+ because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
+ the URI itself.
- Following the recent changes to the source in the tests directory,
- re-enabled tests for the default scan.
-
-- checksrc.bat: Added tests/server directory support
+ Also, if users are already using RFC7512 URIs with the colon escaped as
+ in the above example — even providing a passphrase for cURL to handling
+ instead of using a pin-value attribute, that will continue to work
+ because their string will start 'pkcs11\:' and won't match the check.
- In addition to commit 83b174b3f0 and following the recent changes.
-
-- tests: Fixed header files to comply with our code style
+ What *does* break with this patch is the extremely unlikely case that a
+ user has a file which is in the local directory and literally named
+ just "pkcs11", and they have a passphrase on it. If that ever happened,
+ the user would need to refer to it as './pkcs11:<passphrase>' instead.
-Daniel Stenberg (3 Apr 2016)
-- make checksrc: run it in docs/examples too by default
+- nss: make the global variables static
-- docs/examples: remove spurious white spaces all over
+- openssl: use regular malloc instead of OPENSSL_malloc
- ... to please the new, slightly picker, checksrc.pl
-
-- tests: fix make checksrc in servers/
-
-- tests: 'make checksrc' now checks server/ too
-
-- root/make: have checksrc run in include/curl too
-
-- tests/server: comply with our code style
-
-- code: style updates
-
-- checksrc: check for more malplaced spaces
+ This allows for better memmory debugging and torture tests.
-- unit: make unit test source code checksrc compliant
+- proxy: fix tests as follow-up to 93b0d907d5
+
+ This fixes tests that were added after 113f04e664b as the tests would
+ fail otherwise.
+
+ We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
+ regressions with old and stupid proxies, but we could possibly switch to
+ using it only for CONNECT or only for NTLM in a future if we want to
+ gradually reduce it.
+
+ Fixes #954
+
+ Reported-by: János Fekete
-- checksrc: run checksrc in tests when 'make checksrc' in root
+- Revert "Proxy-Connection: stop sending this header by default"
+
+ This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
-- checksrc: remove debug crap
+- CURLOPT_PROXY.3: unsupported schemes cause errors now
+
+ Follow-up to a96319ebb9 (document the new behavior)
-- lib557: allow too long lines
+- tests/README: mention nghttpx for HTTP/2 tests
-- checksrc: allow ignore of specific warnings within a file (section)
+- README.md: add our CII Best Practices badge
-- checksrc: add warning names, explain on help output
+- proxy: polished the error message for unsupported schemes
+
+ Follow up to a96319ebb93
-Steve Holme (3 Apr 2016)
-- checksrc.bat: Disable tests by default until warnings are fixed
+- test219: verify unsupported scheme for proxies get rejected
-- checksrc.bat: Added support for the tests directory
+- proxy: reject attempts to use unsupported proxy schemes
+
+ I discovered some people have been using "https://example.com" style
+ strings as proxy and it "works" (curl doesn't complain) because curl
+ ignores unknown schemes and then assumes plain HTTP instead.
+
+ I think this misleads users into believing curl uses HTTPS to proxies
+ when it doesn't. Now curl rejects proxy strings using unsupported
+ schemes instead of just ignoring and defaulting to HTTP.
-- vauth: Removed the need for a separate GSS-API based SPN function
+- RELEASE-NOTES: synced with b7ee5316c2fd5b
-- curl_sasl: Fixed potential null pointer utilisation
-
- Although this should never happen due to the relationship between the
- 'mech' and 'resp' variables, and the way they are allocated together,
- it does cause problems for code analysis tools:
+Marc Hoersken (14 Aug 2016)
+- socks.c: Correctly calculate position of port in response packet
- V595 The 'mech' pointer was utilized before it was verified against
- nullptr. Check lines: 376, 381. curl_sasl.c 376
+ Third commit to fix issue #944 regarding SOCKS5 error handling.
- Bug: https://github.com/curl/curl/issues/745
- Reported-by: Alexis La Goutte
+ Reported-by: David Kalnischkies
-- spnego: Small code tidy up
+- socks.c: Do not modify and invalidate calculated response length
- * Prefer dereference of string pointer rather than strlen()
- * Free challenge pointer in one place
- * Additional comments
-
-- krb5: Small code tidy up
+ Second commit to fix issue #944 regarding SOCKS5 error handling.
- * Prefer dereference of string pointer rather than strlen()
- * Free challenge pointer in one place
- * Additional comments
+ Reported-by: David Kalnischkies
-- krb5_gssapi: Only process challenge when present
+- socks.c: Move error output after reading the whole response packet
- This wouldn't cause a problem because of the way the function is called,
- but prior to this change, we were processing the challenge message when
- the credentials were NULL rather than when the challenge message was
- populated.
+ First commit to fix issue #944 regarding SOCKS5 error handling.
- This also brings this part of the Kerberos 5 code in line with the
- Negotiate code.
+ Reported-by: David Kalnischkies
+
+Daniel Stenberg (13 Aug 2016)
+- [Ronnie Mose brought this change]
-- krb5: Fixed missing client response when mutual authentication enabled
+ MANUAL: Remove invalid link to LDAP documentation (#962)
- Although mutual authentication is currently turned off and can only be
- enabled by changing libcurl source code, authentication using Kerberos
- 5 has been broken since commit 79543caf90 in this use case.
+ The server developer.netscape.com does not resolve into any
+ ip address and can be removed.
-- krb5_sspi: Only process challenge when present
+Jay Satiro (13 Aug 2016)
+- openssl: accept subjectAltName iPAddress if no dNSName match
+
+ Undo change introduced in d4643d6 which caused iPAddress match to be
+ ignored if dNSName was present but did not match.
+
+ Also, if iPAddress is present but does not match, and dNSName is not
+ present, fail as no-match. Prior to this change in such a case the CN
+ would be checked for a match.
- This wouldn't cause a problem because of the way the function is called,
- but prior to this change, we were processing the challenge message when
- the credentials were NULL rather than when the challenge message was
- populated.
+ Bug: https://github.com/curl/curl/issues/959
+ Reported-by: wmsch@users.noreply.github.com
+
+Daniel Stenberg (12 Aug 2016)
+- [Dambaev Alexander brought this change]
+
+ configure.ac: add zlib search with pkg-config
- This also brings this part of the Kerberos 5 code in line with the
- Negotiate code.
+ Closes #956
-- krb5_sspi: Only generate the output token when its not allocated
+- rtsp: ignore whitespace in session id
- Prior to this change, we were generating the output token when the
- credentials were NULL rather than when the output token was NULL.
+ Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
+ whitespace as well.
- This also brings this part of the Kerberos 5 code in line with the
- Negotiate code.
+ Help-by: Erik Janssen
-- krb5: Only generate a SPN when its not known
+- HTTP: retry failed HEAD requests too
+
+ Mark's new document about HTTP Retries
+ (https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
+ spotted that we don't retry failed HEAD requests which seems totally
+ inconsistent and I can't see any reason for that separate treatment.
- Prior to this change, we were generating the SPN in the SSPI code when
- the credentials were NULL and in the GSS-API code when the context was
- empty. It is better to decouple the SPN generation from these checks
- and only generate it when the SPN itself is NULL.
+ So, no separate treatment for HEAD starting now. A HTTP request sent
+ over a reused connection that gets cut off before a single byte is
+ received will be retried on a fresh connection.
- This also brings this part of the Kerberos 5 code in line with the
- Negotiate code.
+ Made-aware-by: Mark Nottingham
-Daniel Stenberg (3 Apr 2016)
-- tests/libtest: follow our code style guidelines better
-
- ... checksrc of all test code is pending.
+- mk-ca-bundle.1: document -m, added in 1.26
-- checksrc.whitelist: remove fopen() uses
+- RELEASE-NOTES: synced with e577c43bb5
-- formdata: use appropriate fopen() macros
+- [Erik Janssen brought this change]
-- checksrc: improve the fopen() parser somewhat
+ rtsp: accept any RTSP session id
- The quote scanner was too fragile, now look for a comma instead to find
- the mode argument.
-
-- unit1604: fix snprintf
+ Makes libcurl work in communication with gstreamer-based RTSP
+ servers. The original code validates the session id to be in accordance
+ with the RFC. I think it is better not to do that:
+
+ - For curl the actual content is a don't care.
- follow-up to 0326b06
+ - The clarity of the RFC is debatable, is $ allowed or only as \$, that
+ is imho not clear
- sizeof(pointer) is no good for the buffer size!
+ - Gstreamer seems to url-encode the session id but % is not allowed by
+ the RFC
- Reported-by: Viktor Szakats
-
-Steve Holme (3 Apr 2016)
-- unittests: Fixed compilation warnings
+ - less code
- warning: implicit declaration of function 'sprintf_was_used'
- [-Wimplicit-function-declaration]
+ With this patch curl will correctly handle real-life lines like:
+ Session: biTN4Kc.8%2B1w-AF.; timeout=60
- Follow up to the modications made to tests/libtest in commit 55452ebdff
- as we prefer not to use sprintf() now.
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
-Daniel Stenberg (2 Apr 2016)
-- curl.1: -w filename_effective was introduced in 7.26.0
+- symbols-in-versions: add CURL_STRICTER
- We never made a 7.25.1 release
+ Added in 5fce88aa8c12564
-- 7.49.0: next release version
+- [Simon Warta brought this change]
-- http2: make use of the nghttp2 error callback
-
- It offers extra info from nghttp2 in certain error cases. Like for
- example when trying prior-knowledge http2 on a server that doesn't speak
- http2 at all. The error message is passed on as a verbose message to
- libcurl.
+ winbuild: Allow changing C compiler via environment variable CC (#952)
- Discussed in #722
+ This makes it possible to use specific compilers or a cache.
- The error callback was added in nghttp2 1.9.0
+ Sample use for clcache:
+ set CC=clcache.bat
+ nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
-Steve Holme (2 Apr 2016)
-- spnego: Renamed the context's SPN variable
-
- To be consistent with the Kerberos 5 context and other authentication
- code.
+- LICENSE-MIXING.md: switched to markdown
-- krb5_gssapi: Renamed the status variables
-
- For consistency with the spnego code.
+- docs-make: have markdown files use .md
-- krb5: Moved host from Curl_auth_create_gssapi_user_message() to be argument
-
- For consistency with the spnego and oauth2 code moved the setting of
- the host name outside of the Curl_auth_create_gssapi_user_messag()
- function.
-
- This will allow us to more easily override it in the future.
+- curl.h: make CURL_NO_OLDIES define CURL_STRICTER
-- test1119: Fixed missing CURL_DID_MEMORY_FUNC_TYPEDEFS symbol
+- HISTORY.md: use markdown extension
-- RELEASE-NOTES: Removed "http_negotiate: Corrected host and proxy host name"
-
- As this was introduced in the recent vauth changes and not a prior
- release.
+- SSLCERTS.md: renamed to markdown extension
-Daniel Stenberg (1 Apr 2016)
-- RELEASE-NOTES: synced with 0aa8da10bbdafa
+- INTERNALS.md: use markdown extension for markdown content
-Steve Holme (1 Apr 2016)
-- http_negotiate: Corrected host and proxy host name being wrong way round
-
- I had accidentally used the proxy server name for the host and the host
- server name for the proxy in commit ad5e9bfd5d and 6d6f9ca1d9. Whilst
- Windows SSPI was quite happy with this, GSS-API wasn't.
-
- Thanks-to: Michael Osipov
+- CONTRIBUTE.md: markdown extension
-- build: Changed the Visual Studio projects warning level from 3 to 4
-
- After squashing most of our compiler warnings, up'ed the default
- warning level from 3 to 4 in order to increase the likelyhood of
- catching future warnings.
+- CONTRIBUTE: changed to markdown
-Daniel Stenberg (1 Apr 2016)
-- [ehlertjd@gmail.com brought this change]
+- CONTRIBUTE: refreshed
- IMAP: check pointer before dereferencing it
-
- may be null in the CURLOPT_CONNECT_ONLY case
-
- Fixes #747
+- TODO: added an SSH section and two SFTP things to do
-Steve Holme (1 Apr 2016)
-- .gitignore: Added new VC14 SQLite based program database files
+- TODO: remove the 1.22 duplicated item
-- curl_memory.h: Fixed typo in comment
-
- From commit 7218b52c49.
+- TODO: move "CURLOPT_MAIL_CLIENT" to SMTP section
-- spnego: Corrected some typos in comments
-
- Corrected typos from commit ad5e9bfd5d and 6d6f9ca1d9.
+- TODO: API for URL parsing/splitting
-- memdebug: Ensure curl/curl.h is included before curl_memory.h
-
- Follow up to commit 7db9782dd6.
+- TODO: move QUIC to the HTTP section
-Daniel Stenberg (1 Apr 2016)
-- upload: missing rewind call could make libcurl hang
-
- When an upload is done, there are two places where that can be detected
- and only one of them would rewind the input stream - which sometimes is
- necessary for example when doing NTLM HTTP POSTs and more.
-
- This could then end up libcurl hanging.
-
- Figured-out-by: Isaac Boukris
- Reported-by: Anatol Belski
-
- Fixes #741
+- [Simon Warta brought this change]
-- curl.h: define CURL_DID_MEMORY_FUNC_TYPEDEFS
+ winbuild: Free name $(CC) in Makefile (#950)
- So that we only do the extra typedefs in curl_memory.h when we really
- need to and avoid double typedefs.
+ In the old line number 290, CC and CURL_CC had the same value. After
+ that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
- follow-up commit to 7218b52c49aeb1
+ This gets rid of the CC variable entirely. It is a first step to make it
+ possible to manualyl set a CC variable in order to be able to change the
+ compiler.
+
+- TODO: Use huge HTTP/2 windows
+
+- [Simon Warta brought this change]
+
+ winbuild: Avoid setting redundant CFLAGS to compile commands (#949)
- Thanks-to: Steve Holme
+ $(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
+ all arguments in CURL_CFLAGS have been added twice.
-- curl/mprintf.h: remove support for _MPRINTF_REPLACE
+Jay Satiro (8 Aug 2016)
+- cmake: Enable win32 threaded resolver by default
- The define is not in our name space and is therefore not protected by
- our API promises.
+ - Turn on USE_THREADS_WIN32 in Windows if ares isn't on
- It was only really used by libcurl internals but was mostly erased from
- there already in 8aabbf5 (March 2015). This is supposedly the final
- death blow to that define from everywhere.
+ This change is similar to what we already do in the autotools build.
+
+- cmake: Enable win32 large file support by default
- As a side-effect, making sure _MPRINTF_REPLACE is gone and not used, I
- made the lib tests in tests/libtest/ use curl_printf.h for its redefine
- magic and then subsequently the use of sprintf() got banned in the tests
- as well (as it is in libcurl internals) and I then replaced them all
- with snprintf().
+ All compilers used by cmake in Windows should support large files.
- In the unlikely event that any users is actually using this define and
- gets sad by this change, it is very easily copied to the user's own
- code.
+ - Add test SIZEOF_OFF_T
+ - Remove outdated test SIZEOF_CURL_OFF_T
+ - Turn on USE_WIN32_LARGE_FILES in Windows
+ - Check for 'Largefile' during the features output
-- curl_memory.h: avoid the curl/curl.h include
-
- Discussed in #743
+Daniel Stenberg (7 Aug 2016)
+- TODO: added several ideas, removed SPDY
-Steve Holme (1 Apr 2016)
-- url: Corrected get protocol family for FTP and LDAP
+- http2: always wait for readable socket
- Fixed copy/paste error from commit a5aec58726.
-
-Jay Satiro (31 Mar 2016)
-- strerror: don't bit shift a signed integer
+ Since the server can at any time send a HTTP/2 frame to us, we need to
+ wait for the socket to be readable during all transfers so that we can
+ act on incoming frames even when uploading etc.
- Bug: https://github.com/curl/curl/issues/744
- Reported-by: Alexis La Goutte
+ Reminded-by: Tatsuhiro Tsujikawa
-Daniel Stenberg (31 Mar 2016)
-- http2: more documentation for prior knowledge
+- RELEASE-NOTES: synced with 7b4bf37a44791
-- [Diego Bes brought this change]
+- [Thomas Glanzmann brought this change]
- http2: support "prior knowledge", no upgrade from HTTP/1.1
+ mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
- Supports HTTP/2 over clear TCP
+ In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
+ to 0. This patch also adds a comment how mbedtls must be compiled in
+ order to make debugging work, and explains the possible debug levels.
+
+- CURLOPT_TCP_NODELAY: now enabled by default
- - Optimize switching to HTTP/2 by removing calls to init and setup
- before switching. Switching will eventually call setup and setup calls
- init.
+ After a few wasted hours hunting down the reason for slowness during a
+ TLS handshake that turned out to be because of TCP_NODELAY not being
+ set, I think we have enough motivation to toggle the default for this
+ option. We now enable TCP_NODELAY by default and allow applications to
+ switch it off.
- - Supports new version to “force” the use of HTTP/2 over clean TCP
+ This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
+ used to disable it.
- - Add common line parameter “--http2-prior-knowledge” to the Curl
- command line tool.
+ Thanks-to: Tim Rühsen
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
+
+- [Serj Kalichev brought this change]
-- imap: remove duplicated function
+ TFTP: Fix upload problem with piped input
- The list and search response functions were identical! Merged into one
- now. Detected by PVS Studio.
+ When input stream for curl is stdin and input stream is not a file but
+ generated by a script then curl can truncate data transfer to arbitrary
+ size since a partial packet is treated as end of transfer by TFTP.
- Reported-by: Alexis La Goutte
+ Fixes #857
-- SOCKS5_gssapi_negotiate: don't assume little-endian ints
+- mk-ca-bundle.pl: -m keeps ca cert meta data in output
- The code copied one byte from a 32bit integer, which works fine as long
- as the byte order is the same. Not a fine assumption. Reported by PVS
- Studio.
+ Makes the script pass on comments holding meta data to the output
+ file. Like fingerprinters, issuer, date ranges etc.
- Reported-by: Alexis La Goutte
-
-- http: remove ((expression)) double parentheses
+ Closes #937
-- Curl_add_buffer_send: avoid possible NULL dereference
+- multi: make Curl_expire() work with 0 ms timeouts
- ... as we check for a NULL pointer below, we move the derefence to after
- the check. Detected by PVS Studio.
+ Previously, passing a timeout of zero to Curl_expire() was a magic code
+ for clearing all timeouts for the handle. That is now instead made with
+ the new Curl_expire_clear() function and thus a 0 timeout is fine to set
+ and will trigger a timeout ASAP.
- Reported-by: Alexis La Goutte
+ This will help removing short delays, in particular notable when doing
+ HTTP/2.
-- file: remove duplicate checks of the same variable
+- transfer: return without select when the read loop reached maxcount
- ... as it doesn't change in between. Deteced by PVS Studio.
+ Regression added in 790d6de48515. The was then added to avoid one
+ particular transfer to starve out others. But when aborting due to
+ reading the maxcount, the connection must be marked to be read from
+ again without first doing a select as for some protocols (like SFTP/SCP)
+ the data may already have been read off the socket.
- Reported-by: Alexis La Goutte
+ Reported-by: Dan Donahue
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html
-Steve Holme (30 Mar 2016)
-- [Marcel Raad brought this change]
+Steve Holme (3 Aug 2016)
+- [Bill Nagel brought this change]
- openssl: Fix compilation warnings
-
- When compiling with OpenSSL 1.1.0 (so that the HAVE_X509_GET0_SIGNATURE
- && HAVE_X509_GET0_EXTENSIONS pre-processor block is active), Visual C++
- 14 complains:
-
- warning C4701: potentially uninitialized local variable 'palg' used
- warning C4701: potentially uninitialized local variable 'psig' used
+ mbedtls: Added support for NTLM
-Daniel Stenberg (30 Mar 2016)
-- multi: turn Curl_done into file local multi_done
-
- ... as it now is used by multi.c only.
+Daniel Stenberg (3 Aug 2016)
+- [Sergei Nikulov brought this change]
-- multi: multi_reconnect_request is the former Curl_reconnect_request
+ travis: removed option to rebuild autotool from source
- now a file local function in multi.c
+ Fixes #943
-- multi: move Curl_do and Curl_do_done to multi.c and make static
-
- ... called multi_do and multi_do_done as they're file local now.
+- bump: start working toward 7.50.2
-Jay Satiro (29 Mar 2016)
-- wolfssl: Use ECC supported curves extension
-
- https://github.com/wolfSSL/wolfssl/issues/366
+Version 7.50.1 (3 Aug 2016)
-- build-wolfssl: Allow a broader range of ciphers (Visual Studio)
-
- This is an update to the build-time options used to build wolfSSL in
- Visual Studio for greater compatibility, and make it behave similar to
- the way OpenSSL 1.0.2 behaves. Starting in wolfSSL v3.6.6 static ciphers
- and SSLv3 are disabled by default at build time, but we can use both.
-
- - Enable static cipher suites TLS_ECDH_ and TLS_RSA_.
-
- - Enable SSLv3 hello. Though in libcurl we disable it by default at
- runtime, we make it available so the user can manually select it if
- necessary.
+Daniel Stenberg (3 Aug 2016)
+- THANKS: 7 new contributors from the 7.50.1 release
-Daniel Stenberg (29 Mar 2016)
-- [Isaac Boukris brought this change]
+- RELEASE-NOTES: 7.50.1
- GSS: make Curl_gss_log_error more verbose
-
- Also display the GSS_C_GSS_CODE (major code) when specified instead of
- only GSS_C_MECH_CODE (minor code).
-
- In addition, the old code was printing a colon twice after the prefix
- and also miscalculated the length of the buffer in between calls to
- gss_display_status (the length of ": " was missing).
-
- Also, gss_buffer is not guaranteed to be NULL terminated and thus need
- to restrict reading by its length.
+- TLS: only reuse connections with the same client cert
- Closes #738
+ CVE-2016-5420
+ Bug: https://curl.haxx.se/docs/adv_20160803B.html
-- build: use roffit 0.11 feature
+- TLS: switch off SSL session id when client cert is used
- ... load file specified as argument.
+ CVE-2016-5419
+ Bug: https://curl.haxx.se/docs/adv_20160803A.html
+ Reported-by: Bru Rom
+ Contributions-by: Eric Rescorla and Ray Satiro
-- http2: set correct scheme in handler structs [regression]
-
- Since commit a5aec58 the handler schemes need to match for the
- connections to be reused and for HTTP/2 multiplexing to work, reusing
- connections is very important!
+- curl_multi_cleanup: clear connection pointer for easy handles
- Closes #736
+ CVE-2016-5421
+ Bug: https://curl.haxx.se/docs/adv_20160803C.html
+ Reported-by: Marcelo Echeverria and Fernando Muñoz
-- hostip.c: minor white space edit for style
+- KNOWN_BUGS: SOCKS proxy not working via IPv6
+
+ Closes #835
-- [Viktor Szakats brought this change]
+- KNOWN_BUGS: CURLOPT_SEEKFUNCTION not called with CURLFORM_STREAM
+
+ Closes #768
- TODO: use secure protocol in recently added URL
+- KNOWN_BUGS: transfer-encoding: chunked in HTTP/2
- Closes #733
+ Closes #662
-- HTTP2.md: mention libressl and boringssl too
+- TODO: Provide cmake config-file
+
+ Closes #885
-- docs/HTTP-COOKIES: converted to markdown
+Patrick Monnerat (2 Aug 2016)
+- os400: define BUILDING_LIBCURL in make script.
-- HTTP2: s/polarssl/mbedtls
+Daniel Stenberg (1 Aug 2016)
+- RELEASE-NOTES: synced with aa9f536a18b
-Jay Satiro (28 Mar 2016)
-- wolfssl: Add ALPN support
+Jay Satiro (1 Aug 2016)
+- [Thomas Glanzmann brought this change]
-- tool_operate: remove mixed declaration
+ mbedtls: Fix debug function name
- This is a follow up to the previous commit.
-
-Daniel Stenberg (28 Mar 2016)
-- curl: warn for --capath use if not supported by libcurl
+ This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
+ defined.
- Closes #492
+ Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
-- TODO: 2.5 Edge-triggered sockets should work
+Daniel Stenberg (1 Aug 2016)
+- [Sergei Nikulov brought this change]
-- Makefile.am: skip the scripts dir
-
- Skipping the scripts dir is primarily done for 'make install' so that it
- does not attempt to install the zsh completion script as we've not yet
- found a proper way to do/run that at install time.
+ travis: fix OSX build by re-installing libtool
- By leaving the script dir's Makefile in place, a user can still opt to
- run make install manually in there.
+ Apparently due to a broken homebrew install
- Closes #620
+ fixes #934
+ Closes #939
-- CURLMOPT_SOCKETFUNCTION.3: describe the 'what' argument
+- [Martin Vejnár brought this change]
-- curl_multi_socket_action.3: mark the options properly
+ win32: fix a potential memory leak in Curl_load_library
- ... to make them appear as links on the html version.
-
-Steve Holme (27 Mar 2016)
-- RELEASE-NOTES: Synced with f0bdd72c10
+ If a call to GetSystemDirectory fails, the `path` pointer that was
+ previously allocated would be leaked. This makes sure that `path` is
+ always freed.
+
+ Closes #938
-- http_ntlm: Renamed from curl_ntlm.[c|h]
+- include: revert 9adf3c4 and make public types void * again
- Renamed the header and source files for this module as they are HTTP
- specific and as such, they should use the naming convention as other
- HTTP authentication source files do - this revert commit 260ee6b7bf.
+ Many applications assume the actual contents of the public types and use
+ that do for example forward declarations (saving them from including our
+ public header) which then breaks when we switch from void * to a struct
+ *.
- Note: We could also rename curl_ntlm_wb.[c|h], however, the Winbind
- code needs separating from the HTTP protocol and migrating into the
- vauth directory, thus adding support for Winbind to the SASL based
- protocols such as IMAP, POP3 and SMTP.
-
-Daniel Stenberg (27 Mar 2016)
-- [marquis-de-muesli brought this change]
-
- docs: curlinfo_filetime sftp support, new curlopt_quote "statvfs"
+ I'm not convinced we were wrong, but since this practise seems
+ widespread enough I'm willing to (partly) step down.
- Closes #677
-
-- [marquis-de-muesli brought this change]
-
- SSH: new CURLOPT_QUOTE command "statvfs"
+ Now libcurl uses the struct itself when it is built and it allows
+ applications to use the struct type if CURL_STRICTER is defined at the
+ time of the #include.
- usage: "statvfs path"
- returns remote file system statistics
-
-- [marquis-de-muesli brought this change]
-
- SSH: support CURLINFO_FILETIME
+ Reported-by: Peter Frühberger
+ Fixes #926
-- [Karlson2k brought this change]
+Jay Satiro (28 Jul 2016)
+- [Yonggang Luo brought this change]
- sshserver.pl: use quotes for given options
+ cmake: Fix for schannel support
- Fixed failed redirection of stderr with some options. At least on Msys2,
- perl fails to redirect stderr if $value contains newline or other weird
- characters.
-
-Jay Satiro (26 Mar 2016)
-- url: don't use bad offset in tld_check_name to show error
+ The check_library_exists_concat do not check crypt32 library properly.
+ So include it directly.
- libidn's tld_check_lz returns an error offset of the first character
- that it failed to process, however that offset is not a byte offset and
- may not even be in the locale encoding therefore we can't use it to show
- the user the character that failed to process.
+ Bug: https://github.com/curl/curl/pull/917
+ Reported-by: Yonggang Luo
- Bug: https://github.com/curl/curl/issues/731
- Reported-by: Karlson2k
+ Bug: https://github.com/curl/curl/issues/935
+ Reported-by: Alain Danteny
-Steve Holme (26 Mar 2016)
-- http_negotiate: Combine GSS-API and SSPI source files
+- Revert "travis: Install libtool for OS X builds"
- As the GSS-API and SSPI based source files are no longer library/API
- specific, following the extraction of that authentication code to the
- vauth directory, combine these files rather than maintain two separate
- versions.
-
-- vauth: Moved the Negotiate authentication code to the new vauth directory
+ Didn't work.
- Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
+ This reverts commit 50723585ed380744358de054e2a55dccee65dfd7.
-- vauth: Moved the Negotiate authentication code to the new vauth directory
+- travis: Install libtool for OS X builds
- Part 1 of 2 - Moved the SSPI based Negotiate authentication code.
+ CI is failing due to missing libtoolize, so I'm trying this.
-- warnless.h: Removed spurious character from commit 696bc6b9c9
-
- Not picked up by checksrc or Visual Studio but my own code review, this
- would haven broken Intel based Unix builds - Perhaps I should learn to
- type on my laptop's keyboard before committing!
+Daniel Stenberg (26 Jul 2016)
+- [Viktor Szakats brought this change]
-- schannel: Fixed compilation warning from commit f8d88a4913
+ TODO: minor typo in last commit
- warning C4244: '=': conversion from 'int' to 'unsigned short', possible
- loss of data
+ merged #931
-- warnless?: Added some integer based conversion functions
+- TODO: Timeout idle connections from the pool
-Daniel Stenberg (25 Mar 2016)
-- [Dusty Mabe brought this change]
+Patrick Monnerat (25 Jul 2016)
+- os400: minimum supported OS version: V6R1M0.
+ Do not log compilation informational messages.
- docs/TODO: Add feature request for metalink in HTTP headers
+Jay Satiro (24 Jul 2016)
+- tests: Fix for http/2 feature
- Closes #729
- Closes #728
+ Bug: https://curl.haxx.se/mail/lib-2016-07/0070.html
+ Reported-by: Paul Howarth
-Steve Holme (25 Mar 2016)
-- build: Corrected typos from commit 70e56939aa
+Steve Holme (23 Jul 2016)
+- README: Mention wolfSSL in the 'Dependencies' section
-- vauth: Refactored function names after move to new vauth directory
+- vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
- Renamed all the SASL functions that moved to the new vauth directory to
- include the correct module name.
+ As SPNEGO is only defined when these pre-processor variables are defined
+ there is no need to query them explicitly.
-- vauth: Updated the copyright year after recent changes
+- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
- As most of this work was performed in 2015 but not pushed until 2016
- updated the copyright year to reflect the public facing changes.
-
-- vauth: Moved the OAuth 2.0 authentication code to the new vauth directory
+ Typo introduced in commit ad5e9bfd5d.
-- vauth: Moved the NTLM authentication code to the new vauth directory
+Daniel Stenberg (22 Jul 2016)
+- SECURITY: mention how to get windows-specific CVEs
+
+ ... and make the distros link a proper link
-- vauth: Moved the Kerberos V5 authentication code to the new vauth directory
+Dan Fandrich (21 Jul 2016)
+- test558: fix test by stripping file paths from FD lines
-- digest.c: Fixed checksrc warnings
+Kamil Dudka (21 Jul 2016)
+- tests: distribute the http2-server.pl script, too
-- vauth: Moved the DIGEST authentication code to the new vauth directory
+- docs: distribute the CURLINFO_HTTP_VERSION(3) man page, too
-- vauth: Moved the CRAM-MD5 authentication code to the new vauth directory
+Daniel Stenberg (21 Jul 2016)
+- bump: start working on 7.50.1
-- vauth: Moved the ClearText authentication code to the new vauth directory
+Version 7.50.0 (21 Jul 2016)
-- vauth: Moved Curl_sasl_build_spn() to create the initial vauth source files
+Daniel Stenberg (21 Jul 2016)
+- RELEASE-NOTES: version 7.50.0 ready
-- checksrc.bat: Added support for checking the new vauth directory
+- THANKS: 13 new contributors from the 7.50.0 release
-- build: Updated all makefiles and project files for the new vauth directory
+Jay Satiro (21 Jul 2016)
+- winbuild: fix embedded manifest option
- Updated the makefiles and Visual Studio project files to support moving
- the authentication code to the new lib/vauth directory that was started
- in commit 0d04e859e1.
-
-Daniel Stenberg (24 Mar 2016)
-- [JDepooter brought this change]
-
- schannel: Add ALPN support
+ Embedded manifest option didn't work due to typo.
- Add ALPN support for schannel. This allows cURL to negotiate
- HTTP/2.0 connections when built with schannel.
+ Reported-by: Stefan Kanthak
+
+- vauth: Fix memleak by freeing credentials if out of memory
- Closes #724
+ This is a follow up to the parent commit dcdd4be which fixes one leak
+ but creates another by failing to free the credentials handle if out of
+ memory. Also there's a second location a few lines down where we fail to
+ do same. This commit fixes both of those issues.
-Steve Holme (24 Mar 2016)
-- http: Minor update based on CODE_STYLE guidelines
+Daniel Stenberg (20 Jul 2016)
+- [Saurav Babu brought this change]
-Daniel Stenberg (23 Mar 2016)
-- multi: fix "Operation timed out after" timer
-
- Use the local, reasonably updated, 'now' value when creating the message
- string to output for the timeout condition.
+ vauth: Fixed memory leak due to function returning without free
- Fixes #619
+ This patch allocates memory to "output_token" only when it is required
+ so that memory is not leaked if function returns.
-- openssl: boringssl provides the same numbering as openssl
-
- ... so we don't need extra boringssl precautions for for
- HAVE_ERR_REMOVE_THREAD_STATE_NOARG.
+- test558: updated after ipv6-check move
- Pointed-out-by: David Benjamin
+ Follow-up commit to c50980807c5 to make this test pass.
-- openssl: fix ERR_remove_thread_state() for boringssl/libressl
+Jay Satiro (20 Jul 2016)
+- connect: disable TFO on Linux when using SSL
- The removed arg is only done in OpenSSL
+ - Linux TFO + TLS is not implemented yet.
- Bug: https://twitter.com/xtraemeat/status/712564874098917376
-
-- bump: work on 7.48.1
+ Bug: https://github.com/curl/curl/issues/907
-- RELEASE-PROCEDURE: mention the github release tag edit
-
- ... and update the coming release dates a bit
+Daniel Stenberg (19 Jul 2016)
+- ROADMAP: QUIC and TLS 1.3
-Steve Holme (23 Mar 2016)
-- checksrc.bat: Updated the help to be consistent with generate.bat
-
- Follow up to commit a8c7f0fcbf prior to release.
+- RELEASE-NOTES: synced with c50980807c5
-Version 7.48.0 (23 Mar 2016)
+Jay Satiro (18 Jul 2016)
+- [Brian Prodoehl brought this change]
-Daniel Stenberg (23 Mar 2016)
-- RELEASE-NOTES: curl 7.48.0
+ curl_global_init: Check if IPv6 works
+
+ - Curl_ipv6works() is not thread-safe until after the first call, so
+ call it once during global init to avoid a possible race condition.
+
+ Bug: https://github.com/curl/curl/issues/915
+ PR: https://github.com/curl/curl/pull/918
-- THANKS: 15 new contributors from 7.48.0 release
+- [Timothy Polich brought this change]
-Jay Satiro (23 Mar 2016)
-- CURLINFO_TLS_SSL_PTR.3: Warn about limitations
+ CURLMOPT_SOCKETFUNCTION.3: fix typo
- Bug: https://github.com/curl/curl/issues/685
+ Closes https://github.com/curl/curl/pull/914
-Daniel Stenberg (22 Mar 2016)
-- Revert "sshserver: remove use of AuthorizedKeysFile2"
-
- It seems we may have some autobuild problems after this commit went
- in. Trying to see if a revert helps to get them back.
-
- This reverts commit 2716350d1f3edc8e929f6ceeee05051090f6d642.
+- [Miroslav Franc brought this change]
-- maketgz: add -j to make dist
+ library: Fix memory leaks found during static analysis
- ... makes it a lot faster
-
-- libcurl-thread.3: minor nroff format fix
+ Closes https://github.com/curl/curl/pull/913
-- CURLINFO_TLS_SSL_PTR.3: minor nroff format fix
+- [Viktor Szakats brought this change]
-- CODE_STYLE: indend example code
+ cookie.c: Fix misleading indentation
- ... to make it look nicer in markdown outputa
+ Closes https://github.com/curl/curl/pull/911
-Jay Satiro (22 Mar 2016)
-- build-wolfssl: Update VS properties for wolfSSL v3.9.0
-
- - Do not use wolfSSL's sample user-setting files.
-
- wolfSSL starting in v3.9.0 has added their own sample user settings that
- are applied by default, but we don't use them because we have our own
- settings.
-
- - Do not use wolfSSL's Visual Studio Unicode character setting.
-
- wolfSSL Visual Studio projects use the Unicode character set however our
- settings and options imitate mingw build which does not use the Unicode
- character set. This does not appear to have any effect at the moment but
- better safe than sorry.
+- FAQ: Update FTP directory listing section for MLSD command
+ Explain how some FTP servers support the machine readable listing
+ format MLSD from RFC 3659 and compare it to LIST.
- These changes are backwards compatible with earlier versions.
+ Ref: https://github.com/curl/curl/issues/906
-Steve Holme (22 Mar 2016)
-- hostip6: Fixed compilation warnings when verbose strings disabled
-
- warning C4189: 'data': local variable is initialized but not referenced
-
- ...and some minor formatting/spacing changes.
+Daniel Stenberg (1 Jul 2016)
+- [Sergei Nikulov brought this change]
-Daniel Stenberg (21 Mar 2016)
-- sshserver: remove use of AuthorizedKeysFile2
-
- Support for the (undocumented) AuthorizedKeysFile2 was removed in
- OpenSSH 5.9, released in September 2011
+ Appveyor: Updates for options - CURL_STATICLIB/BUILD_TESTING
- Closes #715
+ Closes #892
-Steve Holme (20 Mar 2016)
-- connect/ntlm/http: Fixed compilation warnings when verbose strings disabled
-
- warning C4189: 'data': local variable is initialized but not referenced
+- TODO: 17.4 also brings more HTTP/2 support
-- openssl: Fixed compilation warning when /Wall enabled
+- TODO: try next proxy if one doesn't work
- warning C4706: assignment within conditional expression
+ Closes #896
-- CODE_STYLE: Use boolean conditions
-
- Rather than use TRUE, FALSE, NULL, 0 or != 0 in if/while conditions.
+- conn: don't free easy handle data in handler->disconnect
- Additionally, corrected some example code to adhere to the recommended
- coding style.
+ Reported-by: Gou Lingfeng
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
-- inet_pton.c: Fixed compilation warnings
-
- warning: conversion to 'unsigned char' from 'int' may alter its value
+- test1244: test different proxy ports same URL
-Daniel Stenberg (19 Mar 2016)
-- RELEASE-NOTES: synced with 80851028efc2fa9
+- curl_global_init.3: improved formatting of the flags
-- mbedtls: fix compiler warning
+- curl_global_init.3: expand on the SSL and WIN32 bits purpose
- vtls/mbedtls.h:67:36: warning: implicit declaration of function
- ‘mbedtls_sha256’ [-Wimplicit-function-declaration]
+ Reported-by: Richard Gray
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0136.html
-Steve Holme (19 Mar 2016)
-- easy: Minor coding standard and style updates
-
- Following commit c5744340db. Additionally removes the need for a second
- 'result code' variable as well.
+- [Michael Kaufmann brought this change]
-Jay Satiro (19 Mar 2016)
-- easy: Remove poll failure check in easy_transfer
-
- .. because curl_multi_wait can no longer signal poll failure.
+ cleanup: minor code cleanup in Curl_http_readwrite_headers()
- follow-up to 77e1726
+ - the expression of an 'if' was always true
+ - a 'while' contained a condition that was always true
+ - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
+ - fixed a typo
- Bug: https://github.com/curl/curl/issues/707
+ Closes #889
-Steve Holme (19 Mar 2016)
-- build: Added missing Visual Studio filter files for VC10 onwards
+- SFTP: set a generic error when no SFTP one exists...
- As these files don't need to contain references to the source files,
- although typically do, added basic files which only include three
- filters and don't require the project file generator to be modified.
+ ... as otherwise we could get a 0 which would count as no error and we'd
+ wrongly continue and could end up segfaulting.
- These files allow the source code to be viewed in the Solution Explorer
- in versions of Visual Studio from 2010 onwards in the same manner as
- previous versions did rather than one large view of files.
+ Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
+ Reported-by: 暖和的和暖
-- ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
-
- warning C4706: assignment within conditional expression
+- ROADMAP: http2 tests are merged, mention http2 perf
-- config-w32.h: Fixed compilation warning when /Wall enabled
+- docs/README.md: to render nicer pages on github
- warning C4668: 'USE_IPV6' is not defined as a preprocessor macro,
- replacing with '0' for '#if/#elif'
+ ... as previously the README.cmake would be picked and put at the bottom
+ of the docs page there and it wasn't very representative!
-- imap.c: Fixed compilation warning with /Wall enabled
-
- warning C4701: potentially uninitialized local variable 'size' used
+- README.md: change host name for the svg logo
- Technically this can't happen, as the usage of 'size' is protected by
- 'if(parsed)' and 'parsed' is only set after 'size' has been parsed.
+ rawgit.com asks to use the domain cdn.rawgit.com for production
- Anyway, lets keep the compiler happy.
+ See #900
-- KNOWN_BUGS: #93 Issue with CURLFORM_CONTENTLEN in arrays on 32-bit platforms
+- [Viktor Szakats brought this change]
-Daniel Stenberg (18 Mar 2016)
-- bump: the coming release is 7.48.0
+ README.md: use the SVG logo
-- configure: use cpp -P when needed
-
- Since gcc 5, the processor output can get split up on multiple lines
- that made the configure script fail to figure out values from
- definitions. The fix is to use cpp -P, and this fix now first checks if
- cpp -P is necessary and then if cpp -P works before it uses that to
- extract defined values.
-
- Fixes #719
+- README.md: logo on top!
-Steve Holme (18 Mar 2016)
-- formdata.c: Fixed compilation warning
-
- formdata.c:390: warning: cast from pointer to integer of different size
-
- Introduced in commit ca5f9341ef this happens because a char*, which is
- 32-bits wide in 32-bit land, is being cast to a curl_off_t which is
- 64-bits wide where 64-bit integers are supported by the compiler.
-
- This doesn't happen in 64-bit land as a pointer is the same size as a
- curl_off_t.
+- KNOWN_BUGS: 3.4 POP3 expects "CRLF.CRLF" eob for some
- This fix doesn't address the fact that a 64-bit value cannot be used
- for CURLFORM_CONTENTLEN when set in a form array and compiled on a
- 32-bit platforms, it does at least suppress the compilation warning.
+ Closes #740
-Daniel Stenberg (18 Mar 2016)
-- FAQ: 2.5 Install libcurl for both 32bit and 64bit?
+- RELEASE-NOTES: synced with d61c80515aa8
-- [Gisle Vanem brought this change]
+- [Michael Osipov brought this change]
- openssl: adapt to API breakage in ERR_remove_thread_state()
+ acinclude.m4: improve autodetection of CA bundle on FreeBSD
- The OpenSSL API change that broke this is "Convert ERR_STATE to new
- multi-threading API": openssl commit 8509dcc.
+ The FreeBSD Port security/ca_root_nss installs the Mozilla NSS CA bundle
+ to /usr/local/share/certs/ca-root-nss.crt. Use this bundle in the
+ discovery process.
- Closes #713
-
-- version: init moved to private name space, added protos
+ This change also removes the former FreeBSD path that has been obsolete
+ for 8 years since this FreeBSD ports commit:
+ https://svnweb.freebsd.org/ports/head/security/?view=revision&revision=215953
- follow-up to 80015cdd52145
+ Closes #894
-- openssl: verbose: show matching SAN pattern
-
- ... to allow users to see which specfic wildcard that matched when such
- is used.
+- configure: don't specify .lib for libs on windows
- Also minor logic cleanup to simplify the code, and I removed all tabs
- from verbose strings.
-
-Jay Satiro (16 Mar 2016)
-- version: thread safety
+ Another follow up for crypt32.lib linking with winssl
-Steve Holme (16 Mar 2016)
-- transfer: Removed redundant HTTP authentication include files
+- configure: fix winssl LIBS change typo
- It would also seem that share.h is not required here either as there
- are no references to the Curl_share structure or functions.
+ follow-up from 120bf29e
-- easy: Removed redundant HTTP authentication include files
+- TODO: "TCP Fast Open" is done, add monitor pool connections
-Jay Satiro (15 Mar 2016)
-- CURLOPT_SSLENGINE.3: Only for OpenSSL built with engine support
+- configure: add crypt32.lib for winssl builds
- Bug: https://curl.haxx.se/mail/lib-2016-03/0150.html
- Reported-by: Oliver Graute
-
-Steve Holme (15 Mar 2016)
-- curl_sasl: Minor code indent fixes
-
-Daniel Stenberg (14 Mar 2016)
-- runtests: mention when run event-based
+ Necessary since 6cabd78531f
-- easy: add check to malloc() when running event-based
+- Makefile.vc: link with crypt32.lib for winssl builds
+
+ Necessary since 6cabd78531f
- ... to allow torture tests then too.
+ Fixes #853
-- memdebug: skip logging the limit countdown, fflush when reached
+- [Joel Depooter brought this change]
-- CODE_STYLE: Space around operators
+ VC: Add crypt32.lib to Visual Sudio project template files
- As just discussed on the mailing list, also document how we prefer
- spacing in expressions.
+ Closes #854
-- curl: glob_range: no need to check unsigned variable for negative
-
- cppcheck warned:
+- vc: fix the build for schannel certinfo support
- [src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n'
- is less than zero.
-
-- CODE_STYLE: add example for indent style as well
-
-- CODE_STYLE: mention braces for functions too
-
-- docs/Makefile.am: include CODE_STYLE in tarball too
-
-- CONTRIBUTE: moved out code style to a separate document
+ Broken since 6cabd785, which adds use of the Curl_extract_certinfo
+ function from the x509asn1.c file.
-- CODE_STYLE: initial version
+- typedefs: use the full structs in internal code...
- Ripped out from CONTRIBUTE into its own document, but also extended from
- there.
+ ... and save the typedef'ed names for headers and external APIs.
-- curl_sasl.c: minor code indent fixes
+- internals: rename the SessionHandle struct to Curl_easy
-- multi: simplified singlesocket
+- headers: forward declare CURL, CURLM and CURLSH as structs
- Since sh_getentry() now checks for invalid sockets itself and by
- narrowing the scope of the remove_sock_from_hash variable.
-
-- multi: introduce sh_getentry() for looking up sockets in the sockhash
+ Instead of typedef'ing to void, typedef to their corresponding actual
+ struct names to allow compilers to type-check.
- Simplify the code by using a single entry that looks for a socket in the
- socket hash. As indicated in #712, the code looked for CURL_SOCKET_BAD
- at some point and that is ineffective/wrong and this makes it easier to
- avoid that.
-
-- [Jaime Fullaondo brought this change]
+ Assisted-by: Reinhard Max
- multi hash: ensure modulo performed on curl_socket_t
+Jay Satiro (22 Jun 2016)
+- vtls: Only call add/getsession if session id is enabled
- Closes #712
+ Prior to this change we called Curl_ssl_getsessionid and
+ Curl_ssl_addsessionid regardless of whether session ID reusing was
+ enabled. According to comments that is in case session ID reuse was
+ disabled but then later enabled.
+
+ The old way was not intuitive and probably not something users expected.
+ When a user disables session ID caching I'd guess they don't expect the
+ session ID to be cached anyway in case the caching is later enabled.
-Steve Holme (13 Mar 2016)
-- base64: Minor coding standard and style updates
+Daniel Stenberg (22 Jun 2016)
+- curl.1: the used progress meter suffix is k in lower case
+
+ Closes #883
-- base64: Use 'CURLcode result' for curl result codes
+- [Sergei Nikulov brought this change]
-- negotiate: Use 'CURLcode result' for curl result codes
+ cmake: now using BUILD_TESTING=ON/OFF
+
+ CMake build now using BUILD_TESTING=ON/OFF (default is OFF) to build
+ tests and enabling CTest integration. Options BUILD_CURL_TESTS and
+ BUILD_DASHBOARD_REPORTS was removed.
+
+ Closes #882
+
+ Reviewed-by: Brad King
-Daniel Stenberg (13 Mar 2016)
-- [Maksim Kuzevanov brought this change]
+- [Michael Kaufmann brought this change]
- multi_runsingle: avoid loop in CURLM_STATE_WAITPROXYCONNECT
+ cleanup: fix method names in code comments
- Closes #703
-
-- TODO: Use the RFC6265 test suite
+ Closes #887
-Steve Holme (13 Mar 2016)
-- checksrc.bat: Added the ability to scan src and lib source independently
+Kamil Dudka (21 Jun 2016)
+- curl-compilers.m4: improve detection of GCC's -fvisibility= flag
+
+ Some builds of GCC produce output on both stdout and stderr when --help
+ --verbose is used. The 2>&1 redirection caused them to be arbitrarily
+ interleaved with each other because of stream buffering. Consequently,
+ grep failed to match the fvisibility= string in the mixed output, even
+ though the string was present in GCC's standard output.
+
+ This led to silently disabling symbol hiding in some builds of curl.
-- digest: Use boolean based success code for Curl_sasl_digest_get_pair()
+Daniel Stenberg (19 Jun 2016)
+- tests: fix the HTTP/2 tests
+
+ The HTTP/2 tests brought with commit bf05606ef1f were using the internal
+ name 'http2' for the HTTP/2 server, while in fact that name was already
+ used for the second instance of the HTTP server. This made tests using
+ the second instance (like test 2050) fail after a HTTP/2 test had run.
- Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
- based success code.
+ The server is now known as HTTP/2 internally and within the <server>
+ section in test cases. 1700, 1701 and 1702 were updated accordingly.
-- digest: Corrected some typos in comments
+- openssl: use more 'const' to fix build warnings with 1.1.0 branch
-- krb5: Corrected some typos in function descriptions
+- curl.1: missed 'T' in the progress unit suffixes
-- ntlm: Corrected some typos in function descriptions
+- curl.1: mention the unix for the progress meter
-- url: Corrected indentation when calling idna_to_ascii_lz()
+Patrick Monnerat (16 Jun 2016)
+- os400: add new definitions to ILE/RPG binding.
-- idn_win32: Use boolean based success codes
+Daniel Stenberg (16 Jun 2016)
+- openssl: fix cert check with non-DNS name fields present
- Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
- based success code.
+ Regression introduced in 5f5b62635 (released in 7.48.0)
+
+ Reported-by: Fabian Ruff
+ Fixes #875
-Daniel Stenberg (10 Mar 2016)
-- idn_win32.c: warning: Trailing whitespace
+Dan Fandrich (16 Jun 2016)
+- axtls: Use Curl_wait_ms instead of the less-portable usleep
-Steve Holme (10 Mar 2016)
-- idn_win32.c: Fixed compilation warning from commit 9e7fcd4291
-
- warning C4267: 'function': conversion from 'size_t' to 'int',
- possible loss of data
+- axtls: Fixed compile after compile 31c521b0
-Daniel Stenberg (10 Mar 2016)
-- THANKS-filter: unify Michael König
+- tests: Added HTTP proxy keywords to tests 1141 & 1142
-- RELEASE-NOTES: synced with 863c5766dd
+Jay Satiro (15 Jun 2016)
+- [Sergei Nikulov brought this change]
-- ftp: remove a check for NULL(!)
+ cmake: Fix build with winldap
- ... as it implies we need to check for that on all the other variable
- references as well (as Coverity otherwise warns us for missing NULL
- checks), and we're alredy making sure that the pointer is never NULL.
+ Bug: https://github.com/curl/curl/pull/874
+ Reported-by: Sergei Nikulov
-- cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
-
- RFC 6265 section 4.1.1 spells out that the first name/value pair in the
- header is the actual cookie name and content, while the following are
- the parameters.
+- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
- libcurl previously had a more liberal approach which causes significant
- problems when introducing new cookie parameters, like the suggested new
- cookie priority draft.
+ When CURLOPT_POSTFIELDS is set to an empty string libcurl will send a
+ zero-byte POST. Prior to this change it was documented as sending data
+ from the read callback.
- The previous logic read all n/v pairs from left-to-right and the first
- name used that wassn't a known parameter name would be used as the
- cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
- a cookie named 'person' while an RFC 6265 compliant parser should
- consider that to be a cookie named 'Max-Age' with an (unknown) parameter
- 'person'.
+ This also changes the wording of what happens when empty or NULL so that
+ it's hopefully easier to understand for people whose primary language
+ isn't English.
- Fixes #709
-
-- krb5: improved type handling to avoid clang compiler warnings
+ Bug: https://github.com/curl/curl/issues/862
+ Reported-by: Askar Safin
-- url.c: fix clang warning: no newline at end of file
+- [Michael Wallner brought this change]
-- curl_multi_wait: never return -1 in 'numfds'
+ curl_multi_socket_action.3: Fix rewording
- Such a return value isn't documented but could still happen, and the
- curl tool code checks for it. It would happen when the underlying
- Curl_poll() function returns an error. Starting now we mask that error
- as a user of curl_multi_wait() would have no way to handle it anyway.
+ - Remove some erroneous text.
- Reported-by: Jay Satiro
- Closes #707
-
-- HTTP2.md: add CURL_HTTP_VERSION_2TLS and updated alt-svc link
+ Closes https://github.com/curl/curl/pull/865
-- curl_multi_wait.3: add example
+- [Luo Jinghua brought this change]
-Steve Holme (8 Mar 2016)
-- imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
-
- Regression since commit 710f14edba.
+ resolve: enable protocol family logic for synthesized IPv6
- Bug: https://github.com/curl/curl/issues/422
- Reported-by: Justin Ehlert
-
-Jay Satiro (8 Mar 2016)
-- opt-docs: fix heading macros
+ - Enable protocol family logic for IPv6 resolves even when support
+ for synthesized addresses is enabled.
- ..SH should be .SH
+ This is a follow up to the parent commit that added support for
+ synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family
+ logic needed for IPv6 was inadvertently excluded if support for
+ synthesized addresses was enabled.
- Bug: https://github.com/curl/curl/issues/705
- Reported-by: Eric S. Raymond
-
-Kamil Dudka (8 Mar 2016)
-- [Tim Rühsen brought this change]
+ Bug: https://github.com/curl/curl/issues/863
+ Ref: https://github.com/curl/curl/pull/866
+ Ref: https://github.com/curl/curl/pull/867
- cookie: do not refuse cookies for localhost
-
- Closes #658
+Daniel Stenberg (7 Jun 2016)
+- [Luo Jinghua brought this change]
-Daniel Stenberg (8 Mar 2016)
-- ftp_done: clear tunnel_state when secondary socket closes
+ resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
- Introducing a function for closing the secondary connection to make this
- bug less likely to happen again.
+ Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X.
+ If the current network interface doesn’t support IPv4, but supports
+ IPv6, NAT64, and DNS64.
- Reported-by: daboul
- Closes #701
-
-- [Gisle Vanem brought this change]
+ Closes #866
+ Fixes #863
- openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages
+- tests: two more HTTP/2 tests
+
+ 1701 and 1702
-- HTTP2.md: HTTP/2 by default for curl's HTTPS connections
+- runtests: don't display logs when http2 server fails to start
-- [Anders Bakken brought this change]
+- runtests: make stripfile work on stdout as well
+
+ ... and have test 1700 use that to strip out the nghttpx server: headers
- pipeline: Sanity check pipeline pointer before accessing it.
+- http2-tests: test1700 is the first real HTTP/2 test
- I got a crash with this stack:
+ It requires that 'nghttpx' is in the PATH, and it will run the tests
+ using nghttpx as a front-end proxy in front of the standard HTTP/1 test
+ server. This uses HTTP/2 over plain TCP.
- curl/lib/url.c:2873 (Curl_removeHandleFromPipeline)
- curl/lib/url.c:2919 (Curl_getoff_all_pipelines)
- curl/lib/multi.c:561 (curl_multi_remove_handle)
- curl/lib/url.c:415 (Curl_close)
- curl/lib/easy.c:859 (curl_easy_cleanup)
+ If you like me have nghttpx installed in a custom path, you can run test 1700
+ like this:
- Closes #704
-
-- HTTP2.md: mention the disable ALPN and NPN options
+ $ PATH=$PATH:$HOME/build-nghttp2/bin/ ./runtests.pl 1700
-- TODO: 17.12 keep running, read instructions from pipe/socket
-
- And delete trailing whitespace
- And rename section 17 to "command line tool" from "client"
-
- Closes #702
+- RELEASE-NOTES: synced with 34855feeb4c299
-- README.md: linkified
+Steve Holme (6 Jun 2016)
+- schannel: Disable ALPN on Windows < 8.1
- It also makes it less readable as plain text, so let's keep this
- primarily for github use.
+ Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
+ fails on Windows < 8.1 so we need to disable ALPN on these OS versions.
- Removed the top ascii art logo, as it looks weird when markdownified.
-
-- README.md: markdown version of README
+ Inspiration provide by: Daniel Seither
- Attempt to make it look more appealing on github
-
-Jay Satiro (6 Mar 2016)
-- mprintf: update trio project link
-
-Daniel Stenberg (6 Mar 2016)
-- CURLOPT_ACCEPTTIMEOUT_MS.3: added example
-
-- CURLOPT_ACCEPT_ENCODING.3: added example
-
-- CURLOPT_APPEND.3: added example
-
-- CURLOPT_NOPROGRESS.3: added example, conform to stardard style
+ Closes #848
+ Fixes #840
-Steve Holme (6 Mar 2016)
-- build-openssl/checksrc.bat: Fixed prepend vs append of Perl path
+Jay Satiro (5 Jun 2016)
+- checksrc: Add LoadLibrary to the banned functions list
- Fixed inconsistency from commit 1eae114065 and 0ad6c72227 of the order
- in which Perl was added to the PATH.
-
-Daniel Stenberg (6 Mar 2016)
-- opts: added two examples
-
-- CURLOPT_SSL_CTX_FUNCTION.3: use .NF for example
+ LoadLibrary was supplanted by Curl_load_library for security
+ reasons in 6df916d.
-- CURLOPT_SSL_CTX_FUNCTION.3: added example
+- http: Fix HTTP/2 connection reuse
- and removed erroneous reference to test case lib509
-
-- curlx.c: use more curl style code
-
-- test46: change cookie expiry date
+ - Change the parser to not require a minor version for HTTP/2.
- Since two of the cookies would now otherwise expire and cause the test
- to fail after commit 20de9b4f09
+ HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2
+ in 8243a95 because the parser still expected a minor version.
- Discussed in #697
-
-Jay Satiro (5 Mar 2016)
-- [Viktor Szakats brought this change]
+ Bug: https://github.com/curl/curl/issues/855
+ Reported-by: Andrew Robbins, Frank Gevaerts
- makefile.m32: add missing libs for static -winssl-ssh2 builds
+Steve Holme (4 Jun 2016)
+- connect.c: Fixed compilation warning from commit 332e8d6164
- Bug: https://github.com/curl/curl/pull/693
+ connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
-- mbedtls: fix user-specified SSL protocol version
+- win32: Used centralised verify windows version function
- Prior to this change when a single protocol CURL_SSLVERSION_ was
- specified by the user that version was set only as the minimum version
- but not as the maximum version as well.
-
-Steve Holme (5 Mar 2016)
-- .gitignore: Added *.VC.opendb and *.vcxproj.user files for VC14
-
-- build-openssl.bat: Fixed cannot find perl if installed but not in path
+ Closes #845
-- checksrc.bat: Fixed cannot find perl if installed but not in path
+- win32: Added verify windows version functionality
-Jay Satiro (5 Mar 2016)
-- [Viktor Szakats brought this change]
+- win32: Introduced centralised verify windows version function
- makefile.m32: fix to allow -ssh2-winssl combination
+Kamil Dudka (3 Jun 2016)
+- tool_urlglob: fix off-by-one error in glob_parse()
- In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl
- (OpenSSL) option, with no way to override it with -winssl. Since both
- libssh2 and curl support using Windows's built-in SSL backend, modify
- the logic to allow that combination.
-
-- cookie: Don't expire session cookies in remove_expired
+ ... causing SIGSEGV while parsing URL with too many globs.
+ Minimal example:
- Prior to this change cookies with an expiry date that failed parsing
- and were converted to session cookies could be purged in remove_expired.
+ $ curl $(for i in $(seq 101); do printf '{a}'; done)
- Bug: https://github.com/curl/curl/issues/697
- Reported-by: Seth Mos
+ Reported-by: Romain Coltel
+ Bug: https://bugzilla.redhat.com/1340757
-Daniel Stenberg (3 Mar 2016)
-- cookie: remove redundant check
-
- ... as it was already checked previously within the function.
+Daniel Stenberg (1 Jun 2016)
+- [Benjamin Kircher brought this change]
+
+ libcurl-multi.3: fix small typo
- Reported-by: Dmitry-Me
- Closes #695
+ Closes #850
-Jay Satiro (1 Mar 2016)
-- [Anders Bakken brought this change]
+- [Viktor Szakats brought this change]
- url: if Curl_done is premature then pipeline not in use
+ makefile.m32: add crypt32 for winssl builds
- Prevent a crash if 2 (or more) requests are made to the same host and
- pipelining is enabled and the connection does not complete.
+ Dependency added by 6cabd78
- Bug: https://github.com/curl/curl/pull/690
+ Closes #849
-- [Viktor Szakats brought this change]
+- [Ivan Avdeev brought this change]
- makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
-
- using envvars `CURL_LDFLAG_EXTRAS_DLL` and
- `CURL_LDFLAG_EXTRAS_EXE` respectively. This
- is useful f.e. to pass ASLR-related extra
- options, that are required to make this
- feature work when using the mingw toolchain.
+ vtls: fix ssl session cache race condition
- Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985
+ Sessionid cache management is inseparable from managing individual
+ session lifetimes. E.g. for reference-counted sessions (like those in
+ SChannel and OpenSSL engines) every session addition and removal
+ should be accompanied with refcount increment and decrement
+ respectively. Failing to do so synchronously leads to a race condition
+ that causes symptoms like use-after-free and memory corruption.
+ This commit:
+ - makes existing session cache locking explicit, thus allowing
+ individual engines to manage lock's scope.
+ - fixes OpenSSL and SChannel engines by putting refcount management
+ inside this lock's scope in relevant places.
+ - adds these explicit locking calls to other engines that use
+ sessionid cache to accommodate for this change. Note, however,
+ that it is unknown whether any of these engines could also have
+ this race.
- Closes https://github.com/curl/curl/pull/689
+ Bug: https://github.com/curl/curl/issues/815
+ Fixes #815
+ Closes #847
-Daniel Stenberg (29 Feb 2016)
-- formpost: fix memory leaks in AddFormData error branches
-
- Reported-by: Dmitry-Me
- Fixes #688
+- [Andrew Kurushin brought this change]
-Jay Satiro (28 Feb 2016)
-- getinfo: Fix syntax error when mbedTLS
+ schannel: add CURLOPT_CERTINFO support
- The assignment of the mbedTLS TLS session info in the parent commit was
- incorrect. Change the assignment to a pointer to the session structure.
+ Closes #822
-- getinfo: Add support for mbedTLS TLS session info
+- RELEASE-NOTES: synced with 142ee9fa15002315
+
+- openssl: rename the private SSL_strerror
- .. and preprocessor check TLS session info is defined for all backends.
+ ... to make it not look like an OpenSSL function
-Daniel Stenberg (26 Feb 2016)
-- ROADMAP: clarify on the TLS proxy, mention HTTP cookies to work on
+- [Michael Kaufmann brought this change]
-- file: try reading from files with no size
-
- Some systems have special files that report as 0 bytes big, but still
- contain data that can be read (for example /proc/cpuinfo on
- Linux). Starting now, a zero byte size is considered "unknown" size and
- will be read as far as possible anyway.
-
- Reported-by: Jesse Tan
+ openssl: Use correct buffer sizes for error messages
- Closes #681
+ Closes #844
-Jay Satiro (25 Feb 2016)
-- configure: warn on invalid ca bundle or path
+- curl: fix -q [regression]
- - Warn if --with-ca-bundle file does not exist.
+ This broke in 7.49.0 with commit e200034425a7625
- - Warn if --with-ca-path directory does not contain certificates.
+ Fixes #842
+
+- URL parser: allow URLs to use one, two or three slashes
- - Improve help messages for both.
+ Mostly in order to support broken web sites that redirect to broken URLs
+ that are accepted by browsers.
- Example configure output:
+ Browsers are typically even more leniant than this as the WHATWG URL
+ spec they should allow an _infinite_ amount. I tested 8000 slashes with
+ Firefox and it just worked.
- ca cert bundle: /some/file (warning: certs not found)
- ca cert path: /some/dir (warning: certs not found)
+ Added test case 1141, 1142 and 1143 to verify the new parser.
- Bug: https://github.com/curl/curl/issues/404
- Reported-by: Jeffrey Walton
+ Closes #791
-Daniel Stenberg (24 Feb 2016)
-- Curl_read: check for activated HTTP/1 pipelining, not only requested
-
- ... as when pipelining is used, we read things into a unified buffer and
- we don't do that with HTTP/2. This could then easily make programs that
- set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX to get data
- intermixed or plain broken between HTTP/2 streams.
+- [Renaud Lehoux brought this change]
+
+ cmake: Added missing mbedTLS support
- Reported-by: Anders Bakken
+ Closes #837
-Patrick Monnerat (24 Feb 2016)
-- os400: Fix ILE/RPG definition of CURLOPT_TFTP_NO_OPTIONS
+- [Renaud Lehoux brought this change]
-Jay Satiro (23 Feb 2016)
-- getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
-
- The two options are almost the same, except in the case of OpenSSL:
-
- CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.
-
- CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.
-
- For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to
- return an SSL pointer for OpenSSL.
-
- Also, add support for the 'internals' member to point to SSL object for
- the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and
- wolfSSL.
-
- Bug: https://github.com/curl/curl/issues/234
- Reported-by: dkjjr89@users.noreply.github.com
+ mbedtls: removed unused variables
- Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html
- Reported-by: Michael König
+ Closes #838
-Daniel Stenberg (23 Feb 2016)
-- multi_remove_handle: keep the timeout list until after disconnect
-
- The internal Curl_done() function uses Curl_expire() at times and that
- uses the timeout list. Better clean up the list once we're done using
- it. This caused a segfault.
-
- Reported-by: 蔡文凱
- Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html
+- [Frank Gevaerts brought this change]
-Kamil Dudka (23 Feb 2016)
-- tests/sshserver.pl: use RSA instead of DSA for host auth
-
- DSA is no longer supported by OpenSSH 7.0, which causes all SCP/SFTP
- test cases to be skipped. Using RSA for host authentication works with
- both old and new versions of OpenSSH.
+ http: add CURLINFO_HTTP_VERSION and %{http_version}
- Reported-by: Karlson2k
+ Adds access to the effectively used http version to both libcurl and
+ curl.
- Closes #676
+ Closes #799
-Jay Satiro (23 Feb 2016)
-- TFTP: add option to suppress TFTP option requests (Part 2)
-
- - Add tests.
-
- - Add an example to CURLOPT_TFTP_NO_OPTIONS.3.
+- bump: start the journey toward 7.50.0
+
+- [Marcel Raad brought this change]
+
+ openssl: fix build with OPENSSL_NO_COMP
- - Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.
+ With OPENSSL_NO_COMP defined, there is no function
+ SSL_COMP_free_compression_methods
- Bug: https://github.com/curl/curl/issues/481
+ Closes #836
-- [Michael Koenig brought this change]
+- [Gisle Vanem brought this change]
- TFTP: add option to suppress TFTP option requests (Part 1)
-
- Some TFTP server implementations ignore the "TFTP Option extension"
- (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
- problems with libcurl. Another switch for curl_easy_setopt
- "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
- sending TFTP option requests to a server, avoiding many problems caused
- by faulty implementations.
+ memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
- Bug: https://github.com/curl/curl/issues/481
+ Fixes #828
-Daniel Stenberg (22 Feb 2016)
-- [Karlson2k brought this change]
+- [Jonathan brought this change]
- runtests: Fixed usage of %PWD on MinGW64
+ README.md: polish
- Closes #672
+ Closes #834
-Jay Satiro (20 Feb 2016)
-- CURLOPT_DEBUGFUNCTION.3: Fix example
+- RELEASE-NOTES: fix vuln link
-- [Viktor Szakats brought this change]
+Version 7.49.1 (30 May 2016)
+
+Daniel Stenberg (30 May 2016)
+- RELEASE-NOTES: 7.49.1
+
+- [Steve Holme brought this change]
- src/Makefile.m32: add CURL_{LD,C}FLAGS_EXTRAS support
+ loadlibrary: Only load system DLLs from the system directory
+
+ Inspiration provided by: Daniel Stenberg and Ray Satiro
- Sync with lib/Makefile.m32 which already uses those variables.
+ Bug: https://curl.haxx.se/docs/adv_20160530.html
- Bug: https://github.com/curl/curl/pull/670
+ Ref: Windows DLL hijacking with curl, CVE-2016-4802
-Dan Fandrich (20 Feb 2016)
-- Enabled test 1437 after the bug fix in commit 3fa220a6
+- ssh: fix version number check typo
-Jay Satiro (19 Feb 2016)
-- [Emil Lerner brought this change]
+Jay Satiro (29 May 2016)
+- curl_share_setopt.3: Add min ver needed for ssl session lock
+
+ Bug: https://github.com/curl/curl/issues/826
+ Reported-by: Michael Wallner
- curl_sasl: Fix memory leak in digest parser
+Daniel Stenberg (29 May 2016)
+- ssh: fix build for libssh2 before 1.2.6
- If any parameter in a HTTP DIGEST challenge message is present multiple
- times, memory allocated for all but the last entry should be freed.
+ The statvfs functionality was added to libssh2 in that version, so we
+ switch off that functionality when built with older libraries.
- Bug: https://github.com/curl/curl/pull/667
+ Fixes #831
-Dan Fandrich (19 Feb 2016)
-- Added test 1437 to verify a memory leak
+- mbedtls: fix includes so snprintf() works
- Reported-by: neex@users.noreply.github.com
-
-Jay Satiro (18 Feb 2016)
-- CURLOPT_COOKIEFILE.3: HTTP headers must be Set-Cookie style
+ Regression from the previous *printf() rearrangements, this file missed to
+ include the correct header to make sure snprintf() works universally.
- Bug: https://github.com/curl/curl/issues/666
- Reported-by: baumanj@users.noreply.github.com
+ Reported-by: Moti Avrahami
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
-- curl.1: HTTP headers for --cookie must be Set-Cookie style
+Steve Holme (23 May 2016)
+- checksrc.pl: Added variants of strcat() & strncat() to banned function list
- Bug: https://github.com/curl/curl/issues/666
- Reported-by: baumanj@users.noreply.github.com
-
-Daniel Stenberg (18 Feb 2016)
-- curl.1: add a missing dash
-
-- CONTRIBUTING.md: fix links
+ Added support for checking the tchar, unicode and mbcs variants of
+ strcat() and strncat() in the banned function list.
-- ISSUE_TEMPLATE: github issue template
-
- First version, try this out!
+Daniel Stenberg (23 May 2016)
+- smtp: minor ident (white space) fixes
-- CONTRIBUTING.md: move into .github
+- THANKS: updated after script fixes
- To hide github specific files somewhat from the rest.
-
-- opts: add references
+ Now giving credit properly to github user names, fixed some UTF-8 issues
+ and added names discovered when contrithanks was improved.
-- examples/make: add 'checksrc' target
+- THANKS-filter: more name cleanups
-- 10-at-a-time: typecast the argument passed to sleep()
+- contrithanks.sh: exclude existing names case insensitively
-- externalsocket.c: fix compiler warning for fwrite return type
+- contrithanks.sh: use same grep pattern and -a flag as contributors.sh
-- anyauthput.c: fix compiler warnings
+- contributors.sh: better grep pattern, use grep -a
-- simplessl.c: warning: while with space
+- THANKS-filter: fix more names
-- curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
+- contrithanks.sh: do the same github fix as contributors.sh
- Reported-By: Gisle Vanem
+ from 1577bfa35ba
-- http2: don't decompress gzip decoding automatically
-
- At one point during the development of HTTP/2, the commit 133cdd29ea0
- introduced automatic decompression of Content-Encoding as that was what
- the spec said then. Now however, HTTP/2 should work the same way as
- HTTP/1 in this regard.
+Jay Satiro (23 May 2016)
+- contributors: Show GitHub username if real name unknown
- Reported-by: Kazuho Oku
+ Prior to this change if a GitHub contributor's real name was unknown
+ they would be omitted from the list.
- Closes #661
+ Bug: https://github.com/curl/curl/issues/824
-Jay Satiro (16 Feb 2016)
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (21 May 2016)
+- RELEASE-NOTES: synced with 3caaeffbe8ded4
- http: Don't break the header into chunks if HTTP/2
+Jay Satiro (20 May 2016)
+- openssl: cleanup must free compression methods
- nghttp2 callback deals with TLS layer and therefore the header does not
- need to be broken into chunks.
+ - Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
- Bug: https://github.com/curl/curl/issues/659
- Reported-by: Kazuho Oku
-
-Daniel Stenberg (16 Feb 2016)
-- [Viktor Szakats brought this change]
-
- openssl: use macro to guard the opaque EVP_PKEY branch
+ Bug: https://github.com/curl/curl/issues/817
+ Reported-by: jveazey@users.noreply.github.com
-- [Viktor Szakats brought this change]
+Daniel Stenberg (20 May 2016)
+- [Gisle Vanem brought this change]
- openssl: avoid direct PKEY access with OpenSSL 1.1.0
-
- by using API instead of accessing an internal structure.
- This is required starting OpenSSL 1.1.0-pre3.
+ curl_multibyte: fix compiler error
- Closes #650
-
-- RELEASE-NOTES: synced with ede0bfc079da
-
-- [Clint Clayton brought this change]
-
- CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
+ While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
+ getting:
- Change the example in the docs for CURLOPT_CONNECTTIMEOUT_MS to use
- CURLOPT_CONNECTTIMEOUT_MS instead of CURLOPT_CONNECTTIMEOUT.
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
+ to follow 'CURL_EXTERN'
- Closes #653
+ f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
+ 'curl_domalloc': not in formal parameter list
-- opt-docs: add more references
+- THANKS-filter: make Jan-E get proper credit
-- [David Byron brought this change]
+- [Jan-E brought this change]
- SCP: use libssh2_scp_recv2 to support > 2GB files on windows
-
- libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any
- day now.
+ winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity
- Closes #451
+ Closes #818
-Jay Satiro (13 Feb 2016)
-- [Shine Fan brought this change]
+- [Alexander Traud brought this change]
- gtls: fix for builds lacking encrypted key file support
+ libcurl.m4: Avoid obsolete warning
- Bug: https://github.com/curl/curl/pull/651
+ Closes #821
-Dan Fandrich (13 Feb 2016)
-- test1604: Add to Makefile.inc so it gets run
+Jay Satiro (20 May 2016)
+- [Michael Kaufmann brought this change]
-Jay Satiro (12 Feb 2016)
-- generate.bat: Fix comment bug by removing old comments
+ CURLOPT_CONNECT_TO.3: user must not free the list prematurely
- Remove NOTES section, it's no longer needed since we aren't setting the
- errorlevel and more importantly the recently updated URL in the comments
- is causing some unusual behavior that breaks the script.
+ The connect-to list isn't copied so as long as the handle may be used
+ for a transfer the list must be valid.
- Closes https://github.com/curl/curl/issues/649
+ Bug: https://github.com/curl/curl/pull/819
+ Reported-by: Michael Kaufmann
-Kamil Dudka (12 Feb 2016)
-- curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
-
- The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man
- pages since curl-7_12_3~131. This patch makes it clear in the curl.1
- man page, too.
-
- Bug: https://bugzilla.redhat.com/1305970
+Daniel Stenberg (19 May 2016)
+- RELEASE-NOTES: synced with 48114a8634242c
-Daniel Stenberg (12 Feb 2016)
-- dist: ship buildconf.bat too
+- openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
- As the winbuild/* stuff uses it!
+ See OpenSSL commit 21e001747d4a
-- curlx_tvdiff: handle 32bit time_t overflows
-
- On 32bit systems, make sure we don't overflow and return funky values
- for very large time differences.
-
- Reported-by: Anders Bakken
+- http2: use HTTP/2 in the HTTP/1.1-alike header
- Closes #646
+ ... when generating them, not "2.0" as the protocol is called just
+ HTTP/2 and nothing else.
-- examples: fix some compiler warnings
+Jay Satiro (19 May 2016)
+- dist: include curl_multi_socket_all.3
+
+ Closes https://github.com/curl/curl/pull/816
-- simplessl.c: fix my breakage
+Steve Holme (18 May 2016)
+- bump: Start work on 7.49.1
-- examples: adhere to curl code style
+Daniel Stenberg (18 May 2016)
+- curlbuild.h.dist: check __LP64__ as well to fix MIPS build
- All plain C examples now (mostly) adhere to the curl code style. While
- they are only examples, they had diverted so much and contained all
- sorts of different mixed code styles by now. Having them use a unified
- style helps users and readability. Also, as they get copy-and-pasted
- widely by users, making sure they're clean and nice is a good idea.
+ The preprocessor check that sets up the 32bit defines for non-configure
+ builds didn't work properly for MIPS systems as __mips__ is defined for
+ both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
- 573 checksrc warnings were addressed.
+ Reported-by: Tomas Jakobsson
+ Fixes #813
+
+- [Marcel Raad brought this change]
-- examples/cookie_interface.c: add cleanup call
+ schannel: fix compile break with MSVC XP toolset
- cleaning up handles is a good idea as we leak memory otherwise
+ For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
+ 7.1 is used. In this case, _USING_V110_SDK71_ is defined.
- Also, line wrapped before 80 columns.
+ Closes #812
-Kamil Dudka (10 Feb 2016)
-- nss: search slash in forward direction in dup_nickname()
+- dist: include CHECKSRC.md
- It is wasteful to search it backwards if we look for _any_ slash.
+ Reported-by: Paul Howarth
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html
-- nss: do not count enabled cipher-suites
+- test/Makefile.am: include manpage-scan.pl and nroff-scan.pl in dist
- We only care if at least one cipher-suite is enabled, so it does
- not make any sense to iterate till the end and count all enabled
- cipher-suites.
-
-Daniel Stenberg (10 Feb 2016)
-- contributors.sh: make 79 the max column width (from 80)
+ Reported-by: Ray Satiro
+ Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html
-- RELEASE-NOTES: synced with c276aefee3995
+Version 7.49.0 (17 May 2016)
-- mbedtls.c: re-indent to better match curl standards
+Daniel Stenberg (17 May 2016)
+- THANKS: 24 new names from 7.49.0 release notes
-- [Rafael Antonio brought this change]
+- RELEASE-NOTES: 7.49.0
- mbedtls: fix memory leak when destroying SSL connection data
+- mbedtls/polarssl: set "hostname" unconditionally
- Closes #626
-
-- mbedtls: fix ALPN usage segfault
+ ...as otherwise the TLS libs will skip the CN/SAN check and just allow
+ connection to any server. curl previously skipped this function when SNI
+ wasn't used or when connecting to an IP address specified host.
- Since we didn't keep the input argument around after having called
- mbedtls, it could end up accessing the wrong memory when figuring out
- the ALPN protocols.
+ CVE-2016-3739
- Closes #642
+ Bug: https://curl.haxx.se/docs/adv_20160518A.html
+ Reported-by: Moti Avrahami
-Jay Satiro (9 Feb 2016)
-- [Timotej Lazar brought this change]
+- [Frank Gevaerts brought this change]
- opts: update references to renamed options
+ CURLOPT_RESOLVE.3: fix typo
+
+ Closes #811
-- KNOWN_BUGS: Update #92 - Windows device prefix
+- docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVE
-- tool_doswin: Support for literal path prefix \\?\
+- KNOWN_BUGS: GnuTLS backend skips really long certificate fields
- For example something like --output \\?\C:\foo
-
-Daniel Stenberg (9 Feb 2016)
-- configure: state "BoringSSL" in summary when that was detected
+ Closes #762
-- [David Benjamin brought this change]
+- CURLOPT_HTTPPOST.3: the data needs to be around while in use
- openssl: remove most BoringSSL #ifdefs.
-
- As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
- BoringSSL #ifdefs in cURL should be unnecessary:
-
- - BoringSSL provides no-op stubs for compatibility which replaces most
- #ifdefs.
-
- - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
- the compatibility codepath.
-
- - With a small tweak to an extend_key_56_to_64 call, the NTLM code
- builds fine.
+- openssl: get_cert_chain: fix NULL dereference
- - Switch OCSP-related #ifdefs to the more generally useful
- OPENSSL_NO_OCSP.
+ CID 1361815: Explicit null dereferenced (FORWARD_NULL)
+
+- openssl: get_cert_chain: avoid NULL dereference
- The only #ifdefs which remain are Curl_ossl_version and the #undefs to
- work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
- that to the consumer. The in-header workaround makes things sensitive to
- include order.)
+ CID 1361811: Explicit null dereferenced (FORWARD_NULL)
+
+- dprintf_formatf: fix (false?) Coverity warning
- This change errs on the side of removing conditionals despite many of
- the restored codepaths being no-ops. (BoringSSL generally adds no-op
- compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
- bad enough!)
+ CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when
+ we run over 'workend' but the condition says <= workend and for all I
+ can see it should be safe. Compensating for the warning by adding a byte
+ margin in the buffer.
- Closes #640
+ Also, removed the extra brace level indentation in the code and made it
+ so that 'workend' is only assigned once within the function.
-Jay Satiro (8 Feb 2016)
-- KNOWN_BUGS: Windows device prefix is required for devices
+- RELEASE-NOTES: synced with 2dcb5adc72d6
+
+- THANKS-filter: fixed Jonathan Cardoso
-- tool_urlglob: Allow reserved dos device names (Windows)
+Jay Satiro (15 May 2016)
+- ftp: fix incorrect out-of-memory code in Curl_pretransfer
- Allow --output to reserved dos device names without the device prefix
- for backwards compatibility.
+ - Return value type must match function type.
- Example: --output NUL can be used instead of --output \\.\NUL
+ s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/
- Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
- Reported-by: Gisle Vanem
+ Caught by Travis CI
-Daniel Stenberg (8 Feb 2016)
-- cookies: allow spaces in cookie names, cut of trailing spaces
-
- It turns out Firefox and Chrome both allow spaces in cookie names and
- there are sites out there using that.
+Daniel Stenberg (15 May 2016)
+- ftp wildcard: segfault due to init only in multi_perform
- Turned out the code meant to strip off trailing space from cookie names
- didn't work. Fixed now.
+ The proper FTP wildcard init is now more properly done in Curl_pretransfer()
+ and the corresponding cleanup in Curl_close().
- Test case 8 modified to verify both these changes.
+ The previous place of init/cleanup code made the internal pointer to be NULL
+ when this feature was used with the multi_socket() API, as it was made within
+ the curl_multi_perform() function.
- Closes #639
+ Reported-by: Jonathan Cardoso Machado
+ Fixes #800
-Patrick Monnerat (8 Feb 2016)
-- Merge branch 'master' of github.com:curl/curl
+Jay Satiro (13 May 2016)
+- libcurl-tlibcurl-thread: Update OpenSSL links
+
+ Because the old OpenSSL link now redirects to their master documentation
+ (currently 1.1.0), which does not document the required actions for
+ OpenSSL <= 1.0.2.
-- os400: sync ILE/RPG definitions with latest public header files.
+Daniel Stenberg (13 May 2016)
+- [Viktor Szakats brought this change]
-Daniel Stenberg (8 Feb 2016)
-- [Ludwig Nussel brought this change]
+ darwinssl.c: fix OS X codename typo in comment
- SSLCERTS: update wrt SSL CA certificate store
+- RELEASE-NOTES: synced with 68701e51c1f7
+
+ Added 8 bug fixes and 5 more contrbutors
-- [Ludwig Nussel brought this change]
+- [Jay Satiro brought this change]
- configure: --with-ca-fallback: use built-in TLS CA fallback
+ mprintf: Fix processing of width and prec args
- When trying to verify a peer without having any root CA certificates
- set, this makes libcurl use the TLS library's built in default as
- fallback.
+ Prior to this change a width arg could be erroneously output, and also
+ width and precision args could not be used together without crashing.
- Closes #569
-
-- Proxy-Connection: stop sending this header by default
+ "%0*d%s", 2, 9, "foo"
- RFC 7230 says we should stop. Firefox already stopped.
+ Before: "092"
+ After: "09foo"
- Bug: https://github.com/curl/curl/issues/633
- Reported-By: Brad Fitzpatrick
+ "%*.*s", 5, 2, "foo"
- Closes #633
-
-- bump: work toward the next release
-
-- THANKS: 2 contributors from the 7.47.1 release
-
-- RELEASE-PROCEDURE: remove the github upload part
+ Before: crash
+ After: " fo"
- ... as we're HTTPS on the main site now, there's no point in that
- extra step
-
-Version 7.47.1 (8 Feb 2016)
+ Test 557 is updated to verify this and more
-Daniel Stenberg (8 Feb 2016)
-- RELEASE-NOTES: curl 7.47.1 time!
+- [Michael Kaufmann brought this change]
-Jay Satiro (8 Feb 2016)
-- tool_operhlp: Check for backslashes in get_url_file_name
-
- Extract the filename from the last slash or backslash. Prior to this
- change backslashes could be part of the filename.
+ ConnectionExists: follow-up fix for proxy re-use
- This change needed for the curl tool built for Cygwin. Refer to the
- CYGWIN addendum in advisory 20160127B.
+ Follow-up commit to 5823179
- Bug: https://curl.haxx.se/docs/adv_20160127B.html
+ Closes #648
-Daniel Stenberg (7 Feb 2016)
-- RELEASE-NOTES: synced with d6a8869ea34
+- [Per Malmberg brought this change]
-Jay Satiro (6 Feb 2016)
-- openssl: Fix signed/unsigned mismatch warning in X509V3_ext
+ darwinssl: fix certificate verification disable on OS X 10.8
- sk_X509_EXTENSION_num may return an unsigned integer, however the value
- will fit in an int.
+ The new way of disabling certificate verification doesn't work on
+ Mountain Lion (OS X 10.8) so we need to use the old way in that version
+ too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2
+ and 10.11.
- Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
- Reported-by: Gisle Vanem
-
-Daniel Stenberg (7 Feb 2016)
-- TODO: 17.11 -w output to stderr
+ Closes #802
-Jay Satiro (6 Feb 2016)
-- [Michael Kaufmann brought this change]
+- [Cory Benfield brought this change]
- idn_win32: Better error checking
+ http2: Add space between colon and header value
- .. also fix a conversion bug in the unused function
- curl_win32_ascii_to_idn().
+ curl's representation of HTTP/2 responses involves transforming the
+ response to a format that is similar to HTTP/1.1. Prior to this change,
+ curl would do this by separating header names and values with only a
+ colon, without introducing a space after the colon.
- And remove wprintfs on error (Jay).
+ While this is technically a valid way to represent a HTTP/1.1 header
+ block, it is much more common to see a space following the colon. This
+ change introduces that space, to ensure that incautious tools are safely
+ able to parse the header block.
- Bug: https://github.com/curl/curl/pull/637
-
-- [Gisle Vanem brought this change]
-
- examples/asiohiper: Avoid function name collision on Windows
+ This also ensures that the difference between the HTTP/1.1 and HTTP/2
+ response layout is as minimal as possible.
- closesocket => close_socket
- Winsock already has the former.
+ Bug: https://github.com/curl/curl/issues/797
- Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
-
-- [Gisle Vanem brought this change]
+ Closes #798
+ Fixes #797
- examples/htmltitle: Use _stricmp on Windows
+Kamil Dudka (12 May 2016)
+- openssl: fix compile-time warning in Curl_ossl_check_cxn()
- Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
-
-Daniel Stenberg (6 Feb 2016)
-- COPYING: clarify that Daniel is not the sole author
+ ... introduced in curl-7_48_0-293-g2968c83:
- ... done on request and as it is a fair point.
-
-Jay Satiro (5 Feb 2016)
-- unit1604: Fix unit setup return code
-
-- tool_doswin: Use type SANITIZEcode in sanitize_file_name
+ Error: COMPILER_WARNING:
+ lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’
+ lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’
+ may alter its value [-Wconversion]
-- tool_doswin: Improve sanitization processing
+Jay Satiro (11 May 2016)
+- openssl: stricter connection check function
+
+ - In the case of recv error, limit returning 'connection still in place'
+ to EINPROGRESS, EAGAIN and EWOULDBLOCK.
- - Add unit test 1604 to test the sanitize_file_name function.
+ This is an improvement on the parent commit which changed the openssl
+ connection check to use recv MSG_PEEK instead of SSL_peek.
- - Use -DCURL_STATICLIB when building libcurltool for unit testing.
+ Ref: https://github.com/curl/curl/commit/856baf5#comments
+
+Daniel Stenberg (11 May 2016)
+- [Anders Bakken brought this change]
+
+ TLS: SSL_peek is not a const operation
- - Better detection of reserved DOS device names.
+ Calling SSL_peek can cause bytes to be read from the raw socket which in
+ turn can upset the select machinery that determines whether there's data
+ available on the socket.
- - New flags to modify sanitize behavior:
+ Since Curl_ossl_check_cxn only tries to determine whether the socket is
+ alive and doesn't actually need to see the bytes SSL_peek seems like
+ the wrong function to call.
- SANITIZE_ALLOW_COLONS: Allow colons
- SANITIZE_ALLOW_PATH: Allow path separators and colons
- SANITIZE_ALLOW_RESERVED: Allow reserved device names
- SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
+ We're able to occasionally reproduce a connect timeout due to this
+ bug. What happens is that Curl doesn't know to call SSL_connect again
+ after the peek happens since data is buffered in the SSL buffer and thus
+ select won't fire for this socket.
- - Restore sanitization of banned characters from user-specified outfile.
+ Closes #795
+
+Jay Satiro (9 May 2016)
+- [Daniel Stenberg brought this change]
+
+ TLS: move the ALPN/NPN enable bits to the connection
- Prior to this commit sanitization of a user-specified outfile was
- temporarily disabled in 2b6dadc because there was no way to allow path
- separators and colons through while replacing other banned characters.
- Now in such a case we call the sanitize function with
- SANITIZE_ALLOW_PATH which allows path separators and colons to pass
- through.
+ Only protocols that actually have a protocol registered for ALPN and NPN
+ should try to get that negotiated in the TLS handshake. That is only
+ HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
+ would wrongly be used in all handshakes if libcurl was built with it
+ enabled.
+ Reported-by: Jay Satiro
- Closes https://github.com/curl/curl/issues/624
- Reported-by: Octavio Schroeder
+ Fixes #789
-- [Viktor Szakats brought this change]
+Daniel Stenberg (8 May 2016)
+- libcurl-thread.3: openssl 1.1.0 is safe, and so is boringssl
- URLs: change more http to https
+- [Antonio Larrosa brought this change]
-- sasl_sspi: Fix memory leak in domain populate
+ connect: fix invalid "Network is unreachable" errors
- Free an existing domain before replacing it.
+ Sometimes, in systems with both ipv4 and ipv6 addresses but where the
+ network doesn't support ipv6, Curl_is_connected returns an error
+ (intermittently) even if the ipv4 socket connects successfully.
- Bug: https://github.com/curl/curl/issues/635
- Reported-by: silveja1@users.noreply.github.com
-
-Daniel Stenberg (4 Feb 2016)
-- [Viktor Szakats brought this change]
-
- URLs: follow GitHub project rename (also Travis CI)
+ This happens because there's a for-loop that iterates on the sockets but
+ the error variable is not resetted when the ipv4 is checked and is ok.
- Closes #632
-
-- CHANGES.o: fix references to curl.haxx.nu
+ This patch fixes this problem by setting error to 0 when checking the
+ second socket and not having a result yet.
- I removed the scheme prefix from the URLs references this host name, as
- we don't own/run that anymore but the name is kept for historic reasons.
-
-- HISTORY: add some info about when we used which host names
+ Fixes #794
-Jay Satiro (2 Feb 2016)
-- [Viktor Szakats brought this change]
+Jay Satiro (5 May 2016)
+- FAQ: refer to thread safety guidelines
- URLs: change more http to https
+Daniel Stenberg (3 May 2016)
+- connections: non-HTTP proxies on different ports aren't reused either
+
+ Reported-by: Oleg Pudeyev and fuchaoqun
+
+ Fixes #648
-Dan Fandrich (3 Feb 2016)
-- URLs: Change more haxx.se URLs from http: to https:
+- http: make sure a blank header overrides accept_decoding
+
+ Reported-by: rcanavan
+ Assisted-by: Isaac Boukris
+ Closes #785
-Daniel Stenberg (3 Feb 2016)
-- RELEASE-NOTES: synced with 4af40b364
+- CHECKSRC.md: clarified, explained the whitelist file
-- URLs: change all http:// URLs to https://
+- nroff-scan.pl: verify that references are made with \fI
-- configure: update the copyright year range in output
+- docs: unified man page references to use \fI
-- dotdot: allow an empty input string too
-
- It isn't used by the code in current conditions but for safety it seems
- sensible to at least not crash on such input.
+- TODO: 17.14 --fail without --location should treat 3xx as a failure
- Extended unit test 1395 to verify this too as well as a plain "/" input.
-
-- HTTPS: update a bunch of URLs from HTTP to HTTPS
+ Closes #727
-- [Sergei Nikulov brought this change]
+- RELEASE-NOTES: synced with 7987f5cb14d
- AppVeyor: updated to handle OpenSSL/WinSSL builds
-
- Closes #621
+- [Isaac Boukris brought this change]
-Jay Satiro (1 Feb 2016)
-- tool_operate: Don't sanitize --output path (Windows)
-
- Due to path separators being incorrectly sanitized in --output
- pathnames, eg -o c:\foo => c__foo
+ CURLOPT_ACCEPT_ENCODING.3: Follow-up clarification
- This is a partial revert of 3017d8a until I write a proper fix. The
- remote-name will continue to be sanitized, but if the user specified an
- --output with string replacement (#1, #2, etc) that data is unsanitized
- until I finish a fix.
+ Mention possible content-length mismatch with sum of bytes reported
+ by write callbacks when auto decoding is enabled.
- Bug: https://github.com/bagder/curl/issues/624
- Reported-by: Octavio Schroeder
+ See #785
-- curl.1: Explain remote-name behavior if file already exists
-
- .. also warn about letting the server pick the filename.
+- test1140: run nroff-scan to verify man pages
-- [Gisle Vanem brought this change]
+- nroff-scan.pl: verify the .BR references as well
- urldata: Error on missing SSL backend-specific connect info
+- CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page reference
-Daniel Stenberg (28 Jan 2016)
-- bump: towards the next (7.47.1 ?)
+- CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGE
-- [Sergei Nikulov brought this change]
+- curl_easy_pause.3: fix man page reference
- cmake: fixed when OpenSSL enabled on Windows and schannel detected
+Jay Satiro (1 May 2016)
+- tool_cb_hdr: Fix --remote-header-name with schemeless URL
- Closes #617
-
-Jay Satiro (28 Jan 2016)
-- [Sergei Nikulov brought this change]
-
- urldata: moved common variable out of ifdef
+ - Move the existing scheme check from tool_operate.
- Closes https://github.com/bagder/curl/pull/618
-
-- [Viktor Szakats brought this change]
+ In the case of --remote-header-name we want to parse Content-disposition
+ for a filename, but only if the scheme is http or https. A recent
+ adjustment 0dc4d8e was made to account for schemeless URLs however it's
+ not 100% accurate. To remedy that I've moved the scheme check to the
+ header callback, since at that point the library has already determined
+ the scheme.
+
+ Bug: https://github.com/curl/curl/issues/760
+ Reported-by: Kai Noda
- tool_doswin: silence unused function warning
+Daniel Stenberg (1 May 2016)
+- tls: make setting pinnedkey option fail if not supported
- tool_doswin.c:185:14: warning: 'msdosify' defined but not used
- [-Wunused-function]
+ to make it obvious to users trying to use the feature with TLS backends
+ not supporting it.
- Closes https://github.com/bagder/curl/pull/616
+ Discussed in #781
+ Reported-by: Travis Burtrum
-Daniel Stenberg (27 Jan 2016)
-- getredirect.c: fix variable name
+- nroff-scan.pl: verifies nroff pages
- Reported-by: Bernard Spil
-
-Version 7.47.0 (27 Jan 2016)
-
-Daniel Stenberg (27 Jan 2016)
-- examples/Makefile.inc: specify programs without .c!
+ ... not used by any test yet but can be used stand-alone.
-- THANKS: 6 new contributors from 7.47.0 release notes
+- opts: fix broken/bad references
-- [Isaac Boukris brought this change]
+- [Michael Kaufmann brought this change]
- NTLM: Fix ConnectionExists to compare Proxy credentials
-
- Proxy NTLM authentication should compare credentials when
- re-using a connection similar to host authentication, as it
- authenticate the connection.
-
- Example:
- curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
- --proxy-ntlm --next -x http://proxy:port http://host/
- [-U fake_user:fake_pwd --proxy-ntlm]
-
- CVE-2016-0755
+ docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3
- Bug: http://curl.haxx.se/docs/adv_20160127A.html
-
-- [Ray Satiro brought this change]
+ Closes #786
- curl: avoid local drive traversal when saving file (Windows)
-
- curl does not sanitize colons in a remote file name that is used as the
- local file name. This may lead to a vulnerability on systems where the
- colon is a special path character. Currently Windows/DOS is the only OS
- where this vulnerability applies.
+- CURLOPT_ACCEPT_ENCODING.3: clarified
- CVE-2016-0754
+ As discussed in #785
+
+- curl.1: --mail-rcpt can be used multiple times
- Bug: http://curl.haxx.se/docs/adv_20160127B.html
+ Reported-by: mgendre
+ Closes #784
-- RELEASE-NOTES: 7.47.0
+- [Karlson2k brought this change]
-- FAQ: language fix in 4.19
+ tests: Use 'pathhelp' for paths conversions in secureserver.pl
+
+ Closes #675
-- [paulehoffman brought this change]
+- [Karlson2k brought this change]
- FAQ: Update to point to GitHub
-
- Current FAQ didn't make it clear where the main repo is.
-
- Closes #612
+ tests: Use 'pathhelp' for paths conversions in sshserver.pl
-- maketgz: generate date stamp with LC_TIME=C
-
- bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
+- [Karlson2k brought this change]
-- curl_multi_socket_action.3: line wrap
+ tests: Use 'pathhelp' for current path in runtests.pl
-- RELEASE-NOTES: synced with d58ba66eeceb
+- [Karlson2k brought this change]
-Steve Holme (21 Jan 2016)
-- TODO: "Create remote directories" for SMB
+ tests: pathhelp.pm to process paths on Msys/Cygwin
-Jay Satiro (18 Jan 2016)
-- mbedtls: Fix pinned key return value on fail
-
- - Switch from verifying a pinned public key in a callback during the
- certificate verification to inline after the certificate verification.
-
- The callback method had three problems:
+- lib: include curl_printf.h as one of the last headers
- 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
- was not returned.
+ curl_printf.h defines printf to curl_mprintf, etc. This can cause
+ problems with external headers which may use
+ __attribute__((format(printf, ...))) markers etc.
- 2. If peer certificate verification was disabled the pinned key
- verification did not take place as it should.
+ To avoid that they cause problems with system includes, we include
+ curl_printf.h after any system headers. That makes the three last
+ headers to always be, and we keep them in this order:
- 3. (related to #2) If there was no certificate of depth 0 the callback
- would not have checked the pinned public key.
+ curl_printf.h
+ curl_memory.h
+ memdebug.h
- Though all those problems could have been fixed it would have made the
- code more complex. Instead we now verify inline after the certificate
- verification in mbedtls_connect_step2.
+ None of them include system headers, they all do funny #defines.
- Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
- Ref: https://github.com/bagder/curl/pull/601
-
-- tests: Add a test for pinnedpubkey fail even when insecure
+ Reported-by: David Benjamin
- Because disabling the peer verification (--insecure) must not disable
- the public key pinning check (--pinnedpubkey).
-
-- [Daniel Schauenberg brought this change]
-
- CURLINFO_RESPONSE_CODE.3: add example
+ Fixes #743
-Kamil Dudka (15 Jan 2016)
-- ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
-
- The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
- empty strings specially since curl-7_25_0-31-g05a443a but the behavior
- was unintentionally removed in curl-7_38_0-47-gfa7d04f.
+- memdebug.h: remove inclusion of other headers
- This commit restores the original behavior and clarifies it in the
- documentation that NULL and "" have both the same meaning when passed
- to CURLOPT_SSH_PUBLIC_KEYFILE.
+ Mostly because they're not needed, because memdebug.h is always included
+ last of all headers so the others already included the correct ones.
- Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
+ But also, starting now we don't want this to accidentally include any
+ system headers, as the header included _before_ this header may add
+ defines and other fun stuff that we won't want used in system includes.
-Daniel Stenberg (14 Jan 2016)
-- RELEASE-NOTES: synced with 35083ca60ed035a
+- [Jay Satiro brought this change]
-- openssl: improved error detection/reporting
+ curl -J: make it work even without http:// scheme on URL
- ... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
- 1.1.0+ returned a new func number of another cerfificate fail so this
- required a fix and this is the better way to catch this error anyway.
-
-- openssl: for 1.1.0+ they now provide a SSLeay() macro of their own
-
-- CURLOPT_RESOLVE.3: minor language polish
-
-- configure: assume IPv6 works when cross-compiled
+ It does open up a miniscule risk that one of the other protocols that
+ libcurl could use would send back a Content-Disposition header and then
+ curl would act on it even if not HTTP.
- The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
- works, and testing like that doesn't work for cross-compiles. These days
- IPv6 support is widespread so a blind guess is probably more likely to
- be 'yes' than 'no' now.
+ A future mitigation for this risk would be to allow the callback to ask
+ libcurl which protocol is being used.
- Further: anyone who cross-compiles can use configure's --disable-ipv6 to
- explicitly disable IPv6 and that also works for cross-compiles.
+ Verified with test 1312
- Made happen after discussions in issue #594
+ Closes #760
-- TODO: "Try to URL encode given URL"
+- manpage-scan.pl: also verify the command line option docs
- Closes #514
+ This script now also scans src/tool_getparam.c, docs/curl.1 and
+ src/tool_help.c and will warn if any of them lists a command line option
+ not mentioned in one of the other places.
-- ConnectionExists: only do pipelining/multiplexing when asked
-
- When an HTTP/2 upgrade request fails (no protocol switch), it would
- previously detect that as still possible to pipeline on (which is
- acorrect) and do that when PIPEWAIT was enabled even if pipelining was
- not explictily enabled.
-
- It should only pipelined if explicitly asked to.
+- curl: show the long option version of -q in the -h list
+
+- curl: remove "--socks" as "--socks5" turned 8
- Closes #584
+ In commit 2e42b0a2524 (Jan 2008) we made the option "--socks" deprecated
+ and it has not been documented since. The more explicit socks options
+ (like --socks4 or --socks5) should be used.
-- [Mohammad AlSaleh brought this change]
+- curl.1: document the deprecated --ftp-ssl option
- lib: Prefix URLs with lower-case protocol names/schemes
-
- Before this patch, if a URL does not start with the protocol
- name/scheme, effective URLs would be prefixed with upper-case protocol
- names/schemes. This behavior might not be expected by library users or
- end users.
-
- For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
- URL is "hostname/path". The effective URL would be
- "HTTPS://hostname/path" instead of "https://hostname/path".
-
- After this patch, effective URLs would be prefixed with a lower-case
- protocol name/scheme.
-
- Closes #597
+- curl: remove --http-request
- Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
+ It was mentioned as deprecated already in commit ae1912cb0d4 from
+ 1999. It has not been documented in this millennium.
-- [Alessandro Ghedini brought this change]
+- curl: mention --ntlm-wb in -h list
- scripts: don't generate and install zsh completion when cross-compiling
+- curl: -h output lacked --proxy-header
-- [Alessandro Ghedini brought this change]
+- curl.1: document --ntlm-wb
- scripts: fix zsh completion generation
-
- The script should use the just-built curl, not the system one. This fixes
- zsh completion generation when no system curl is installed.
+- curl.1: document the long format of -q: --disable
-- [Alessandro Ghedini brought this change]
+- curl.1: mention the deprecated --krb4 option
- zsh.pl: fail if no curl is found
+- curl.1: document --ftp-ssl-reqd
- Instead of generation a broken completion file.
-
-- [Michael Kaufmann brought this change]
+ Even if deprecated, document it so that people will find it as old
+ scripts may still use it.
- IDN host names: Remove the port number before converting to ACE
+- curl: use --telnet-option as documented
- Closes #596
+ The code said "telnet-options" but no documentation ever said so. It
+ worked fine since the code is fine with a unique match of the first
+ part.
-Jay Satiro (10 Jan 2016)
-- runtests: Add mbedTLS to the SSL backends
+- getparam: remove support for --ftpport
- .. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
+ It has been deprecated and undocumented since commit ad5ead8bed7 (Dec
+ 2003). --ftp-port is the proper long option name.
-Daniel Stenberg (10 Jan 2016)
-- [Thomas Glanzmann brought this change]
+- curl: make --disable work as long form of -q
+
+ To make the aliases list reflect reality.
- mbedtls: implement CURLOPT_PINNEDPUBLICKEY
+- aliases: remove trailing space from capath string
-Jay Satiro (9 Jan 2016)
-- [Tatsuhiro Tsujikawa brought this change]
+- cmdline parse: only single letter options have single-letter strings
+
+ ... moved around options so that parsing the code to find all
+ single-letter options easier.
- url: Fix compile error with --enable-werror
+Jay Satiro (28 Apr 2016)
+- CURLINFO_TLS_SSL_PTR.3: Clarify SSL pointer availability
+
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0126.html
+ Reported-by: Bru Rom
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (28 Apr 2016)
+- curl_easy_getinfo.3: remove superfluous blank lines
- http2: Ensure that http2_handle_stream_close is called
+- test1139: verifies libcurl option man page presence
- Previously, when HTTP/2 is enabled and used, and stream has content
- length known, Curl_read was not called when there was no bytes left to
- read. Because of this, we could not make sure that
- http2_handle_stream_close was called for every stream. Since we use
- http2_handle_stream_close to emit trailer fields, they were
- effectively ignored. This commit changes the code so that Curl_read is
- called even if no bytes left to read, to ensure that
- http2_handle_stream_close is called for every stream.
+ - checks that each option has its own man page present
- Discussed in https://github.com/bagder/curl/pull/564
+ - checks that each option is mentioned in its corresponding index man
+ page
-Daniel Stenberg (8 Jan 2016)
-- http2: handle the received SETTINGS frame
-
- This regression landed in 5778e6f5 and made libcurl not act on received
- settings and instead stayed with its internal defaults.
+- curl_easy_getinfo.3: added missing mention of CURLINFO_TLS_SESSION
- Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
- Reported-by: Bankde
+ ... although it is deprecated.
-- Revert "multiplex: allow only once HTTP/2 is actually used"
+Jay Satiro (28 Apr 2016)
+- mbedtls: Fix session resume
+
+ This also fixes PolarSSL session resume.
- This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36.
+ Prior to this change the TLS session information wasn't properly
+ saved and restored for PolarSSL and mbedTLS.
- Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
-
-Jay Satiro (8 Jan 2016)
-- [Tatsuhiro Tsujikawa brought this change]
-
- http2: Fix PUSH_PROMISE headers being treated as trailers
+ Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
+ Reported-by: Thomas Glanzmann
- Discussed in https://github.com/bagder/curl/pull/564
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
+ Reported-by: Moti Avrahami
+
+Daniel Stenberg (27 Apr 2016)
+- RELEASE-NOTES: synced with f4298fcc6d2
-Daniel Stenberg (8 Jan 2016)
- [Michael Kaufmann brought this change]
- connection reuse: IDN host names fixed
+ opts: Fix some syntax errors in example code fragments
+
+ Fixes #779
+
+- openssl: avoid BN_print a NULL bignum
- Use the ACE form of IDN hostnames as key in the connection cache. Add
- new tests.
+ OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
+ numbers so make sure the function handles this.
- Closes #592
+ Reported-by: Linus Nordberg
-- tests: mark IPv6 FTP and FTPS tests with the FTP keyword
+- [Marcel Raad brought this change]
-Jay Satiro (7 Jan 2016)
-- mbedtls: Fix ALPN support
-
- - Fix ALPN reply detection.
+ CONNECT_ONLY: don't close connection on GSS 401/407 reponses
- - Wrap nghttp2 code in ifdef USE_NGHTTP2.
+ Previously, connections were closed immediately before the user had a
+ chance to extract the socket when the proxy required Negotiate
+ authentication.
+ This regression was brought in with the security fix in commit
+ 79b9d5f1a42578f
- Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
+ Closes #655
-- http2: Fix client write for trailers on stream close
-
- Check that the trailer buffer exists before attempting a client write
- for trailers on stream close.
-
- Refer to comments in https://github.com/bagder/curl/pull/564
+- CURLINFO_TLS_SESSION.3: clarify TLS library support before 7.48.0
-Daniel Stenberg (7 Jan 2016)
-- COPYING: update general copyright year range
+- mbedtls.c: silly spellfix of a comment
-- ConnectionExists: add missing newline in infof() call
+- KNOWN_BUGS: 1.10 Strips trailing dot from host name
- Mistake from commit a464f33843ee1
+ Closes #716
-- multiplex: allow only once HTTP/2 is actually used
-
- To make sure curl doesn't allow multiplexing before a connection is
- upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the
- connection uses HTTP/2 as well and not only check what's wanted.
-
- Closes #584
+- test1322: verify stripping of trailing dot from host name
- Patch-by: c0ff
+ While being debated (in #716) and a violation of RFC 7230 section 5.4,
+ this test verifies that the existing functionality works as intended. It
+ strips the dot from the host name and uses the host without dot
+ throughout the internals.
-Jay Satiro (4 Jan 2016)
-- curl_global_init.3: Add Windows-specific info for init via DLL
+- multi: accidentally used resolved host name instead of proxy
- - Add to both curl_global_init.3 and libcurl.3 the caveat for Windows
- that initializing libcurl via a DLL's DllMain or static initializer
- could cause a deadlock.
+ Regression introduced in 09b5a998
- Bug: https://github.com/bagder/curl/issues/586
- Reported-by: marc-groundctl@users.noreply.github.com
-
-Daniel Stenberg (4 Jan 2016)
-- FAQ: clarify who to mail about ECCN clarifications
-
-- progressfunc.c: spellfix description
-
-- docs/examples/multi-app.c: fix bad desc formatting
-
-- examples: added descriptions
-
-- example/simple.c: add description
+ Bug: https://curl.haxx.se/mail/lib-2016-04/0084.html
+ Reported-by: BoBo
-- getredirect.c: a new example
+- symbols-in-versions: added new CURLSSLBACKEND_ symbols
-Marc Hoersken (27 Dec 2015)
-- RELEASE-NOTES: add 5e0e81a9c4e35f04ca
+- test148: fixed after the --ftp-create-dirs retry change
+
+ follow-up commit to 3c1e84f569 as it made curl try a little harder
-Daniel Stenberg (26 Dec 2015)
-- RELEASE-NOTES: synced with 2aec4359db1088b10d
+- curl.h: clarify curl_sslbackend for openssl clones and renames
-Marc Hoersken (26 Dec 2015)
-- test 1515: add data check
+- [Karlson2k brought this change]
-- test 1515: add MSYS support by passing a relative path
+ url.c: fixed DEBUGASSERT() for WinSock workaround
- MSYS would otherwise turn a /-style path into a C:\-style path.
-
-- test 539: use datacheck mode text for ASCII-mode LISTings
+ If buffer is allocated, but nothing is received during prereceive
+ stage, than number of processed bytes must be zero.
- While still using datacheck mode binary for the inline reply data.
+ Closes #778
-- runtests.pl: check up to 5 data parts with different text modes
+- KNOWN_BUGS: --interface for ipv6 binds to unusable IP address
- Move the text-mode conversion for reply/replycheck from the verify
- section into the load section and add support for 4 more check parts.
-
-Daniel Stenberg (24 Dec 2015)
-- CURLOPT_RANGE: for HTTP servers, range support is optional
-
-Marc Hoersken (24 Dec 2015)
-- tests 1048 and 1050: use datacheck mode text for ASCII-mode LISTings
-
-- tests 706 and 707: use datacheck mode text for ASCII-mode LISTings
-
-- tests 400,403,406: use datacheck mode text for ASCII-mode LISTings
+ Closes #686 for now.
-- sockfilt.c: fix calculation of sleep timeout on Windows
+- TODO: 1.17 Add support for IRIs
- Not converting to double caused small timeouts to be skipped.
-
-- tests first.c: fix calculation of sleep timeout on Windows
+ Adding support for IRIs is a mouthful, but is probably interesting at
+ least for areas and countries where the use of such "URLs" are growing
+ popularity.
- Not converting to double caused small timeouts to be skipped.
+ Closes #776
-- test 573: add more debug output
+- THANKS-filter: Travis Burtrum
-- ftplistparser.c: fix handling of file LISTings using Windows EOL
-
- Previously file.txt[CR][LF] would have been returned as file.tx
- (without the last t) if filetype is symlink. Now the t is
- included and the internal item_length includes the zero byte.
-
- Spotted using test 576 on Windows.
+- lib1517: checksrc compliance
-- test 16: fix on Linux (and Windows) by using plain ASCII characters
-
- Follow up on b064ff0c351bb287557228575ef4c1d079b866fb, thanks Daniel.
+- [moparisthebest brought this change]
-- tftpd server: add Windows support by writing files in binary mode
+ PolarSSL: Implement public key pinning
-- tests 252-255: use datacheck mode text for ASCII-mode LISTings
+Patrick Monnerat (22 Apr 2016)
+- os400: upgrade ILE/RPG binding
-- test 16: fix on Windows by converting data file from ANSI to UTF-8
+- curl.h: CURLOPT_CONNECT_TO sets a struct slist *, not a string
-Daniel Stenberg (23 Dec 2015)
-- Makefile.inc: s/curl_SOURCES/CURL_FILES
-
- This allows the root Makefile.am to include the Makefile.inc without
- causing automake to warn on it (variables named *_SOURCES are
- magic). curl_SOURCES is then instead assigned properly in
- src/Makefile.am only.
+Daniel Stenberg (22 Apr 2016)
+- contributors.sh: make --releasenotes implied
- Closes #577
+ It got too annoying to type =)
-- [Anders Bakken brought this change]
+- RELEASE-NOTES: synced with 3c1e84f5693d8093
- ConnectionExists: with *PIPEWAIT, wait for connections
+- curl: make --ftp-create-dirs retry on failure
+
+ The underlying libcurl option used for this feature is
+ CURLOPT_FTP_CREATE_MISSING_DIRS which has the ability to retry the dir
+ creation, but it was never set to do that by the command line tool.
- Try harder to prevent libcurl from opening up an additional socket when
- CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
- handshakes complete first before the decision is made.
+ Now it does.
- Closes #575
+ Bug: https://curl.haxx.se/mail/archive-2016-04/0021.html
+ Reported-by: John Wanghui
+ Help-by: Leif W
-- [Anders Bakken brought this change]
+- [Henrik Gaßmann brought this change]
- Add .dir-locals and set c-basic-offset to 2.
+ winbuild: add mbedtls support
- This makes it easier for emacs users to automatically get the right
- 2-space indentation when they edit curl source files.
+ Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
+ options mutual exclusive.
- c++-mode is in there as well because Emacs can't easily know if
- something is a C or C++ header.
+ Closes #606
+
+- KNOWN_BUGS: fixed "5.6 Improper use of Autoconf cache variables"
- Closes #574
+ As of commit d9f3b365a3
-- [Johannes Schindelin brought this change]
+- [Irfan Adilovic brought this change]
- configure: detect IPv6 support on Windows
+ configure: ac_cv_ -> curl_cv_ for write-only vars
- This patch was "nicked" from the MINGW-packages project by Daniel.
+ These configure vars are modified in a curl-specific way but never
+ evaluated or loaded from cache, even though they are designated as
+ _cv_. We could either implement proper AC_CACHE_CHECKs for them, or
+ remove them completely.
- https://github.com/Alexpux/MINGW-packages/commit/9253d0bf58a1486e91f7efb5316e7fdb48fa4007
- Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
-
-- configure: allow static builds on mingw
+ Fixes #603 as ac_cv_func_gethostbyname is no longer clobbered, and
+ AC_CHECK_FUNC(gethostbyname...) will no longer spuriously succeed after
+ the first configure run with caching.
- This patch is adopted from the MINGW-packages project. It makes it
- possible to build curl both shared and static again.
+ `ac_cv_func_strcasecmp` is curious, see #770.
- URL: https://github.com/Alexpux/MINGW-packages/tree/master/mingw-w64-curl
+ `eval "ac_cv_func_$func=yes"` can still cause problems as it works in
+ tandem with AC_CHECK_FUNCS and then potentially modifies its result. It
+ would be best to rewrite this test to use a new CURL_CHECK_FUNCS macro,
+ which works the same as AC_CHECK_FUNCS but relies on caching the values
+ of curl_cv_func_* variables, without modifiying ac_cv_func_*.
-Marc Hoersken (17 Dec 2015)
-- test 1326: fix file check since curl is outputting binary data
+- [Irfan Adilovic brought this change]
-- test 1326: fix getting stuck on Windows due to incomplete request
+ configure: ac_cv_ -> curl_cv_ for r/w vars
- The request needs to be read and send in binary mode in order to use
- CRLF instead of LF. Adding --upload-file - causes curl to read stdin
- in binary mode.
-
-Daniel Stenberg (17 Dec 2015)
-- RELEASE-NOTES: command line option recount
+ These configure vars are modified in a curl-specific way and modified by
+ the configure process, but are never loaded from cache, even though they
+ are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
+ them eventually.
-Dan Fandrich (16 Dec 2015)
-- scripts/Makefile: build zsh script even in an out-of-tree build
+- [Irfan Adilovic brought this change]
-Marc Hoersken (16 Dec 2015)
-- sockfilt.c: added some debug output to select_ws
+ configure: ac_cv_func_clock_gettime -> curl_...
+
+ This variable must not be cached in its current form, as any cached
+ information will prevent the next configure run from determining the
+ correct LIBS needed for the function. Thus, rename prefix `ac_cv_` to
+ just `curl_`.
-- sockfilt.c: keep lines shorter than 80 chars
+- [Irfan Adilovic brought this change]
-- sockfilt.c: do not wait on unreliable file or pipe handle
+ configure: ac_cv_ -> curl_cv_ for all cached vars
- The previous implementation caused issues on modern MSYS2 runtimes.
-
-Daniel Stenberg (16 Dec 2015)
-- cyassl: deal with lack of *get_peer_certificate
+ This was automated by:
+
+ sed -b -i -f <(ack -A1 AC_CACHE_CHECK | \
+ ack -o 'ac_cv_.*?\b' | \
+ sort -u | xargs -n1 bash -c \
+ 'echo "s/$0/curl_cv_${0#ac_cv_}/g"') \
+ $(git ls-files)
- The function is only present in wolfssl/cyassl if it was built with
- --enable-opensslextra. With these checks added, pinning support is disabled
- unless the TLS lib has that function available.
+ This only changed the prefix for 16 variables actually checked with
+ AC_CACHE_CHECK.
+
+- openssl: builds with OpenSSL 1.1.0-pre5
- Also fix the mistake in configure that checks for the wrong lib name.
+ The RSA, DSA and DH structs are now opaque and require use of new APIs
- Closes #566
+ Fixes #763
-- wolfssl: handle builds without SSLv3 support
+Steve Holme (20 Apr 2016)
+- url.c: Prefer we don't use explicit NULLs in conditions
+
+ Fixed commit fa5fa65a30 to not use NULLs in if condition.
-- [Tatsuhiro Tsujikawa brought this change]
+Daniel Stenberg (20 Apr 2016)
+- [Isaac Boukris brought this change]
- http2: Support trailer fields
+ NTLM: check for NULL pointer before deferencing
- This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked
- encoding must be used to send trialer fields. HTTP/2 deprecated any
- trandfer-encoding, including chunked. But trailer fields are now
- always available.
+ At ConnectionExists, both check->proxyuser and check->proxypasswd
+ could be NULL, so make sure to check first.
- Since trailer fields are relatively rare these days (gRPC uses them
- extensively though), allocating buffer for trailer fields is done when
- we detect that HEADERS frame containing trailer fields is started. We
- use Curl_add_buffer_* functions to buffer all trailers, just like we
- do for regular header fields. And then deliver them when stream is
- closed. We have to be careful here so that all data are delivered to
- upper layer before sending trailers to the application.
+ Fixes #765
+
+- [Karlson2k brought this change]
+
+ tests: added test1517
- We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE
- mechanism, but current method is far more simple.
+ ... for checking ability to receive full HTTP response when POST request
+ is used with slow read callback function.
- Another possibility is use chunked encoding internally for HTTP/2
- traffic. I have not tested it, but it could add another overhead.
+ This test checks for bug #657 and verifies the work-around from
+ 72d5e144fbc6.
- Closes #564
+ Closes #720
-- RELEASE-NOTES: synced with 6c2c019654e658a
+- [Karlson2k brought this change]
-Jay Satiro (15 Dec 2015)
-- x509asn1: Fix host altname verification
-
- - In Curl_verifyhost check all altnames in the certificate.
+ sendf.c: added ability to call recv() before send() as workaround
- Prior to this change only the first altname was checked. Only the GSKit
- SSL backend was affected by this bug.
+ WinSock destroys recv() buffer if send() is failed. As result - server
+ response may be lost if server sent it while curl is still sending
+ request. This behavior noticeable on HTTP server short replies if
+ libcurl use several send() for request (usually for POST request).
+ To workaround this problem, libcurl use recv() before every send() and
+ keeps received data in intermediate buffer for further processing.
- Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
- Reported-by: John Kohl
+ Fixes: #657
+ Closes: #668
-Daniel Stenberg (15 Dec 2015)
-- curl --expect100-timeout: added
+Kamil Dudka (19 Apr 2016)
+- connect: make sure that rc is initialized in singleipconnect()
- This is the new command line option to set the value for the existing
- libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
-
-- cyassl: fix compiler warning on type conversion
-
-- curlver: the pending release will become 7.47.0
-
-- [Anders Bakken brought this change]
-
- setstropt: const-correctness
+ This commit fixes a Clang warning introduced in curl-7_48_0-190-g8f72b13:
- Closes #565
-
-- ROADMAP: implemented HTTP2 for HTTPS-only
+ Error: CLANG_WARNING:
+ lib/connect.c:1120:11: warning: The right operand of '==' is a garbage value
+ 1118| }
+ 1119|
+ 1120|-> if(-1 == rc)
+ 1121| error = SOCKERRNO;
+ 1122| }
-- HTTP2.md: spell fix and remove TODO now implemented
+Daniel Stenberg (19 Apr 2016)
+- make/checksrc: use $srcdir, not $top_srcdir
-- libressl: the latest openssl x509 funcs are not in libressl
+- src/checksrc.whitelist: removed
-- curl: use 2TLS by default
-
- Make this the default for the curl tool (if built with HTTP/2 powers
- enabled) unless a specific HTTP version is requested on the command
- line.
-
- This should allow more users to get HTTP/2 powers without having to
- change anything.
+- tool_operate: switch to inline checksrc ignore
-- http: add libcurl option to allow HTTP/2 for HTTPS only
+- lib/checksrc.whitelist: not needed anymore
- ... and stick to 1.1 for HTTP. This is in line with what browsers do and
- should have very little risk.
+ ... as checksrc now skips comments
-- openssl: adapt to openssl >= 1.1.0 X509 opaque structs
+- vtls.h: remove a space before semicolon
- Closes #491
-
-- openssl: avoid BIO_reset() warnings since it returns a value
-
-- openssl: adapt to 1.1.0+ name changes
+ ... that the new checksrc detected
-- scripts/makefile: add standard header
+- darwinssl: removed commented out code
-- scripts/Makefile: fix GNUism and survive no perl
-
- Closes #555
+- http_chunks: removed checksrc disable
- Reported-by: Thomas Klausner
-
-- fix b6d5cb40d7038fe
+ ... since checksrc now skips comments
-- [Tatsuhiro Tsujikawa brought this change]
+- imap: inlined checksrc disable instead of whitelist edit
- http2: Fix hanging paused stream
+- checksrc: taught to skip comments
- When NGHTTP2_ERR_PAUSE is returned from data_source_read_callback, we
- might not process DATA frame fully. Calling nghttp2_session_mem_recv()
- again will continue to process DATA frame, but if there is no incoming
- frames, then we have to call it again with 0-length data. Without this,
- on_stream_close callback will not be called, and stream could be hanged.
+ ... but output non-stripped version of the line, even if that then can
+ make the script identify the wrong position in the line at
+ times. Showing the line stripped (ie without comments) is just too
+ surprising.
+
+- opts/Makefile.am: list all docs file one by one
- Bug: http://curl.haxx.se/mail/lib-2015-11/0103.html
- Reported-by: Francisco Moraes
+ ... to make it easier to add lines in patches that won't just break all
+ other patches trying to add lines too.
-- [Christian Stewart brought this change]
+- curl_easy_setopt.3: mention CURLOPT_TCP_FASTOPEN
- build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS
-
- With curl disable verbose strings in http.c the compilation fails due to
- the data variable being undefined later on in the function.
+- RELEASE-NOTES: synced with 03de4e4b219
- Closes #558
+ (since we just merged two major features)
-Jay Satiro (7 Dec 2015)
-- [Gisle Vanem brought this change]
+- [Alessandro Ghedini brought this change]
- config-win32: Fix warning HAVE_WINSOCK2_H undefined
+ connect: implement TCP Fast Open for Linux
+
+ Closes #660
-- [Gisle Vanem brought this change]
+- [Alessandro Ghedini brought this change]
- openssl: BoringSSL doesn't have CONF_modules_free
+ tool: add --tcp-fastopen option
-- [Gisle Vanem brought this change]
+- [Alessandro Ghedini brought this change]
- lwip: Fix compatibility issues with later versions
-
- The name of the header guard in lwIP's <lwip/opt.h> has changed from
- '__LWIP_OPT_H__' to 'LWIP_HDR_OPT_H' (bug #35874 in May 2015).
-
- Other fixes:
-
- - In curl_setup.h, the problem with an old PSDK doesn't apply if lwIP is
- used.
-
- - In memdebug.h, the 'socket' should be undefined first due to lwIP's
- lwip_socket() macro.
-
- - In curl_addrinfo.c lwIP's getaddrinfo() + freeaddrinfo() macros need
- special handling because they were undef'ed in memdebug.h.
-
- - In select.c we can't use preprocessor conditionals inside select if
- MSVC and select is a macro, as it is with lwIP.
-
- http://curl.haxx.se/mail/lib-2015-12/0023.html
- http://curl.haxx.se/mail/lib-2015-12/0024.html
+ connect: implement TCP Fast Open for OS X
-Patrick Monnerat (7 Dec 2015)
-- os400: define CURL_VERSION_PSL in ILE/RPG binding
+- [Alessandro Ghedini brought this change]
-Jay Satiro (7 Dec 2015)
-- [Gisle Vanem brought this change]
+ url: add CURLOPT_TCP_FASTOPEN option
- version: Add flag CURL_VERSION_PSL for libpsl
+- checksrc: pass on -D so the whitelists are found correctly
-- formdata: Check if length is too large for memory
+- configure: remove check for libresolve
- - If the size of the length type (curl_off_t) is greater than the size
- of the size_t type then check before allocating memory to make sure the
- value of length will fit in a size_t without overflow. If it doesn't
- then return CURLE_BAD_FUNCTION_ARGUMENT.
+ 'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
+ but this check is broken and most likely adds nothing useful. Removing
+ now.
- Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
- Reported-by: Steve Holme
-
-Steve Holme (3 Dec 2015)
-- tests: Corrected copy and pasted comments from commit e643c5c908
-
-Daniel Stenberg (3 Dec 2015)
-- curl: remove keepalive #ifdef checks done on libcurl's behalf
+ Reported-by: Irfan Adilovic
- They didn't match the ifdef logic used within libcurl anyway so they
- could indeed warn for the wrong case - plus the tool cannot know how the
- lib actually performs at that level.
-
-Steve Holme (2 Dec 2015)
-- test947: Corrected typo in test name
+ Discussed in #770
-- tests: Disable the OAUTHBEARER tests when using a non-default port number
-
- Tests 842, 843, 844, 845, 887, 888, 889, 890, 946, 947, 948 and 949 fail
- if a custom port number is specified via the -b option of runtests.pl.
+- scripts/make: use $(EXEEXT) for executables
- Suggested by: Kamil Dudka
- Bug: http://curl.haxx.se/mail/lib-2015-12/0003.html
-
-Daniel Stenberg (2 Dec 2015)
-- bump: towards next release
+ Reported-by: bodop
- for all we know now, it might be called 7.46.1
-
-Version 7.46.0 (1 Dec 2015)
-
-Daniel Stenberg (1 Dec 2015)
-- RELEASE-NOTES: updated contributor count for 7.46.0
-
-- THANKS: new contributors from the 7.46.0 release
+ Fixes #771
-- THANKS-filter: single Tim Rühsen spelling
+- includes: avoid duplicate memory callback typdefs even harder
-- docs/examples: gitignore some more built examples
+- checksrc/makefile.am: use $top_srcdir to find source files
+
+ ... to properly support out of source tree builds.
-- RELEASE-NOTES; this bug was never released
+- RELEASE-NOTES: synced with 26ec93dd6aeba8dfb5
-- RELEASE-NOTES: synced with e55f15454efacb0
+- opts: fix option references missing (section)
-- [Flavio Medeiros brought this change]
+- [Michael Kaufmann brought this change]
- Curl_read_plain: clean up ifdefs that break statements
+ news: CURLOPT_CONNECT_TO and --connect-to
- Closes #546
-
-- http2: convert some verbose output into debug-only output
+ Makes curl connect to the given host+port instead of the host+port found
+ in the URL.
-- http2 push: add missing inits of new stream
+- makefile.vc6: use d suffix on debug object
+
+ To allow both release and debug builds in parallel.
- - set the correct stream_id for pushed streams
- - init maxdownload and size properly
-
-- http2 push: set weight for new stream
+ Reported-by: Rod Widdowson
- give the new stream the old one's stream_weight internally to avoid
- sending a PRIORITY frame unless asked for it
+ Fixes #769
-- curl_setup.h: undef freeaddrinfo in c-ares block to fix build
+Jay Satiro (12 Apr 2016)
+- http2: Use size_t type for data drain count
- Fixes warnings 78c25c854a added.
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- nonblock: fix setting non-blocking mode for Amiga
-
- IoctlSocket() apparently wants a pointer to a long, passed as a char *
- in its third parameter. This bug was introduced already back in commit
- c5fdeef41d from October 1 2001!
+- http2: Improve header parsing
- Bug: http://curl.haxx.se/mail/lib-2015-11/0088.html
- Reported-by: Norbert Kett
-
-- zsh install: fix DESTDIR support
+ - Error if a header line is larger than supported.
- Reported-by: Mohammad AlSaleh
-
-Dan Fandrich (27 Nov 2015)
-- lib: Only define curl_dofreeaddrinfo if struct addrinfo is available
-
-Steve Holme (27 Nov 2015)
-- tool_paramhlp: Fixed display of URL index in password prompt for --next
+ - Warn if cumulative header line length may be larger than supported.
- Commit f3bae6ed73 added the URL index to the password prompt when using
- --next. Unfortunately, because the size_t specifier (%zu) is not
- supported by all sprintf() implementations we use the curl_off_t format
- specifier instead. The display of an incorrect value arises on platforms
- where size_t and curl_off_t are of a different size.
-
-Daniel Stenberg (25 Nov 2015)
-- timecond: do not add if-modified-since without timecondition
+ - Allow spaces when parsing the path component.
- The RTSP code path didn't skip adding the if-modified-since for certain
- RTSP code paths, even if CURLOPT_TIMECONDITION was set to
- CURL_TIMECOND_NONE.
+ - Make sure each header line ends in \r\n. This fixes an out of bounds.
- Also, an unknown non-zero CURLOPT_TIMECONDITION value no longer equals
- CURL_TIMECOND_IFMODSINCE.
+ - Disallow header continuation lines until we decide what to do.
- Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header
-
-- RELEASE-NOTES: synced with 99d17a5e2ba77e58
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- examples/README: cut out the incomplete list
+- http2: Add Curl_http2_strerror for HTTP/2 error codes
- ... and add a generic explanation for them instead. Each example file
- should contain its own description these days.
-
-- test1513: make sure the callback is only called once
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- [Daniel Shahaf brought this change]
+- [Tatsuhiro Tsujikawa brought this change]
- build: Install zsh completion
+ http2: Don't increment drain when one header field is received
+
+ Sicne we write header field in temporary location, not in the memory
+ that upper layer provides, incrementing drain should not happen.
- Fixes #534
- Closes #537
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- done: make sure the final progress update is made
+- [Tatsuhiro Tsujikawa brought this change]
+
+ http2: Ensure that http2_handle_stream_close is called
- It would previously be skipped if an existing error was returned, but
- would lead to a previous value being left there and later used.
- CURLINFO_TOTAL_TIME for example.
+ This commit ensures that streams which was closed in on_stream_close
+ callback gets passed to http2_handle_stream_close. Previously, this
+ might not happen. To achieve this, we increment drain property to
+ forcibly call recv function for that stream.
- Still it avoids that final progress update if we reached DONE as the
- result of a callback abort to avoid another callback to be called after
- an abort-by-callback.
+ To more accurately check that we have no pending event before shutting
+ down HTTP/2 session, we sum up drain property into
+ http_conn.drain_total. We only shutdown session if that value is 0.
- Reported-by: Lukas Ruzicka
+ With this commit, when stream was closed before reading response
+ header fields, error code CURLE_HTTP2_STREAM is returned even if
+ HTTP/2 level error is NO_ERROR. This signals the upper layer that
+ stream was closed by error just like TCP connection close in HTTP/1.
- Closes #538
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- curl: expanded the -XHEAD warning text
-
- ... to also mention the specific options used.
+- [Tatsuhiro Tsujikawa brought this change]
-- Revert "cleanup: general removal of TODO (and similar) comments"
-
- This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a.
+ http2: Process paused data first before tear down http2 session
- Feedback-by: Dan Fandrich
- URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
-
-- CURLOPT_HEADERFUNCTION.3: fix typo
+ This commit ensures that data from network are processed before HTTP/2
+ session is terminated. This is achieved by pausing nghttp2 whenever
+ different stream than current easy handle receives data.
- Refer to _HEADERDATA not _WRITEDATA.
+ This commit also fixes the bug that sometimes processing hangs when
+ multiple HTTP/2 streams are multiplexed.
- Reported-by: Michał Piechowski
-
-- TODO: TCP Fast Open
-
-Steve Holme (22 Nov 2015)
-- examples: Added website parse-able descriptions to the e-mail examples
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- TODO: Added another 'multi-interface' idea
+- [Tatsuhiro Tsujikawa brought this change]
-- smb.c: Fixed compilation warnings
+ http2: Check session closure early in http2_recv
- smb.c:134:3: warning: conversion to 'short unsigned int' from 'int' may
- alter its value
- smb.c:146:42: warning: conversion to 'unsigned int' from 'long long
- unsigned int' may alter its value
- smb.c:146:65: warning: conversion to 'unsigned int' from 'long long
- unsigned int' may alter its value
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- schannel: Corrected copy/paste error in commit 8d17117683
+- [Tatsuhiro Tsujikawa brought this change]
-- schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
+ http2: Add handling stream level error
- Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
-
-- examples: Fixed compilation warnings
+ Previously, when a stream was closed with other than NGHTTP2_NO_ERROR
+ by RST_STREAM, underlying TCP connection was dropped. This is
+ undesirable since there may be other streams multiplexed and they are
+ very much fine. This change introduce new error code
+ CURLE_HTTP2_STREAM, which indicates stream error that only affects the
+ relevant stream, and connection should be kept open. The existing
+ CURLE_HTTP2 means connection error in general.
- pop3-multi.c:96:5: warning: implicit declaration of function 'memset'
- imap-multi.c:96:5: warning: implicit declaration of function 'memset'
- http2-download.c:226:5: warning: implicit declaration of function 'memset'
- http2-upload.c:290:5: warning: implicit declaration of function 'memset'
- http2-upload.c:290:5: warning: implicit declaration of function 'memset'
+ Ref: https://github.com/curl/curl/issues/659
+ Ref: https://github.com/curl/curl/pull/663
-- Makefile.inc: Fixed test run error
+Daniel Stenberg (11 Apr 2016)
+- http2: drain the socket better...
- test845 not present in tests/data/Makefile.inc
+ ... but ignore EAGAIN if the stream has ended so that we don't end up in
+ a loop. This is a follow-up to c8ab613 in order to avoid the problem
+ d261652 was made to fix.
+
+ Reported-by: Jay Satiro
+ Clues-provided-by: Tatsuhiro Tsujikawa
+
+ Discussed in #750
-Daniel Stenberg (20 Nov 2015)
-- TODO: remove duplicated title
+- KNOWN_BUGS: added info for "Hangs with PolarSSL"
-- TODO: added two more libcurl ideas
+- KNOWN_BUGS: 1.9 HTTP/2 frames while in the connection pool kill reuse
- Moved some ideas from "next major" to just ordinary ideas since we can
- always add new things while keeping the old without doing a "next
- major".
+ Closes #750
-Steve Holme (20 Nov 2015)
-- tests: Re-enabled tests 889 and 890 following POP3 fix
+- build: include scripts/ in the dist
-- pop3: Differentiate between success and continuation responses
+Steve Holme (9 Apr 2016)
+- CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
+
+ As these two options provide identical functionality, the former for
+ SOCK5 proxies and the latter for HTTP proxies, merged the two options
+ together.
+
+ As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
+ 7.49.0.
-- pop3: Added clarity on some server response codes
+- urldata: Use bool for socks5_gssapi_nec as it is a flag
+
+ This value is set to TRUE or FALSE so should be a bool and not a long.
-Daniel Stenberg (20 Nov 2015)
-- [Daniel Shahaf brought this change]
+- url: Ternary operator code style changes
- build: Fix theoretical infinite loops
+- CODE_STYLE: Added ternary operator example to 'Space around operators'
- Add error-checking to 'cd' in a few cases where omitting the checks
- might result in an infinite loop.
+ Following conversation on the libcurl mailing list.
+
+- sasl: Fixed compilation errors from commit 9d89a0387
- Closes #535
+ ...when GSS-API or Windows SSPI are not used.
+
+- url: Corrected comments following 9d89a0387
-Patrick Monnerat (19 Nov 2015)
-- curl.h: s/#defien/#define/
+- docs: Added clarification following commit 9d89a0387
-- os400: synchronize ILE/RPG header file
+- Makefile: Fixed echo of checksrc check
-- os400: Provide options for libssh2 use in compile scripts. Adjust README.
+- checksrc: Fix issue with the autobuilds not picking up the whitelist
-Daniel Stenberg (19 Nov 2015)
-- [danielsh@apache.org brought this change]
+- checksrc: Added missing vauth and vtls directories
- zsh completion: Preserve single quotes in output
+- ftp/imap/pop3/smtp: Allow the service name to be overridden
- When an option's help string contains literal single quotes, those
- single quotes would be stripped from the option's description in the
- completion output (unless the zsh RC_QUOTES option were set while the
- completion function was being sourced, which is not the default). This
- patch makes the completion output contain single quotes where the --help
- output does.
+ Allow the service name to be overridden for DIGIST-MD5 and Kerberos 5
+ authentication in FTP, IMAP, POP3 and SMTP.
+
+- http_negotiate: Calculate service name and proxy service name locally
- Closes #532
+ Calculate the service name and proxy service names locally, rather than
+ in url.c which will allow for us to support overriding the service name
+ for other protocols such as FTP, IMAP, POP3 and SMTP.
-Jay Satiro (18 Nov 2015)
-- [MaxGiting brought this change]
+- ROADMAP: Updated following the move of the authentication code
- FAQ: Grammar changes
-
- Closes https://github.com/bagder/curl/pull/533
+Patrick Monnerat (8 Apr 2016)
+- KNOWN_BUGS: openldap hangs. TODO: binary SASL.
-Daniel Stenberg (17 Nov 2015)
-- http2: http_done: don't free already-freed push headers
-
- The push headers are freed after the push callback has been invoked,
- meaning this code should only free the headers if the callback was never
- invoked and thus the headers weren't freed at that time.
+Daniel Stenberg (8 Apr 2016)
+- KNOWN_BUGS: 5.6 Improper use of Autoconf cache variables
- Reported-by: Davey Shafik
+ Closes #603
-- [Anders Bakken brought this change]
+- KNOWN_BUGS: 11.2 error buffer not set...
+
+ Closes #544
- getconnectinfo: Don't call recv(2) if socket == -1
+- KNOWN_BUGS: 11.1 Curl leaks .onion hostnames in DNS
- Closes #528
+ Closes #543
-- CURLMOPT_PUSHFUNCTION.3: *_byname() returns only the first header
+- KNOWN_BUGS: 1.8 DNS timing is wrong for HTTP redirects
- ... if there are more than one using the same name
+ Closes #522
-- http2: minor comment typo
+- TODO: HTTP/2 "prior knowledge" is implemented!
-- sasl; fix checksrc warnings
+- [Damien Vielpeau brought this change]
-Steve Holme (15 Nov 2015)
-- RELEASE-NOTES: Adjusted for the recent OAuth 2.0 activity
+ mbedtls: fix MBEDTLS_DEBUG builds
-- tests: Disabled 889 and 890 until we support POP3 continuation responses
+- mbedtls: implement and provide *_data_pending()
- As POP3 final and continuation responses both begin with a + character,
- and both the finalcode and contcode variables in SASLprotoc are set as
- such, we cannot tell the difference between them when we are expecting
- an optional continuation from the server such as the following:
+ ... as otherwise we might get stuck thinking there's no more data to
+ handle.
- + something else from the server
- +OK final response
+ Reported-by: Damien Vielpeau
- Disabled these tests until such a time we can tell the responses apart.
+ Fixes #737
-- tests: Corrected typos from commit ba4d8f7eba
+- mbedtls: follow-up for the previous commit
-- tests: Added OAUTHBEARER failure response tests
+- mbedtls.c: name space pollution fix, Use 'Curl_'
-- oauth2: Support OAUTHBEARER failures sent as continuation responses
-
- According to RFC7628 a failure message may be sent by the server in a
- base64 encoded JSON string as a continuation response.
+- mbedtls.c: changed private prefix to mbed_
- Currently only implemented for OAUTHBEARER and not XAUTH2.
-
-Daniel Stenberg (15 Nov 2015)
-- RELEASE-NOTES: synced with 808a17ee675
-
-Steve Holme (14 Nov 2015)
-- tests: Renamed existing OAuth 2.0 (XOAUTH) tests
+ mbedtls_ is the prefix used by the mbedTLS library itself so we should
+ avoid using that for our private functions.
-- tests: Added OAuth 2.0 (OAUTHBEARER) tests
+- mbedtls.h: fix compiler warnings
-- oauth2: Added support for OAUTHBEARER SASL mechanism to IMAP, POP3 and SNMP
+- Revert "winbuild: trying to set some files eol=crlf for git"
- OAUTHBEARER is now the official "registered" SASL mechanism name for
- OAuth 2.0. However, we don't want to drop support for XOAUTH2 as some
- servers won't support the new mechanism yet.
-
-Daniel Stenberg (13 Nov 2015)
-- RELEASE-NOTES: recounted curl_easy_setopt() options
-
-- typecheck-gcc.h: add missing slist-using options
+ This reverts commit 9c08b4f1e7eced5a4d3782a3e0daa484c9d77d21.
- CURLOPT_RESOLVE and CURLOPT_PROXYHEADER were missing
+ Didn't help. Caused problems.
- Also sorted the list.
+ Fixes #756
-- typecheck-gcc.h: added CURLOPT_CLOSESOCKETDATA
+- curl.1: use example.com more
- ... and sorted curl_is_cb_data_option alphabetically
-
-Jay Satiro (13 Nov 2015)
-- [Sebastian Pohlschmidt brought this change]
+ Make (most) example snippets use the example.com domain instead of the
+ random ones picked and used before. Some of those were probably
+ legitimate sites and some not. example.com is designed for this purpose.
- openssl: Free modules on cleanup
-
- Curl_ossl_init calls OPENSSL_load_builtin_modules() but
- Curl_ossl_cleanup doesn't make a call to free these modules.
-
- Bug: https://github.com/bagder/curl/issues/526
+- [Michael Kaufmann brought this change]
-Steve Holme (13 Nov 2015)
-- symbols-in-versions: Added new CURLOPTTYPE_STRINGPOINT alias
+ HTTP2: Add a space character after the status code
- ...following commit aba281e762 to fix test 1119.
-
-Daniel Stenberg (13 Nov 2015)
-- curl: mark two more options strings for --libcurl output
-
-- typecheck-gcc.h: add some missing string types
+ The space character after the status code is mandatory, even if the
+ reason phrase is empty (see RFC 7230 section 3.1.2)
- Also sorted that list alphabetically
+ Closes #755
-- curl.h: introducing the STRINGPOINT alias
-
- As an alias for OBJECTPOINT. Provided to allow us to grep for all string
- options easier.
+- [Viktor Szakats brought this change]
-- cleanup: general removal of TODO (and similar) comments
+ URLs: change http to https in many places
- They tend to never get updated anyway so they're frequently inaccurate
- and we never go back to revisit them anyway. We document issues to work
- on properly in KNOWN_BUGS and TODO instead.
-
-- ftplistparser: remove empty function
-
-- openssl: remove #if check for 0.9.7 for ENGINE_load_private_key
+ Closes #754
-- openssl: all supported versions have X509_STORE_set_flags
+- winbuild: trying to set some files eol=crlf for git
- Simplify by removing #ifdefs and macros
+ Thinking it might help to apply patches etc with git.
-- openssl: remove 0.9.3 check
+- [Theodore Dubois brought this change]
-- openssl: remove #ifdefs for < 0.9.5 support
+ curl.1: change example for -F
- We only support >= 0.9.7
-
-- lib/vtls/openssl: remove unused traces of yassl ifdefs
-
-Dan Fandrich (12 Nov 2015)
-- [dfandrich brought this change]
-
- unit1603: Demote hash mismatch failure to a warning
+ It's a bad idea to send your passwords anywhere, especially over HTTP.
+ Modified example to send a picture instead.
- The hashes can vary between architectures (e.g. Sparc differs from x86_64).
- This is not a fatal problem but just reduces the coverage of these white-box
- tests, as the assumptions about into which hash bucket each key falls are no
- longer valid.
-
-- [dfandrich brought this change]
-
- unit1603: Added unit tests for hash functions
-
-- [dfandrich brought this change]
-
- unit1602: Fixed failure in torture test
+ Fixes #752
-Steve Holme (12 Nov 2015)
-- sasl: Re-introduced XOAUTH2 in the default enabled authentication mechanism
+- KNOWN_BUGS: reorganized and cleaned up
- Following the fix in commit d6d58dd558 it is necessary to re-introduce
- XOAUTH2 in the default enabled authentication mechanism, which was
- removed in commit 7b2012f262, otherwise users will have to specify
- AUTH=XOAUTH2 in the URL.
+ Now sorted into categories and organized in the same style we do the
+ TODO document. It will make each issue linked properly on the
+ https://curl.haxx.se/docs/knownbugs.html web page.
- Note: OAuth 2.0 will only be used when the bearer is specified.
+ The sections should make it easier to find issues and issues related to
+ areas of the reader's specific interest.
-- [Stefan Bühler brought this change]
+Jay Satiro (6 Apr 2016)
+- KNOWN_BUGS: #95 curl in Windows can't handle Unicode arguments
- sasl_sspi: fix identity memory leak in digest authentication
+Steve Holme (6 Apr 2016)
+- KNOWN_BUGS: Use https://curl.haxx.se URL for github based issues
-- [Stefan Bühler brought this change]
+- CHECKSRC.md: Corrected some typos
- sasl_sspi: fixed unicode build for digest authentication
+- RELEASE-NOTES: Corrected last updated
- Closes #525
+ Included a summary of the checksrc.bat updates and combined two krb5
+ changes as they should have been implemented at the same time.
-- oauth2: Re-factored OAuth 2.0 state variable
+- vauth: Corrected a number of typos in comments
+
+ Reported-by: Michael Osipov
-- sasl: Don't choose OAuth 2.0 if mechanism not advertised
+Jay Satiro (5 Apr 2016)
+- KNOWN_BUGS: #94 IMAP custom requests use the LIST handler
- Regression from commit 9e8ced9890 which meant if --oauth2-bearer was
- specified but the SASL mechanism wasn't supported by the server then
- the mechanism would be chosen.
+ Bug: https://github.com/curl/curl/issues/536
+ Reported-by: eXeC64@users.noreply.github.com
-Daniel Stenberg (12 Nov 2015)
-- runtests: more compact "System characteristics" output
+Daniel Stenberg (5 Apr 2016)
+- KNOWN_BUGS: remove 68, 70 and 72.
+
+ Due to their age (we don't fully know if they actually remain) and lack
+ of detail - very few people will bother to find out what they're about
+ or work on them. If people truly still suffer from any of these, I
+ assume they will be reported again and then we'll deal with them.
- - no point in repeating curl features that is already listed as features
- from the curl -V output
+ 72. "Pausing pipeline problems."
+ https://curl.haxx.se/mail/lib-2009-07/0214.html
- - remove the port numbers/unix domain path from the output unless
- verbose is used, as that is rarely interesting to users.
-
-- runtests: rename conditional curl-features to $has_[name]
-
-Steve Holme (11 Nov 2015)
-- oauth2: Introduced support for host and port details
+ 70. Problem re-using easy handle after call to curl_multi_remove_handle
+ https://curl.haxx.se/mail/lib-2009-07/0249.html
- Added support to the OAuth 2.0 message function for host and port, in
- order to accommodate the official OAUTHBEARER SASL mechanism which is
- to be added shortly.
+ 68. "More questions about ares behavior".
+ https://curl.haxx.se/mail/lib-2009-08/0012.html
-- curl_setup.h: Removed duplicate CURL_DISABLE_RTSP when HTTP_ONLY defined
+- KNOWN_BUGS: remove 92 and 88, fixed
-- cmake: Add missing feature macros in config header (Part 2)
+- http2: fix connection reuse when PING comes after last DATA
- In addition to commit a215381c94 added the RTSP, RTMP and SMB protocols.
-
-Daniel Stenberg (10 Nov 2015)
-- [Douglas Creager brought this change]
-
- cmake: Add missing feature macros in config header
+ It turns out the google GFE HTTP/2 servers send a PING frame immediately
+ after a stream ends and its last DATA has been received by curl. So if
+ we don't drain that from the socket, it makes the socket readable in
+ subsequent checks and libcurl then (wrongly) assumes the connection is
+ dead when trying to reuse the connection.
- The curl_config.h file can be generated either from curl_config.h.cmake
- or curl_config.h.in, depending on whether you're building using CMake or
- the autotools. The CMake template header doesn't include entries for
- all of the protocols that you can disable, which (I think) means that
- you can't actually disable those protocols when building via CMake.
+ Reported-by: Joonas Kuorilehto
- Closes #523
+ Discussed in #750
-- [Douglas Creager brought this change]
+- multi: remove trailing space in debug output
- BoringSSL: Work with stricter BIO_get_mem_data()
-
- BoringSSL implements `BIO_get_mem_data` as a function, instead of a
- macro, and expects the output pointer to be a `char **`. We have to add
- an explicit cast to grab the pointer as a `const char **`.
-
- Closes #524
+- RELEASE-NOTES: synced with 86e97b642fb
-- http2: rectify the http2 version #if check
-
- We need 1.0.0 or later. Also verified by configure.
+- CHECKSRC.md: mention cmdline options, fix the bullet list
-Steve Holme (9 Nov 2015)
-- oauth2: Don't use XAUTH2 in OAuth 2.0 function name
+- docs/CHECKSRC.md: initial version
-- oauth2: Don't use XOAUTH2 in OAuth 2.0 variables
+Steve Holme (3 Apr 2016)
+- checksrc.bat: Added support for the examples
-- oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
+Daniel Stenberg (3 Apr 2016)
+- lib/src: fix the checksrc invoke
- When referring to OAuth 2.0 we should use the official name rather the
- SASL mechanism name.
+ ... now works correctly when invoke from the root makefile